
02:53 PM
Thomas Claburn, InformationWeek

HIPAA and other government regulations may help spur the adoption of secure messaging technologies

Despite high concern and regulation around privacy, secure messaging technology has been a tough sell in healthcare. But easier-to-use technology and a new round of privacy rules might make it a more palatable option.

Despite high concern and regulation around privacy, secure messaging technology has been a tough sell to most companies, including those in healthcare. But easier-to-use technology and a new round of privacy rules might make it a more palatable option.

The past few years have been marked by lively talk about secure messaging but little demand, says David Ferris, president of San Francisco-based messaging and collaboration research firm Ferris Research. But new regulations may change that, he says. The final round of the Health Insurance Portability and Accountability Act takes effect in April and might spur healthcare companies to adopt secure messaging.

Jupiter Media Metrix (South Darien, Conn.) analyst Monique Levy says there's considerable confusion about what HIPAA requires for messaging, but the industry is moving toward secure communications. "I think it's going to be standard practice and ultimately it will make sense to adopt industry-wide," she says.

The market is still in its infancy, worth perhaps $40 million to $50 million a year, says Jonathan Penn, an analyst at research firm Forrester Research (Cambridge, Mass.). Vendors include Authentica (Waltham, Mass.), Entrust (Addison, Texas), PGP (Palo Alto, Calif.), PostX (Cupertino, Calif.), Sigaba (San Mateo, Calif.), Tumbleweed Communications (Redwood City, Calif.), and Zix (Dallas). The reason secure messaging isn't more popular is that it's tough to do, generally requiring both senders and recipients to install the same software on their PCs.

Anticipating HIPAA's requirements was the main motivator for John Willars, IT director and HIPAA security officer at Mission Hospital Inc., to start using secure messaging two years ago. "I wanted to figure out what I could do to be ahead of the curve," he says. Willars started using Sigaba's plug-in for Microsoft Outlook, in conjunction with servers at Sigaba, formally known as Secure Data In Motion Inc. About two months ago, the hospital brought the hardware in-house by acquiring its own e-mail gateway server. A typical use, he says, might be a doctor asking for a report from radiology that would be sent by encrypted e-mail.

Sigaba is typical of how vendors are tackling the major obstacles to secure messaging's use. In addition to authentication and encryption, it can filter viruses and other unwanted content. The critical components are a gateway server that encrypts messages as determined by security policies, an authentication server and a key server. The recipient decrypts the message with a key provided by a key server. Alternatively, the recipient's S/MIME system can decrypt the e-mail. While a mail-client plug-in is available for certain uses, secure communication can be conducted without requiring recipients to install any software.

Some IT managers might not be terribly concerned about the risks: Intercepting an e-mail in transit isn't a trivial technical challenge. But other risks include phishing, where e-mail is made to look like it's from a trusted company in order to steal identity information.

However, none of the systems protects against the most likely means of disclosure: the over-the-shoulder peek, or a person leaving a PC with a sensitive message open.

That's why, despite being enthusiastic about Sigaba's capability and ease of use, Mission Hospital's Willars is cautious: "We discourage using e-mail for sending personal health information."
