Secure, encrypted email welcomed by BC’s healthcare industry

Medinet announces release of Medinet Mail

VANCOUVER, Feb. 17, 2012 /CNW/ – Medinet, British Columbia’s source of integrated electronic health solutions for physician offices and health authorities is pleased to announce the introduction of Medinet Mail, its secure email solution. Physicians using Medinet Mail can send secure and encrypted email messages to anyone with an email address. Using patented technology, senders can track each message to see when it has been received, taking the guesswork from medical communication. The system maintains its traffic on secure Internet mail servers located in Canada.

“The rollout of Medinet Mail is going extremely well,” says Medinet President John Culter. “We’re getting rave reviews, with a number of early adopter physicians sending secure, encrypted messages to colleagues and patients. With an unlimited file size attachment, the system is well suited to sharing confidential clinical information between general practice doctors and specialists. Health authorities are using Medinet Mail to help patients book appointments electronically, and to pass clinical information back and forth in advance of admission to hospital.”

Culter says, “We’ve been working on a secure email product for several years, and are delighted to be in partnership with Email2 SCP Solutions Inc, which provides the underlying technology for Medinet Mail. This product is the best developed, most secure and easiest to use in the marketplace today. Because of the capable programmable interface, users of Medinet Mail will be able to connect with Medinet’s over 15,000 users across the province. We expect it to become a significant solution in the drive to move BC physicians from their present dependence on fax into the new eHealth environment.”

Email2 SCP Solutions President Kirk Hamilton said, “We are delighted to have Medinet as our health market distributor for British Columbia. They have excellent knowledge of the market and a strong customer service focus to support the various health applications our Secure Messaging Platform can enable.”

Medinet Mail is powered by Email2′s Secure Messaging Platform, which provides a ‘cloud-based’ secure messaging platform architecture that makes email encryption easy to install and use. Founded in 2006, email2.com is a Vancouver business, delivering solutions across Canada and the US to governments, health, financial and legal service providers.

Visit email2.com for more information about specific applications and an overview of the security and privacy infrastructure.

For further information:

John R Culter, President
Medinet Health Systems Inc
jrculter@medi.net
604 742-8832 or 604 908-3119 (mobile)
www.medi.net

Kirk Hamilton, President
Email2 SCP Solutions Inc.
khamilton@email2.com
1 888 362-4520 ext 798
www.email2.com

The importance of guidelines to ensure Efficient and Effective email Use

“Most companies are grappling with email overload,” says Monica Seely, an email management expert at Mesmo and author of Brilliant Email. “Companies are losing up to 20 days per person per year, dealing with email poorly.”

Most of us would not disagree with these statements. But how many organizations have you encountered that have email guidelines in place – that are actually enforced?  The answer is likely none.

Having no email charter (that is adhered to) is like having no HR policies for staff (that are adhered to).  Payroll expenses and the inefficient use of email are some of the most costly expenses in most professional services organizations.  Implementing guidelines around managing these resources are not nice-to-haves, but rather fundamental business rules - and applicable to any size organization.  Having these guidelines in writing is not good enough. In order for them to be effective, they must be enforced and become part of the operational culture and house rules and become as second nature as, well,… sending an email.  Sending a flaming email or an unwarranted ‘reply to all’ with the dreaded ”thanks!” should become as unacceptable and ‘yesterday’ as scotches for lunch and smoking at our desks.

One can’t assume that staff ‘just know’ how to use email. Most individuals’ email training is simply non-existent and ends with opening their MS Outlook application and composing their first email.

Guidelines for when Secure Encrypted Email must be used

If you are on vacation and you want to send something generic to a friend such as “wish you were here”, you send a postcard. If the message or letter is more personal and you would prefer that only the intended recipent read it, you would send it in a sealed envelope.  The same principle applies in the business world.  Encrypted email is your sealed envelope (+). It can be more like a signature-required guaranteed delivered package, depending on the encryption service used.

Rarely covered in an email policy is the inclusion of guidelines around sending sensitive or client-confidential information. The sending organization or the sender who is including sensitive business, client, or employee information in an email is unequivocably responsible for ensuring that the information is secure and only seen by intended recipients. If a sender does not use email encryption, all information sent over the internet can be intercepted – and leaves the organization open to high risks of data leaks and breach of privacy and other regulatory compliance. It’s like sending a postcard into cyberspace.

Sample Encrypted Email Guidelines

Here’s just a sample of general guidelines that can be included in your email charter to address the use of encryption to ensure that sensitive content is only seen by intented recipients.

Encrypted email must be used:

1. When sending or discussing confidential, strategic, non-public, or classified business information.
2. For Board of Directors discussions.
3. When sending or discussing any type of client confidential, priviledged, or private information. Clients could include students, patients, citizens, or customers.
4. When emails include credit card numbers, social security numbers, passwords, logins or any recognizable format for sensitive information.  The use of data leak prevention tools here, is also key. Data leak prevention tools will recognize the format of email content, such as xxxx-xxxxx-xxxxx-xxxxx for credit cards, and prevent sending of the email or at least warn the sender to encrypt the email.
5. When attaching any kind of sensitive document to an email. Encryption is much more secure than including a password to open the document, which can be hacked.
6. By all legal and accounting staff working for the organization, or any staff who frequently deals with confidential information as part of their regular duties.  This may include IT, and Sales.
7. When communicating outside the organization with firms dealing with sensitive information such as legal, accounting and IT firms. In many sectors, such as the healthcare industry or public sector, guidelines would include a long list of external or partner agencies.
8. By HR staff when communicating sensitive employee information, AND when communicating with potential new hires and candidates – particularly when discussing or sending employment offers.
9. As an aside, secure email guidelines should also include guidelines for the topic of email delegates. How to communicate which staff members have delegates, and alternative communication methods to reach staff with delegates when ultra-sensitve emails are exchanged.  Navigating the sensitivities of email delegates can be challenging if guidelines are not in place.

Once communicated, email rules or guidelines should be adhered to and enforced like any other organizational policy.  With minimal training and reminders, email can be a highly effective communication tool. There may be a lot of talk recently about  rogue companies abolishing email all together as a way of dealing with the ineffective use of email. But the reality is that email is not going anywhere for the unforeseeable future.

It’s not the medium that’s the problem. It’s who uses it and how.

Contact us here if you would like to receive a complete email policy or guidelines template.

Ariane Laird works with Email2.

Email2 provides straightforward secure email encryption and data leak prevention solutions for various sectors, and uses the same security technology as Internet banking.

From your desktop to mobile, securely send, receive, control, track and automate delivery of confidential email and large attachments outside the organization. Brilliantly simple, anytime anywhere encryption – without requiring staff or recipients to change their existing email.

Not once did the Senior banking representative alert me that we should not be transferring this type of information when corresponding by unsecured basic email.  Nor did he provide me with an alternative secure email solution. He tends to be very customer-service oriented and understands and respects that my preference by far is to use the asynchronous communication method of email.  This way I can email him at midnight when it’s convenient for me, and he can respond when it’s good for him.

However, convenience and customer preference should never override the fundamental right to privacy or securing my ultra-sensitive information.  It’s also important to note that I bank with one of the 2 largest (and most profitable) banks in the country.  It is unequivocally the banking institution’s responsibility to 1) ensure that my confidential and private information is only seen by intended recipients and 2) accommodate my preference for email communication.  In that order, but preferably both.

When this uneducated and naive customer (me) finally understood that my emails were not secure and could easily be intercepted once it leaves my computer and travels through various nodes in the world ‘wild’ web en route to its final destination, I brought the subject matter up with my rep.  My aha occurred after 313 emails were sent to my banking rep - yes, I counted them – which does not include emails received.

After my inquiry, my banking rep advised in November of last year that he ‘did’ have access to an encrypted email solution, but did not seem to be that familiar with it.  He would get back to me.  I reminded him about this again the following January - after sending him 10 additional confidential emails during the 2 month lag.

He finally sent me a link to a web page for accessing their secure banking email. It was a one-page badly laid out and confusing user interface. It looked like a school project from a comp sci first year student. And that student would have undoubtedly received a ‘C’ for that project.  But the worst part of this experience is that the password for accessing the secure email site was created and sent to me by my banking rep using basic email!

I tried to respond to his encrypted email, but the ‘solution’ sent me a canned email requesting my ‘encryption certificate’ and to include my ‘digital ID’.  It read: “The easiest way to do this is to apply a digital signature to your reply using your e-mail software.”  Huh? The comp sci first year student who developed this tool clearly did not speak my language, which is English.   I emailed my banking rep to find out what this meant, and he replied that he may not have followed the process correctly.

And that was the end of that. (true story)

I came up with 3 conclusions as a result of this experience.

1.  Lack of Confidence that Humongous Bank cares about securing my Confidential Information

I have very little confidence that my humongous and well-established bank cares about securing my private and confidential banking, personal or financial information. It has not trained its staff to understand the importance of securing customer communication and passwords.  Does encrypted email only become a recommended option when a customer inquires about security?  I’ll also clarify that my banking rep has been with the bank for at least 20 years and is not a junior account rep.

2.  Banking & Financial Services 101: User-Friendly Email Encryption Solutions that work

Providing me with a secure and user-friendly email encryption solution without requiring a technology dictionary and a 10-page instruction manual to use it, is NOT a difficult task for an extremely profitable banking institution.  After all, they have figured out the technology and user-interface for Internet banking? The email encryption solution that I was provided has to be an embarrassment to any successful or progressive organization – but particularly one that provides financial services.

And let’s not forget about policies regarding basic email.  If financial services organizations are permitting their staff to communicate with customers using an unsecured email system, at minimum, data leak prevention policies and tools must be in place to ensure that if/when confidential information is included in a basic email such as bank account numbers, passwords or credit card numbers, then the sender would be alerted – if not prevented from sending the email.

It appears as though even humongous bank does not have to adhere to basic and fundamental principles in securing customer information and privacy.

3.  Banking & Financial Services Customers are Unaware that Basic Email is not Secure

My banking rep does not often use his email encryption solution and doesn’t seem to be familiar with it.  I am left to conclude that his hundreds of other banking customers are clearly not clamoring for their private information to remain secure, likely because most have no clue that email is not secure and that straightforward alternatives do exist.

To all banking or financial services customers, or any customer of an organization where your confidential information is exchanged:  Using unsecured email or fax is like shouting something across a crowded room.  If you are willing to take the chance that your private, confidential or financial information is intercepted and seen by the occupiers of a crowded room, then by all means, carry on with the status quo.  How about a nice order of identity theft with that email?

Ariane Laird works with Email2.

• Email2 provides straightforward secure email encryption, data leak prevention, and e-statement solutions for the financial service industry using the same security technology as Internet banking.
• Email2 enables financial services organizations to securely send, receive, control, track and automate delivery of confidential email and large attachments outside the organization – without requiring staff or recipients to change their existing email.

• Desktop Agent (PC) [BETA]
  The Desktop Agent is ideal for non-MS Outlook® Users and external or guest Users with individual personal email programs such as Gmail and Yahoo. The Desktop Agent acts as a secure productivity agent & notifier. It displays an icon in a User’s PC system tray and lets the user know instantly when they have a new secure message, or when their sent secure messages are read, replied to and forwarded – without having to open a web browser.

  The Desktop Agent also offers some convenient shortcuts for creating secure messages and instantly sending and sharing large files securely. It is responsible for all asynchronous and resumable uploads / downloads of large files and local desktop API integration. It can easily be installed from the web & mobile enabled Secure Message Center and it is available to all users.

• Asynchronous Large File Transfers [BETA]
  Instantly send and receive large files (tested up to 20GB) asynchronously. Large files can easily be sent and downloaded at high speeds (up to 4 times faster with the Secure Messaging Platform acceleration technology), from MS Outlook® to MS Outlook®, without requiring the User to log into an FTP server or a browser-based application with additional links to click. The Secure Messaging Platform eliminates all the challenges professionals encounter when exchanging large files using traditional and unsecure basic methods.

  It works directly within MS Outlook® without dealing with size and security limitations. It bypasses file size & security limitation & quarantined policies set by external organizations or by individual recipients’ existing email applications – such as Gmail® or Yahoo®. It eliminates the need for complicated FTP or external unsecure services such as DropBox® and MS SharePoint®. Finally, it eliminates saturation of email inbox storage limit; no taxing of the network – therefore reducing IT costs and overhead.

• Secure API Delivery
  Secure API Delivery automatically archives every secure message, decrypted, in your existing compliant email archiving or document management solution. A direct and real time API connection ensures that every secure message is archived, regardless of MS Exchange and journaling configurations. Secure messages can remain encrypted in the mail server (e.g. MS Exchange), but stored decrypted in the email archive store or document management.

  Administrator tools include the ability to archive all secure messages, or segment per email domains or User Groups. Files attachments are automatically archived with every secure message, with the ability to specify the maximum file size (e.g. 20MB). A complete activity log is available real time of all secure messages and file attachments archived, with the ability to retry entries that failed due to down time from the third party archiving tool. An option to use SLL / TLS is available and recommended if you use a third party SaaS / Cloud email archiving solution.

IMPROVEMENTS

Delivery Slip

• Fixed display issue where the FileFreeze (PDF) check box in the MS Outlook Delivery Slip was not aligned with the check boxes in the above sections.

Secure Message Center (Webmail)

• New Attachment Library column called ‘Actions’ now available with the following features: ‘Compose New Secure Message’, ‘Download’ and ‘Delete’.
• New Attachment Library folder labeled ‘All’ that is selected by default and displays all sent and received file attachments.
• Added new feature on the Login screen to ‘Bookmark’ the page so that users can add the login page to this list of bookmarks / favorites.
• Moved the ‘Forgot Password’ link at the login screen to be visible right below the Password field, before the ‘Login’ button (required for visually impaired users).
• Desktop Agent (PC) installation page, including wizard-like step-by-step procedure with detailed instructions and screenshots for non-technical users.
• Fixed issue when recalling a secure message, the User was unable to use the backspace key while editing the reason for recalling the secure message.
• Fixed issue with the Name Picker where an entry for every email alias was shown instead of just showing the Master account.
• Fixed issue where Name Picker did not allow sending an invite to a new account with a name that was a subset of an existing contact.
• Fixed issue with IE9 where replying to a secure message would add extra spacing.
• Fixed Usability issue for visually impaired users where the Label “Remember me on this computer” and “Keep me logged in (14 days)” check boxes were not labeled properly.
• Changed the label of ‘Mobile / Lite’ access to ‘Mobile / Accessible’ to clearly identify that this version should be used for visually impaired users.
• Fixed issue with long file names where adding a new file to a secure message from the Attachment Library would cause the file attachment to not display its file name properly.
• On compose, the cursor now properly displays at the TO: field instead of the body of the secure message. Additionally, when adding a new recipient, using the TAB key stays within context to add additional recipients. TAB twice takes the user directly to the Subject: field, third TAB takes the user to the body of the secure message.

Secure Message Center (Mobile / Accessible)

• Fixed issue with FileFreeze (PDF) where is the ‘prompt’ user feature was turned off, users could not send the secure message.
• Fixed Accessibility issues for visually impaired users where the ‘Browse’ button, TO: CC: BCC:, Tracking Options and the Tracking Gird were not labeled properly.
• Fixed issue with the Registration Page where tabbing to the next field wasn’t working properly.

MS Outlook Toolbar

• Fixed issue with sync Webmail sent items with Local Store: only new secure message are now synced and not all secure messages from the time the user account was created.
• Fixed issue with auto-retrieve sent items in local store whereby secure messages sent to Guest Users with ‘hide email address’ enabled did not convert properly into MS Outlook.
• Fixed issue where SMTP email address not configured with the domain extension (e.g. .com) would not activate in MS Outlook.
• Fixed issue where if there was a sender email address mismatch, SEND/CC/BCC yourself would cause a “Link removed” message instead of decrypting the secure message.
• Fixed issue where if a User stored a secure attachment in MS Outlook (or with auto-retrieve attachments on), the stored attachment was still viewable in the secure message even after the secure message was recalled.
• Fixed issue with FYEO where the receiving User should not be able to manually store attachments in the local store (e.g. MS Outlook) for a secure message marked as FYEO. The expected result is that attachments for FYEO messages should never be stored in the local store (e.g. MS Outlook).
• Fixed issue where with auto-retrieve sent items in local store turned off, secure messages with attachments would arrive in basic email (message notification) with both the placeholder and the attachment itself.
• Deprecated ‘@’ as the test to confirm the user SMTP email address in MapiHelper methods.
• Fixed issue with MS Exchange CachedDisconnected mode where if there was already an SMTP address in the cache, do not override it with the CN value, causing MS Outlook Toolbar activation problems.
• Fixed issue when loading the list of cached email addresses, the cached invalid entries are now removed (using regular expression).
• Changed user workflow to remove the ‘Auto-retrieve sent Items’ in local store option from the Toolbar. The expected outcome is that only as administrator should be able to set this feature from the Web Admin Console, and not at the User level from MS Outlook.
• Fixed issue where ‘hide email address functionality ignored the ‘Enable Local Store’ settings. This caused secure messages with disabled local store enabled to still store messages in MS Outlook.
• Fixed issue where ‘Auto Retrieve Sent Items’ in local store would also auto-retrieve attachments bypassing the ‘Auto Retrieve Attachments’ feature settings.
• Fixed issue where saving an attachment in MS Outlook would send 2 copies of the attachment on forward.
• Fixed user feedback warning message when selecting multiple basic emails, and then right click forward, the wrong warning message was displayed for MS Outlook 2010. The warning message has been replaced to: ‘To ensure that encrypted emails are not forwarded as basic unencrypted email, please use the ‘Forward as Attachment’ feature under the ‘More’ drop-down in the ‘Respond’ group of the Home Ribbon to forward multiple messages.
• Fixed issue with FileFreeze (PDF) feature where the ‘Cancel’ button would send the secure message converting the Word Document into a PDF.
• Fixed issue with Hosted Exchange where having a contact in both the local Address Book and in Hosted Exchange Profile (GAL) created a security conflict for sending new secure messages.

Desktop Agent (PC)

• Support for asynchronous large file transfers;
• Fixed issue where clicking “Check for Updates” caused the default logo to display in the Tasktray.
• Fixed issue where the forgot password link on the login window did not go to the correct URL.
• Fixed issue where if you unchecked “Remember me”, it did not work correctly on the login window.
• Fixed issue where if you sent 2 secure file attachments the subject of the draft secure message was incorrect.

Web Admin Console

• Ability to delete a client’s Secure Messaging Platform was added, even if the client’s data is part of a database that contains more than one client. [BETA]
• Fixed an issue where deleting a default User Group would return an error.

PEN Server Console

• N/A

Secure Messaging Directory

• N/A

Some of the findings are surprising, if not shocking given the attention and legislation put in place to deal with this topic. Lip service? One is really left to wonder.

The Data

When looking at the data, let’s also keep in mind that the survey targeted data protection professionals, with 43% of respondents holding the title of chief security officer, chief information security officer, chief information officer, chief privacy officer or chief compliance officer. Additionally, the sample was skewed toward larger healthcare organizations, “excluding the plethora of very small provider organizations, including local clinics and medical practitioners,” the report said.

There’s a lot of interesting (and highly disturbing) data in the report, but I’ll focus on only a few highlights according to healthcare organizations responding to the survey:

1.  96% have had at least one data breach in the past 24 months.
On average organizations have had 4 data breach incidents during the past two years. Breaches increased 32% from the previous year.

(96%?  Does that not sound a lot like 100%?)

2.  The top 3 causes for a data breach are:

1. lost or stolen computing devices
2. third-party snafu
3. unintentional employee action.

Even more troubling is the data in regards to what appears to be the prevailing and unsettling mind-set surrounding security as a priority.

3.  Staff do not understand the importance of patient data protection

1. 66% agree medical billing personnel do not understand the importance of patient data protection
2. 58% say IT personnel do not understand its importance
3. In contrast, 58% say administrative personnel do understand the importance of protecting patient data.

4.  Protecting patient data and privacy is not a priority for healthcare organizations

1. Only  29% of respondents agree that the prevention of unauthorized access to patient  data and loss or theft of such data is a priority in their organizations
2. Less than one-fourth (23%) said their organization has “encryption solutions  installed.”

Email Encryption – a minimum in healthcare prevention for breach of patient data and privacy

Let’s focus for a moment on the last piece of data shown in 4(2) above. Less than one-fourth (23%) said their organization has “encryption solutions  installed.”  This also means that healthcare organizations are not using email encryption (secure email) to communicate patient information securely. Which also ties into 3rd party snafus as one of the top reasons for patient breaches.

It seems that email encryption and secure communication should be at the top of the priority list as one of the first steps in securing patient information. The report cites the following types of compromised patient data:

• Medical file
• Billing and insurance record
• Scheduling details
• Prescription details
• Payment details
• Monthly statements

While the report does not provide details about how this information was intercepted, I think it’s a pretty good guess that the breaches were not related to the use of encryption technology. Using phone, unsecured email, fax, couriers, mail, or in-person visits to transfer or share private patient information is not secure and can easily be intercepted.

At the very least, healthcare organizations must adopt email encryption to communicate medical, insurance, scheduling and billing statements information with patients and other healthcare organizations.  Email encryption is well positioned to become the way of the future in healthcare communication, and it has the teeth to back up that privilege since it also addresses regulatory compliance with HIPPA and other technical security safeguard standards.  Its adoption must become as routine and pervasive as any other fundamental business practice in the healthcare industry.

51% named inadequate budgets for privacy and security as the top weakness in their healthcare organization’s security program.  Encrypted email is also a highly efficient and cost effective way to prevent patient privacy and data leaks – as well as providing enhanced patient services.  For example, sending monthly e-statements by secure email to patients and other healthcare providers is associated with significant cost savings, efficiencies, as well as the added bonus of a reduced environmental footprint.

If email encryption were adopted by the surveyed organizations today, the survey results would show significant improvements next year.  Guaranteed.

Ariane Laird works with Email2.

• Email2 provides straightforward secure email encryption, data leak prevention, and e-statement solutions for the healthcare industry using the same security technology as internet banking.
• Email2 enables healthcare organizations to securely send, receive, track and automate delivery of confidential email and large attachments outside the organization – without requiring staff or recipients to change their existing email.
• View our related blog post: 4 ways medical offices can use encrypted email to address compliance and productivity
  

No surprise, statements issued by the legal firms were predictable and generic.  But what struck me was that the issued statements included something that goes like this:  “We take our obligations of confidentiality to our clients very seriously”.

Following on to my blog entry in November, it sure doesn’t feel that way.

The medium most used by law firms to communicate with their clients is email.  I have and continue to use lawyers extensively for personal and corporate representation, including employment lawyers for the HR side of my life.  Not once has a law firm ever used email encryption or secure email to communicate with me.  Not only does the body of the email contain sensitive strategy conversations, but there are also numerous draft documents that are transferred back and forth as unsecured email file attachments.

Now I will concede that the information I am dealing with, such as personal family law matters or employee terminations are likely not as sexy or hack-worthy as the Potash deal.  But how do I know that this information is not being intercepted and reviewed?  Who is going to fess up if this happens?  It may be happening all the time and I just don’t know about it – and never will.

Email is a much easier target for attacks then any client file saved behind a legal firm’s firewall. Email leaves the relative safety of the legal firm and travels into the world ‘wild’ web through various passages and nodes before it gets to its final destination.  It can be intercepted at any time through its zig zagged and stopped-over journeys through cyberspace.

What we do trust is the technology used for internet banking to communicate and process the ultimate in high-risk and sensitive transactions because the protocol used to transfer information is as safe as we can get it. The transmission is protected by an end-to-end SSL pipe that cannot be intercepted.  When we see that additional ‘s’ in https:// in our browser, we are assured that it’s SSL protected – such as when we access internet banking or process a credit card transaction on line. Without that ‘s’, the information submitted is simply not secure.

It seems to make sense that we (clients) should be expecting law firms (and government) to begin taking client confidentiality as seriously as banks do, by adopting the same type of security technology used by banking to secure email communication with clients.  After all, whose responsibility is it to safeguard my (the client) confidential and ultra-sensitive information – the law firm or the client?  Addressing compliance and the law is also clear in echoing my feelings about this important topic.  It’s unequivocally the legal firm’s responsibility.

It really feels like it’s time for legal firms to put the ‘confidential’ back into ’priviledged and confidential’ for their clients.  Technology exists to help them do just that.

Join the discussion. Agree or disagree?

Ariane Laird works with Email2.

Email2 provides straightforward secure email encryption solutions and data leak prevention for government and law firms that uses the same security technology as internet banking.

Email2 enables professional services organizations to securely send, receive, track and automate delivery of confidential email and large attachments outside the organization – without requiring staff or recipients to change their existing email.

That may be the case in her world, but email continues to be the primary communication tool for organizations and that’s not going to change anytime soon.  Email allows senders and receivers to communicate asynchronously – meaning that each party does not have to be present at the same time to engage in the conversation. It eliminates playing telephone tag, in-person meetings, or the even more delayed methods of mail and couriers.

It occurred to me that as instant as email is, it does not provide the instant feedback that some of the other electronic communication methods provide such as Blackberry Messenger, Facebook, or Google Talk.

With these tools, one knows instantly that the message has been received and can even see the recipient typing a reply  (and can see when they stop typing and decide to never send the reply they’re typing – there’s a whole social game attached to that one, and another full blog entry for another time). But bottom line is that communication is in real time and instant feedback exists. Which is not the case with email.

There are many benefits to email, but one of the challenges is that you never really know what’s happening to your email after it leaves your sent box. What exactly is that email doing?  Did it get stuck in spam?  Was it intercepted?  Did it stop over in one of the many nodes it has to go through before reaching its final destination and decided it was a nice place to stay for a while?  Where exactly is it? And if you don’t hear back from the recipient within 24  hours, do you send another email asking if it was received? A sender is never really sure about the appropriate timing to reach out to the recipient to ask if they simply decided to not respond, or confirm that they received the message.

How many times have we heard from a recipient “I never got your email”?  I for one have both said or heard those words on many occasions.

The younger generation is impatient and don’t want to wait for a reply, and want to know what is happening to the words that have been sent electronically – and when it is being responded to – in real time.

Email would be a much better 2012 communication tool if we had better visibility into its life cycle.  It would be ideal if email was a hybrid of social media’s instant feedback and email’s asynchronous qualities of not having to be be present in real time to communicate.  A ‘Fedex’ version of email would solve this challenge. Send out the email communication with the ability to track its every move.  In other words, evolve email so that we (the sender) know and can get proof when an email is received, read, forwarded, replied to, printed, or deleted.

Otherwise, the next generation will continue to view email as the ’pigeon carrier’ of electronic communication.

Ariane Laird works with email2.

email2 provides features that guarantees email delivery and tracks and provides proof when an email and attachment is received, read, replied to, forwarded, deleted or printed.

email2 enables professional services organizations to securely send, receive, track, control and automate delivery of confidential email and large attachments outside the organization – without requiring staff or recipients to change their existing email.

I have always felt uncomfortable that email delegates have access to the sensitive information and confidential conversations I have with my colleagues.  I frequently avoided communicating important information on the fly by email or blackberry because I knew that someone other than the intended recipient had access to the email. And picking up the phone and calling 7 members of the executive team is never feasible – particularly on weekends or after business hours.  So I have to admit that communication was impeded and stifled, and sometimes fell through the cracks.

My personal view is that an assistant’s seniority or professionalism is not under attack here. An assistant is human and can negatively react to information they are often not equipped to understand.  And the executive has in-the-know team members to discuss the situation with. Assistants don’t, making it naturally challenging for them to refrain from sharing the information with close co-workers or family members.  To expect them to, may not always be realistic.

In my HR roles, I inevitably discussed terminations of individuals or organizational lay-offs with the executive team by email.  In order to secure private conversations, we had no choice but to exchange our private email addresses to engage in discussion.  In some cases, the termination was for the head of the IT department who would also have access to all corporate email communication (Yes, it’s true.  Bottom line is that IT folks have access to all emailed communication sitting on the server. Whether they read it or not is not the point. The point is simply that all emails are available to IT staff, unless a corporate security policy and technical features exist that prevent this capability).

Executives also have to be ‘talked off a ledge’ regularly by HR (who knew!) and some of these private discussions occur on email. I have very often exchanged private email conversations with executives with email delegates, by using our private email addresses.

Doesn’t it seem counter-intuitive that in order to secure a private conversation, an executive team has to go outside corporate email?

There are many other examples of super sensitive email conversations and file attachments that HR shares with senior individuals who have email delegates. Topics include salary increases, candidates for senior positions, re-organizations, performance challenges, budget cuts, and discussions about organizational ranking or identification of ‘must keep’ employees or bonus distribution - which may not always include the delegate as a high performer.

I am using HR as an example here, but there are infinite examples of situations where it may not be appropriate for delegates to read emails intended for executives. For example, the confidentiality challenges get even more complicated where external exchanges are involved. Mergers and acquisition discussions are particularly sensitive where financial liabilities are at risk when conversations are contractually bound by the confidentiality assurances included in non-disclosure agreements.

On a personal note, my husband has no choice but to use an email delegate to manage the hundreds of emails he receives every day.  My intention when sending him emails is not to have the carte blanche ability to send him inappropriate email content, but simply to deal with housekeeping items that could include a doctor’s appointment or input for a vacation budget decision.  But privacy is important to me, and I just would prefer that an email delegate did not have insight into my private life.  So fair enough. I have to respect that work processes and efficiencies are primary considerations, and I have no choice but to avoid sending him email messages.  Alternatively, sending him a message to his Hotmail account is futile since he is exclusively plugged into his corporate email account during business hours.

Individuals sending sensitive and private information to an executive may not know or forget that the individual has an email delegate who will have access to the information. What happens if an email includes content or feedback about the delegate?  Awkward! (it does happen - and HR is left to clean up the inevitable drama that ensues).

As much as an executive may view their delegate/assistant  in a can-do-no-wrong light and believes an implicit trust and loyalty exists between them, the rest of the team or other email senders may not know the delegate very well or share the executive’s enthusiasm about the individual. The concern about email delegates may never be disclosed by email senders to avoid conflict or discomfort – particularly if the email recipient is the CEO and at the very top of the food chain. The executive should not be in a position to impose a no-way-around-it experience for the sender who often prefers that only the intended recipient can read the email.

It may also not be fair to an email delegate to expose them to feeling ‘send resistance’ from senders or be expected to be neutral and unaffected by sensitive information – particularly at the initial raw discussion phase of sensitive topics or when context is missing that was previously provided in in-person meetings.

In my career, I have seen many mishaps and uncomfortable situations occur related to email delegates viewing internal and external sensitive information and related to senders not understanding that the email account is viewed by more than one recipient.   Executive teams would be well advised to enter into a discussion about how sensitive and confidential email is handled when a staff member has an email delegate, and about the risks and challenges associated with this type of communication flow . The team may be surprised to learn that some of the members around the table have never heard of the concept of ’email delegate’, let alone that some of the people around the table actually have one that is reading every email sent to that individual.  After all, are email delegates every discussed or disclosed as part of orientation? Is this information published anywhere?

Not that I’ve ever seen.

Join the discussion. Share your thoughts regarding email delegates functionality - particularly if you’re an email delegate. We’d love to hear your point of view.

Ariane Laird works with email2.

email2 prevents email delegates from accessing their managers’ ultra-sensitive emails when marked as ‘For Your Eyes Only’.

email2 enables professional services organizations to securely send, receive, track, control and automate delivery of confidential email and large attachments outside the organization – without requiring staff or recipients to change their existing email.

The sensitive information and super-confidential details included in the body of the email often include financial information and legal strategy discussions. Not to mention the email attachments which often include copies of financial statements or draft responses to opposing counsel.  This private information which is intended to be classified as ‘privileged and confidential’ can easily be cyber-attacked and intercepted.

My legal counsel exchanges confidential information with both me and opposing counsel.  The communication exchange methods include unsecured fax which can also easily be intercepted. Faxes are paper-based and are often printed in public office spaces.

I have never insisted on a secure email solution from my attorney because I naively felt that if there was a straightforward solution available, the law firm would undoubtedly have adopted it by now. After all, the responsibility for ensuring that confidential legal email exchanges remain secure lies with the legal firm, not the client.   But a recent situation with my legal firm has zapped me out of complacency and into insisting that my lawyer adopt an email encryption solution to secure my email transactions and records.

In this particular situation, my attorney and I were involved in hot negotiations with another party and working on a 10 page proposal to be presented to opposing counsel. As the client and active participant, I literally spent at least 15 hours working on the proposal to ensure it was positioned perfectly. To accomplish this, my attorney and I emailed 10 versions of the draft proposal back and forth as email attachments.

When it was finalized, I gave my lawyer the green light to send the proposal to opposing counsel. Unfortunately, the wrong version of the proposal was faxed to opposing counsel by the legal firm’s receptionist.  It was void of important changes in strategy and points included in the final version of the proposal.  Because it was sent by fax, there was no way to retract the proposal. Re-sending the correct version of the proposal to opposing council would only have served to highlight the changes in the document and divulge the evolving strategy.  There was nothing I could do except deal with my frustration.

The following ‘fix’ may appear biased. But this is a true account of my unfortunate experience, and email2’s secure email is truly the ideal solution to address the discomforts outlined in this blog post.

Firstly, email2’s secure email would ensure that my private email exchanges (and attachments) with my lawyer are as secure as internet banking.

Secondly, email2 would be able to repair the erroneous send of the older version proposal.  Had the legal firm adopted email2’s encrypted email solution, the message and file attachment could have instantly been recalled – even if opposing counsel had opened and read the email and attached proposal.  The email and attached wrong version proposal would have instantly been fully recalled (pulled) from opposing counsel’s inbox, and the correct version would have been re-emailed.

Third, I have also been in a position where the legal firm does not hear back from opposing counsel for weeks, and we’re never sure if opposing counsel has received or read the proposal. They simply go dark. Are they away? On vacation? With email2, my lawyer would have access to message tracking capabilities and instant visibility into what happens to an email after it’s sent. Was the message and attachment received? Read? Printed? Deleted? Saved?

email2 also provides functionality to prevent opposing counsel from forwarding, saving or printing the email and attachment for full control of confidential exchanges.

email2 does not require my legal firm or me (the client) to change their existing email – including my use of Outlook, Blackberry, or Yahoo.  So there should be no reason why clients can’t insist that their legal firm of choice adopt a solution that provides secure email and controls.

Join the discussion. Tell us your stories about unsecured communication with your legal firm.

Ariane Laird recently joined email2.

email2 enables professional services organizations to securely send, receive, track and automate delivery of confidential email and large attachments outside the organization – without requiring staff or recipients to change their existing email.

Canadian Government emailing confidential citizen information

The Canadian public sector is made up of thousands of different organizations with large numbers of staff, external partners and an even larger number of clients – namely the public and the environment.

The biggest challenge facing Canadian public sector organisations (PSOs) today is the ability to securely exchange confidential information with citizens and other agencies outside of government secure networks, as well as complying with Canadian privacy and other regulations.  The answer continues to be to simply restrict access or prevent the electronic flow of highly sensitive information. The result is that current rudimentary methods for exchanging sensitive information with the Canadian public and a wide range of other government agencies continue to include in-person visits, telephone conversations (and phone tag), faxes, regular mail and couriers.  Not only are these methods not secure, but they only serve to aggravate the new reality for PSO’s to reduce costs, increase efficiencies, offer 24/7 online convenience, and improve green initiatives. And in the end, do nothing to delight the customer!

email2 is made in Canada and has you covered.  We help public sector organizations delight their customers by providing encryption solutions to securely send, receive, track and automate delivery of confidential email and large attachments outside the organization – without requiring staff or recipients to change their existing email.

Made-in-Canada – secure email encryption solutions for Canadian government agencies

email2 is made in Canada and provides 5 email encryption solutions for public sector organizations to address specific needs relating to securing, tracking and automating the delivery of sensitive emails outside the organization.

1. Secure email and tracking
2. Enhanced email security including privacy compliance, data leak prevention, additional password protection, recipient permissions & authentication, message recall
3. Secure e-Forms. Accept citizen data input & attachments directly from an online form on a government agency website
4. E-Statements.  Automation and secure delivery of citizen invoices or notices
5. Email any-size attachments or ‘print screens’

1.  Secure email & tracking for Canadian government

• Email Encryption Plus provides encrypted email without the complications.  Offered as a cloud on-demand service that is deployed in minutes and uses the same security technology as internet banking.  It wraps around any existing staff and recipient email application so there’s no new software to learn and email encryption will actually be adopted.  Ìt’s as easy to use for staff, citizens and external agencies as remaining with their existing email application and mobile devices – including MS Outlook and Exchange, Blackberry, iPhone, as well as individual email programs used by citizens such as yahoo or gmail.
• Now email and attachments can be used by provincial Social Services case workers, CRA, school administrators, or justice ministries to instantly and securely communicate with citizens and other Canadian or provincial government agencies: Email sensitive citizen files or information including social insurance numbers, financial information, welfare documentation, taxation questions and answers, judgement orders.
• Eliminates telephone tag and allows for 24/7 asynchronous private conversations with citizens and other government agencies (ie: does not require that all parties involved in the communication be present and available at the same time).
• Email is guaranteed-delivered – and can be proven.  Tracks and proves when an email is received, read, replied to, forwarded, deleted or printed.
• Increases the Canadian public’s confidence by adopting a straightforward email encryption solution that ensures citizen’s private information will only be seen by intended recipients.
• Provides faster more efficient Canadian public services with anytime communication access and reduced in-person appointments, phone calls (and phone tag), and use of mail and couriers.
• Provides disabled or ill citizens who may be unable to use the the phone or attend in-person meetings, with a secure communication alternative.
• Can be deployed by a single department or throughout the entire organization.
• Learn more about Email Encryption Plus.

email2 offers the following add-ons for Canadian or provincial government, agencies or ministries that are all powered by Email Encryption Plus to ensure that emails are tracked, and sent and received securely without interception.

2.  Adresssing compliance & email data leak prevention for provincial ministries

• Data Leak Prevention provides enhanced email security for extra protection that sensitive citizen information won’t fall into the wrong hands.
• Instantly retracts email messages – even after the message has been read.
• Includes permission settings to prevent a recipient from replying, forwarding, saving or printing an email.
• Provides the option to include an additional layer of password protection for selected ultra-sensitive emails. Prevents even email delegates from reading the email.
• Prevents emails from being sent unsecured if certain words or patterns are included in the message.
• Authenticates recipients.  For example, a citizen may have to enter their SIN and birth date to authenticate their identity before they can access the secure email.
• Prevents data leaks and mitigates the risk of a breach of privacy of citizen information.
• Addresses compliance with privacy legislation.
• Provides additional email security tools for system administrators.
• Learn more about Data Leak Prevention.

3.  Secure e-Forms for Canadian Federal or Provincial government and citizens

Today, a Canadian citizen may visit a public sector organization’s office or website, obtain or print a form, fill it out in pen, and use time-consuming and unsecured methods for delivering the completed form such as in person office visits, mail, or fax.

• With Secure e-Form, any form completed by citizens or other Canadian or provincial government agencies can now be securely completed online.
• e-Form customizable fields are placed on any web page and are filled out by the relevant ‘customer’. e-Form does not require the existing web page to use SLL to safeguard the information submitted.
• e-Form also securely accepts uploaded addendum files of any size that may be relevant to the particular form’s subject matter, for example a copy of a birth certificate, passport, school transcript, driver’s license.
• Each completed form submission can trigger an encrypted email message that is sent directly to the designated government worker(s)’ existing inbox.
• The public sector worker can securely reply to the form submission and engage in a private conversation with the citizen or external partner -  without divulging the email address or the name of the worker.
• The submitted data is automatically entered into any third party application or government database, and eliminates time-consuming interpretation of handwriting, data entry, and data entry errors.  Reduces manual collection, filing, archiving and eventual destruction of physical forms.
• e-Form examples include: secured ‘Contact Us’ form, ‘Canadian Welfare Application’ form, ‘Canadian Employment Insurance Application’ form, ‘Canadian Passport Application’, ‘Provincial Student Enrolment” form.
• Learn more about Secure e-Forms.
• See an illustration example for securely completing annual public school student forms online, using e-forms.

4.  Canadian Government automation & secure delivery of citizen invoices, statements, or notices

Most Canadian public sector offices today, manually create and print statements, invoices or notices, place them in envelopes, and mail them to citizens.

• Realize guaranteed efficiencies and cost savings using email2′s automated e-Statements that securely emails hundreds or thousands of citizen notices overnight.
• e-Statements automatically extracts sensitive details from any third party database used by the public sector offices.  Content is generated in a format that is ready to be sent directly to citizens’ existing inboxes via encrypted email.
• Eliminates the need for building a secure portal where citizens are required to link through to a website and have to remember logins and passwords to access their information. Now, all relevant information is securely delivered via email or attachments to recipients without the need for additional steps and linking outside their email inboxes.
• Email Encryption Plus features are used to guarantee email delivery and track and prove when a notice has been received, read, printed, saved or deleted. Prevents statements such as “Sorry, I never received it” or “It got stuck in spam” and significantly shortens notification and payment cycles.
• Data Leak Prevention features are used to authenticate citizens, and set recipient permissions including limitations for replying to, forwarding, saving or printing emails and attachments.
• e-Statements improves Canadian government green initiatives and provides an immediate savings of 80% or more by eliminating waste and costs associated with creating, printing, mailing or faxing notices.
• Other applications for e-Statements could include Provincial Healthcare invoices, Canadian government employee pay stubs, citizen account statements, CRA tax return confirmations.
• Learn More about e-Statements.

5.  Emailing large file attachments and ‘print screens’ by Canadian Provincial or Federal government agencies 

• Now encrypted email can be used to send and receive any-size file attachments by Canadian government, so there’s no worry about sending that 10 MB, or even that 50 MB file.
• Bypasses file size & security limitation & quarantined policies set by external government agencies or citizens’ existing email applications – such as gmail or yahoo.
• Eliminates the need for the use by Canadian government or citizens of complicated FTP or external services such as DropBox.
• Eliminates saturation of email inbox storage limit. No taxing of the network – reduces IT costs and overhead.
• Provides storage, permissions, search and download functionality for file attachments.
• All file attachments are saved in a Permission-based Library making it easy to download, store, search and set permissions.  Eliminates Canadian government staff searching through email inbox for a specific file.
• ‘Print to Secure Message’ feature provides Canadian public sector professionals with the unique ability to instantly ‘print screen’ what is viewed on screen – regardless of the length of the page or what application was used to view the information – and send the file via encrypted email.  Any scanned document or any content that is typically sent to a printer and distributed via fax, mail or courier will benefit from the PSM feature.  For example, instantly and securely email Canadian student records or Canadian tax information even if they are rendered by specialized applications.
• Learn more about Large File Attachments & PMS.

Learn more about email2 products.

Ariane Laird works with email2, provider of encrypted email and patented compliance and secure content delivery features used by thousands of professionals.

Definitions:  Canadian or provincial public sector organizations can include Federal or Provincial government agencies, Federal or Provincial government ministries, social services, CRA, Provincial employment standard branches.