Abstract: Are doctors allowed to communicate with their patients via email? The GDPR sets a high bar for securing health data: either end-to-end encryption (E2EE) or guaranteed transport encryption must be used. As E2EE (with PGP or S/MIME) is not widely used in practice, guaranteed transport encryption is the only realistic option. But are doctors’ email servers properly configured so that they provide such strong security guarantees? As we found in a large-scale investigation of German medical institutions, this is not the case at all. Only a very small minority of email servers provides state-of-the-art security. In all other cases, communication between doctors and patients via email is not secure and, thus, not permitted under the GDPR.
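As an added example (not code from the paper), the following shows one way a defender can check whether a mail domain's published MTA-STS policy (RFC 8461, one standard mechanism for guaranteeing transport encryption between mail servers; the abstract does not say which mechanisms the study assessed) actually guarantees encryption rather than merely requesting it. The policy texts and hostnames are constructed for this example.

```python
"""Check whether an MTA-STS policy guarantees TLS for inbound mail (constructed sample data)."""
from dataclasses import dataclass, field

@dataclass
class MtaStsPolicy:
    version: str = ""
    mode: str = ""
    mx: list = field(default_factory=list)
    max_age: int = 0

def parse_policy(text: str) -> MtaStsPolicy:
    """Parse the key/value file served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    policy = MtaStsPolicy()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue  # ignore blank or malformed lines
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "version":
            policy.version = value
        elif key == "mode":
            policy.mode = value
        elif key == "mx":
            policy.mx.append(value)  # a policy may list several MX patterns
        elif key == "max_age":
            policy.max_age = int(value)
    return policy

def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 mx patterns may carry a single leading '*.' wildcard covering one label."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".praxis.example"
        return host.endswith(suffix) and host.count(".") == suffix.count(".")
    return host == pattern

def guarantees_encryption(policy: MtaStsPolicy, mx_hosts: list) -> tuple:
    """Return (ok, reason): only mode=enforce with every MX covered forbids cleartext delivery."""
    if policy.version != "STSv1":
        return False, "unknown policy version"
    if policy.mode != "enforce":
        return False, f"mode is '{policy.mode}', so a TLS failure is only reported, not fatal"
    uncovered = [h for h in mx_hosts if not any(mx_matches(p, h) for p in policy.mx)]
    if uncovered:
        return False, f"MX hosts not covered by policy: {uncovered}"
    return True, "enforce mode covers all MX hosts"

# Constructed example policies: a 'testing' policy that guarantees nothing, and a hardened one.
WEAK_POLICY = "version: STSv1\nmode: testing\nmx: mail.praxis.example\nmax_age: 86400\n"
STRONG_POLICY = "version: STSv1\nmode: enforce\nmx: *.praxis.example\nmax_age: 604800\n"
```

A real check would additionally confirm that the `_mta-sts.<domain>` TXT record exists and that the policy host presents a valid certificate; those network steps are left out so the block runs offline.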