Interaction of TLS & outbound HIPAA/PCI content scanning

HIPAA PCI TLS encryption


#1 Dean Wilson


Posted 21 December 2012 - 12:27 PM

Our company has requirements to meet both PCI & HIPAA standards. We have been using the outbound email content scanning feature on our Barracuda Anti-spam 100 for some time. The feature works well, other than the customer resistance to logging into the secure email website. Mostly this relates to the volume of HIPAA-related emails that are sent out.

In an attempt to resolve this, we implemented TLS on the Barracuda. After installing the SSL certificate, we tested the new configuration. The results were not what we had expected. It seems that the appliance implements the HIPAA content scanning before verifying TLS transport as an option. The net effect is that all outbound emails with HIPAA content are still routed to the secure website interface.

Can an option be put in place to flip the order of TLS & HIPAA content scanning? Specifically, the first thing that the appliance should check is if an email can be sent securely via TLS. If yes, then send the email via TLS. If no, then scan the email for HIPAA related content. If there is HIPAA content, send to the secure web site; if no HIPAA information is found, send via unencrypted email.

I know this function/feature is offered on other platforms, as our customers were able to reconfigure their gateways in a manner similar to our request after we implemented TLS.

#2 Iowa Solutions


Posted 11 January 2013 - 03:29 PM

I have to agree. If a message can be delivered to the recipient over TLS, it should happen. Only after that should the Secure Messaging service come into play. I'm frankly astonished that it's not at least an option to set things up this way.

TLS Delivery Possible?
  Yes = Deliver via TLS
  No = Does it need to be encrypted?
    Yes = Encrypt via Barracuda Message Center
    No = Deliver via normal SMTP

As new buyers of twin clustered systems, we're genuinely disappointed in the current implementation of the secure message delivery system.
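The two evaluation orders discussed in this thread, side by side, as an added example that is not part of any poster's message and not Barracuda's code. The function names, the SSN-style pattern standing in for the appliance's content filter, and the sample EHLO replies are assumptions constructed for illustration.

```python
import re
from enum import Enum

class Route(Enum):
    TLS = "deliver via TLS"
    PORTAL = "encrypt via secure message portal"
    PLAIN = "deliver via normal SMTP"

def advertises_starttls(ehlo_reply: str) -> bool:
    """True if a 250 EHLO reply lists the STARTTLS extension (RFC 3207)."""
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[ -](\S+)", line.strip())
        if m and m.group(1).upper() == "STARTTLS":
            return True
    return False

# Hypothetical stand-in for the appliance's content filter: SSN-like numbers only.
SENSITIVE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def needs_encryption(body: str) -> bool:
    return bool(SENSITIVE.search(body))

def route_requested(ehlo_reply: str, body: str) -> Route:
    """Order asked for in the thread: TLS first, content scan only as fallback."""
    if advertises_starttls(ehlo_reply):
        return Route.TLS
    # No TLS offered (or the capability line is missing): flagged mail still
    # goes to the portal, so a missing STARTTLS never sends it in the clear.
    return Route.PORTAL if needs_encryption(body) else Route.PLAIN

def route_observed(ehlo_reply: str, body: str) -> Route:
    """Order reported in post #1: content scan first, so flagged mail always
    goes to the portal. TLS for unflagged mail is an assumption here."""
    if needs_encryption(body):
        return Route.PORTAL
    return Route.TLS if advertises_starttls(ehlo_reply) else Route.PLAIN

# Constructed sample inputs (not captured from a real server or message).
EHLO_TLS = "250-mx.example.test Hello\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 HELP"
EHLO_PLAIN = "250-mx.example.test Hello\r\n250-SIZE 52428800\r\n250 HELP"
FLAGGED = "Patient SSN 123-45-6789, visit summary attached."

if __name__ == "__main__":
    for ehlo in (EHLO_TLS, EHLO_PLAIN):
        for body in (FLAGGED, "Lunch at noon?"):
            print(route_observed(ehlo, body).value, "->", route_requested(ehlo, body).value)
```

An advertised STARTTLS line is only the first condition; a gateway would also need the handshake and certificate validation to succeed before choosing the TLS route.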

#3 Josh Metzger


Posted 28 October 2015 - 08:24 AM

I agree, this would be quite useful to our company and allow us to get rid of a competing encryption product that offers similar functionality to what you describe.