1. ProofPoint email Encryption Project Kansas Health Solutions Patrick Yancey, Director of Information Technology

2.  Clear text email sent over the Internet is not secure!  It’s kind of like a message sent on a post card.  Anyone can read the message along the way.  It’s actually riskier than a post card  email may be copied multiple times along the way.  Copies may be included on server backups at various points between the sender and receiver.  May be inspected by various firewalls through which email passes.  IT staff members at any point along the way might have access to the message contents.  File attachments are also at risk.

3.  HIPAA has imposed tougher requirements.  Business associates once accountable to the covered entity are now liable for governmental penalties.  Penalties for a HIPAA violation have been expanded.  Under recent HITECH rules, those who enforce the rules and levy fines now have a financial incentive to do so. HIPAA

4.  Legal statutes call for more safeguards.  Best practices demand higher security.  Simply put:  Unencrypted email is like an open lock  It can be intercepted by unauthorized parties.  Sometimes inadvertently.  Sometimes with malicious intent.  Can result in significant loss.  Loss of reputation.  Loss of customers.  Costly fines.  Cleanup costs related to notifying customers, credit monitoring, etc.  Let’s not forget the potential hardship on our customers!

5.  Yet business partners need the ability to exchange important information.  Providers need to communicate  With hospitals  With KHS  With SRS  With patients  With each other

6.  What this all means:  We need to communicate but there is big risk  Encryption is paramount.  Management of security policies is of the utmost importance.  There is need to deploy appropriate technology to protect data.

7.  In the current environment under which we operate:  The need to communicate is high  The need for security is high  The risk is high

8.  The work of the ACMHCK IT Committee  Identified the needs of the partner organizations  Developed a specific set of requirements  Considered security protection, ease of use, ease of administration, capacity, cohesiveness and affordability.  Identified potential software/hardware solutions  Compared alternatives relative to requirements  Held a vendor demonstration day  Opportunity for vendors to pitch their product(s)  Made a unanimous selection on a unified solution.

9.  ProofPoint enterprise gateway-to-gateway secure email transfer. Provider KHS Providers and others outside of federation

10.  Defends against inbound threats  Prevents leaks of information  Acceptable use policies, ePHI, confidential messages, HIPAA, confidential documents  Encrypts sensitive information  On demand or automatically through message text analysis  Desktop to desktop, gateway to gateway, policy based  Provide analysis of messaging infrastructure  Message tracking, Compliance, Investigation

11.  Makes ad hoc, secure communication just as easy as traditional, non-encrypted messaging.  Automatically and dynamically applies encryption based on organization policies.  This is done at the gateway.  Compliance, data loss prevention and content security policies are consistently and accurately applied on an as-needed basis.  Recipients can view encrypted email through their email client (Outlook) or through an easy-to-use web- based interface.

13.  Separate, but together- the Federation  A collection of security domains that have established relationships for securely sharing resources  Provides unified email services through cross-domain communication and management of services  Provides encryption all the way down to each desktop within the Federation  Configuration and rules enforcement for each domain device is independent of other federation devices Provider KHS The Federation

14. Email encryption federation partners SouthwestBert Nash CrawfordWyandotte ValeoEast Central High PlainsKHS Family Service & GuidanceArea KanzaCowley Family Life CenterTGC SumnerSoutheast Central KansasJohnson County Center for Counseling & ConsultationPawnee Prairie View

15.  Sending an encrypted email in Outlook  When a person wishes to send an encrypted e-mail message, he/she can type the word [encrypt] in brackets in the subject line. For example:

16.  What if I forget?  If a person accidentally forgets to type the word “[Encrypt] in the subject line of an email, ProofPoint can automatically encrypt an email.  ProofPoint can scan and analyze the content of a message.  Can automatically encrypt based on message contents  E.g. SSN, MEDICAID ID, etc.  These rules are defined by the organization and are “appliance specific”.  Note: an organization may also choose to encrypt all outgoing email. OOPS!

17.  How does ProofPoint work?  After the end user composes the message with [encrypt] in the subject line and presses send:  The e-mail is sent to the Proofpoint device where it is encrypted and stored.  Proofpoint sends a separate message to the recipient indicating they have an encrypted message to view.  The recipient receives and opens the e-mail.

18.  Opening a Secure email  The recipient receives email and opens the attachment titled “SecureMessageAtt.html” by double-clicking on it (or by right-clicking on the icon and selecting the “Open” command).

19.  Opening a the secure attachment  When opening the attachment a browser window will open and display the message below. The user will then click on the button labeled “Click to read message”.

20.  Registering with the ProofPoint appliance  The first time an individual receives a secure message, she/he will be prompted to create an account to register with Proofpoint Encryption.  Only required the first time.  The user will fill in the all fields, select a security question and answer, and then click Continue.

21.  Reading a secure email  Once an individual is registered or logged into ProofPoint, the message is then delivered to the browser window.

22.  Reading a secure email  Depending on the organization’s security policies, the Reply, Reply All and Forward options will be available.

23.  Reading a secure email  When finished reading and replying to the email, an individual can logout of ProofPoint by clicking Logout.  ProofPoint then displays the “logged out” message.

24.  Reading a secure email  Upon subsequent use of the ProofPoint system, an individual is not required to register. Rather, he/she is presented with a login screen.

25.  What if I forget my password?  If an individual forgets his/her password, there is an option within the message labeled “Forgot Password”. When an individual clicks on this option, the system will prompt her/him with the password reset question. If the individual answers the password reset question correctly, he/she will be allowed to change the password and read the message.  Note: If you forget the answer to your security question, the ProofPoint administrator can reset your password for you.

26.  Does ProofPoint work with mobile devices.  Yes (with browser support).  If you attempt to read a secure message from your mobile device, you will receive an email message with a link that you can click to authenticate with Proofpoint Encryption.  After authenticating you will be able to read the secure message.

27.  Access to Proofpoint via Web interface  The ProofPoint administrator has the option of providing a Web link that allows users outside (or inside) the Federation to compose secure messages.  With this feature enabled, anyone can send secure messages by clicking on this link.