Hushmail is a well-established secure email provider that’s been around for 25 years. The Canadian business targets particular sectors, like healthcare, law, and smaller companies.
Those kinds of organizations often need to share sensitive information, so it makes sense that they’d try to find a secure email provider. But is Hushmail the right option?
Hushmail: Plans and pricing
Hushmail’s healthcare plans start at $11.99 monthly for one basic email account, but it’s worth upgrading to the $24.99 plan for the full experience. When using that pricier plan you get five email addresses, secure web forms and electronic signatures. Upgrade to the $47.99 monthly service and you get ten accounts and web forms. Unsurprisingly, all of those healthcare plans are HIPAA compliant.
Hushmail’s legal and small business plans are a little cheaper than the healthcare versions but don’t include HIPAA compliance or Information Manager Agreements, which are both specific to the healthcare industry.
There are personal plans, too, with an encrypted account with 15GB of storage costing $59.99 annually with a 60-day money-back guarantee. That’s a good price – lower than many rivals, especially if you pay monthly – and the sixty-day refund period is generous, too. And if you pay for three years, it’s even cheaper.
Hushmail: Features
Hushmail’s service allows you to use their domain or your own domain to access secure email, and the service uses OpenPGP encryption for email content, with TLS/SSL deployed to protect emails when they’re in transit and ensure encryption of emails sent to and from non-Hushmail users. PFS and HSTS are also deployed as part of Hushmail’s systems, and Hushmail uses a zero-knowledge model.
That solid start should sate most people, although reliance on OpenPGP means that subject lines aren’t encrypted. And rather than using end-to-end encryption by default, Hushmail hands control back to the user, offering a toggle to activate or deactivate its encryption.
Hushmail can be accessed from your browser and through email apps on PCs, laptops, Android phones, and iOS devices thanks to its POP/IMAP support. There’s a dedicated iOS app, too, but no Android app.
In addition to its toggled encryption, Hushmail has some clever features that benefit its core healthcare and legal audiences.
It’s packed with preset forms that can be used by healthcare and legal professionals to gather data from patients and customers securely, and you can create your own, too – a genuinely valuable addition to the service. ESIGN and UETA-compliant electronic signatures can also be used with Hushmail’s forms and messages.
Medical professionals, in particular, will be pleased to see popular self-administered questionnaires like PHQ-9, GAD-7, PCL-5 and DASS included, too.
To keep things manageable, clients and patients using these features can sign in with their own Google, Apple or Microsoft accounts, so they don’t have to register for another account to interact with your forms or documents.
There’s also an encrypted private messaging center where non-Hushmail users can receive a link to a secure web page to read encrypted messages sent using Hushmail.
That sounds reasonable, but there are some question marks over Hushmail’s security credentials. IP addresses of Hushmail website visitors are recorded, and your IP address, email, billing address and credit card details are logged – it’s not anonymous.
The organization keeps activity records for eighteen months. Because Hushmail is based in Canada and owned by a US company, it can receive enforceable legal orders to disclose data, including from the US government.
Hushmail isn’t open source, either, and Hushmail can also capture user passphrases for decryption.
The sign-up process could be better, too. There’s no free trial, and you need to hand over your phone number and a current email address when you register.
Elsewhere, there’s no calendar and no cloud storage, and the email storage could be more generous – some of the pricier accounts still only include 15GB of space, which looks miserly when compared to some other services.
Hushmail: Interface and in use
Unsurprisingly, Hushmail’s interface is businesslike and straightforward, with a basic two-pane design, and there doesn’t appear to be an option to switch to a three-pane layout in any of Hushmail’s settings menus.
The responsive mobile view works reasonably well, although some of the lists of forms in the secure form-building module do not display correctly on mobile devices.
Hushmail’s interface falls behind several rivals when it comes to both functionality and visuals, so we’re pleased that Hushmail can be used with third-party clients.
Hushmail: Support
Technical support is available over the phone from 9 am to 5 pm Pacific Time, Monday to Friday – a solid option for anyone on those Healthcare, Legal or Small Business plans as long as you’re in the right time zone, but less useful for organizations in other countries. Weekend support would have been helpful, too.
Live chat is available, at least, and email support is reliable and relatively fast. One-on-one setup assistance is available on most plans, too, and there’s an extensive online knowledge base.
Hushmail: Security
Hushmail offers end-to-end encryption using open-source OpenPGP. While this is strong encryption for the body of your email, it means recipients and subject lines aren’t encrypted. In transit, emails are protected by an SSL/TLS tunnel and HSTS. Your password is also hashed, and Hushmail uses a zero-knowledge model, so they can’t decrypt your emails without your password.
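To see what that header exposure looks like on a stored message, here is an added example (not Hushmail’s code and not part of the original review) that parses a constructed OpenPGP-encrypted email and reports what stays readable without the private key. It assumes the common PGP/MIME layout from RFC 3156; the function name, addresses, subject and armored payload are all made up for illustration.

```python
from email import message_from_string
from email.policy import default

# Constructed sample of a PGP/MIME (RFC 3156) message as a mail server stores it.
# Addresses, subject and the armored payload are placeholders, not real data.
SAMPLE = """\
From: clinic@example.org
To: patient@example.com
Subject: Lab results for your appointment on 3 March
Date: Mon, 04 Mar 2024 09:15:00 -0800
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="sample-boundary"

--sample-boundary
Content-Type: application/pgp-encrypted

Version: 1

--sample-boundary
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

CONSTRUCTEDPLACEHOLDERNOTREALCIPHERTEXT
-----END PGP MESSAGE-----

--sample-boundary--
"""

METADATA_HEADERS = ("From", "To", "Cc", "Subject", "Date")

def audit_pgp_mime(raw):
    """Report which parts of a stored message are readable without the private key."""
    msg = message_from_string(raw, policy=default)
    is_pgp_mime = (msg.get_content_type() == "multipart/encrypted"
                   and msg.get_param("protocol") == "application/pgp-encrypted")
    # Headers sit outside the OpenPGP envelope, so they are stored in clear text.
    exposed = {h: str(msg[h]) for h in METADATA_HEADERS if msg[h] is not None}
    parts = list(msg.iter_parts()) if msg.is_multipart() else []
    body = parts[1].get_payload() if len(parts) == 2 else ""
    return {
        "pgp_mime": is_pgp_mime,
        "exposed_headers": exposed,
        "body_armored": "-----BEGIN PGP MESSAGE-----" in body,
    }

if __name__ == "__main__":
    report = audit_pgp_mime(SAMPLE)
    for name, value in report["exposed_headers"].items():
        print(f"clear text  {name}: {value}")
    print("body is OpenPGP ciphertext:", report["body_armored"])
```

For anyone handling patient or client mail, the practical consequence is to keep sensitive details out of the subject line, since it is stored and logged alongside the sender and recipient.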
But Hushmail is far from a no-logging service. IP addresses of visitors to the website are recorded, and when you make a purchase, your IP address, email, billing address, and credit card details are logged and sent to third parties. Even reading or moving emails in the user interface creates a log. Records of activities are kept for 18 months. If the company received an enforceable order under the laws of British Columbia, Canada, they may disclose data in an unencrypted format to governments, including the US.
The competition
Hushmail’s HIPAA compliance and focus on emails and forms make it an ideal option for healthcare and legal organizations, but its security concerns do put some other rivals in the frame.
Products like Proton Mail are also HIPAA-compliant and offer various business pricing plans, and Proton includes a VPN, cloud storage and several other features that Hushmail can’t provide. That said, it’s more expensive than Hushmail.
And if you’re an organization or individual with some worries about Hushmail’s security and privacy features, Tuta is a better option, with more robust security that won’t be held to the whims of the American or Canadian governments.
Final verdict
Hushmail’s secure forms, reasonable security and HIPAA compliance make it a good choice for healthcare organizations that handle sensitive medical data, and it’s ideal for legal firms that need better security, too.
But because Hushmail is based in Canada and owned by a US company, your data can be accessed at the request of those governments, and its privacy isn’t as robust as that of many other services. Hushmail’s awkward sign-up process and lack of additional features don’t help its cause elsewhere.
If you work in a healthcare organization and need Hushmail’s specific features and compliance, then it’s worth investigating. But for everyone else, we’d look elsewhere.