Good luck, Politicians and computers, SCARY...
Ah, HIPAA. Well, that's a case of having far too detailed requirements! 8)
But it does answer the question of how sensitive the data is. I'd have to agree that end-to-end encryption, as one component in an overall security architecture, is probably called for in this case.
"Even if you are on the right track, you'll get run over if you just sit there." - Will Rogers
| [reply] |
Thanks mkenney, nice to see someone dealing with HIPAA. Questions: are your customers receiving encrypted e-mails? And if so, are you encrypting them with PGP and then sending? Or are you sending encrypted attachments? If you wouldn't mind a bit more detail, I'd appreciate it.
—Brad "Don't ever take a fence down until you know the reason it was put up." G. K. Chesterton
| [reply] [d/l] |
They are not receiving the e-mail encrypted but encrypted files. It is an uphill battle to get them to just get set up with PGP from start to finish.
The encryption technology is now out there. We need a standard that everyone can use. In my opinion EVERYTHING should be encrypted without user interface...
| [reply] |
It should be integrated into every mail application and should just be the standard as far as I'm concerned, but others here do know a lot more than me on the subject (I'm not being flip, they really do). I PGP everything that might even look like Protected Information...
I agree with you there. I deal with HIPAA every day, not with email, but with electronic data transfers, primarily the mechanism, not file layouts (that's for someone else with more patience for such things than myself :). One of the tools we use is a product called SilverKey (it's not perfect but it's pretty decent). It creates a 448-bit encrypted exe that can be extracted with a password (like a self-extracting Zip file). We encrypt just about everything, regardless of whether it is PHI or not, and try to get our customers/vendors to do the same for incoming data. Our security folks just implemented secure email using Zixmail (don't know anything about it) that checks the content of the message and will encrypt if necessary. HIPAA can be a nightmare some days, but I personally think some of it is a good thing, and about time too :-)
| [reply] |
PGP has the self-decrypting archive idea. When you get to the password level, the rest is just fluff from what I understand. The password becomes the weak point. Make them long and random...
| [reply] |