Secure email

Hello

Dentist here and noob PC enthusiast. Colleagues and I use Outlook for emailing patient referrals back and forth - dental radiographs - names, addresses, DOB, contact tel nos, email addresses...

During the pandemic emailing patients information about their care is more common.

The NHS has issued secure email addresses to NHS dentists. Although I wonder what NHS secure means - I know WannaCry was an issue, so there is a level of irony there? Many dentists are reluctant to use email because of GDPR and security.

My question is - what is more secure than Outlook?

Is there a more secure way for private practice colleagues to email their patient information to me - and for me to email information to colleagues and patients?

Is protonmail something to look at - or would it make no difference?

It may be necessary to explain it like I am 10... thanks pod
 
It might not be a question of what is more secure than Outlook; maybe they will issue email systems themselves for all practitioners to use. Other than that I have no idea what could be more secure than Outlook/O365.

I would ask them for sure what they envisage.

That is reassuring.
 
Recent Outlook versions backed by Office 365 are probably about as secure as you reasonably need a solution to be, assuming you Microsoft everything?

Are you hosting your own email accounts at the moment and just using outlook to connect to them instead?

User training and enabling provider features like Safe Links etc. if available is sane; your provider might also provide scanning for dodgy attachments etc. as well.

If you're hosting your own email or running an older SMTP server or POP3 yourselves, just stop and use the NHS accounts or something from a big provider. Unless someone at your practice is a proper sysadmin, it's very easy to build email systems that are fragile/vulnerable/insecure etc.

I am just using 2 email addresses via Outlook. Not hosting as far as I understand. The email addresses are our names plus our company domain name - dot co dot uk.

I host the domain on Dreamhost.

Colleagues email and send PDFs and JPEGs to me. I send them emails, MS Word docs (letters) and JPEGs.

A facility to send in information via our website using a contact form and 'upload' jpegs or pdfs is going to be useful. My understanding is that it needs to be saved securely.
 
Do you all not get an NHS email address? I know the ones around my way do when they work directly with the NHS.

Hi, and thanks for posting by the way I am grateful. I am in private practice. I could ask for one or two addresses. Our current email addresses are on our literature so using those is ideal.
 
Outlook, or any client for that matter, is not the issue; the issue is generally in transit. It's all about how it's configured at the back end, and you will need to know this to answer their question. For proper email security you can implement S/MIME within Exchange, which leverages Active Directory Certificate Services and the certification authority in AD. S/MIME offers end-to-end encryption using private/public key infrastructure and offers security over and above that of deterministic TLS (transaction layer security). We use it to communicate with many of our clients. Can it be done? Absolutely, but both ends would need to publish their certificates to each other's stores and make revoked certificate information available to each other. Why not ask the NHS for their partner document for these secure addresses? It's what often happens to us and is why we run S/MIME in the first place, i.e. we were forced to by a big multinational.

Put simply, have a look/read up on S/MIME and, if not already, make sure that you are running at least TLS. Some cloud providers have partners that can offer additional layers of security, so if you don't run your own infrastructure talk to your vendor about TLS and S/MIME. Even if you do run your own infrastructure and use S/MIME, TLS and other security features, you can also tag on in-transit security as the mails leave/enter your network with services such as MessageLabs (which I think is now part of the Symantec/Veritas cloud), Zscaler, Mimecast and other similar services. Personally I leverage Exchange with S/MIME using our own certification server, Veritas for mail continuity, MessageLabs for in transit and Zscaler on the proxy for web traffic.

Hi Vince thanks for posting. I am going to let the IT Pro-ness wash over me. Very interesting and I am going to research the above.
 
I would be very tempted to move your email over to O365 and use webmail, OR as you say ask for an NHS email if you are working directly with the NHS.

I'm not saying Dreamhost isn't secure, but I think it could be more secure by moving it over. I hadn't even heard of Dreamhost until now. :)

As Vince has pointed out it isn't just the client it is the transport of the emails and the ability for someone to intercept them in the middle between you and the servers. There's a good chance this is also what they are talking about.

You could always forward your email address to the NHS one until you update all your leaflets and signs etc.; that would be fine to do. :)

Hi. Could I ask a noob question - could you explain what you mean by "move your email over to O365"? Do you mean change to outlook.com addresses?
 
You can still use Office 365 with your own domain. Everything gets filtered at Microsoft rather than your host.

You also get your own control panel to manage all your users, and usually the licensing is done by the host you choose.

It doesn't cost the earth either and you can then use webmail with your own domain.

Changes are required with your current domain host that would point to the Microsoft system, but I don't recommend you doing it yourself unless you know how to do it. :)

https://www.microsoft.com/en-gb/microsoft-365/business-variant

On top of this you can also add other features if you really wanted to, depending on your budget, like Microsoft Teams, Office licences etc. :)

Thanks, that's really great to know. I already buy 365 for home at ~£50/£60 a year, so this looks great. I will have a read! No, I don't know how to do it! I will have a read - a pal has a WordPress IT business - poor guy - he may get the pleasure!
 
Just because someone can do WordPress doesn't mean they know how to manage O365. It's a special area when setting this up, migrating etc.

You could save money by migrating over to it for your business, and you can add as many users as you need and control your business from one control panel. It's 100% worth looking into as it's not expensive.

That's great BA I will have a read about it - thank you.
 
It's worth finding out :) It will make it much easier to point you in the right direction :) O365 may not be the easy choice depending on what they ask for.

I said I was a noob! When I check my email I do it in Chrome. The address is https://outlook.live.com/mail/0/inbox

My email address is me at my domain name which is hosted on Dreamhost.

Does that answer your question? Haha

I am guessing that is webmail? Could be wrong.
 
Your email resolves to Microsoft's Hosted Exchange platform, aka O365. Now all you need to work out is if you run a hybrid, i.e. do you have an AD server locally?


Your host, like all other hosts, simply rebrands ("white-labels") Microsoft's Hosted Exchange Platform. In terms of integration it shouldn't be too hard to link things up. I'll have a little read of the NHS documentation also.

So if you go here:

https://support.nhs.net/knowledge-base/technical-pre-requisite-tasks/

You can see the following chart of pre-reqs:


To me it looks like they are just enforcing TLS, so on O365 you should be good to go. Other checks for non-O365 seem to be around checking for open relay and split-tunnel VPN? Not sure why, as all that is doing is forcing remote clients out over local for internet-based services. Likely this is to protect NHS bandwidth. But pretty much they are enforcing TLS.

Just so I understand this correctly. When you say good to go....does that mean I am already running TLS and my current set up is the equivalent in security?

Or does that mean there is some work to take place - AD server local (I know the tune but not the words here...) - and with that work it will be the equivalent in security, and local colleagues should not fear emailing patient info back and forth?

I am sorry to have an utter noob understanding - I am a much better dentist! I may be AFK for a while shortly. Many thanks to all btw.
 
I added a bit to my previous post. Really it boils down to (and I can't get to this bit for obvious reasons): sign up to the service, then you can enter 10 email addresses to pre-auth against a single address at the NHS side. (Their side is already set up and enforces TLS via a receive connector; basically that bit you don't need to worry about.) I am pretty sure you will register your addresses and then they will pre-authenticate those email addresses against the address provided by them to you. At which point, providing your server supports TLS, you can simply send an email; if the TLS handshake is successful your email will arrive to them.
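The mechanism Vince describes above, as an added Python example that is not part of this thread or of any poster's setup: after the EHLO exchange the receiving server either advertises STARTTLS or it does not; if it does, the sending server upgrades the connection before the message is sent, and a receiving side that requires TLS simply never sees the message otherwise. The second function is the after-the-fact check for the question of whether a message "is already running TLS": a mail that arrived over TLS is normally recorded in the `Received:` header written by the receiving server. The EHLO replies, hostnames and message headers below are constructed, and the "mandatory TLS" domain list is an assumed sender-side policy, not something the NHS documentation linked on this page specifies.

```python
"""Transport-TLS checks for SMTP mail (added example; all data constructed).

1. starttls_offered / delivery_decision: the sending server's view after EHLO.
   If the receiving server advertises STARTTLS (RFC 3207) the session is
   upgraded before the message is sent; if not, delivery continues in clear
   unless local policy makes TLS mandatory for that recipient domain.
2. tls_hops: read the Received: headers of a message that has already arrived
   and report, hop by hop, whether the receiving server recorded a TLS session.
"""
import re
from email import message_from_string

# Constructed EHLO replies. Capability lines are "250-KEYWORD"; the final line
# uses a space instead of the dash ("250 KEYWORD").
EHLO_WITH_STARTTLS = (
    "250-mx.example-receiver.test Hello\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250-8BITMIME\r\n"
    "250 OK\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-legacy.example-receiver.test Hello\r\n"
    "250-SIZE 10485760\r\n"
    "250 8BITMIME\r\n"
)

# Assumed sender-side policy (not from the NHS document): domains whose mail
# must never leave in clear.
MANDATORY_TLS_DOMAINS = {"nhs.net"}


def starttls_offered(ehlo_response: str) -> bool:
    """True if the EHLO reply advertises the STARTTLS extension."""
    for line in ehlo_response.splitlines():
        if line[:3] == "250" and line[4:].strip().upper() == "STARTTLS":
            return True
    return False


def delivery_decision(recipient, ehlo_response, mandatory=MANDATORY_TLS_DOMAINS):
    """What a sending server does with a message for `recipient` after EHLO."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if starttls_offered(ehlo_response):
        return "deliver over TLS"            # STARTTLS first, then MAIL FROM/RCPT TO/DATA
    if domain in mandatory:
        return "defer: TLS required but not offered"  # queue and retry; never send in clear
    return "deliver in clear"                # opportunistic TLS: fall back silently


# Constructed message. Received: headers are prepended by each server, so the
# top one is the most recent hop (into the final mailbox server).
SAMPLE_MESSAGE = (
    "Received: from mail-out.example-sender.test (mail-out.example-sender.test [203.0.113.10])\n"
    "\tby mx.example-receiver.test with ESMTPS id 4AbC123\n"
    "\t(version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256);\n"
    "\tMon, 1 Jun 2020 10:00:02 +0000\n"
    "Received: from desktop.example-sender.test (unknown [192.0.2.5])\n"
    "\tby mail-out.example-sender.test with ESMTP id 9XyZ789;\n"
    "\tMon, 1 Jun 2020 10:00:00 +0000\n"
    "From: colleague@example-sender.test\n"
    "To: me@example-receiver.test\n"
    "Subject: Referral\n"
    "\n"
    "Body omitted.\n"
)


def tls_hops(raw_message: str):
    """Per Received: header (newest first): receiving host, protocol, TLS seen?"""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold the header onto one line
        by = re.search(r"\bby (\S+)", flat)
        with_ = re.search(r"\bwith (\S+)", flat)
        proto = with_.group(1) if with_ else ""
        # RFC 3848 "with ESMTPS"/"ESMTPSA", or the "version=TLS..." clause that
        # Exchange Online and Gmail write, both mean this hop used TLS.
        tls = proto.upper().startswith("ESMTPS") or "version=TLS" in flat
        hops.append({"by": by.group(1) if by else "?", "with": proto, "tls": tls})
    return hops


if __name__ == "__main__":
    print(delivery_decision("someone@nhs.net", EHLO_WITHOUT_STARTTLS))
    print(delivery_decision("someone@nhs.net", EHLO_WITH_STARTTLS))
    for hop in tls_hops(SAMPLE_MESSAGE):
        print(f"{hop['by']:<32} {hop['with']:<8} TLS={'yes' if hop['tls'] else 'no'}")
```

Two things worth noticing in the output. The sample message is protected only on the hop between the two mail servers; the first hop, from a desktop to its own outbound server, is recorded as plain ESMTP, and a "TLS in transit" claim only covers the hops that were actually upgraded. And the sender-side policy is what distinguishes "mandatory" from "opportunistic" TLS: with the same EHLO reply, the policy decides whether mail to a non-TLS server is deferred or quietly sent in clear, which is why ordinary correspondents with TLS-capable providers are unaffected.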

Final noob question before I give you a break and I get some UV... I assume other non-dental folk will be able to email my regular email address - is that correct?
 
Correct - TLS is deterministic for that very reason :) Also - sorry I keep updating posts, more again above!

Vince, thank you very much indeed. I will have a read, and thank you for your kind offer.

I am grateful to be able to ask advice from you all and it increases my IT-IQ, thank you. :D
 