O365 and encrypted mail to other email systems
-
@Dashrender said in O365 and encrypted mail to other email systems:
#1 while potentially painful, is more ensuring that there will never be a failure.
No, it ensures that there is almost always a failure. I know places using these systems right now (hospital) that can't get prompt IT support because they have to send emails to third parties, get them to unencrypt and then transfer over TLS on their behalf because the systems aren't reliable. I deal with this every few days. Reliable is the last thing that these systems are.
-
@Dashrender said in O365 and encrypted mail to other email systems:
#2 is a pain, because when it fails a different solution will have to be found/used to communicate with that contact.
Use non TLS email for that if you want. but you can just send the payload, still safer than faxing. So totally HIPAA compliant.
-
@scottalanmiller said in O365 and encrypted mail to other email systems:
@Dashrender said in O365 and encrypted mail to other email systems:
First the easy one, #3 isn't HIPAA compliant, so it's out.
That's not true. If that were true, faxing would be out. You know that faxing is okay, so you know that this is okay. It's that easy.
Seriously bro! we need to have a face to face on this one! I understand the insecure portions you talk about, but for some deity's sake - you have yet to convenience me why faxing is so much more insanely insecure than email - But that's for another time!
Leave faxing out of this conversation and give me another example why #3 would be compliant?
-
@Dashrender said in O365 and encrypted mail to other email systems:
Seriously bro! we need to have a face to face on this one! I understand the insecure portions you talk about, but for some deity's sake - you have yet to convenience me why faxing is so much more insanely insecure than email - But that's for another time!
We have. It's covered. Faxing is the well known least secure possible option. Every aspect of it, every one, is the least security possible. You can't make a system less secure without resorting to public broadcast systems like bulletin boards.
-
@Dashrender said in O365 and encrypted mail to other email systems:
Leave faxing out of this conversation and give me another example why #3 would be compliant?
What do you mean? It's not my burden to bear. You have to show why it is NOT compliant as you made the claim. I know that it's safer than faxing, by a LOT. So... either faxing isn't allowed (it is) or email is okay (based on being more secure.) It's that simple.
-
@scottalanmiller said in O365 and encrypted mail to other email systems:
@Dashrender said in O365 and encrypted mail to other email systems:
Disagree Zix does have one Pro: able to send notice of desire to communicate, but TLS isn't available, so you must use another more painful means.
Nope, you can make rules for TLS that allow you to send notification but not the payload.
You just repeated what I said. Now, since Zix doesn't give a shit about TLS, it only ever uses it's secure portal (to the best of my knowledge) all secure messages are sent using their painful method, but a notice about that message is sent via to the client over whatever, TLS or not is available to the server.
-
@Dashrender said in O365 and encrypted mail to other email systems:
@scottalanmiller said in O365 and encrypted mail to other email systems:
Frame it more like this, at least to yourself:
TLS Pros Compared to Zix: Cheaper, Standard, Nearly all customers get an effortless experience.
Zix Pros Compared to TLS: None
Disagree Zix does have one Pro: able to send notice of desire to communicate, but TLS isn't available, so you must use another more painful means.
Regarding failure to send TLS. Just because it fails does not mean you have no way to communicate the need to contact the office. You have a couple of options here.
With the sole purpose of being used to send an email to failed parties telling them that you were unable to securely email them and that they need to contact the office, you can do this:
2.a Setup a simply Gmail/Outlook.com account for the practice
2.b Setup a basic Linux box and make use of the built in Postfix to send email (via some application probably) from your own domain. Basically a second email server that does not have the TLS restriction.
2.c Possibly have a single email account on your Exchange server that is immune form the TLS requirements. Not even sure if this is possible when you set TLS as wildcard required. -
You are making the mistake of thinking that HIPAA dictates specifics, it does not. The only reason that unencrypted email is ever questioned is because encrypting it is so easy. That's why faxing is given a free pass... there is no means of securing it. So no one cares. Same with postal mail. Totally insecure, no one cares. Email is simple to secure, so you are expected to secure it - and you can. If the other party does not, that's after your role is complete.
-
@scottalanmiller said in O365 and encrypted mail to other email systems:
@Dashrender said in O365 and encrypted mail to other email systems:
Leave faxing out of this conversation and give me another example why #3 would be compliant?
What do you mean? It's not my burden to bear. You have to show why it is NOT compliant as you made the claim. I know that it's safer than faxing, by a LOT. So... either faxing isn't allowed (it is) or email is okay (based on being more secure.) It's that simple.
If this were all that mattered, then I would completely agree with you, but clearly it's not.
I suppose, in this case, Faxing is given a pass that it, as a technology, does not have to fit within the requirements of HIPAA's stated laws.
-
@Dashrender said in O365 and encrypted mail to other email systems:
@scottalanmiller said in O365 and encrypted mail to other email systems:
@Dashrender said in O365 and encrypted mail to other email systems:
Disagree Zix does have one Pro: able to send notice of desire to communicate, but TLS isn't available, so you must use another more painful means.
Nope, you can make rules for TLS that allow you to send notification but not the payload.
You just repeated what I said. Now, since Zix doesn't give a shit about TLS, it only ever uses it's secure portal (to the best of my knowledge) all secure messages are sent using their painful method, but a notice about that message is sent via to the client over whatever, TLS or not is available to the server.
But you can do that with Exchange, too. But never have the uselessly painful portion.
-
Zix = painful for everyone
Excahnge = Painful for almost no one -
Does the email bounce back if it can't make a secure connection?
-
@Dashrender said in O365 and encrypted mail to other email systems:
I suppose, in this case, Faxing is given a pass that it, as a technology, does not have to fit within the requirements of HIPAA's stated laws.
If that were true, faxing would be listed as an exception. But it is not. The rules are simply lax enough that faxing and therefore email are allowed.
-
@Dashrender I think that the gold standard here is S/MIME.
It requires that you (as a sender) have an S/MIME Private Key and signed Certificate and know your recipient's Public Key/Certificate.
It requires that the receiver has matching S/MIME Private Key and signed Certificate to the Public Key/Certificate that the sender had when sending the email.The S/MIME Private Keys / Certificates have to be configured on each device where the senders and receivers are sending / receiving email from/to.
Everything else, IMHO, is non-secure!
The S/MIME Certificates and Private Keys and be acquired individually by users or distributed to users from your own managed PKI.
-
@JaredBusch said in O365 and encrypted mail to other email systems:
@Dashrender said in O365 and encrypted mail to other email systems:
@scottalanmiller said in O365 and encrypted mail to other email systems:
Frame it more like this, at least to yourself:
TLS Pros Compared to Zix: Cheaper, Standard, Nearly all customers get an effortless experience.
Zix Pros Compared to TLS: None
Disagree Zix does have one Pro: able to send notice of desire to communicate, but TLS isn't available, so you must use another more painful means.
Regarding failure to send TLS. Just because it fails does not mean you have no way to communicate the need to contact the office. You have a couple of options here.
With the sole purpose of being used to send an email to failed parties telling them that you were unable to securely email them and that they need to contact the office, you can do this:
2.a Setup a simply Gmail/Outlook.com account for the practice
2.b Setup a basic Linux box and make use of the built in Postfix to send email (via some application probably) from your own domain. Basically a second email server that does not have the TLS restriction.
2.c Possibly have a single email account on your Exchange server that is immune form the TLS requirements. Not even sure if this is possible when you set TLS as wildcard required.I tend to agree, I don't think Exchange will allow you to make a single account immune.
and yes, an external account to your main domain would be the way to solve this, for the notice at least, then you have to find another way to actually get the data to them.
-
What happens if the customer gives you a wrong phone number for fax? Or if they give you a wrong address? What is your responsibility to delivering the message if you don't have the correct information?
-
@scottalanmiller said in O365 and encrypted mail to other email systems:
@Dashrender said in O365 and encrypted mail to other email systems:
@scottalanmiller said in O365 and encrypted mail to other email systems:
@Dashrender said in O365 and encrypted mail to other email systems:
Disagree Zix does have one Pro: able to send notice of desire to communicate, but TLS isn't available, so you must use another more painful means.
Nope, you can make rules for TLS that allow you to send notification but not the payload.
You just repeated what I said. Now, since Zix doesn't give a shit about TLS, it only ever uses it's secure portal (to the best of my knowledge) all secure messages are sent using their painful method, but a notice about that message is sent via to the client over whatever, TLS or not is available to the server.
But you can do that with Exchange, too. But never have the uselessly painful portion.
That's interesting - so you know that exchange can have a second transport option created that will send a generic notice to a NON TLS recipient and not send the original email? That would be cool. Still need a solution for the actual message content at that point, but that's for another discussion.
-
@coliver said in O365 and encrypted mail to other email systems:
Does the email bounce back if it can't make a secure connection?
I would assume the Exchange user in this case would get a delivery denied notice.
haven't confirmed yet. -
@bogdan.moldovan said in O365 and encrypted mail to other email systems:
@Dashrender I think that the gold standard here is S/MIME.
It requires that you (as a sender) have an S/MIME Private Key and signed Certificate and know your recipient's Public Key/Certificate.
It requires that the receiver has matching S/MIME Private Key and signed Certificate to the Public Key/Certificate that the sender had when sending the email.The S/MIME Private Keys / Certificates have to be configured on each device where the senders and receivers are sending / receiving email from/to.
Everything else, IMHO, is non-secure!
The S/MIME Certificates and Private Keys and be acquired individually by users or distributed to users from your own managed PKI.
Thanks for playing, this is not part of a viable solution.
-
@coliver said in O365 and encrypted mail to other email systems:
What happens if the customer gives you a wrong phone number for fax? Or if they give you a wrong address? What is your responsibility to delivering the message if you don't have the correct information?
And unlike email which is "untappable" locally, fax is trivial to tap at either end. Even if you secure your own end (you can't) you have zero control over the other end and their fax can be intercepted because they even know that you tried to send one.