encrypted email options?
-
@scottalanmiller said in encrypted email options?:
It's just not as invasive, so people don't feel as secure.
This is definitely true.
-
@IRJ said in encrypted email options?:
@Dashrender said in encrypted email options?:
@IRJ said in encrypted email options?:
@Dashrender said in encrypted email options?:
Believe me - I'm not in the weeds over Scott's post.
But it's likely that my only requirement is HIPAA, not encryption of data at rest, especially on the patient side, etc.
HIPAA doesn't require encryption at rest, even though I have it on my side with O365.
HIPAA doesn't require encryption at rest on the client side - it makes no mention of it.
You mention authentication to access - does having access to their own email account count? I think it does, so I believe this is checked off.
Is TLS delivery an industry accepted standard - yes, check
Can I bring my own key - not a HIPAA requirement
Will it integrate into my current solution - well, TLS only itself will integrate seamlessly, but domains that don't support it won't fail for 24 hours, leading to complaints of delivery failure and extreme time for notice.
Now I completely agree with you that OME is likely the solution we will employ, if for no other reason than it's what the novice world has come to know as secure/encrypted email.
Actually, one of the things I'm considering is - will management accept the 24 hour delay in notice on failed TLS connections AND do they consider TLS enough to sign off on the HIPAA requirement for secure/encrypted email?
In the past they rescinded the sign off because their family used accounts that didn't support it. Cox has finally moved to a solution that does support it, so that hurdle is removed.
You are all over the place, dude.
If you can get away with doing nothing, should you? Doing the bare minimum is pretty bad, when you know it's insecure. You as a customer wouldn't want your PHI handled like that, would you?
You're not happy with TLS based delivery of your PHI to gmail? So you don't trust gmail security to keep your email secure? It's encrypted on my side at rest (O365), it's encrypted during transit (TLS), and on your side - that's your problem.
Really, once the patient accesses the data via OME, they're likely downloading it in a non encrypted PDF and saving it to their computer where they're just likely emailing it to someone else.
So I'm asking - what benefit does OME bring to the normal user in this environment?
But let's bump this up to something between you and your lawyer - you trust your email system, you assume they trust theirs, and you're using TLS between them - do you need something more? Are you that worried about the IT person reading the emails? If so, should they be working for you? Or is there a requirement to make it impossible for them to access them?
Believe me guys, I totally get where you guys are going with this stuff. But it sounds like you're saying that TLS alone would never be an option for you, and my question is - why not?
And does that outweigh the onus on the end user when accessing attachments on email?
Phishing. Your work has had email addresses leaked before and an attacker could use this as a way to target your patients. An attacker would not use a service that is actively scanning for malware, he would send them via email.
Another advantage is that you control the data until they download. Which means you can set links that expire or remove content at anytime. Could the user have downloaded it, sure. However, you control the full delivery process and can actually remove access at anytime. An email will sit in their inbox forever.
LOL - OK that's good for email, but patients also have access to their patient portal - you know.. all that HIPAA data we're trying to protect. We can't set expiration dates on access to those. So if the end user's computer is compromised, there is nothing we can do about that.
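The TLS-only delivery problem raised above (a recipient domain whose mail server does not offer STARTTLS, and a sender who only finds out once the outbound queue gives up) can be checked before the first message is sent. The following is an added example, not code from anyone in this thread or from any product mentioned in it. It assumes the caller already knows the recipient domain's MX host names (the Python standard library has no MX lookup), that those hosts accept connections on port 25, and that the two sample EHLO replies are constructed for the offline check and do not come from real servers.

```python
import smtplib

# Constructed EHLO reply bodies, in the shape smtplib.SMTP.ehlo() returns
# them (first line is the server greeting, one extension per following line).
SAMPLE_EHLO_WITH_TLS = b"mx.example.net Hello\nSIZE 35882577\nSTARTTLS\n8BITMIME"
SAMPLE_EHLO_NO_TLS = b"mx.example.org Hello\nSIZE 10240000\n8BITMIME"


def ehlo_advertises_starttls(ehlo_message: bytes) -> bool:
    """Return True if the EHLO reply lists STARTTLS among its extensions.

    Mirrors what smtplib.SMTP.has_extn("starttls") checks after ehlo(), but
    works on captured reply text so it can be exercised without a network.
    """
    lines = ehlo_message.decode("latin-1").splitlines()[1:]  # drop greeting
    return any(line.strip().split(" ", 1)[0].upper() == "STARTTLS" for line in lines)


def probe_mx_host(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to one MX host, send EHLO and report whether it offers STARTTLS.

    Network call. Failures are returned in the 'error' field rather than
    raised, so a batch of hosts can be checked in one pass.
    """
    result = {"host": host, "starttls": False, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            code, msg = smtp.ehlo()
            if code != 250:
                result["error"] = f"EHLO rejected with code {code}"
                return result
            result["starttls"] = ehlo_advertises_starttls(msg)
    except (smtplib.SMTPException, OSError) as exc:
        result["error"] = str(exc)
    return result


def delivery_outcome(policy: str, starttls: bool) -> str:
    """What a sending MTA does with a message under a given TLS policy.

    policy: "opportunistic" (use TLS if offered, else send in clear) or
            "mandatory"     (refuse to send in clear; queue and retry).
    Returns "tls", "cleartext" or "deferred". A deferred message is the case
    the thread complains about: the sender is typically only told once the
    queue exhausts its retries.
    """
    if policy not in ("opportunistic", "mandatory"):
        raise ValueError(f"unknown policy: {policy}")
    if starttls:
        return "tls"
    return "cleartext" if policy == "opportunistic" else "deferred"


def assess_domain(mx_hosts: list, policy: str) -> dict:
    """Probe every MX host for a domain and summarise the delivery outcome.

    The domain is treated as TLS-capable only if every reachable MX host
    advertises STARTTLS, since the sending MTA may pick any of them.
    """
    probes = [probe_mx_host(h) for h in mx_hosts]
    reachable = [p for p in probes if p["error"] is None]
    all_tls = bool(reachable) and all(p["starttls"] for p in reachable)
    return {
        "probes": probes,
        "outcome": delivery_outcome(policy, all_tls),
    }


if __name__ == "__main__":
    # Offline demonstration on the constructed replies.
    for label, reply in (("with TLS", SAMPLE_EHLO_WITH_TLS), ("no TLS", SAMPLE_EHLO_NO_TLS)):
        tls = ehlo_advertises_starttls(reply)
        print(f"{label}: STARTTLS={tls}, mandatory policy -> {delivery_outcome('mandatory', tls)}")
```

Run `assess_domain(["mx1.recipient.example", "mx2.recipient.example"], "mandatory")` with the real MX names for a domain you expect to send to; an outcome of `deferred` is the situation where a TLS-only configuration would sit in the queue rather than deliver, and is worth knowing before management is asked to sign off on that policy.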
-
@IRJ said in encrypted email options?:
Another advantage is that you control the data until they download. Which means you can set links that expire or remove content at anytime. Could the user have downloaded it, sure. However, you control the full delivery process and can actually remove access at anytime. An email will sit in their inbox forever.
Well, think of the email as having been downloaded and now they are the same. In either case, if the patient automatically downloads everything and just leaves it somewhere, it's just there forever. In both cases, you don't care.