You've got mail

E-mail encryption is becoming a necessity for protecting sensitive information.

The sheer volume was the shocker. Cliff Gobin had figured it would be maybe a few dozen e-mails a month - only those carrying confidential patient information off the network - that would need to be encrypted once his hospital rolled out a secure-messaging capability to employees and affiliated physicians.

The actual number of e-mails being encrypted today: 1,000 to 1,500 per month.

"That's 1,000 or 1,500 messages that would have been sent clear text without the product, so we feel a lot better now than we did a year ago," says Gobin, director of IT security at Memorial Hermann Hospital in Houston, referring to Zix's Virtual Private Messenger (VPM).

If you listen to the vendors, you'll come away wondering why so much as a single message still flies across the Internet naked as a jaybird. Not only is securing electronic correspondence essential in this age of the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act, it has become as easy for end users as clicking a button, and not much more difficult for network managers, these vendors insist.

Customers generally agree, although they tell a slightly less unblemished story. Industry watchers also say that secure-messaging vendors have made dramatic strides in making their products easier to use and afford, but they, too, see the vendors' job as unfinished, especially in terms of making the sending process transparent and the decrypting process foolproof.

In a typical organization, about 20% of employees find frequent use for secure e-mail capabilities, according to Michael Osterman, president of Osterman Research. He says 60% are occasional users and the balance need it rarely. According to Osterman's studies, two-thirds of organizations have some type of secure e-mail capability, evenly distributed between server, gateway and/or desktop approaches.

"Secure messaging is sort of a serendipitous technology," Osterman says. "If you ask somebody if they need to encrypt e-mail, a lot of people will say, 'No, not really.' But put an easy-to-use encryption capability in front of them, and they find more uses for it."

This phenomenon has been evident at Memorial Hermann Hospital, which has 16,500 employees spread over three dozen facilities, and 3,000 affiliated doctors with e-mail accounts.

A Microsoft Exchange and Outlook shop, the hospital spent $75,000 a year ago on VPM to provide encryption.

Gobin says hospital IT executives had for some time recognized the need for secure e-mail. "We were concerned before, but the HIPAA privacy regulations gave us the incentive to go ahead and spend some money on this," he says.

Zix VPM initiates encryption at one of two points in the process. End users wishing to encrypt a message type the trigger word "secure" in the subject line before hitting the send button. "In addition, the better tool is that Zix scans the e-mail's text and attachments and looks for combinations of words and numbers that look like it's going to be patient-identifiable information," Gobin says. "It looks for healthcare terms like cancer, and someone's name, and perhaps a Social Security number, account number or medical record number. When the software sees that combination, then it automatically encrypts that e-mail, whether or not the user indicated that it should be secure."
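The two trigger points described above (a sender's subject-line flag, and a content scan that fires only on a combination of a clinical term and an identifier) amount to a small policy engine. The following is an added illustration of that logic, not Zix code: the trigger word "secure" is the one the article names, but the health-term list, the identifier patterns and the sample messages are assumptions constructed for this example.

```python
"""Policy-based encryption trigger modelled on the two trigger points the
article describes.  Added example; not Zix's implementation.  The term list,
identifier regexes and sample messages are assumptions for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Sender-side flag from the article: the word "secure" in the subject line.
TRIGGER_WORD = re.compile(r"\bsecure\b", re.IGNORECASE)

# Assumed clinical vocabulary; a real gateway ships a far larger dictionary
# and tunes it against false positives.
HEALTH_TERMS = {"cancer", "chemotherapy", "diagnosis", "hiv", "patient", "prescription"}

# Assumed identifier formats: a US SSN (3-2-4 digits) and a medical-record or
# account number introduced by a label and followed by 6-10 digits.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "record_number": re.compile(
        r"\b(?:mrn|medical record(?: number)?|account(?: number)?)\s*[:#]?\s*\d{6,10}\b",
        re.IGNORECASE,
    ),
}


@dataclass
class Message:
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)  # extracted text of each attachment


def find_health_terms(text: str) -> list[str]:
    words = set(re.findall(r"[a-z]+", text.lower()))
    return sorted(words & HEALTH_TERMS)


def find_identifiers(text: str) -> list[str]:
    return sorted(name for name, pattern in IDENTIFIER_PATTERNS.items() if pattern.search(text))


def classify(msg: Message) -> tuple[bool, str]:
    """Decide whether the gateway must encrypt `msg`.

    Rule 1: the sender flagged the subject with the trigger word.
    Rule 2: the subject, body or any attachment contains BOTH a health term
    and an identifier.  Requiring the combination rather than either alone is
    what keeps a newsletter that merely mentions "cancer", or an invoice that
    merely quotes an account number, out of the encrypted stream.
    """
    if TRIGGER_WORD.search(msg.subject):
        return True, "sender flagged subject"
    scanned = "\n".join([msg.subject, msg.body, *msg.attachments])
    terms = find_health_terms(scanned)
    identifiers = find_identifiers(scanned)
    if terms and identifiers:
        return True, f"policy match: terms={terms} identifiers={identifiers}"
    return False, "no policy match"


# Constructed sample traffic (not real messages).
SAMPLES = {
    "flagged": Message("Secure: lab results", "See the attached summary."),
    "phi_in_body": Message("Re: follow-up", "Patient Jane Doe (MRN 00482913), diagnosis confirmed."),
    "phi_in_attachment": Message("Schedule", "File attached.",
                                 ["John Smith, SSN 123-45-6789, chemotherapy starts Monday."]),
    "term_only": Message("Cancer awareness walk", "Join us Saturday at 9am."),
    "identifier_only": Message("Invoice", "Account number 12345678 is 30 days overdue."),
}


def decisions() -> dict[str, bool]:
    """Encrypt/clear decision for every sample message."""
    return {name: classify(msg)[0] for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        encrypt, reason = classify(msg)
        print(f"{name:18} -> {'ENCRYPT' if encrypt else 'clear  '}  ({reason})")
```

The two clear-text samples are the ones a looser rule would have encrypted unnecessarily; tightening the content rule to a term-plus-identifier combination is the kind of tuning the article later credits with reducing false positives.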

Tales from the encrypt

Good thing, too, as Gobin's analysis of the hospital's e-mail stream shows clearly that end users are often not mindful of the need to encrypt. Of the hospital's e-mail that is sent encrypted, about one-third carries the trigger word that users apply to the subject line; two-thirds are encrypted by the policy server, with 95% of that group being "real cases where protected health information was in the note and the submitter forgot to put 'secure' in the subject line."

False positives - e-mail encrypted unnecessarily - were more of an issue early on, Gobin says, but the software has become more accurate with upgrades and tweaking. There also have been end-user support issues, primarily problems some recipients have had navigating a password-protected Web site to fetch encrypted messages. Zix-encrypted messages arrive in a recipient's in-box with a link to a Web site set up by the hospital. When recipients arrive at the site, they are authenticated and establish a password.

Overcoming the human failings of e-mail senders and recipients is pretty much Job One for today's secure e-mail vendors.

"The vendors have figured out that they're in the policy business that happens to include encryption, not the encryption business that happens to include policy," says Paul Hoffman, director of the VPN Consortium and former director of the Internet Mail Consortium. "That's how their customers are going to look at this. The people who are scared of HIPAA, scared of Sarbox, stuff like that, they're coming at the problem strictly with the question of 'How do I meet this policy?'"

With desktop encryption products long considered too complex for end users and too costly for widespread corporate deployment, policy-based gateway products have arrived.

"What you're going to find is that the ROI on these things is surprisingly reasonable," Hoffman says. "And, of course, now that we're many years later, encryption goes faster, and you don't need as big of a system to do it. You don't need a high-end SPARC workstation to process this kind of stuff."

No matter what vendors say about ease of use, customers should expect to see an increase in help desk calls after rolling out encryption capabilities. "But they're not going to be the kind of user calls that are horribly confusing," Hoffman says. "It's going to be 'I got this piece of e-mail bounced back to me with this message.'"

Meeting policy requirements was exactly the challenge facing John Sherman, HIPAA project manager at Corporate Benefit Services of America (CBSA), a third-party administrator of company insurance plans in Minneapolis that processes 200,000 claims every month from its customers' 400,000 enrolled employees. CBSA's 500 employees are scattered in offices nationwide and until recently had no ability to secure their Exchange/Outlook e-mail. This spring the company rolled out Sigaba Secure Email after considering competing products from Authentica and Tumbleweed.

In addition to transparency and ease of use, CBSA was eager to avoid client-side plug-ins that would decrypt messages. "As time goes on, and more and more companies are encrypting, it will become a real jungle out there," as clients and decryption sites proliferate, Sherman says. "Also, we had some of our regular correspondents wanting to send us a plug-in so that they could send their secure e-mail to us, but we had nightmare visions of having multiple plug-ins from multiple correspondents, and we didn't think that was a workable solution."

Sigaba Secure Email requires a user to click a "secure and send" tab to initiate encryption. Each message carries the code needed for recipients to authenticate back with the sender's server and request the key needed to decrypt the e-mail.

CBSA also wanted to avoid additional storage burdens.

"We didn't want them to have to come to our Web site and download our e-mail or our reports, because that would saddle us with a large storage requirement that we really didn't want to manage," Sherman says.

While the product has been running only a few months, and there was an initial spike in help desk requests, Sherman says he's pleased with how it has been received internally and externally.

Hills Bank in Hills, Iowa, opted for a different vendor but has been equally satisfied with its recent foray into secure messaging. The 100-year-old bank employs 400 people in 12 locations. Another Microsoft shop, Hills Bank had no encryption before laying out $27,000 last fall to license Voltage SecureMail for three years.

"Protecting confidential information is a key aspect of our business, and we needed a tool that would be easy to deploy, easy to administer, and easy for our users," says Rod Jensen, senior information systems officer at the bank. The decision to go with Voltage "came down to price and our consultant's recommendation."

SecureMail includes a small desktop client, which initially concerned the bank's IT department.

"We do run a terminal services environment, so the more add-ons you install, the more complex the system grows," says Josh Holst, information systems officer at the bank. "But after testing the system, it worked out real well for us." SecureMail took a few days to deploy with the help of a Voltage technician, and testing was completed in 2 ½ months.

As for those using the system?

"They think it's great. They like knowing that their information is secure," Holst says. "The customers don't have to go out and create a logon account and then sign in and remember a password. It's fairly straightforward as far as how you get that encrypted e-mail."

Employees at other banks that deal regularly with Hills Bank can install their own version of the Voltage client software that enables them to receive and decrypt secure e-mail with fewer steps each time. "The downside there is that they need to get approval from their IT staffs," Holst says.

In general, customers believe these secure e-mail products have come a long way from the days when encryption was considered too complex and costly.

"The price came down to a manageable level, and the accuracy has risen to an acceptable level," Memorial Hermann's Gobin says, "so that now we don't have any question that this is a good investment."

Code warriors

According to a recent survey by Osterman Research, IT and security departments are driving e-mail encryption.
1. Which of the following systems have been deployed in your organization and where have they been deployed?
   Server                 36%
   Desktop                33%
   Gateway                20%
   Hosted or ISP           5%
   Not deployed           34%

2. For which of the following types of traffic is it important in your organization to have secure messaging/encryption?
   Business/supply chain  82.7%
   Remote employees       76.9%
   Customers/consumers    70.2%
   Internal employees     52.9%

3. Which secure messaging/encryption method(s) does your organization need/desire to communicate securely with these people?
   S/MIME                 57.4%
   PGP                    43.6%
   A Web mailbox          43.6%

4. How broadly do you require/desire to deploy secure messaging/encryption within your organization now?
   Selected individuals                   71.1%
   A single business group or department  53.8%
   Multiple business groups               52.1%
   Company-wide                           36.6%

5. What or who is driving the need for secure messaging/encryption?
   Security/IT department 66.4%
   Compliance department  57.5%
   End users              30.1%

Multiple responses allowed. Total responses: 115.
