Working with a US employer and a US healthcare management company. They cannot send emails to each other because the emails contain PHI. The emails get caught by DLP and sent to a captive portal. The captive portal is holding the PHI documents in the cloud, who knows where. The captive portal corrupts the message to unreadability. Opportunistic TLS is already available throughout the entire path. And the email is encrypted at each hop. 1/3 #securityTheater #privacyTheater #PHI #email #privacy
The solution from the healthcare management company is to use "enforce TLS" on the email. Enforced TLS sounds fine until you look at the details. Both companies use a 3rd party email filter/DLP. Enforced TLS only applies to the email in transit between the 3rd party companies. It does not cover encryption in transit between each company and the respective 3rd party email filter or encryption at rest on the 3rd party servers in the cloud. 2/3
The company managing the healthcare management company's email employs foreign nationals not on the same side of the globe. Any changes are at best a 24-hour turnaround. But these theatrics are sufficient for the healthcare management company to allow emails containing PHI to not be captured by the captive portal. No wonder we have data leaks. No one considers the bigger picture and all the exposure points. 3/3
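The "encrypted at each hop" claim from the thread is something you can actually check from a delivered message: each receiving MTA writes its own Received: line, and the "with" keyword in it (ESMTPS / ESMTPSA per RFC 3848) records whether that SMTP session negotiated STARTTLS. The script below is an added example, not code from the thread or from either company; the sample message, hostnames and IPs are constructed (RFC 5737 documentation ranges) to mirror the path described, employer -> DLP vendor -> filter -> healthcare company, with TLS recorded only on the middle hop between the two third parties. A TLS flag on one hop says nothing about the neighbouring hops, and nothing at all about encryption at rest on the relay that wrote the line.

```python
"""Classify the hops in a message's Received: trail by whether SMTP TLS was used.

Added example, not code from the original thread. Per RFC 3848 the receiving
MTA records ESMTPS / ESMTPSA when STARTTLS was negotiated on that hop and
ESMTP / SMTP / ESMTPA when it was not. Assumption: each relay records its own
hop honestly; a relay can write anything into the Received: line it adds, so
this is an audit of what the relays claim, not a proof.
"""
import re
from email import message_from_string

# Keywords that mean the session used TLS (RFC 3848, UTF8 variants RFC 6531).
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

_FROM = re.compile(r"\bfrom\s+(\S+)")
_BY = re.compile(r"\bby\s+(\S+)")
_WITH = re.compile(r"\bwith\s+(\S+)(?:\s+\(([^)]*)\))?")

# Constructed sample message (not a real email). Received: headers are listed
# newest first, as an MTA prepends its line on arrival.
SAMPLE = """Received: from mx-filter.example.net (mx-filter.example.net [203.0.113.10])
        by mail.hcm-corp.example (Postfix) with ESMTP id ABC123
        for <clinician@hcm-corp.example>; Tue, 5 Mar 2024 10:02:11 -0500
Received: from outbound.dlp-vendor.example (outbound.dlp-vendor.example [198.51.100.7])
        by mx-filter.example.net with ESMTPS (TLSv1.3 TLS_AES_256_GCM_SHA384) id XYZ789;
        Tue, 5 Mar 2024 10:02:09 -0500
Received: from smtp.employer.example ([192.0.2.25])
        by outbound.dlp-vendor.example with ESMTP id QRS456;
        Tue, 5 Mar 2024 10:02:05 -0500
From: hr@employer.example
To: clinician@hcm-corp.example
Subject: benefits enrollment

body
"""


def _grab(rx, text):
    m = rx.search(text)
    return m.group(1) if m else "?"


def parse_received(value):
    """Turn one Received: header value into a hop record."""
    v = " ".join(value.split())  # unfold continuation lines
    m = _WITH.search(v)
    proto = m.group(1).upper() if m else "UNKNOWN"
    return {
        "from": _grab(_FROM, v),
        "by": _grab(_BY, v),
        "with": proto,
        "tls_params": m.group(2) if (m and m.group(2)) else None,
        "tls": proto in TLS_KEYWORDS,
    }


def audit_hops(raw_message):
    """Return the hops of a raw RFC 5322 message in sender-to-recipient order.

    The first Received: header in the message is the most recent hop, so the
    list is reversed to read chronologically.
    """
    msg = message_from_string(raw_message)
    headers = msg.get_all("Received") or []
    return [parse_received(h) for h in reversed(headers)]


def unencrypted_hops(hops):
    """Hops whose receiving MTA did not record a TLS session."""
    return [h for h in hops if not h["tls"]]


if __name__ == "__main__":
    for i, h in enumerate(audit_hops(SAMPLE), 1):
        flag = "TLS  " if h["tls"] else "PLAIN"
        extra = f", {h['tls_params']}" if h["tls_params"] else ""
        print(f"hop {i}: {flag} {h['from']} -> {h['by']} ({h['with']}{extra})")
```

Run against the constructed message it reports hop 1 (employer to DLP vendor) and hop 3 (filter to healthcare company) as PLAIN and only hop 2 as TLS, which is exactly the gap the thread describes: "enforced TLS" between the two third parties leaves the legs to and from each company's own mail system, and the storage on the filter, out of scope. Feed it a real message (`audit_hops(open(path).read())`) to see which of your own relays are recording TLS; remember that a hop marked TLS only tells you the session was encrypted, not whether the certificate was validated or where the message was written to disk afterwards.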