Is sending patient data via email safe?

Sending medical photos by email and text is widespread, but it should not be happening! Email is inherently insecure. Unless you are using a special email encryption service, information is not encrypted. Email is like sending a postcard. Any number of people can view it along the way.

Email is usually sent in plain text from your computer or smartphone, through your Internet Service Provider, to an email server. It is then ordinarily sent unencrypted to the recipient's email server where the computer or smartphone of the recipient fetches it via their Internet Service Provider. Some emails will be encrypted when sent from one email server to another if the sender and recipient are both using the same email provider. Some special email encryption products encrypt messages before they leave your computer and then decrypt them at the recipient's end. This process is known as end-to-end encryption. Although more secure, it is inconvenient, requiring both the sender and recipient to be using the same system. Further, the same server that stores the data often stores the keys used to encrypt and decrypt messages. That is like storing the keys right next to the padlock.

So what options do we have?

1. If you are only sending emails to recipients within your network (i.e. you have the same domain, and your email server encrypts data) then this level of security is probably considered secure enough, for the time being anyway. That does not help if you want to email someone external.
2. You can zip and password-protect a file you want to send and attach it to an email. The password should be secure, and you will have to tell the password to the recipient verbally. Unfortunately, this practice is not very practical.
3. Of course, you can use a service like PicSafe. All data is encrypted and decrypted using a key acquired from a PicSafe Key Server. Here, the data and the keys are never on the same server.