An Email a Day Could Give Your Health Data Away

  • Conference paper
Data Privacy Management, Cryptocurrencies and Blockchain Technology (DPM 2022, CBT 2022)

Abstract

Are doctors allowed to communicate with their patients via email? The GDPR sets the bar high for securing health data: either end-to-end encryption (E2EE) or guaranteed transport encryption needs to be used. As E2EE (with PGP or S/MIME) is not widely used in practice, only guaranteed transport encryption comes into question. But are doctors’ email servers properly configured, and do they provide such strong security guarantees? As we found out in a large-scale investigation of German medical institutions, this is not the case at all. Only a very small minority of email servers provides state-of-the-art security. In all other cases, communication between doctors and patients via email is not secure and, thus, not permitted with regard to the GDPR.

Notes

  1. Google regularly publishes numbers that show that around 90% of all emails sent and received via Google Mail are protected with transport encryption: https://transparencyreport.google.com/safer-email/overview.

  2. In the rest of the paper, we use the more general term medical institution, which also covers clinics and medical care centers.

  3. The same is true for other businesses and authorities as well.

  4. In Germany, unlike in other European countries, there are 18 DPAs in total.

  5. https://www.datenschutzkonferenz-online.de/media/oh/20200526_orientierungshilfe_e_mail_verschluesselung.pdf.

  6. The source code for the project is available at https://git.informatik.fh-nuernberg.de/email-research/medical-institution-email-check.

  7. web.de and GMX are actually part of the same company, called “1 & 1 Mail & Media GmbH”. Web.de and GMX are very popular freemail services in Germany; paid premium services exist as well, though.

  8. Since one provider can manage multiple domains (MX records of two providers on one domain), it is actually the sum of the managed domains of all providers.

  9. https://www.microsoft.com/en-us/servicesagreement.

  10. And due to an absence of privacy guarantees for private accounts, such medical institutions might violate another term in the service agreement. The Code of Conduct requires: “Don’t engage in activity that violates the privacy of others.”

  11. https://privacy.microsoft.com/de-de/privacystatement.

  12. It should be noted that this might not only be the case for Microsoft but for other freemail services (like web.de or GMX) as well; we did not check their service agreements and privacy protection policies in detail, though.

  13. We used outlook.com, outlook.de, live.com, live.de, msn.de, msn.com, hotmail.com, hotmail.de for the analysis.

  14. Rather, those email accounts will soon be protected with DANE, as Microsoft announced a DANE roll-out for 2022: https://techcommunity.microsoft.com/t5/exchange-team-blog/releasing-outbound-smtp-dane-with-dnssec/ba-p/3100920.

  15. It is a good sign that Microsoft started the DANE roll-out for Exchange Online in early 2022: https://techcommunity.microsoft.com/t5/exchange-team-blog/releasing-outbound-smtp-dane-with-dnssec/ba-p/3100920.

  16. However, 47 of these medical institutions employ a GMX or web.de address, and it is not clear whether it is a freemail or a business account.

Author information

Corresponding author

Correspondence to Ronald Petrlic.

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Lange, C., Chang, T., Fiedler, M., Petrlic, R. (2023). An Email a Day Could Give Your Health Data Away. In: Garcia-Alfaro, J., Navarro-Arribas, G., Dragoni, N. (eds) Data Privacy Management, Cryptocurrencies and Blockchain Technology. DPM CBT 2022 2022. Lecture Notes in Computer Science, vol 13619. Springer, Cham. https://doi.org/10.1007/978-3-031-25734-6_4

  • DOI: https://doi.org/10.1007/978-3-031-25734-6_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-25733-9

  • Online ISBN: 978-3-031-25734-6

  • eBook Packages: Computer Science, Computer Science (R0)
