Yes, I certainly suppose that unless the server-based virus scanning software has access to the private key of the recipient, it would be impossible for it to read the message and do its "job." This wouldn't be a problem for virus scanning done at the desktop e-mail client, since decryption could be done before the scanning. In the enterprise, private keys could be held at the server for decryption so virus-scanning could be done centrally. I see no problem with that, really, considering all e-mail going into and out of the enterprise using its servers is the property of the organization.
None of this should be interpreted as my endorsement of virus scanners or spam filters.

William J. Kammerer
Novannet, LLC.
Columbus, US-OH 43221-3859
+1 (614) 487-0320

----- Original Message -----
From: "Terry Swenor" <[EMAIL PROTECTED]>
To: "William J. Kammerer" <[EMAIL PROTECTED]>; "WEDI SNIP Security Workgroup List" <[EMAIL PROTECTED]>
Sent: Wednesday, 05 November, 2003 08:24 PM
Subject: RE: PHI and emails

Any thoughts on encrypting emails and virus/trojan protection? I've heard that because the messages are encrypted, the virus scanning software can't parse the file.

Terry Swenor
Alaska Children's Services

-----Original Message-----
From: William J. Kammerer [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 2:59 PM
To: WEDI SNIP Security Workgroup List
Subject: Re: PHI and emails

Encrypted e-mail using S/MIME under Outlook, Outlook Express or Netscape Communicator is free and (relatively) easy to use. Barring use of S/MIME - because of a stubborn refusal to use what's already on your computer, or perhaps paranoia about Microsoft or Verisign - maybe PGP is a second-best alternative. A third-best alternative would be to encrypt the Word attachment with PKZIP Professional.

ALL these methods require that your correspondent give you their digital certificate (X.509 in the case of S/MIME and PKZip, PGP otherwise) so that you can safely encrypt using her public key. S/MIME and PGP set the standard for encryption. If PHI is worth protecting, why ever would someone not take a little bit of time to learn how to do it properly?

William J. Kammerer
Novannet, LLC.
Columbus, US-OH 43221-3859
+1 (614) 487-0320

----- Original Message -----
From: "Scott" <[EMAIL PROTECTED]>
To: "WEDI SNIP Security Workgroup List" <[EMAIL PROTECTED]>
Cc: "'Terry Swenor'" <[EMAIL PROTECTED]>
Sent: Tuesday, 04 November, 2003 06:17 PM
Subject: Re: PHI and emails

I suspected that reading a password-protected .doc would not be as easy as opening it in Notepad so I tested it with a protected .doc I happened to have on my hard drive. I scanned the entire content and found that it was not readable; it appears encrypted, with none of the contents discernable whatsoever. When opening a non-password-protected .doc through Notepad, however, I was able to read the contents so I believe Word encrypts the contents when protected. The example I used was a .doc created in WordXP, attempting to read through Notepad/Windows 2000 but I would expect the same results from all modern versions.

As obtainable as "cracking" software may be, it would certainly be a decent, though entirely possible, effort to acquire and use the software to acquire access to someone's PHI. I think a practice must make a decision whether it is taking sufficient precautions to protect the PHI in its custody--and this decision may vary based on the size of the practice, as referred to as the "small practice" solution. What may be prudent care of PHI for a small medical practice may *not* be for a hospital or payer. As such (IMHO), "protecting" PHI with Word password protection would be woefully inadequate for a large practice/hospital/payer but *might* be reasonable for a rural/small practice.

Scott Bernay
Business Analyst, Keane Inc
[EMAIL PROTECTED]

----- Original Message -----
From: "Michael S. White" <[EMAIL PROTECTED]>
To: "WEDI SNIP Security Workgroup List" <[EMAIL PROTECTED]>
Cc: "'Terry Swenor'" <[EMAIL PROTECTED]>
Sent: Tuesday, November 04, 2003 3:26 PM
Subject: RE: PHI and emails

Hello Terry:

Take into consideration that a password protected Word document can be opened in Notepad without knowing the password displaying the content of the Word document (along with other information). Try it yourself and you'll see what I mean. Additionally, there are a number of programs freely available online that will break and/or disclose the password. Personally, I don't feel password protecting Word documents protects the information contained therein - PHI or otherwise.

_____
Michael S. White
Information Systems Specialist
[EMAIL PROTECTED]

>I'm soliciting opinions regarding attaching a password protected Word
>document to an email as a way of protecting PHI. Of course the
>password would be sent in a different email. Comments?

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-security as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
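
The thread's point that a server-side scanner cannot read S/MIME or PGP mail without the recipient's private key can be turned into a gateway check. The sketch below is an added example, not code from any list participant: it flags messages a central scanner cannot inspect so that scanning can be left to the desktop client after decryption. The function names, the two routing labels and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string

SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"

def opaque_reasons(raw: str) -> list:
    """List the parts a server-side scanner cannot read without a private key."""
    reasons = []
    for part in message_from_string(raw).walk():
        ctype = part.get_content_type()
        if ctype in SMIME_TYPES:
            smime_type = str(part.get_param("smime-type") or "").lower()
            # enveloped-data is encrypted; signed-data is only wrapped and
            # stays readable. A missing parameter is treated as encrypted.
            if smime_type in ("enveloped-data", ""):
                reasons.append("S/MIME enveloped-data")
        elif ctype == "multipart/encrypted":
            proto = str(part.get_param("protocol") or "").lower()
            reasons.append("PGP/MIME" if proto == "application/pgp-encrypted"
                           else "multipart/encrypted (" + proto + ")")
        elif part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            if PGP_ARMOR in body:
                reasons.append("inline PGP")
    return reasons

def route(raw: str) -> str:
    """Gateway decision: scan centrally, or leave scanning to the desktop client."""
    return "defer-to-endpoint" if opaque_reasons(raw) else "scan-at-gateway"

# Constructed sample messages (not real traffic).
HDR = "From: a@example.org\nTo: b@example.org\nSubject: PHI\nMIME-Version: 1.0\n"
PLAIN = HDR + "Content-Type: text/plain\n\nLab results attached.\n"
SMIME_ENC = HDR + ('Content-Type: application/pkcs7-mime; '
                   'smime-type=enveloped-data; name="smime.p7m"\n'
                   "Content-Transfer-Encoding: base64\n\nMIIBAAAA\n")
SMIME_SIGNED = SMIME_ENC.replace("enveloped-data", "signed-data")
PGP_MIME = HDR + ('Content-Type: multipart/encrypted; '
                  'protocol="application/pgp-encrypted"; boundary="b1"\n\n'
                  "--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n\n"
                  "--b1\nContent-Type: application/octet-stream\n\n"
                  "-----BEGIN PGP MESSAGE-----\n(constructed)\n"
                  "-----END PGP MESSAGE-----\n--b1--\n")
INLINE_PGP = HDR + ("Content-Type: text/plain\n\n-----BEGIN PGP MESSAGE-----\n"
                    "(constructed)\n-----END PGP MESSAGE-----\n")

if __name__ == "__main__":
    for name in ("PLAIN", "SMIME_ENC", "SMIME_SIGNED", "PGP_MIME", "INLINE_PGP"):
        print(name, route(globals()[name]), opaque_reasons(globals()[name]))
```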