Archive for October, 2009

E-Mail Encryption: Gateway or End-to-End

Wednesday, October 28th, 2009

E-mails that carry patient information should be encrypted so that only authorized parties can decrypt them.  There are two ways to encrypt e-mail: end to end or at the gateway. Before selecting an e-mail encryption solution, decide whether you want (or need) End to End or Gateway.

..

End to end e-mail encryption protects e-mails stored inside each mailbox (whether on a server or stored locally on a computer). End to end e-mail encryption protects messages from being read by e-mail administrators and by anyone who has access to the user’s mailbox or computer (if using POP3 or IMAP to retrieve messages). Although it requires client software to be deployed to all users, it is the most comprehensive method of encrypting e-mail.

..

Gateway encryption does not protect messages in each user’s mailbox. It does, however, encrypt and decrypt messages as they leave and arrive at the e-mail server. Gateway encryption is easier to deploy because it does not require client software deployment to each user. Instead, e-mail is encrypted and decrypted according to policies or even keywords found inside messages.  Since all messages are required to pass through an encryption gateway (even e-mails that do not require encryption), substantial hardware could be required to host the e-mail gateway encryption system. Since the gateway performs the encryption and decryption, the sensitive messages stored in each user’s mailbox are decrypted and are not protected.
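To make the policy-or-keyword decision concrete, here is an added example of the per-message check a gateway performs before a message leaves the network; it is not code from the original post or from any product. The keyword list, the "[encrypt]" subject tag and the MRN-###### identifier pattern are constructed assumptions, as are the two sample messages.

```python
import email
import re
from email.message import Message

# Constructed policy for a hypothetical gateway: any trigger below means the
# message must leave the network encrypted. Keywords are matched as whole
# words, case-insensitively, in the subject and the text body.
KEYWORDS = {"patient", "diagnosis", "medical record", "phi"}
FORCE_TAG = "[encrypt]"              # subject tag a sender can use to force encryption
MRN_RE = re.compile(r"\bMRN-\d{6}\b")  # constructed record-number format


def text_body(msg: Message) -> str:
    """Collect the decoded text/plain parts of a message (attachments ignored)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def encryption_decision(raw: str) -> tuple[bool, list[str]]:
    """Return (must_encrypt, reasons) for a raw RFC 5322 message string."""
    msg = email.message_from_string(raw)
    subject = msg.get("Subject", "")
    text = f"{subject}\n{text_body(msg)}"
    lowered = text.lower()
    reasons = []
    if FORCE_TAG in subject.lower():
        reasons.append("subject tag")
    reasons += [f"keyword:{k}" for k in sorted(KEYWORDS)
                if re.search(rf"\b{re.escape(k)}\b", lowered)]
    if MRN_RE.search(text):
        reasons.append("identifier:MRN")
    return bool(reasons), reasons


# Constructed sample messages: one that should trigger, one that should not.
CLINICAL = ("From: a@clinic.example\nTo: b@lab.example\nSubject: Lab results\n\n"
            "Patient MRN-123456 results attached.\n")
LUNCH = ("From: a@clinic.example\nTo: c@clinic.example\nSubject: Lunch\n\n"
         "Cafeteria at noon?\n")

if __name__ == "__main__":
    for raw in (CLINICAL, LUNCH):
        print(encryption_decision(raw))  # (True, ['keyword:patient', 'identifier:MRN']) then (False, [])
```

A message that matches none of the policy triggers is relayed in the clear, which is why a gateway policy needs review against the identifiers and terms your organization actually uses.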

..

There are various software packages that provide e-mail encryption solutions. There are even hosted e-mail encryption services that, for a monthly or yearly fee, provide you with software and a service to encrypt e-mails. The key question to consider is whether you need e-mails to be secured inside the mailbox, or whether it’s sufficient for e-mails inside the mailbox to be unencrypted but encrypted on the way in and out of your network. Remember that sent e-mails are typically stored in your “sent items” folder. Do these sent e-mails need to be encrypted? If so, you need an End to End solution.

..

Still not sure which is right for you? Feel free to e-mail or call us and we will be more than glad to explain this important topic in more detail.



Congress to HHS: Remove the harm assessment!

Saturday, October 3rd, 2009

In a strongly-worded letter signed by six congressmen and sent to HHS Secretary Kathleen Sebelius, the message was clear: remove the harm assessment that lawmakers rejected when writing the privacy regulations into ARRA. The harm standard essentially says that in case of a breach the covered entity must assess whether the breach could cause reputational, financial, or other types of harm.  This leaves open the possibility that a covered entity could decide to act in its own interest and choose not to follow the directives written into the breach notification rule.

..

There are, of course, two sides of the sword. On one hand it’s difficult to enforce a policy with subjective elements present, such as the harm assessment. It is unlikely that a covered entity would risk the substantial fines, now as high as $1.5 million, and the possibility of criminal prosecution to avoid notification in case a serious breach occurs. However, the harm assessment leaves that possibility open.

..

A drawback to removing the harm assessment is that, ironically, too many breach notifications might be sent to people, creating a “boy who cried wolf” effect. In a perfect world breaches would never happen, so there would be no reason to notify people. However, we all know that is not the reality. Breaches do occur, intentional or not, and people need to be notified as soon as possible. Should covered entities be given the privilege of deciding the severity of the harm and potentially choosing not to notify people? We shall see what steps Congress and HHS take next.
