7 More Reasons Why Sending Cleartext IM and Email Is *NOT* Secure Even If Your Doc Says It Is…Part 2

As a continuation of my blog posting from Monday, here are 7 additional reasons to add to the previous 4 for why sending cleartext instant messages (IMs) and email is not secure:


5) Wireless transmissions can easily be intercepted.
Thanks to Rich Mogull a colleague in the Security Catalyst Community for putting it so nicely,

“If the user is on a wireless or other shared network, including their work network, there is a moderate to high risk of unauthorized sniffing of IM or email. On a corporate network this may be done as a matter of course, and if the enterprise is doing any sensitive data monitoring, odds are the healthcare info may trigger an alert and some administrator/security officer will see the content. No wireless or public wired network can be considered secure, and sniffing is common depending on where you are.”

If a patient is communicating with a doctor on a wireless transmission that is not encrypted, the information within those IMs or email messages may very easily be intercepted…without any indication to the patient or doctor that it was intercepted…by someone else in the area or neighborhood who is also using wireless to search for such communications to snag.
6) Communications from work networks are subject to monitoring.
People are increasingly using IM and email from their work to send and receive messages that are not work-related, such as with their doctors. For more information about this, see my blog posting, “Preventing Data Leakage Through Email and Instant Messaging.”
Among other interesting facts within it, research from 2004 showed 11 million people were using IM at work…think how much this has increased in three years!
If a patient is communicating with a doctor from their work via cleartext email and IMs, the chances are pretty good that all those communications are being logged within the corporate network.
7) Email mistakes.
Ever since people have been using email, they have also been mistakenly sending email messages to the wrong people. I have blogged about this many times, such as in the blog posting here that contains many examples of actual email mistakes. It is very easy to accidentally pick the wrong email address from your email address book and send your email without realizing your mistake…before it is too late! Here is another very good real life example of how such a mistake can occur.
Everyone is prone to these types of mistakes, not only patients, but also their doctors, lawyers and accountants.
8) Email and IM communications may be subject to discovery during court actions.
The E-Discovery Rule, see “The Business Leader Data Retention and E-Discovery Primer” here, opens up the very real possibility that email messages and IMs in storage…including on a doctor’s computer or the patient’s computer…is open to being used during court cases. The stored messages may be gathered during the discovery process to the lawyers involved, and subject to their close review.
Here‘s an example of how a doctor’s computer, and the messages stored upon it, were obtained during a court case.
Think about it before sending personal details and personally identifiable information (PII) within email and IM messages; would you want others to use the information you are sharing with your doctor in any court case?
9) IM & Email Phishing Exploits.
There are growing numbers of phishing (cybercriminals tricking people into giving information or going to a malicious site by sending what looks like a legitimate message that must be acted upon) attacks and exploits, not only through email but also through IM.
It would be relatively easy for someone to send a message to a patient and fool them into providing personal information or PII based upon the cybercriminal knowing that using email and IM is a common way of a doctor communicating with his or her patients. If the patient commonly communicates with a doctor using email and IM, the patient will be highly susceptible to providing the information a phishing criminal is trying to get to them.
When professionals or organizations advertise that they communicate in clear text emails and IMs, the cybercriminals will be able to exploit this method of communication and the professionals/organizations can then easily be targeted for phishing schemes, not only via email but also through IM.
For some real world examples and discussions of phishing, see here.
10) Email Forwarding.
There have been many times when people have accidentally or purposefully forwarded messages containing sensitive information on to others without realizing that they should not be forwarding the sensitive information. Here‘s a good example of a forwarding mistake.
Even professionals, such as doctors, can make these types of mistakes.
11) Message Spoofing.
When professionals, such as doctors, advertise that they routinely share communications with their customers or patients, the cybercriminals now have a nice target. Spoofing IM and email messages is easy to do. It would be very easy for a cybercriminal to communicate with patients or customers and make it look like the message was coming from a trusted professional, such as a doctor.
Spoofing is similar to phishing, but goes a bit further by making the message sender details look as much as possible like the spoofed sender’s actual message would look.
If such cleartext email and IM communications between doctors and patients are routine, the recipient patient or customer would be very susceptible to providing the information requested by the masquerading criminal.
Not only can personal information and PII be obtained in this way, but malicious code is also a common payload that can do much damage to the customer’s or patient’s computer. Just this past Mnday a new malicious code attack via spoofed IMs was widely reported.
For another example and discussion of spoofing see here.
And there are many more risks. However, these 11 should give you reason to pause and think about what you are sending in cleartext IMs and email messages.
Noah Campbell, a computer engineering guru who is also a colleague in the Security Catalyst Community, also has a good point about email and IM communications between doctors and patients,

“Another thing to consider is that a doctor may be making a judgement on behalf of the patient. Since IM and email can be initiated by the doctor, what prevents him or her from sending out an email saying those cold symptoms sound serious…why not come in. An un-interested party may become interested and fraudulently try to attain more information through these channels. How does the doctor know he or she is not talking to an attacker at the other end? Does pre-texting mean anything after HP made it well known?”

Michael Santarcangelo, an information security guru, suggests patients ask their doctor/accountant/lawyer/any professional wanting to communicate via email and/or IM the following three important questions:

“1. How important am I to your practice?
2. How important is my information, and how are you taking it seriously?
3. How can we improve our ability to communicate, etc.”

How will your doctor/accountant/lawyer/whomever answer?
The bottom line is, cleartext email and IM communications are not secure.
It is important that customers and patients know the risks of communicating with their doctors/lawyers/accountants in this way before they start sending their personal information.
It is important that doctors/lawyers/accoutants/whomever professional make it very clear to their patients and customers the risks of communicating information in cleartext email and IM before the ask their patients/customers to actually start sending information in this way.
Always remember that you, as the patient or customer, should be able to control how you share your personal information or PII. It is your call to say whether or not you potentially want the world to know that you have a growth in your ear, are considering plastic surgery, or are concerned about some sensitive medical condition. You should know the risks of doing such communication. That is at the core of privacy; *you* determining what *you* don’t want others to see, or making the decision to disclose information about yourself.
Something you find very personal and want to keep private may not be viewed in the same way by others.
Cleartext email and IM communications are not secure. If you do not want potentially many others to see information, then don’t send in clear text email and IM. You should have the privacy right to choose whether or not to put your personal information at risk.
For some more information discussing the vulnerabilities of using email and IMs, see a paper I wrote earlier this year, “Preventing Data Leakage Through Email and Instant Messaging.”

Tags: , , , , , , , , , , , , , , , , ,

Leave a Reply