Abstract
Are doctors allowed to communicate with their patients via email? The GDPR sets the bar high for securing health data: either end-to-end encryption (E2EE) or guaranteed transport encryption must be used. As E2EE (with PGP or S/MIME) is not widely used in practice, only guaranteed transport encryption is a realistic option. But are doctors’ email servers properly configured, and do they provide such strong security guarantees? As we found in a large-scale investigation of German medical institutions, this is not the case at all. Only a very small minority of email servers provide state-of-the-art security. In all other cases, communication between doctors and patients via email is not secure and, thus, not permitted under the GDPR.
Notes
- 1. Google regularly publishes numbers showing that around 90% of all emails sent and received via Google Mail are protected with transport encryption: https://transparencyreport.google.com/safer-email/overview.
- 2. In the rest of the paper, we use the more general term medical institution, which also covers clinics and medical care centers.
- 3. The same is true for other businesses and authorities as well.
- 4. In Germany, unlike in other European countries, there are 18 DPAs in total.
- 5.
- 6. The source code for the project is available at https://git.informatik.fh-nuernberg.de/email-research/medical-institution-email-check.
- 7. web.de and GMX are actually part of the same company, “1 & 1 Mail & Media GmbH”. Web.de and GMX are very popular freemail services in Germany; paid premium services exist as well, though.
- 8. Since one provider can manage multiple domains (MX records of two providers on one domain), it is actually the sum of the managed domains of all providers.
- 9.
- 10. And due to an absence of privacy guarantees for private accounts, such medical institutions might violate another term in the service agreement: the Code of Conduct requires: “Don’t engage in activity that violates the privacy of others.”
- 11.
- 12. It should be noted that this might not only be the case for Microsoft but for other freemail services (like web.de or GMX) as well; we did not check their service agreements and privacy protection policies in detail, though.
- 13. We used outlook.com, outlook.de, live.com, live.de, msn.de, msn.com, hotmail.com, hotmail.de for the analysis.
- 14. Rather, those email accounts will soon be protected with DANE, as Microsoft announced a DANE roll-out for 2022: https://techcommunity.microsoft.com/t5/exchange-team-blog/releasing-outbound-smtp-dane-with-dnssec/ba-p/3100920.
- 15. It is a good sign that Microsoft started DANE roll-out for Exchange Online in early 2022: https://techcommunity.microsoft.com/t5/exchange-team-blog/releasing-outbound-smtp-dane-with-dnssec/ba-p/3100920.
- 16. However, 47 of these medical institutions use a gmx or web.de address, and it is not clear whether it is a freemail or a business account.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Lange, C., Chang, T., Fiedler, M., Petrlic, R. (2023). An Email a Day Could Give Your Health Data Away. In: Garcia-Alfaro, J., Navarro-Arribas, G., Dragoni, N. (eds) Data Privacy Management, Cryptocurrencies and Blockchain Technology. DPM CBT 2022 2022. Lecture Notes in Computer Science, vol 13619. Springer, Cham. https://doi.org/10.1007/978-3-031-25734-6_4
DOI: https://doi.org/10.1007/978-3-031-25734-6_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-25733-9
Online ISBN: 978-3-031-25734-6
eBook Packages: Computer Science, Computer Science (R0)