EmailDiscussions.com


elvey 15 May 2017 01:21 PM

Mail to kp.org, ucsf.edu,sfdph.org,dmhc.ca.gov, scriptSiteRX.com opp12y encrypted?
 
Updated: Title with more domains to make/keep OP current.

Mail to kp.org, ucsf.edu,sfdph.org,dmhc.ca.gov, scriptSiteRX.com domains opportunistically encrypted?


Apropos Opportunistic SSL/TLS encryption on incoming emails -- https://blog.fastmail.com/2009/04/16/opportunistic-ssltls-encryption-on-incoming-emails/
IIRC, there's also Opportunistic SSL/TLS encryption on OUTGOING emails. And I vaguely recall there was some kind of post showing the fraction of mail that is actually encrypted at some point (I haven't tried to find it...)

My question is, is outgoing mail to the kp.org domain normally encrypted? I'm considering sending email there (to the records department -- oak-roi@<that domain> ) and will not do it if it isn't, and don't have a good way to message the department if I can't email it. I've been admitted to the hospital and will be here for at least another week. (The alternative is to resort to faxing with an internet fax service, which is arguably slightly less or more secure than unencrypted email.)

I'm not worried about STARTTLS downgrade attacks -- http://www.emaildiscussions.com/showthread.php?t=71133&highlight=smtp+encryption.

If anyone from fastmail can check the logs to answer this question, I'd appreciate it. I suppose I can open a support request, but the answer could be generally useful, so I'm asking here.

n5bb 15 May 2017 01:31 PM

I suggest using their secure message service. See:
https://share.kaiserpermanente.org/a...-care-quality/

Bill

elvey 15 May 2017 04:29 PM

Quote:

Originally Posted by n5bb (Post 601815)
I suggest using their secure message service. See:
https://share.kaiserpermanente.org/a...-care-quality/

Bill

It's not available to former members.:mad::eek:

They lock you out - no access to online records. Awful if it's unexpected, as was the case with me.

But as a member, it's great to be able to email your doctors and pharmacist, etc and get replies securely!

brong 16 May 2017 12:44 PM

2017-05-15T03:50:24.281947-04:00 gateway1 postfix-out/smtp[2091062]: Trusted TLS connection established to mail2.kp.org[162.119.233.53]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2017-05-15T03:50:26.208210-04:00 gateway1 postfix-out/smtp[2091062]: 789442086A: to=<oak-roi@[...]

Yes, they are.

elvey 17 May 2017 12:47 AM

Thanks BronG!

Emailed 'em. Turns out they have a secure email system that kicks in when they reply.
It's separate from the usual one for current members, but lets me reply securely. It says you have a reply, click here to set up an account so you can read the message, and doing so drops me into a web app that supports replies, etc.

elvey 6 Jun 2017 07:15 AM

BronG, can you check ucsf.edu too?

brong 6 Jun 2017 07:33 AM

gateway2 postfix-out/smtp[2967920]: Trusted TLS connection established to cuda.ucsf.edu[64.54.247.181]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

yep, they all look like this.

elvey 9 Jun 2017 03:05 AM

Cool, thanks. Kind of a weird way to ensure security, but weirdly effective.

And for others, note that if you can look at the email headers, you can see whether the connection was encrypted. E.g. from the header of a message I received:

Received...
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
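
An added example, not part of the original thread: a Python sketch that automates the two checks shown above, reading Postfix SMTP client log lines to report whether each delivery to a recipient domain went over TLS, and reading the TLS annotation from a Received header. The log lines and header are constructed samples; the delivery-line layout (`to=<...>, relay=..., status=...`) and TLS summary logging being enabled are assumptions, and matching a delivery to its TLS session by process id and relay is a heuristic.

```python
import re
from collections import defaultdict

# "<Level> TLS connection established to host[ip]:port: <proto> with cipher <name> (<bits>/<max> bits)"
TLS_RE = re.compile(
    r"smtp\[(?P<pid>\d+)\]: (?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established to (?P<relay>\S+\[[^\]]+\]:\d+): (?P<proto>\S+) with cipher "
    r"(?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)")
# Assumed standard Postfix delivery line: "QUEUEID: to=<user@domain>, relay=host[ip]:port, ..., status=sent"
DELIVERY_RE = re.compile(
    r"smtp\[(?P<pid>\d+)\]: \w+: to=<[^@>]+@(?P<domain>[^>]+)>, relay=(?P<relay>[^,]+),"
    r".*status=(?P<status>\w+)")
# TLS annotation a receiving MTA adds to its Received header, as quoted in the thread
RECEIVED_RE = re.compile(
    r"\(using (?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)")

def tls_by_domain(lines):
    """Map recipient domain -> one entry per sent message:
    (level, protocol, cipher, bits), or None when no TLS session was logged."""
    sessions = {}                      # (pid, relay) -> TLS details (heuristic correlation)
    result = defaultdict(list)
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            sessions[(m["pid"], m["relay"])] = (
                m["level"], m["proto"], m["cipher"], int(m["bits"]))
            continue
        m = DELIVERY_RE.search(line)
        if m and m["status"] == "sent":
            result[m["domain"].lower()].append(sessions.get((m["pid"], m["relay"])))
    return dict(result)

def received_tls(header):
    """Return (protocol, cipher, bits) from a Received header, or None if it has no TLS note."""
    m = RECEIVED_RE.search(header)
    return (m["proto"], m["cipher"], int(m["bits"])) if m else None

# Constructed sample input (documentation domains and addresses, not real log data)
SAMPLE_LOG = [
    "2017-05-15T03:50:24-04:00 gw1 postfix-out/smtp[101]: Trusted TLS connection established to "
    "mx.example.org[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "2017-05-15T03:50:26-04:00 gw1 postfix-out/smtp[101]: 4A1B2C3D4E: to=<records@example.org>, "
    "relay=mx.example.org[192.0.2.10]:25, delay=2.1, dsn=2.0.0, status=sent (250 ok)",
    "2017-05-15T03:51:00-04:00 gw1 postfix-out/smtp[102]: 5F6A7B8C9D: to=<info@example.net>, "
    "relay=mx.example.net[198.51.100.7]:25, delay=1.0, dsn=2.0.0, status=sent (250 ok)",
]
SAMPLE_HEADER = ("Received: from mx.example.org by gw1.example.com "
                 "(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))")

if __name__ == "__main__":
    print(tls_by_domain(SAMPLE_LOG))
    print(received_tls(SAMPLE_HEADER))
```

In Postfix's wording, "Trusted" means the peer certificate chained to a trusted CA without the peer name being checked, while "Verified" means the name or fingerprint matched as well; "Untrusted" and "Anonymous" sessions are still encrypted but unauthenticated.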

elvey 31 Aug 2017 08:50 AM

BronG, can you check dmhc.ca.gov too?

brong 31 Aug 2017 09:02 AM

(Elvey - this was your email to them)

2017-08-28T21:05:01.140957-04:00 gateway2 postfix-out/smtp[1605279]: Trusted TLS connection established to dmhc-ca-gov.mail.protection.outlook.com[216.32.181.42]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)

elvey 2 Sep 2017 01:27 AM

Quote:

Originally Posted by brong (Post 603756)
(Elvey - this was your email to them)

2017-08-28T21:05:01.140957-04:00 gateway2 postfix-out/smtp[1605279]: Trusted TLS connection established to dmhc-ca-gov.mail.protection.outlook.com[216.32.181.42]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)

Thanks. (:eek: Pleasant surprise to see Microsoft got with the program on this. I would hazard a guess that all connections to MX that resolve to *.mail.protection.outlook.com are normally opportunistically encrypted. :) )

elvey 6 May 2019 04:52 AM

Regular email is NOT prohibited by HIPAA
 
FYI:

Please be aware that HIPAA-regulated healthcare entities ARE allowed to send PHI via regular mail:
https://www.hhs.gov/hipaa/for-profes...x.html states:
"... the Privacy Rule does not prohibit the use of unencrypted e-mail ... Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b)."

So regular email is generally appropriate if a patient requests it or if, because of safeguards that have been applied, such as the ones that this thread shows have been applied, normal email between identified parties is encrypted already.

Some of those HIPAA-compliant systems are much worse than others, so this can be valuable info. So I reposted this outside the FM board, here: http://www.emaildiscussions.com/showthread.php?t=74378, along with a poll: Surprised? Y/N?

elvey 6 Jun 2019 06:35 AM

apple.com
 
BronG, can you check apple.com (as in product-security@apple.com) too? :D
And maybe the top n destinations fastmail/ME sends mail to?

elvey 25 Jan 2020 08:49 AM

Quote:

Originally Posted by elvey (Post 610307)
BronG, can you check apple.com (as in product-security@apple.com) too? :D
And maybe the top n destinations fastmail/ME sends mail to?

Bump. Also, scriptSiteRX.com?

brong 5 Feb 2020 03:30 PM

Obviously apple.com is fine: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

scriptsiterx.com uses Google for MX, so they're good too, though only 128 bits:


TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)


All times are GMT +9.