Sunday, August 18, 2019
Solving HealthCare’s eMail Security Problem Essay -- essays research p
Solving HealthCare’s eMail Security Problem

Abstract

While healthcare organizations have come to depend heavily on electronic mail, they do so without a significant email security infrastructure. New Federal law and regulation place new obligations on the organizations to either secure their email systems or drastically restrict their use. This paper discusses email security in a healthcare context. The paper considers and recommends solutions to the healthcare organization’s problem in securing its mail. Because email encryption will soon be a categorical requirement for healthcare organizations, email encryption is discussed in some detail. The paper describes the details and benefits of a domain-level encryption model and considers how PKI is best deployed to support secure electronic mail.

Motivation

It is a simple fact that the US healthcare industry has come to depend heavily on electronic mail to support treatment, payment and general healthcare operations. Such use, though, is something of a badly kept secret, as most healthcare organizations have explicit policy which either prohibits or seriously restricts the use of electronic mail for the transmission of any ‘patient identifiable’ health information. Historically, the industry has deemed patient identifiable health information as deserving of special protection, since, by its very nature, such information is highly confidential. Accepting the ‘inherent insecurity’ of electronic mail, healthcare organizations have done little to develop security infrastructure supporting use of electronic mail for confidential communication and have instead adopted policies forbidding such use. It speaks to the utility of electronic mail that, even in spite of such policy, as much as 40% of all electronic mail emanating from healthcare organizations contains health information. A very small percentage of this email is encrypted or otherwise protected to ensure its confidentiality and authenticity.

Federal law will prohibit future ‘unsecured’ use of electronic mail for transmission of health information. The Health Insurance Portability and Accountability Act of 1996 (a.k.a. Public Law 104-191; a.k.a. HIPAA) obligates healthcare organizations to implement ‘reasonable and appropriate’ technical safeguards to ensure that the confidentiality and integrity of health information are preserved. While ‘reasonable and appropriate’ i...

...tration, “45 CFR Part 142 - Health Insurance Reform: Security and Electronic Signature Standards” Federal Register Vol 63, No. 155 August 12, 1998 (1998): 43242-43280. URL: http://aspe.hhs.gov/admnsimp/nprm/secnprm.pdf
11. Partner, Chris and Glaser, John “Myths about Healthcare IT Spending” Healthcare Informatics, July 2002. URL: http://www.healthcare-informatics.com/issues/2002/07_02/myths.htm
12. Perigee.net Corporation, “Perigee.net (Home Page)” URL: http://www.perigee.net/main.html
13. Ramsdell, Blake “S/MIME Version 3.1 Message Specification - draft-ietf-smime-rfc2633bis-03.txt” January 16, 2003. URL: http://www.ietf.org/internet-drafts/draft-ietf-smime-rfc2633bis-03.txt
14. Dean, T and Ottaway, W. “RFC 3182 - Domain Security Services using S/MIME”. October, 2001. URL: http://www.ietf.org/rfc/rfc3183.txt?number=3183
15. “United States Code, Title 18, Part I, Chapter 119, Section 2511” URL: http://www4.law.cornell.edu/uscode/18/2511.html
16. Whitten, Alma and Tygar, J.D. “Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0” Carnegie Mellon University School of Computer Science Technical Report CMU-CS 98-155. December, 1998. URL: http://www.cs.cmu.edu/~alma/johnny.pdf