Protecting Email

protecting email

The Internet has now been around for 40 years, with email as a core application. The Internet is used in many enterprises to enable computer networking and facilitate electronic communications. In the early years, the security of email communication was not an issue, but it surely is now!

The use of the Internet and email has grown exponentially … used by the original research organizations, and now by governments, militaries, businesses -including banking and healthcare, and many, many individuals’ worldwide.

During the past 40 years there has not only been an explosion in use of the Internet and email, but an explosion in the diversity of applications deployed on the Internet. At the same time there has been an explosion of Internet- and email-based criminal and nuisance THREATS.

The Internet’s core email protocol, Simple Mail Transfer Protocol (SMTP), was adopted in 1982! Yes, 1982 – making it almost 35 years old! It is still deployed and operated today, but with modifications and augmentations to deal with security threats, including content modification and content surveillance.

With other types of security protections implemented and in use, NIST[1] states in its October 2016 ITL Bulletin article, Making Email Trustworthy that “email systems can be regarded as sufficiently secure of government, financial and medical communications.”[2]

The suggested security protections include:

  • Spoofing protection: Spoofing in a network context, a situation in which one person or program successfully masquerades as another by falsifying data to gain an unknowing and often illegal advantage. Email address spoofing is very easy; the sender information shown in e-mails (the “From” field) can be spoofed. Spammers use this technique to hide the origin of their e-mails. For example, if you get an email from the IRS … it is never from the IRS;
  • Integrity protection: See HIPAA Security Rule section 312(c) Technical Safeguards, Integrity;
  • Encryption: See HIPAA Security Rule Technical Safeguard sections (a) Access Control, and (e) Transmission Security; and
  • Authentication: See HIPAA Security Rule section 312(d) Technical Safeguards, Person or Entity Authentication.


NIST has two Special Publications (SP) 800 documents related to email security:

  • Guidelines on Electronic Mail Security (SP 800-45, Version 2)[3], published in 2007, and
  • Trustworthy Email (SP 800-177)[4], published in September 2016.


Trustworthy Email classifies the security threats to email as follows:

  • Integrity-related threats to the email system, which could result in unauthorized access to an enterprises’ email system, or spoofed email used to initiate an attack;
  • Confidentiality-related threats to email, which could result in unauthorized disclosure of sensitive information; or
  • Availability-related threats to the email system, which could prevent end users from being able to send or receive email. [5]


Trustworthy Email also includes mitigation recommendations for:

  • Unauthorized email senders;
  • Unauthorized email receivers;
  • Unauthorized email messages;
  • Tampering or modification of content; and
  • Phishing and spear phishing.


There are many more recommendations within Trustworthy Email that are useful for small CEs and large BAs and everyone in between.

The NIST SPs are required for all federal agencies and the individuals and enterprises that contract with federal agencies. For everyone else, for all healthcare covered entities (CEs) and business associates (BAs), these documents are excellent outlines to use for email security protections planning, updating and implementation.

Conclusion: As Internet and email security threats are ever changing and evolving as applications and uses change, I suggest that all CEs and BAs use the NIST Email SPs 800 documents in planning, updating and implementing email protections.

[1] National Institute of Standards and Technology, federal agency, part of the Department of Commence