DHHS Begins Using ZixMail Department-wide to Protect Sensitive Information in Emails

Laptop with email icon on the screen

DHHS’ Privacy and Security Office has implemented a tool for encrypting emails Department-wide.

July 5, 2018 – Email has become a preferred method for communication between employees, partners and clients across the state. However, emails can be intercepted or mistakenly sent to third parties, compromising privacy.

DHHS handles a lot of confidential information, protected by laws such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which covers protected health information (PHI).  

To ensure the confidentiality of PHI and other personal information, the DHHS Privacy and Security Office has implemented ZixMail. This tool allows emails to be encrypted before they are sent. While some divisions have already been using ZixMail, Department-wide implementation through an Outlook plugin began June 30. ZixMail will work on most Internet browsers and mobile devices.

Emails from one DHHS account to another DHHS account are encrypted. However, best practice is to always encrypt files containing our most sensitive data. 

If the recipient does not have a @dhhs.nc.gov account, a sender transmitting confidential information must take action for the message to be encrypted. There are several ways to encrypt an email to send to users outside of DHHS using ZixMail:

  • Employees can type “dhhsencrypt” with a space after it in the beginning of the subject line of a message to trigger encryption.

Composing an email with the dhhsencrypt subject line

  • Users can also select the “Encrypt & Send” option at the top left of the toolbar on the Message tab through the ZixSelect plugin. 

ZixSelect plugin on Outlook window

  • Message sensitivity can also be set to confidential through the email Options tab.  Click on the arrow next to “More Options” and set the sensitivity to “Confidential” to encrypt the message.

Marking message sensitivity confidential

If a message is not encrypted, the Data Loss Prevention (DLP) system scans the content of all emails sent outside the DHHS email domain and compares it to policies selected to meet federal and state requirements for safeguarding confidential data. ZixMail automatically encrypts the content if the system deems it necessary.

When an encrypted email is sent to a non-DHHS recipient, they will receive a message in their inbox allowing them to view the message in their browser using the Secure Message Center. Accessing the Secure Message Center requires a one-time registration. After registering, users will be able to log in to the Secure Message Center with a login they create. If partners outside of DHHS are also using Zix Services, they won’t need to log in to the Zix portal to view the message.

Recipients can also send an encrypted response to a secure message. To do this, they can either reply or reply all to the message. To initiate a secure message, users can utilize the Compose function within the Zix Secure Message Center. 

ZixMail will also make investigation of data breaches more secure and efficient, allowing the Privacy and Security Office to collect information required by various federal agencies if a breach happens. The system can also alert affected users of next steps. 

Employees should continue to follow NCDHHS policies for protecting and safeguarding information, and should be aware of the state’s classifications of data risk. If there is a question as to whether specific material should be encrypted, employees should consult their supervisor, legal team member or other appropriate personnel. If in doubt, sensitive or potentially protected material should always be encrypted.

DHHS employees can access training on ZixMail through the Learning Management System (LMS), accessible through the BEACON portal.

Employees should direct questions to their Division’s security official or contact Pyreddy Reddy at 919-855-3090 or Pyreddy.Reddy@dhhs.nc.gov.