On Thu, 17 Feb 2005 13:23:52 -0500 (EST), David F. Skoll
<[EMAIL PROTECTED]> wrote:
> On Thu, 17 Feb 2005, Ben Kamen wrote:
> 
> > > 2) All kinds of regulations in the US like HIPAA and financial
> > > regulations will force businesses to at least pretend to control
> > > outflowing information.  Unfortunately, doing this effectively means
> > > prohibiting tools like PGP for encrypted e-mail. :-(
> 
> > So much for securing sensitive information with PGP so that only the
> > intended parties can read it.
> 
> Well, there's a commercial solution (maybe a few) that work like this:
> 
> 1) Health care agency X needs to send confidential information to client Y.
> 
> 2) Person from X sends confidential mail to a special account, something like:
> 
>         [EMAIL PROTECTED]
> 
> 3) A magic process intercepts the mail, stores the confidential info on
> an HTTPS server, and sends mail to [EMAIL PROTECTED] saying:
> 
>    "You have a confidential message at https://whatever"
> 
> 4) Y logs in with his/her username and password (which must have been
> sent out-of-band -- probably by regular mail) and reads the message.
> 
> This avoids Y having to understand anything about PGP.  I think it's a fairly
> cool solution.
> 
> Regards,
> 
> David.

Working for a health care related company, we see this all the time.
It's funny they send the username and password and URL all in the same
message.

I particularly don't like this whole setup.  We have had to prove on a
number of occasions that a conversation regarding liability
disclosures had indeed taken place.  If we have a vendor that promises
something and we have to go to their website to retrieve the message,
then we have to print the message and store it as proof the
conversation took place.  I am much more comfortable with having a
copy of the email electronically in my possession, in a user's mail
store, archived with all our other corporate mail.  Nothing stops
the vendor from deleting an email on their webserver proving they knew
of something just to get out of a large claim, and if we didn't print
the email we would have no proof.  I am a bigger fan of just
sanitizing the PHI out of email, manually if need be.  But I do not like
the get-your-email-at-this-URL scam.

Matt
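The four-step pickup flow David describes, and the two objections Matt raises (credentials mailed in the same message as the URL; the vendor controlling the only copy), as an added simulation that is not part of this thread and not any real product's code. The pickup domain, the portal URL, the convention of encoding the real recipient in the local part of the special address, and all class and method names are assumptions made for the example.

```python
"""Simulation of the 'pick up your confidential message over HTTPS' pattern.

Constructed example: PICKUP_DOMAIN, PORTAL_URL and the address encoding
(user=their.domain@PICKUP_DOMAIN) are assumptions, not anything from the thread.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

PICKUP_DOMAIN = "secure.example"        # assumed special-address domain (step 2)
PORTAL_URL = "https://portal.example"   # assumed HTTPS pickup server (step 3)
PBKDF2_ROUNDS = 100_000


class PickupPortal:
    def __init__(self):
        self._messages = {}   # token -> {"to", "from", "body", "stored_at"}
        self._accounts = {}   # username -> {"salt", "hash", "address"}

    def issue_credentials(self, recipient_address):
        """Create the recipient's login. The returned password must go
        out-of-band (e.g. postal mail), never in the notification e-mail."""
        username = recipient_address.split("@")[0]
        password = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        self._accounts[username] = {
            "salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "address": recipient_address,
        }
        return username, password

    def intercept(self, sender, rcpt, body):
        """Steps 2 and 3: mail to <user>=<domain>@PICKUP_DOMAIN is stored on the
        portal and replaced by a notification carrying only the URL."""
        local, _, domain = rcpt.partition("@")
        if domain != PICKUP_DOMAIN:
            return None   # ordinary mail, not handled here
        real_rcpt = local.replace("=", "@", 1)          # assumed encoding
        token = secrets.token_urlsafe(24)
        self._messages[token] = {
            "to": real_rcpt, "from": sender, "body": body,
            "stored_at": datetime.now(timezone.utc).isoformat(),
        }
        # The notice deliberately contains no username and no password.
        return {
            "to": real_rcpt, "from": sender,
            "body": f"You have a confidential message at {PORTAL_URL}/m/{token}",
        }

    def retrieve(self, token, username, password):
        """Step 4: verify the out-of-band credentials, then hand back the message
        with a digest and timestamp so the recipient can archive their own copy."""
        acct = self._accounts.get(username)
        if acct is None:
            return None
        check = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(check, acct["hash"]):
            return None
        msg = self._messages.get(token)
        if msg is None or msg["to"] != acct["address"]:
            return None   # unknown token, or a token addressed to someone else
        return {
            "from": msg["from"], "to": msg["to"], "body": msg["body"],
            "stored_at": msg["stored_at"],
            "retrieved_at": datetime.now(timezone.utc).isoformat(),
            "sha256": hashlib.sha256(msg["body"].encode()).hexdigest(),
        }

    def vendor_deletes(self, token):
        """The failure mode in the post: the portal owner removes the message."""
        self._messages.pop(token, None)


def notice_leaks_credentials(notice, password):
    """Matt's first objection: does the notification carry the password?"""
    return password in notice["body"]
```

The point of `retrieve` returning a digest and timestamps is the second objection: the recipient keeps that record in their own mail store, so a later `vendor_deletes` on the portal side does not remove the only evidence that the message existed.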
_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang