How to share information securely in online support groups

September 21, 2014

Pathcare is a HIPAA-compliant service for sharing and private messaging with support group members and support group leaders and faciliators. Inside the Pathcare private social network for healthcare– you don’t have to worry about your personal or protected health information being disclosed.
But sometimes – you have to get off the private social network for healthcare and send a doctor some information by email.
You think, that should be easy, you’ll just fire up Gmail and then what happens? How do you protect your personal information from being read by someone else besides the recipient?  In this day and age of Snowden you cannot be blamed for being paranoid even if truth be told it is friends and family breaching patient privacy – not hackers and whistle blowers
The only problem is Email encryption software is clumsy and hard to use and an unexpected surprise for your recipient.  You don’t want to have to walk your doctor through a lengthy tech support telephone conversation  after you sent her your first encrypted email. Of course that will be hours after you’ve managed to get the necessary software installed and worked out how to generate your key pairs etc.
We have been longing for a user friendly encryption product for years, one that can be used by anyone and that will allow your recipient the ability to decrypt it without the need for them to buy the same software or even install something on their PC. Most people don’t understand encryption and have no wish to learn the finer points. They just want a method of exchanging potentially sensitive information securely.
The Answer
Finally smart technology is allowing the emergence of this type of encryption product. Software that allows you not only to encrypt emails and their attachments but also much larger files for exchange via cloud servers, thumb drives, CD ROMs even DVDs. The clear front-runners in email encryption make use of identity-based encryption.
Why Identity-based Encryption?
There are three very good reasons why identity-based encryption is highly desirable:

  • With identity-based encryption you immediately ensure you link the private data to be shared with the intended recipient.
  • You can negate the need to create another password that has to be remembered.
  • You don’t have to burden the user with the need to understand “key pairs” along with the exchange of their public key.

Think about it, the one thing that will be unique when emailing someone is his or her email address! A system where a user’s email address is bonded in this way can generate key pairs associated with the address. These keys will be used to encrypt and decrypt any emails the user requires protecting.
No Limits
But why limit it to just emails? Some software products of this type allow the same simple system to be used for; files, disks, thumb-drives, CD-ROMs pretty much anything you require to be encrypted.
How Does It Work
Let me try to explain in simple terms how this all works. Every email or data file you want to encrypt and subsequently share with someone else has to be encrypted using that persons “public key”. Their “public key” will have a twin known as a “private key”. Together they are known as a “key pair”. The “private key” of an individual is used to decrypt something that has been encrypted with it’s twin or “public key”.
OK, so now we need a method of exchanging “public keys”. By generating and then associating the “key pair” with someone’s email address you have automatically produced a unique “key pair”. The system will know if you are sending an encrypted message to Fred it must generate a “key pair” for Fred. Using Fred’s “public key” it will then encrypt the message. When Fred receives his encrypted email he will be asked to retrieve his private key by logging onto the system using his email address, which will be used to authenticate him and then automatically decrypt his message.
These matching key pairs can be one-time pairs that will only apply to each email or data exchange further improving the security. Since each key pairing is only good for one exchange if they were to be compromised it does not result in and future or past exchange being put at risk, clever!
What to Look For
Considerations to bear in mind when selecting this type of product are;

  • How good is the algorithm being used?
  • Has the algorithm been implemented correctly?
  • Has sufficient entropy been collected to utilise the full force of the algorithm?

Say what? I know! This is where it gets quite technical. However there are some products out there that have been independently certified by experts in the field so that you can take assurance that the product offers robust protection. Try out   Egress’s Email Encryption software called Switch. Looks like it answers all the above requirements for robustness and user-friendlieness.

More Articles