Ted works in the billing department of a large university’s medical clinic. He replies to an email request for billing information from their associated hospital partner.
Ted knows this message contains sensitive information for a recipient outside the university’s network. Therefore, he tags the email as Confidential to encrypt it before sending. Ted also includes a set of instructions to the recipient explaining how to decrypt and read the sensitive message and re-encrypt any replies.
With over 10,000 faculty and staff email users on ECU’s Exchange email system, one of the biggest concerns on campus is the accidental breach of sensitive information such as FERPA, HIPAA or PCI through email. This can happen when an email containing sensitive information is sent unencrypted to a recipient outside the ECU network. The message could be stolen while en route or inadvertently sent to the wrong recipient.
All faculty and staff now have the ability to send encrypted email and are required to do so when a message contains sensitive information to an outside address. Fortunately, this is a simple matter of either tagging the message as CONFIDENTIAL or typing [sendsecure] in the subject line.
What is Encryption?
Encryption uses a mathematical algorithm to scramble electronic text in an email or document so that it can only be read by the recipient who has the key to unscramble (decrypt) the information back to a readable form.
It is the easiest and most practical method of protecting data stored or transmitted electronically and is particularly essential with sensitive data. Even a single failure to encrypt sensitive data, whether through email or via a stolen flash drive or laptop, can result in a security breach with criminal or civil liabilities and irreparable harm to finances and the reputation of the university.
When is Encryption Required?
If an email containing sensitive information is addressed to a recipient outside the ECU network, it must be encrypted by tagging it as CONFIDENTIAL or typing [sendsecure] in the subject line. To decrypt and read the email, the recipient registers once with Cisco.
Note that all messages in a conversation – replies and forwards – must be encrypted before sending.
To see step-by-step instructions for both encrypting and decrypting an email: http://www.ecu.edu/cs-itcs/email/upload/EncryptEmail2010-13.pdf
What is Considered Sensitive Information?
Examples of sensitive information include:
- Social Security number (SSN)
- credit & debit card number
- driver’s license number
- personally identifiable patient information
- personally identifiable student information
- personnel information
- proprietary research data
- legal data
Learn More about Sensitive Information at ECU
To learn more about sensitive information at ECU, visit the following websites:
Guidelines for Protecting Sensitive Data – http://www.ecu.edu/cs-itcs/itsecurity/Sensitive-Data.cfm
Compliance and Regulations – http://www.ecu.edu/cs-itcs/itsecurity/regulations.cfm
Email Encryption – http://www.ecu.edu/cs-itcs/email/encryption.cfm
HIPAA Policies – http://www.ecu.edu/PRR/12/60/
FERPA Policies – http://www.ecu.edu/cs-acad/registrar/FERPA.cfm
Payment Card Industry (PCI) Information – http://www.ecu.edu/cs-admin/financial_serv/pci/index.cfm
Social Security Number Regulations – http://www.ecu.edu/ssnresource/