Comparing Fax and Email Security
-
Additionally, the notion of authentication also becomes a point of security. Email has the concept of being sent to a person; although things like distribution groups and such do exist, the concept behind email is that it is a person to person transmission device. This can be bypassed, but it requires manual effort. Even at its most basic, email is sent to person@entity.
Fax, however, is sent to a location. It is a place based authentication, not a person. While an individual person may own and have sole access to a fax machine, that is not the concept behind the system. Like home phones, the idea is to send the transmission to a device rather than to a person.
Someone sending an email can identify "to whom" the information was sent, at least by intent. Someone sending a fax can identify "to where" the information was sent by intent.
While additional security can be added to fax or removed from email, the underpinnings of email are based around security in a way that they are not with fax. A fax machine can be configured not to print automatically today, so there are fixes to this kind of issue. But it is not the default assumption of the media. The standard security mechanism for secure fax is to convert it to email, highlighting how much more secure email is seen as being.
-
Very nice article. I have been debating this for years. So healthcare practices think a Fax machine makes them HIPAA compliant because it doesn't require encryption...
-
Me, every time I run into this myself...
-
@dbeato said in Comparing Fax and Email Security:
Very nice article. I have been debating this for years. So healthcare practices think a Fax machine makes them HIPAA compliant because it doesn't require encryption...
Pretty much, yes.
-
@dbeato said in Comparing Fax and Email Security:
Very nice article. I have been debating this for years. So healthcare practices think a Fax machine makes them HIPAA compliant because it doesn't require encryption...
I seriously doubt this. The lack of a universal secure drop in option has left healthcare floundering.
I'm curious if government agencies fall into this same pitfall.
Specifically I wonder about the court systems? Do lawyers still fax documents into the courthouse?
Direct Messaging was supposed to replace faxing, at least I think that was one of its goals, but it never really took off. Today we see a small amount of data come through this method.
HL7 interface - again something that was designed to transfer data between medical systems - sadly the central component between two systems required a ton of programming and testing, is super expensive due to human programming time while widely used, had never taken the place of faxing in general. Specialized things like lab results have seen very widespread use of HL7 from a lab back to the ordering physician office, but inter-office communications.
On top of that many offices today still don't use discrete data. Instead a person dictates reports which are then transcribed. I suppose as long as this data is stored as text, it can more easily transfer electronically versus images (not that images are hard, they are just harder).
I view this problem the same way I view the telephone system. Old communications system that sets a unique connection point to a location. Of course with the advent of cellphones, we granularized a great part of this because cellphones are typically used by a single person whereas a home phone is shared by a family.
So, how do we move from a location based solution to a personalized one that's universal?
Chat clients are what I kinda instantly think of - but look at the mess we have there - gchat, skype, AIM, Allo, HangOuts, FBM, WhatsApp, etc. there are dozens and dozens of options. Unlike the phone system of yesterday, there's not really a single standard fairly universal way of connecting to someone.
If cellular companies decided tomorrow to no longer require a phone number, and instead were just mobile devices to get on the internet - how would you connect to others? How would you connect to restaurants that you needed to talk to directly (never mind the reason), how about 911 - how would you get emergency services?
-
@Dashrender said in Comparing Fax and Email Security:
@dbeato said in Comparing Fax and Email Security:
Very nice article. I have been debating this for years. So healthcare practices think a Fax machine makes them HIPAA compliant because it doesn't require encryption...
I seriously doubt this. The lack of a universal secure drop in option has left healthcare floundering.
That's hardly the case. The rest of the world had "drop in replacements" in the 1990s. Only healthcare thinks that it is plausible to say that alternatives do not exist. And it is a red herring to demand a "secure" drop in replacement. Fax is not secure, any replacement is fine to get away from it. That the drop in replacement is easily secured today is just a bonus. Healthcare just feels that its level of incompetence and lack of real world capabilities is a viable excuse for not living up to the standards of modern society.
-
@Dashrender said in Comparing Fax and Email Security:
I'm curious if government agencies fall into this same pitfall.
Of incompetence and hope that they won't be expected to live up to the same standards expected of consumers? Yes, absolutely. Just look at the recent email scandals. Or when I worked for the Fed that the Congress was using unencrypted AOL IM for government transmissions.
-
@Dashrender said in Comparing Fax and Email Security:
So, how do we move from a location based solution to a personalized one that's universal?
While ridiculous, email will allow this and always has. Just make a location based email.
These are not realistic concerns. These are things that should have been solved in the early 1990s in five minutes of consideration.
-
@Dashrender said in Comparing Fax and Email Security:
I view this problem the same way I view the telephone system. Old communications system that sets a unique connection point to a location.
And, like phones, was solved long ago with old fashioned fallbacks. The point to point system can be replicated with modern technology even more easily than kept with the old. We simply don't normally do it because it is so silly. But that's not the same as it being a barrier.
-
@Dashrender said in Comparing Fax and Email Security:
Chat clients are what I kinda instantly think of - but look at the mess we have there - gchat, skype, AIM, Allo, HangOuts, FBM, WhatsApp, etc. there are dozens and dozens of options. Unlike the phone system of yesterday, there's not really a single standard fairly universal way of connecting to someone.
None of those mimic fax like email does. Email is and always has been the universal standard. There is no reason not to use it. It's secure, it's universal, it's rock solid, it's well known and understood, it's already needed by every business everywhere and it is not owned by a commercial entity.
-
@Dashrender said in Comparing Fax and Email Security:
If cellular companies decided tomorrow to no longer require a phone number, and instead were just mobile devices to get on the internet - how would you connect to others? How would you connect to restaurants that you needed to talk to directly ...
Um, firstly I have no idea what you mean by this question and I'm confused as you word this as if this isn't a problem solved decades ago. You can use the universal SIP phone system to replace traditional phone numbers - it uses the exact same DNS based mechanism as email. We've had this for nearly twenty years. Most people don't use it or use it often because they get used to dialing SS7 phone numbers and because that crosses the barrier to old fashioned phones. But things like "how do we do that" are long ago solved and very standard. And super simple using mechanisms that even people not familiar with Internet calling are used to already from email.
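The parallel drawn above between email and SIP addressing, as an added example that is not part of the original post: both take `user@domain` and find the next hop through DNS (MX for mail, SRV for SIP). The zone data is constructed, `example.com` and `example.net` are placeholder domains, the function names are hypothetical, and trying TLS first for `sip:` URIs is an assumed client preference.

```python
# Added illustration: next-hop discovery for user@domain addresses.
# ZONE is constructed sample data; example.com/example.net are placeholders.
ZONE = {
    ("example.com", "MX"): [(10, "mx1.example.com"), (20, "mx2.example.com")],
    ("_sips._tcp.example.com", "SRV"): [(10, 40, 5061, "sip2.example.com"),
                                        (10, 60, 5061, "sip1.example.com")],
    ("_sip._udp.example.com", "SRV"): [(20, 100, 5060, "sip1.example.com")],
    ("example.net", "A"): ["192.0.2.25"],
}

def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed zone."""
    return ZONE.get((name.lower(), rtype), [])

def domain_of(address):
    """Return the domain of 'user@domain' or 'sip:user@domain'.
    Assumes no explicit port or URI parameters."""
    rest = address.split(":", 1)[-1]
    user, at, domain = rest.rpartition("@")
    if not (user and at and domain):
        raise ValueError(f"not a user@domain address: {address!r}")
    return domain.lower()

def mail_targets(address):
    """SMTP: MX records by ascending preference, else the domain's own
    address record (the implicit MX rule of RFC 5321)."""
    domain = domain_of(address)
    mx = sorted(lookup(domain, "MX"))
    if mx:
        return [(host, 25) for _pref, host in mx]
    return [(domain, 25)] if lookup(domain, "A") else []

def sip_targets(uri):
    """SIP (RFC 3263, NAPTR step omitted): first transport with SRV
    records wins, TLS tried first; else the domain on the default port."""
    domain = domain_of(uri)
    secure_only = uri.lower().startswith("sips:")
    services = ["_sips._tcp"] if secure_only else ["_sips._tcp", "_sip._tcp", "_sip._udp"]
    for service in services:
        srv = lookup(f"{service}.{domain}", "SRV")
        if srv:
            # RFC 2782 picks by weighted random within a priority; sorted
            # here (priority up, weight down) so the output is repeatable.
            ordered = sorted(srv, key=lambda r: (r[0], -r[1]))
            return [(host, port) for _p, _w, port, host in ordered]
    default_port = 5061 if secure_only else 5060
    return [(domain, default_port)] if lookup(domain, "A") else []
```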
-
Just for fun, I made a business to business SIP call just now from DCH to NTG. Works great and bypasses the need for PSTN. It's dramatically more secure than legacy telephony, even VoIP to PSTN telephony, and has no costs involved and in many ways is easier to do.
-
If you have SIP based VoIP, you can dial this test service to see direct SIP dialing in action...
[email protected]
-
@scottalanmiller said in Comparing Fax and Email Security:
If you have SIP based VoIP, you can dial this test service to see direct SIP dialing in action...
And there you go.
Most consumers don't have SIP based VOIP access at this point. They'd have to buy and strap it onto something they have today. I'm assuming the cellphones can plug right into this, especially through an app that they then register with a SIP service.
-
@scottalanmiller said in Comparing Fax and Email Security:
@dbeato said in Comparing Fax and Email Security:
Very nice article. I have been debating this for years. So healthcare practices think a Fax machine makes them HIPAA compliant because it doesn't require encryption...
Pretty much, yes.
As you know, with all things HIPAA, there often are no rules or specific guidelines. A small shop has different criteria than a huge healthcare system.
I am sure if the fax machine was out in the waiting room, that would be a violation. If it is behind the counter where patients should not be able to access it, it is probably as secure as it can be.
Whether or not this is truly secure has nothing to do with actual security, rather just falling in line to the HIPAA regulation. Again, as you know @scottalanmiller because you have said this many times.
It's the same reason postal mail is considered HIPAA compliant. But really, how secure is postal mail? It's not.
-
@Dashrender said in Comparing Fax and Email Security:
@scottalanmiller said in Comparing Fax and Email Security:
If you have SIP based VoIP, you can dial this test service to see direct SIP dialing in action...
[email protected]
And there you go.
Most consumers don't have SIP based VOIP access at this point. They'd have to buy and strap it onto something they have today. I'm assuming the cellphones can plug right into this, especially through an app that they then register with a SIP service.
Don't they? Just... install the app and go. There is no "SIP Service" in SIP calling. You don't need a PBX or server. Just fire up any SIP client, or buy a desk phone and add a DNS entry (DDNS often needed.)
It's within the most casual reach of anyone. And for making calls you don't even need the DDNS piece.
-
@BRRABill said in Comparing Fax and Email Security:
I am sure if the fax machine was out in the waiting room, that would be a violation. If it is behind the counter where patients should not be able to access it, it is probably as secure as it can be.
That's like having a computer, with no logins, that is always up displaying emails that anyone walking past can see and, by swiping their hand over, gets a copy in their pocket. There is no real world ability to make email as insecure as "about as secured as it gets" fax.
-
@BRRABill said in Comparing Fax and Email Security:
Whether or not this is truly secure has nothing to do with actual security, rather just falling in line to the HIPAA regulation.
I truly believe any auditor or judge allowing fax is corruption. It does not meet any letter or intent of HIPAA guidelines and is a blatant mocking of the security of the American public. HIPAA was designed for the purpose of making it possible to prosecute people doing things specifically like faxing. It's been abused by those in power to do exactly the opposite, it's been used to curtail security and protect the worst abusers.
-
@scottalanmiller said in Comparing Fax and Email Security:
@BRRABill said in Comparing Fax and Email Security:
Whether or not this is truly secure has nothing to do with actual security, rather just falling in line to the HIPAA regulation.
I truly believe any auditor or judge allowing fax is corruption. It does not meet any letter or intent of HIPAA guidelines and is a blatant mocking of the security of the American public. HIPAA was designed for the purpose of making it possible to prosecute people doing things specifically like faxing. It's been abused by those in power to do exactly the opposite, it's been used to curtail security and protect the worst abusers.
OK, but we are talking about HIPAA here, right?
P.S. Are you getting paid by some strange company to use the word "corruption" this week?
-
@BRRABill said in Comparing Fax and Email Security:
@scottalanmiller said in Comparing Fax and Email Security:
@BRRABill said in Comparing Fax and Email Security:
Whether or not this is truly secure has nothing to do with actual security, rather just falling in line to the HIPAA regulation.
I truly believe any auditor or judge allowing fax is corruption. It does not meet any letter or intent of HIPAA guidelines and is a blatant mocking of the security of the American public. HIPAA was designed for the purpose of making it possible to prosecute people doing things specifically like faxing. It's been abused by those in power to do exactly the opposite, it's been used to curtail security and protect the worst abusers.
OK, but we are talking about HIPAA here, right?
P.S. Are you getting paid by some strange company to use the word "corruption" this week?
Didn't you get the latest drinking game memo? Good thing I don't play, I wouldn't be able to stand up this week!