Encryption of mail boxes
Idea shared by Lakshan Salgado - 10/13/2014 at 10:59 AM
Proposed
I'm looking to SM to give us a road map of when we can expect mailbox encryption. Basically I am looking at encryption being available at three levels, each managed at that level:
1) Server level (we can encrypt all data on our SM server for all clients)
2) Domain level (the domain administrator can encrypt their mail accounts)
3) User level, where an individual can choose to encrypt their mailbox only.
Reasons for each level.
1. I do not like the fact that my employees can look at my email/mailbox on my SM server. I suspect there are a lot of others who own a SM server who feel that way.
2. Customers are concerned that we will look at their mailboxes. Plus this is a HIPAA thing for folks who host with us.
3. There may be an executive user who wants to keep his stuff private yet allow the system admin within their org to manage their hosted email.
SM, can you give us some idea? We are now at v12; it's a very mature platform and it's time to start rolling out some of these key items. Thanks
 
 
 

10 Replies

1
If you are hosting customers who need to be HIPAA compliant, then you should have a BUSINESS ASSOCIATE CONTRACT with your customer, making you responsible for that data.  This requirement went into effect, as law, last November.  Anyone who performs any work for any agency that requires HIPAA compliance, along with any sub-contractors, is 100% responsible for the security and enforcement of the data.
 
You will also have to vet all of your employees and have them sign BUSINESS ASSOCIATE CONTRACTS with you.
 
For a sample template for the HIPAA BUSINESS ASSOCIATE CONTRACT, see: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
 
These are the guidelines for HIPAA BUSINESS ASSOCIATE CONTRACTS from AHIMA (the American Healthcare Information Management Association):  http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_050447.hcsp?dDocName=bok1_050447
 
This is not something to be ignored or taken lightly.  As a HIPAA contractor, you are subject to the same audits as the customers you are providing the service(s) to and are MANDATED to undergo regular, annual training.  See: http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_050447.hcsp?dDocName=bok1_050447
 
and here are some good HIPAA Business Associate training resources: https://www.google.com/search?q=hipaa+business+associate+training+powerpoint
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phone: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
Bruce, you completely missed the point.
As for HIPAA, our responsibility per the law is to secure and protect the data as a provider. The point of this request of SM here is the clear-text visibility of the data, the lack of a way to encrypt the data, and their road map. Bluntly, when everyone else is either on the way to or is already encrypting public data (i.e. your and my customers' hosted data), we have no visibility from SM as to when those expectations can be met.
In house we do something similar on .NET products that we deliver as outsourced gigs because they usually have some kind of sensitive data. We give the system admin a place to enter a complex password that is stored in encrypted form and used as a master key. Encryption and decryption occur on the fly on the static data. There is an option for them to provide us a decrypt key as a back door (most choose not to do so). No key = we can't see the data. (If the law comes knocking we give them encrypted data.)
My guess is that neither I nor other SM hosters have any desire to have "Business Associate Contracts" with some outfit in the middle of Bulgaria or some corner of Burma that pays us $5.00/month.
Okay enough said. SM, the response is in your hands as to your roadmap.
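The scheme the post above describes (an admin passphrase that becomes a master key, on-the-fly encryption of the stored data, an optional escrowed decrypt key) is envelope encryption. The following is an added example written for this thread, not SmarterMail's code and not the poster's .NET product: a per-mailbox data-encryption key (DEK) is wrapped under a key-encryption key (KEK) derived from the admin passphrase and, only if the customer opts in, under a second KEK derived from a recovery passphrase. The blob layout, function names, iteration count and the sample message are all assumptions made for the example; it needs Windows PowerShell 5.1 on .NET Framework 4.7.2 or later, or PowerShell 7.

```powershell
using namespace System.Security.Cryptography
using namespace System.Text

# Added example, not SmarterMail's or the poster's .NET code. AES-CBC + HMAC is
# used (encrypt-then-MAC) because AesGcm does not exist on .NET Framework.
# Blob layout (assumed): [16-byte IV][AES-256-CBC ciphertext][32-byte HMAC-SHA256 tag]
Set-StrictMode -Version Latest

function New-RandomBytes([int]$Count) {
    $b = New-Object byte[] $Count
    [RandomNumberGenerator]::Create().GetBytes($b)
    return ,$b
}

# $Key is 64 bytes: bytes 0-31 are the AES key, bytes 32-63 the HMAC key.
function Protect-Bytes([byte[]]$Key, [byte[]]$Plaintext) {
    $aes = [Aes]::Create()
    $aes.KeySize = 256; $aes.Mode = [CipherMode]::CBC; $aes.Padding = [PaddingMode]::PKCS7
    $aes.Key = [byte[]]$Key[0..31]
    $aes.GenerateIV()
    $ct   = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    $body = [byte[]]($aes.IV + $ct)
    $tag  = [HMACSHA256]::new([byte[]]$Key[32..63]).ComputeHash($body)
    return ,[byte[]]($body + $tag)
}

function Unprotect-Bytes([byte[]]$Key, [byte[]]$Blob) {
    if ($Blob.Length -lt 64) { throw 'Blob too short to be valid' }
    $body = [byte[]]$Blob[0..($Blob.Length - 33)]
    $tag  = [byte[]]$Blob[($Blob.Length - 32)..($Blob.Length - 1)]
    $calc = [HMACSHA256]::new([byte[]]$Key[32..63]).ComputeHash($body)
    $diff = 0                                   # constant-time tag comparison
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($calc[$i] -bxor $tag[$i]) }
    if ($diff -ne 0) { throw 'Authentication failed: wrong key or tampered data' }
    $aes = [Aes]::Create()
    $aes.KeySize = 256; $aes.Mode = [CipherMode]::CBC; $aes.Padding = [PaddingMode]::PKCS7
    $aes.Key = [byte[]]$Key[0..31]
    $aes.IV  = [byte[]]$body[0..15]
    return ,[byte[]]$aes.CreateDecryptor().TransformFinalBlock($body, 16, $body.Length - 16)
}

# KEK from the admin's passphrase. The KEK is never written anywhere; only the salt is.
function Get-KeyEncryptionKey([string]$Passphrase, [byte[]]$Salt) {
    $kdf = [Rfc2898DeriveBytes]::new($Passphrase, $Salt, 300000, [HashAlgorithmName]::SHA256)
    return ,[byte[]]$kdf.GetBytes(64)
}

# Per-mailbox record: random DEK wrapped under the admin KEK and, only when a
# recovery passphrase is supplied, under a second (escrow) KEK.
function New-MailboxKeyRecord([string]$AdminPassphrase, [string]$RecoveryPassphrase) {
    $dek  = New-RandomBytes 64
    $salt = New-RandomBytes 16
    $rec  = @{ Salt = $salt; WrappedDek = (Protect-Bytes (Get-KeyEncryptionKey $AdminPassphrase $salt) $dek)
               EscrowSalt = $null; EscrowDek = $null }
    if ($RecoveryPassphrase) {
        $rec.EscrowSalt = New-RandomBytes 16
        $rec.EscrowDek  = Protect-Bytes (Get-KeyEncryptionKey $RecoveryPassphrase $rec.EscrowSalt) $dek
    }
    return $rec
}

function Get-DataEncryptionKey($Record, [string]$Passphrase, [switch]$UseRecoveryKey) {
    if ($UseRecoveryKey) {
        if (-not $Record.EscrowDek) { throw 'No recovery key escrowed: without the admin passphrase the data is unrecoverable' }
        return ,(Unprotect-Bytes (Get-KeyEncryptionKey $Passphrase $Record.EscrowSalt) $Record.EscrowDek)
    }
    return ,(Unprotect-Bytes (Get-KeyEncryptionKey $Passphrase $Record.Salt) $Record.WrappedDek)
}

# Demo with a constructed message (not real mail data).
$record = New-MailboxKeyRecord 'correct horse battery staple' 'recovery-key-held-by-provider'
$dek    = Get-DataEncryptionKey $record 'correct horse battery staple'
$msg    = [Encoding]::UTF8.GetBytes("From: alice@example.com`r`nSubject: test`r`n`r`nhello")
$blob   = Protect-Bytes $dek $msg                         # this is what lands on disk
$dek2   = Get-DataEncryptionKey $record 'recovery-key-held-by-provider' -UseRecoveryKey
[Encoding]::UTF8.GetString((Unprotect-Bytes $dek2 $blob))   # round-trips via the escrowed key
try { Unprotect-Bytes (New-RandomBytes 64) $blob } catch { "Rejected: $($_.Exception.Message)" }
```

Two properties of this layout matter for the hosting case in the thread. Wrapping a random DEK rather than encrypting mail directly under the passphrase key means a passphrase change only rewraps one small record instead of re-encrypting every mailbox, and the escrow copy can be added or revoked without touching the data. And the "no key = we can't see the data" guarantee is only as strong as the process boundary: the mail service must hold the unwrapped DEK in memory to deliver and serve mail, so this protects backups, stolen disks and file-level browsing, not an administrator who can read the service's memory or log in as it.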
 
0
Your customer is mandated, by Federal law, to give you a Business Associate Contract.  As guardian for their e-mail, you are mandated to comply with the same rules and regulations they must comply with and you must also ensure that whatever passes through your servers, whether IIS, FTP, or E-Mail, is in compliance. 
 
If you want to provide the product to HIPAA covered entities, then you must be in compliance, and part of that requires that you are covered by a Business Associate Contract.
 
I provided the links for your review.  If you don't comply, and your customer is audited, you will be too.
0
Bruce, you are still missing the point. This request is about encrypting customer mailbox data on a SM mail server; HIPAA and such is a secondary matter. Look beyond the trees to see the forest :)
 
0
I understand what you want to do, and I think it can be done, but I have never tried it.  Yes, to truly be HIPAA compliant all data on the server would have to be encrypted.
 
Keep in mind that encryption and decryption would result in a LOT of CPU usage.
 
You would do the following on the Domains folder:
http://windows.microsoft.com/en-us/windows/encrypt-decrypt-folder-file#1TC=windows-7
 
Various versions of Windows might have a slightly different procedure to accomplish the same task.
 
Good luck, and again I want to say I have never actually tried this.  If you try it and it works please let me know.
 
Thanks,
-Joe
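The procedure Joe links to is EFS (Windows file-system encryption) applied to the Domains folder. As an added example for this thread, not SmarterMail's or Joe's code, the block below does the same thing from an elevated PowerShell prompt with cipher.exe and then checks the two things that usually go wrong: files that were skipped and are still plaintext, and which identities hold a certificate that can decrypt the files. The datastore path is an assumption; adjust it to your install.

```powershell
# Added example, not SmarterMail's or the poster's code. Enables EFS on the
# mail datastore and verifies the result. Assumed path; run as an administrator.
$DataRoot = 'C:\SmarterMail\Domains'

function Enable-EfsTree([string]$Path) {
    # /E encrypts, /S:dir applies to the directory and everything beneath it.
    & cipher.exe /E /S:"$Path" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed with exit code $LASTEXITCODE" }
}

# Files whose Encrypted attribute is not set were skipped (a file held open by
# the mail service is the usual cause) and are still plaintext on disk.
function Get-UnencryptedFiles([string]$Path) {
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force |
        Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) } |
        Select-Object -ExpandProperty FullName
}

Enable-EfsTree $DataRoot
$plainLeft = @(Get-UnencryptedFiles $DataRoot)
"Files still unencrypted: $($plainLeft.Count)"
$plainLeft | Select-Object -First 10

# /C lists, per file, the user certificates and recovery agents able to decrypt it.
# Only those identities can read the mail from now on.
& cipher.exe /C "$DataRoot"
```

The caveat a practitioner wants here is the one the post's "I have never tried it" hides: EFS keys belong to the Windows account that ran the encryption. If the SmarterMail service runs under a different identity (LocalSystem, or a dedicated service account) it will fail to open the files the moment they are encrypted, and mail delivery stops, unless that account is added to each file (cipher.exe /ADDUSER) or the service runs as the encrypting user. Test delivery immediately after enabling, and export and back up the EFS certificate and any recovery agent first, because losing them loses every mailbox.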
0
Very useful links about HIPAA. Thank you, Bruce.
0
Anyone ever talk about adding OpenPGP to SmarterMail as an optional add-on?
J. Sebastian Lee Service2Client LLC 6333 E Mockingbird Ste 147 Dallas, TX 75214 - 877.251.3273
1
All well and good, up to a point. You should, however, be able to protect the files and folders where SM data is stored, using Windows security, without encrypting those files/folders. I have had entire SM email servers blocked for file access for anyone but admins for years. If your SM server is running on a file server with shared (document, etc.) folders, you can still do this quite easily.
 
Setting up your SM server datastore so that only admins have rights to those files/folders does NOT prevent the flow of email to and from the datastore, because that happens over different mechanisms than file/folder access rights.
 
That said, encrypting the data does take up processor time, and certainly can make recovery of mailboxes and emails more difficult. I can see where some folks would need it or want it, but along with the "view password" issue, it's definitely not desired in many cases, as it adds administrative and processor overhead.
 
Regarding HIPAA security, employers generally, by law, have full rights to peruse the BUSINESS emailboxes of employees, when they provide company email. How HIPAA laws affect these rules, I have no idea. Would not mind being enlightened on that point.
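The post above recommends restricting the datastore with Windows file permissions instead of encrypting it. The following is an added example written for this thread, not SmarterMail's or the poster's setup: it breaks ACL inheritance on the datastore root, leaves only SYSTEM and Administrators with access, and then audits the whole tree for any stray Allow entry. The path and the assumption that the service runs as LocalSystem are mine; if SmarterMail runs under a dedicated account on your server, add that account to $Allowed, otherwise the service loses write access and mail stops flowing.

```powershell
using namespace System.Security.AccessControl

# Added example, not SmarterMail's or the poster's code. Assumed datastore path
# and service identity; run as an administrator and test on a copy first.
$DataRoot = 'C:\SmarterMail'
$Allowed  = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Set-MailStoreAcl([string]$Path, [string[]]$FullControl) {
    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting and discard the inherited entries ($false), so the parent's
    # "Users: Read & execute" no longer reaches the mailboxes.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    $inherit = [InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($who in $FullControl) {
        $rule = [FileSystemAccessRule]::new($who, [FileSystemRights]::FullControl,
                    $inherit, [PropagationFlags]::None, [AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Every Allow entry anywhere in the tree for an identity outside the allow-list.
# No output is the pass condition.
function Find-StrayAccess([string]$Path, [string[]]$AllowedIdentities) {
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $AllowedIdentities -notcontains $ace.IdentityReference.Value) {
                [pscustomobject]@{ Path     = $item.FullName
                                   Identity = $ace.IdentityReference.Value
                                   Rights   = $ace.FileSystemRights }
            }
        }
    }
}

Set-MailStoreAcl -Path $DataRoot -FullControl $Allowed
Find-StrayAccess -Path $DataRoot -AllowedIdentities $Allowed | Format-Table -AutoSize
```

Resetting the root only fixes entries that inherit from it; if the audit reports explicit entries on subfolders or files, run Set-MailStoreAcl on those paths too. The post is right that this does not interfere with mail flow, since the service process does the file access on behalf of SMTP, IMAP and POP clients. What it cannot do is address the first reason in the original request: anyone in BUILTIN\Administrators still reads every mailbox (and can take ownership of the tree regardless), so ACLs keep non-admin employees and other tenants out, not the server's own administrators.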
 
0
I believe SmarterTools themselves recently posted that they don't represent SmarterMail as being HIPAA compliant. In its current form I don't see any way to make SmarterMail HIPAA compliant.
0
Thanks, Joe. Happily I'm not in that situation with any of my clients running SM.
