Hate to tell you this, but my outlook reports your certificate invalid! So much for theory. In practice, certificates have a significant number of management and administration problems. They expire and can make archived email inaccessible. They require significantly more help desk and seat management time. Additionally, if you have a certificate, you are vulnerable to its use by email based virus that send from your email client once infected. At least web-based / internet browser viewed secure email is secure and reliable based upon the server SSL certificate (different than the distributed certificate that accompanies regular email). Though again the problem with both is lack of Trust. The network is as much the problem as anything. There are "sniffers" that can capture email passing through most ISPs, and MIME can be broken. New "harvester" worms infect your email client and copy/resend emails based upon special criteria. In my opinion, only if there is a true trusted network, can you reasonably assure compliance. Outlook is a great product, but at this time, I personally do not see it as HIPAA compliant for either the Exchange or Internet Email clients, where the email travels over the web. Products like Lok, and any others like it offer a fully secure and trusted solution.
-----Original Message----- From: William J. Kammerer [mailto:[EMAIL PROTECTED]] Sent: Monday, April 29, 2002 7:06 PM To: [EMAIL PROTECTED] Subject: Re: Transmitting Patient Information via Internet (Email) I religiously sign using X.509 certificates (digital IDs), and have had very few problems corresponding with either folks who have given me their certificates (in which case e-mails can be encrypted), or those who have no certificates (in which case, I merely sign). The latter "un-certificated" folks will most likely receive my e-mail showing a red ribbon indicating the message has been signed and giving them an automatic means of importing my certificate (public key) - assuming they are using an S/MIME compatible e-mail client. Others (using AOL - which doesn't support any standard e-mail protocols, let alone S/MIME - or free web browser e-mail) will merely see a pkcs7-signature attachment, which they can safely ignore. My correspondents have used any number of e-mail clients: Outlook, Outlook Express or Netscape Communicator (on Windows or the Mac) and all have worked flawlessly as far as signing and encryption are concerned. Any number of encryption methods have been used among us, e.g., 40-bit RC2, DES and Triple-DES, with nary a concern. Sometimes, though, we have to futz a little to get a digital ID properly associated with an address book entry. But once that's done, secure e-mail Digital IDs or certificates from any number of CAs - usually Thawte or Verisign - have never caused a problem with interoperability using these e-mail clients. I've even had correspondents (who don't trust CAs for some reason) give me self-signed certificates, which I've gotten to work easily. The only serious problem I have run into is one zealous network administrator at a correspondent's company who thinks pkcs7-signature attachments are viruses, and has tuned the virus scanner to throw away my signed missives: I always have to remember to reset the "Sign" button when sending to that company. Other network administrators, I'm sure, are annoyed my correspondents use encryption, as it gets in their way of reading all incoming and outgoing e-mail in their copious free time. In short, any e-mail client which advertises itself as supporting S/MIME has always seemed to work for me and my correspondents. The few technical gotchas are insignificant compared to the problem of getting folks to try it out. All the software they need for secure e-mail is probably already sitting on their desktop: it's just a social engineering problem to deal with the resistance. William J. Kammerer Novannet, LLC. +1 (614) 487-0320 ----- Original Message ----- From: "Jan Root" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]>; "David Frenkel" <[EMAIL PROTECTED]> Sent: Monday, 29 April, 2002 05:32 PM Subject: Re: Transmitting Patient Information via Internet (Email) One more point to add (sorry to keep raining on a good idea): Interoperability has always been a major challenge to doing secure email. If I buy secure email system X and you buy secure email system Y, can we exchange secure email? Probably not. The Massachusetts component of HealthKey (the Mass. Health Data Consortia) did an interoperability project for secure email. I think they started with 6 (5?) secure email vendors, all of which claimed to have implemented the X.509 (v3?) standard. However, when tested, none of these systems could read each other's email. This was a couple of years ago so perhaps this problem has been solved, but interoperability is something to consider if you are looking at secure email systems. And then there is the problem of trying to send secure email to someone who doesn't have secure email facilities. Vendors have come up with clever ways to deal with this, but it is far from being automatic or transparent. Secure email still seems to be much more difficult than it appears on first blush. Jan Root ----- Original Message ----- From: <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]>; "David Frenkel" <[EMAIL PROTECTED]> Sent: Monday, 29 April, 2002 03:17 PM Subject: RE: Transmitting Patient Information via Internet (Email) Traditional email systems, are very difficult to make secure. They are subject to numerous potential hazards that affect security and privacy, and thus make them non-compliant. You will notice changing language in the terms and conditions of some "free" web-based email systems already - declaring their non-HIPAA compliance upfront. The problem with traditional email, is several fold I believe. First, there is the simple matter of transmission reliability. Emails are passed through a network of systems, some or all could retain copies of the email - can you get Trusted Party Agreements with each? No way - you NEVER know what systems touch your emails. Emails are also not always received. Other than requesting a "Read Receipt", there is no way to know with a traditional email what ultimately happens to it - take a look at the transmission header info of a few of your own emails and you will begin to see the problem. Security is a big problem in traditional emails. You can use "Certificates" or even PGP encrypt them, this may secure the contents, but you still have the network Trust problems. There is however, a solution for this. There is one company who has developed a new product/service/technology for a full "trusted" email network, with a secure reliable client and server. It appears fully ready to go and solid. The company is LOK technology (www.loktech.com). Their system inherently appears compliant (good enough for the CIA & NSA, former directors of both agencies are on their boards). In addition, they have a secure file transmission service called LOKvault that would replace the traditional FTP approach so many use. While, my company does not yet use it for our clients, I have evaluated it and I am strongly pushing its adoption as the standard for all our compliance implementations. One less issue to worry about. I would strongly encourage all to look at their website for more info. Regards, Dr. Tim McGuinness, Ph.D. Sr. Compliance Specialist & Solutions Architect Certified HIPAA Chief Privacy Officer DynTek Inc. www.dyntek.com ********************************************************************** To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address. ********************************************************************** To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address.
