Email Encryption Issues
Pretty Good Privacy
A Simple Solution for Encrypting Patient Information in E-mail and the Internet
by Randale Sechrest

One of the biggest barriers to using the Internet for transporting sensitive healthcare information has been the perceived lack of security. The reality is that there are very robust encryption tools available that anyone can use to protect both email and file attachments such as digital images and documents. The most widely available encryption software may well be Pretty Good Privacy (PGP), a program written by Phil Zimmermann. This program caused quite a stir when it was released free onto the Internet several years ago and landed Mr. Zimmermann in trouble with the US authorities for violating export laws for strong encryption technology. This, in turn, prompted a reaction from the civil libertarians who came to the rescue, and Mr. Zimmermann eventually was cleared of all charges. Although PGP is currently marketed as a commercial product through Network Associates, Inc., there remains a freeware version that works just fine.

PGP is based on an encryption technology known as public key cryptography. This approach uses two keys (called a key pair) to maintain secure communications. One of the keys is designated as a private key, to which only you have access, and the other is a public key, which you freely exchange with other people who wish to communicate securely with you. Anything encrypted with your public key can be decrypted only with the matching private key.

Many later email programs include plug-ins to use PGP. These include Microsoft Outlook, Outlook Express and Eudora. I use Microsoft Outlook as my email program, and using PGP is about as simple as it gets. Using Microsoft Outlook you can encrypt and sign as well as decrypt and verify your messages while you are composing and reading your mail with a simple click of a button. After installing PGP you will have to create a private and public key pair. After you have created a key pair, you can begin corresponding securely with other PGP users. To encrypt messages you wish to send to them you will need a copy of their public key, and they will need yours to send encrypted messages back. Your public key is just a block of text, so it's quite easy to trade keys with someone. You can include your public key in an email message, copy it to a file, or post it on a public or corporate key server where anyone can get a copy when they need it. If you need someone's key (provided they use PGP), chances are you can find it on one of the national servers available. Mine is registered on ldap://certserver.pgp.com.

Once you have a copy of someone's public key, you can add it to your public keyring. A keyring is nothing more than a small software program that organizes all the keys for people you communicate with - sort of like an address book. Storing and organizing keys also works seamlessly in Microsoft Outlook. If the person's key resides on your keyring, Outlook just uses it and goes about its business of encrypting and signing the email. If not, it prompts you to supply the key. If you really want to get compulsive, there are multiple levels of authentication that will allow you to verify other folks' keys, have them sign your key, etc. I think for most of us this is probably unnecessary.
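
The key-pair, key-exchange, keyring and encrypt/sign steps described above, carried out with GnuPG's `gpg` command line (a free OpenPGP implementation) rather than the Outlook plug-in. This is an added example, not from the original article; the two identities, their addresses, the file names and the message text are constructed.

```sh
#!/bin/sh
# Added example, not from the original article. Needs GnuPG 2.1.17 or later.
# Identities and message text are constructed. The throwaway keys are created
# without a passphrase so the run is non-interactive; real keys should have one.

# Run gpg non-interactively against the keyring directory given as $1.
g() { h=$1; shift
      gpg --homedir "$h" --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Print the primary-key fingerprint of user ID $2 as stored in keyring $1.
fpr() { g "$1" --with-colons --fingerprint "$2" | awk -F: '$1 == "fpr" { print $10; exit }'; }

pgp_roundtrip() {   # $1 = message text; prints the decrypted text on success
    w=$(mktemp -d) || return 1
    dr=$w/doctor; sec=$w/secretary; rc=0
    mkdir -m 700 "$dr" "$sec"

    # 1. Each side creates its own key pair; the private half stays in its keyring.
    g "$dr"  --quick-generate-key "Doctor <doctor@example.org>" future-default default never >/dev/null
    g "$sec" --quick-generate-key "Secretary <secretary@example.org>" future-default default never >/dev/null

    # 2. Public keys are exported as text blocks and imported by the other side.
    g "$dr"  --armor --export doctor@example.org    > "$w/doctor.asc"
    g "$sec" --armor --export secretary@example.org > "$w/secretary.asc"
    g "$dr"  --import "$w/secretary.asc"
    g "$sec" --import "$w/doctor.asc"

    # 3. Compare the imported key's fingerprint with the owner's own copy
    #    (in practice the owner reads it out over a separate channel).
    [ "$(fpr "$dr" doctor@example.org)" = "$(fpr "$sec" doctor@example.org)" ] || rc=1

    # 4. Secretary signs with her private key and encrypts to the doctor's public key.
    #    --trust-model always is used only because step 3 checked the fingerprint.
    printf '%s' "$1" | g "$sec" --trust-model always --armor --sign --encrypt \
        --recipient doctor@example.org --output "$w/msg.asc" || rc=1

    # 5. Doctor decrypts with his private key; GOODSIG confirms the sender's signature.
    g "$dr" --status-fd 3 --output "$w/plain.txt" --decrypt "$w/msg.asc" 3> "$w/status" || rc=1
    grep -q '^\[GNUPG:\] GOODSIG ' "$w/status" || rc=1
    [ "$rc" -eq 0 ] && cat "$w/plain.txt"

    for d in "$dr" "$sec"; do gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || :; done
    rm -rf "$w"
    return "$rc"
}

# Stand-alone use: sh example.sh "constructed message text"
if [ $# -gt 0 ]; then pgp_roundtrip "$1"; fi
```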

I'm beginning to use encryption to protect patient information that my secretary and I exchange by email. It is a convenient way to ensure that patient information is not compromised and really is almost seamless once your email program is set up to use the PGP plug-in. For those who wish to begin transferring patient records or image attachments electronically to referring physicians or remote offices, I would encourage you to take a look at PGP. It's freely available and easy to use. To get a copy, visit the International PGP Homepage.