I’ve been going to the doctor a lot lately (knee problem, boring story), and I had to sign a consent-to-being-emailed form. On this form, which I regrettably forgot to nab a copy of to post here, it was explained to me, the patient, that the practice’s use of email is “secure, but not encrypted.” They labored to assure me that their computers are protected by passwords, but that no content is going to be encrypted.
I, of course, am a software developer and understand what this means: namely, that the information is not secure. Further, I’m not even sure what they’re trying to reassure me about, understanding what I do about computers and security. I’m safe against the other doctors in the practice learning my medical history? Or perhaps the assistants and administrative employees? Those people almost certainly could get access if they wanted it, and I don’t care, because it is their job to know enough to help me.
Sending information unencrypted over email is just letting anyone have it. Sending it through an encrypted protocol is giving it away only to the practice’s email provider, the receiver’s email provider, and (obviously) the NSA. Since you’re a doctor’s office, I have no reason to believe you have spent a single minute thinking about your technological infrastructure, and thus no reason to trust your email provider. I use Gmail, and I have good reason not to trust Google. So you’re sending my medical information to at least two parties I don’t trust.
I don’t care about this at all. My perspective on security is that all security is security theatre and if someone wants to break into my house or my email or anything else badly enough, they will succeed. But I know this. I don’t care because I am (somewhat) informed. I know that assuming my data is secure is simply incorrect, so I assume that the entire world can see it instead, and make choices accordingly.
I do, however, care pretty deeply that to an uninformed reader of that consent form, who understands the everyday meaning of the word “secure” and has more or less zero understanding of encryption, or email transport, or anything else related to computer security, it sounds like the practice is taking meaningful precautions. I don’t know if it would stand up in court — I believe there are laws saying that when one party is drastically misleading the other party who is direly uninformed on the material, that isn’t valid — but it still pisses me off. I don’t even think the practice knows they’re misleading their patients. They probably don’t know anything about computer security either. But it’s just all so wrong and sad.
100% agreed.