Essay by 24 • September 18, 2010 • 6,036 Words (25 Pages) • 1,565 Views
Solving HealthCare's eMail Security Problem
Abstract
While healthcare organizations have come to depend heavily on electronic mail, they do
so without a significant email security infrastructure. New Federal law and regulation
place new obligations on the organizations to either secure their email systems or
drastically restrict their use. This paper discusses email security in a healthcare
context. The paper considers and recommends solutions to the healthcare
organization's problem in securing its mail. Because email encryption will soon be a
categorical requirement for healthcare organizations, email encryption is discussed in
some detail. The paper describes the details and benefits of a domain-level encryption
model and considers how PKI is best deployed to support secure electronic mail.
Motivation
It is a simple fact that the US healthcare industry has come to depend heavily on
electronic mail to support treatment, payment and general healthcare operations. Such
use, though, is something of a badly kept secret as most healthcare organizations have
explicit policy which either prohibits or seriously restricts the use of electronic mail for
the transmission of any 'patient identifiable' health information. Historically, the industry
has deemed patient identifiable health information as deserving of special protection,
since, by its very nature, such information is highly confidential. Accepting the 'inherent
insecurity' of electronic mail, healthcare organizations have done little to develop
security infrastructure supporting use of electronic mail for confidential communication
and instead adopted policies forbidding such use. It speaks to the utility of electronic
mail that, even in spite of such policy, as much as 40% of all electronic mail emanating
from healthcare organizations contains health information. A very small percentage of
this email is encrypted or otherwise protected to ensure its confidentiality and
authenticity.
Federal law will prohibit future 'unsecured' use of electronic mail for transmission of
health information. The Health Insurance Portability and Accountability Act of 1996
(a.k.a. Public Law 104-191; a.k.a. HIPAA) obligates healthcare organizations to
implement 'reasonable and appropriate' technical safeguards to ensure that the
confidentiality and integrity of health information is preserved. While 'reasonable and
appropriate' is a legal standard, the HIPAA law also mandates conformity to a set of
security standards promulgated by the Secretary of Health and Human Services.
Although these security standards have not yet been finalized, in August of 1998, HHS
did publish in 45 CFR Part 142 a proposal for that Security Standard. That Notice of
Proposed Rule Making did include a number of specific security implementation
features. Particularly relevant to email use is a specification for encryption of health
information communicated over any network for which the transmitter cannot control
access (45 CFR Part 142.308[d][1][ii]). This restriction clearly is intended to apply to the
healthcare organization's Internet bound electronic mail.
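To make the rule discussed above concrete, here is an added example (not code from the paper) of the decision a domain-level outbound mail gateway would make: a message that carries health information and is addressed to any recipient outside the network the organization controls must either go over an encrypted domain-to-domain channel or be held. The domain names, sample messages and the crude health-information markers are all constructed for illustration; a real gateway would use a proper content classifier and a maintained partner list.

```python
"""Domain-level outbound mail policy (added illustration, not the paper's code).

Models the obligation described in the text: health information leaving the
organization's controlled network must be encrypted in transit. Every domain,
message and pattern below is constructed for the example.
"""
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

# Constructed: domains whose network and mail transport the organization controls.
CONTROLLED_DOMAINS = {"hospital.example"}

# Constructed: external domains with which an encrypted domain-to-domain
# channel (gateway-to-gateway S/MIME, or an enforced-TLS agreement) exists.
ENCRYPTED_PARTNER_DOMAINS = {"payer.example"}

# Constructed, deliberately simple indicators of health information; the point
# is where the policy hook sits, not the quality of the classifier.
PHI_PATTERNS = [
    re.compile(r"\bMRN[:\s#]*\d{6,}\b", re.I),   # medical record number
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),         # SSN-shaped identifier
    re.compile(r"\bdiagnos(?:is|ed)\b", re.I),    # clinical wording
]


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str


@dataclass
class Decision:
    action: str            # "deliver", "encrypt" or "hold"
    reason: str
    external: list = field(default_factory=list)


def domain_of(addr):
    """Return the lower-cased domain part of a display-name-or-bare address."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def is_controlled(domain):
    """True when the domain (or a subdomain of it) is on the controlled network."""
    return any(domain == d or domain.endswith("." + d) for d in CONTROLLED_DOMAINS)


def contains_phi(msg):
    text = msg.subject + "\n" + msg.body
    return any(p.search(text) for p in PHI_PATTERNS)


def evaluate(msg):
    """Apply the policy: PHI may only leave the controlled network encrypted."""
    external = [r for r in msg.recipients if not is_controlled(domain_of(r))]
    if not external:
        return Decision("deliver", "all recipients on the controlled network")
    if not contains_phi(msg):
        return Decision("deliver", "no health information detected", external)
    uncovered = [r for r in external
                 if domain_of(r) not in ENCRYPTED_PARTNER_DOMAINS]
    if not uncovered:
        return Decision("encrypt", "route via encrypted domain channel", external)
    return Decision("hold",
                    "health information addressed to a domain without an "
                    "encrypted channel: " + ", ".join(uncovered), external)


# Constructed sample traffic covering each branch of the policy.
SAMPLES = {
    "internal": Message("dr.lee@hospital.example", ["ward3@hospital.example"],
                        "Rounds", "MRN: 1234567 diagnosis discussed at 9am"),
    "external_no_phi": Message("admin@hospital.example", ["vendor@supplies.example"],
                               "Invoice", "Please resend the March invoice."),
    "partner_phi": Message("billing@hospital.example", ["claims@payer.example"],
                           "Claim", "Patient MRN 7654321, admitted for diagnosis."),
    "open_internet_phi": Message("dr.lee@hospital.example",
                                 ["Dr. Shah <shah@otherclinic.example>"],
                                 "Referral", "SSN 123-45-6789, diagnosed last week."),
}


def run_samples():
    """Evaluate every constructed sample and return {name: action}."""
    return {name: evaluate(msg).action for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        d = evaluate(msg)
        print(f"{name:18} -> {d.action:8} ({d.reason})")
```

The "hold" branch is the defensive default: when the gateway cannot satisfy the encryption requirement for a recipient, the message waits for a human or an alternate channel rather than leaving in the clear.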
This paper broadly outlines steps that healthcare organizations can take to ensure the
security of their electronic mail use. A substantial portion of this activity has a "Security
101" aspect to it. Healthcare organizations are generally exposed to the same Internet
borne threats as any other type of organization. As a result, healthcare organizations do
well to follow the general recommendations for email security provided in documents
such as NIST's "Guidelines for Electronic Mail Security". Healthcare organizations do
have business imperatives and legal obligations, however, that may encumber routine
application of email security best practice. Therefore, this paper will provide a
healthcare industry context to its discussion of electronic mail security.
Risks Associated with Electronic Mail Use
Generally speaking, there are three classes of email related risk that the healthcare
organization seeks to mitigate with technical security controls: 1) risks associated with
exposing enterprise resources to a vulnerable SMTP implementation; 2) risks associated
with potentially hostile or malicious content in email messages; 3) risks associated with
the potential interception, modification or redirection of email during transmission.
Server Risk. Organizations develop their email systems to support business
communication. That communication, more likely than not, needs to be bilateral;
therefore, enterprise staff receive business related information as well as send it.
Generally, this means that the enterprise allows messages from the Internet through its
firewalls
...
...