07 September 2018

Q. Sometimes I need to email occupational medicine (and indeed other) reports to clients who aren't on Healthmail. Is it sufficient to password protect the document (it is an attachment in Word form)?

The password is NOT sent by separate email, it is either sent by text or is already known to the person at the receiving end.

The answer is: it depends on the strength of the password or passphrase used and the version of Microsoft Office you use. If your Microsoft Word or Office version is Office 2007 or Office 2013 or Office 2016, or later, then you are fine. These versions use Advanced Encryption Standard (AES) 128 bits with the addition of Secure Hash Algorithm (SHA-1 or SHA-2) and provide strong file encryption. If you are using Office 2003 or earlier, then the encryption is weak, and it is time to upgrade.

Be aware that Microsoft Word allows you to password protect the document in two ways. You can choose to set a password to open the document; this is what you want. Or you can set a password to modify the document. This allows recipients to view but not edit a file. This type of password is easily cracked and should be avoided. Stick to using a password to open the document. If you don't want recipients to easily modify a document, then save it as portable document format (PDF) in Word and then password protect the PDF file.

If you are thinking of updating Microsoft Office, then you should look at the subscription option for Microsoft Office 365 Business. This provides you with an Outlook email address and the ability to download the Microsoft Office applications, including Word, PowerPoint and Excel, to your desktop or laptop.

Passphrase rather than Password

The second part of encryption strength relates to the password or passphrase you use. Preferably use a passphrase with random words and numbers. For example, 'Gate Fox Happy 41'. Passwords tend to be hard to remember and easy to crack. Passphrases are easier to remember and harder to crack. Remember not to share passphrases across different services and sites and to write your passphrases down somewhere or put them in a password manager software application, such as 1Password, LastPass or KeePass. If you have a strong passphrase and restrict it to one site or service or recipient for encrypted files, then you don't need to worry about changing it every few months. Only change it if you have been hacked.
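
A .docx saved with a password to open is stored as an OLE container whose `EncryptionInfo` stream declares the cipher and hash actually used, which is how the Office-version point above can be checked on a given file. The Python below is an added example, not part of the original article: it assumes the stream bytes have already been extracted from the container, the function name is hypothetical, and both sample streams are constructed.

```python
import re
import struct

# ALG_ID values used in the Standard Encryption header (MS-OFFCRYPTO).
CIPHERS = {0x660E: "AES-128", 0x660F: "AES-192", 0x6610: "AES-256", 0x6801: "RC4"}
HASHES = {0x8004: "SHA-1"}

def describe_encryption_info(stream: bytes) -> dict:
    """Report the scheme, cipher and hash declared in an EncryptionInfo stream."""
    if len(stream) < 8:
        raise ValueError("too short to be an EncryptionInfo stream")
    major, minor = struct.unpack_from("<HH", stream, 0)
    if (major, minor) == (4, 4):
        # Agile Encryption: 8-byte header, then an XML descriptor.
        xml = stream[8:].decode("utf-8", errors="replace")
        key_data = re.search(r"<keyData\b[^>]*>", xml)
        if key_data is None:
            raise ValueError("agile descriptor has no keyData element")
        attrs = dict(re.findall(r'(\w+)="([^"]*)"', key_data.group(0)))
        spin = re.search(r'spinCount="(\d+)"', xml)
        return {"scheme": "agile",
                "cipher": f'{attrs.get("cipherAlgorithm")}-{attrs.get("keyBits")}',
                "hash": attrs.get("hashAlgorithm"),
                "spin_count": int(spin.group(1)) if spin else None}
    if major in (2, 3, 4) and minor == 2:
        # Standard Encryption: version, flags, header size, then EncryptionHeader
        # (Flags, SizeExtra, AlgID, AlgIDHash, ...), all little-endian 32-bit.
        if len(stream) < 28:
            raise ValueError("truncated standard EncryptionHeader")
        alg_id, alg_hash = struct.unpack_from("<II", stream, 20)
        return {"scheme": "standard",
                "cipher": CIPHERS.get(alg_id, hex(alg_id)),
                "hash": HASHES.get(alg_hash, hex(alg_hash)),
                "spin_count": None}
    return {"scheme": f"unrecognised ({major}.{minor})",
            "cipher": None, "hash": None, "spin_count": None}

# Constructed sample streams (not taken from any real document).
SAMPLE_STANDARD = struct.pack("<HHII", 3, 2, 0x24, 32) + struct.pack(
    "<IIIIIIII", 0x24, 0, 0x660E, 0x8004, 128, 0x18, 0, 0)
SAMPLE_AGILE = struct.pack("<HHI", 4, 4, 0x40) + (
    b'<encryption><keyData saltSize="16" blockSize="16" keyBits="256" '
    b'hashSize="64" cipherAlgorithm="AES" cipherChaining="ChainingModeCBC" '
    b'hashAlgorithm="SHA512"/><keyEncryptors><keyEncryptor>'
    b'<p:encryptedKey spinCount="100000"/></keyEncryptor></keyEncryptors></encryption>')

if __name__ == "__main__":
    for name, data in (("standard", SAMPLE_STANDARD), ("agile", SAMPLE_AGILE)):
        print(name, describe_encryption_info(data))
```

A file that is not an OLE container with this stream either has no password to open or is in a different format, so the check says nothing about the strength of the passphrase itself.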