The biggest limitation is usually that both the sender and recipient must
be using the same system! (e.g. PGP, etc). Unless you're emailing a
journalist used to receiving whistleblower information - your recipient
probably isn't using any significant encryption.
The practical solution to this is rather straightforward for
patient messaging - host it on your server (on-site or more commonly rented
from a third party like Ocean etc) and send patients a plain e-mail telling
them they have a message, with instructions to log in to the server
(authenticating with something NOT in the e-mail and in theory secure to
the patient) to retrieve it.
Unfortunately this isn't practical for external consultants - so we're back
to faxing them PHI; or e-mailing them (or switchboard) with our phone #s
and having them call us.
(Or sticking within our electronic silos - hospital e-mail or eConsult for
example).
If someone has a more elegant solution - would love to hear it!
--
Gyula Voros, MD, CCFP, FCFP (he/him)
Assistant Clinical Professor, Department of Family Medicine, McMaster
University
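As an added illustration of the "notify by plain e-mail, authenticate out of band" pattern described above (example code, not from the original thread or any product named in it): the notification carries only a retrieval link, the PHI stays on the server, and reading it requires a clinic-issued PIN that never travels by e-mail. The portal URL, the PIN scheme and the single-use rule are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ROUNDS = 100_000


class SecureMessageStore:
    """Holds PHI on the server; the e-mail only carries a content-free notice."""

    def __init__(self, ttl_seconds=7 * 24 * 3600):
        self.pins = {}      # patient_id -> (salt, pbkdf2 hash); set at the clinic, never e-mailed
        self.messages = {}  # sha256(token) -> dict(patient_id, body, expires, used)
        self.ttl = ttl_seconds

    def enroll_patient(self, patient_id, pin):
        # Assumed: the PIN is handed to the patient in person, so it is the
        # "something NOT in the e-mail" that the retrieval step requires.
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
        self.pins[patient_id] = (salt, digest)

    def post_message(self, patient_id, body, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)                  # goes into the e-mail link
        key = hashlib.sha256(token.encode()).hexdigest()   # only the hash is stored
        self.messages[key] = {"patient_id": patient_id, "body": body,
                              "expires": now + self.ttl, "used": False}
        return token

    @staticmethod
    def notification_email(token):
        # The e-mail crosses the Internet in the clear, so it carries no PHI and no credential.
        return ("A new message from your clinic is waiting. Open "
                f"https://portal.example/m/{token} and sign in with your clinic PIN.")

    def retrieve(self, token, patient_id, pin, now=None):
        now = time.time() if now is None else now
        entry = self.messages.get(hashlib.sha256(token.encode()).hexdigest())
        if entry is None or entry["used"] or now > entry["expires"]:
            return None
        if entry["patient_id"] != patient_id or patient_id not in self.pins:
            return None
        salt, expected = self.pins[patient_id]
        actual = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(actual, expected):
            return None
        entry["used"] = True   # assumed design choice: a leaked link is useless once read
        return entry["body"]
```

A leaked or intercepted notification e-mail therefore exposes nothing on its own; an attacker would still need the PIN, and the link stops working once the patient has read the message or the retention window has passed.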
On Mon, 11 Mar 2024 at 19:42, Eugene Robertus <rob...@ro...> wrote:
> Gyula, very nice points.
>
> We resorted to PGP encryption, which is very well integrated in the Canary
> email client for mobile devices, and on the Desktop Thunderbird client. This
> allows you to ensure 100% end-to-end encryption. It can even work in Gmail
> web interface (a plugin required).
>
> Having said that, this way of emailing requires some configuration and I
> only set it to those who are really concerned about security and are
> willing to accept limitations.
>
> Today, with wide use of cloud-based email services, like Google, use of
> encrypted email breaks convenience - encrypted emails cannot be read by
> Google, so it cannot index them, and you cannot search the content. Some
> find it a massive roadblock to encryption adoption, choosing either accept
> the risks or avoid email for sensitive data altogether.
>
> Sorry, my 2 cents...
> Eugene
>
> On 3/11/2024 7:13 PM, Gyula Voros wrote:
>
> Adrian, correct me if I'm wrong, but that's basically only for internal
> e-mails (i.e. between other people on your server). The minute you send
> e-mail to another domain it crosses the internet without encryption,
> therefore you cannot safely include PHI in the e-mail (except maybe as an
> encrypted attachment with the key/password shared via other channels).
>
> I know gmail has an encryption option where you need to for example text a
> code to a second device to decrypt the e-mail, but not sure how widely
> implemented such protocols are nor how robust the security.
>
> I use our hospital-based e-mail to send secure e-mail messages to
> specialists. SigMail is also an option with some uptake. Unfortunately
> nobody uses PGP which has been around for decades (admittedly, none of
> the major providers implemented it seamlessly so it's hard for the
> end-user). The problem with all of these is that they are siloed - you can
> only safely message people within the silo (and you don't always get a
> warning when sending mail outside).
>
> E-mail was just not designed as a secure technology from the beginning and
> I'm not aware of any widely adopted grafted-on hack that would allow what
> is required by PHIPA (i.e. sending a message that can ONLY be read by the
> intended recipient(s) and nobody else).
>
> The fact that fax (especially as usually implemented over the Internet) -
> which we all use dozens if not hundreds of times daily - has all the same
> problems is beyond the scope of my rant, lol.
>
>
> --
> Gyula Voros, MD, CCFP, FCFP (he/him)
> Assistant Clinical Professor, Department of Family Medicine, McMaster
> University
>
>
> On Mon, 11 Mar 2024 at 18:56, Adrian Starzynski <ad...@ad...> wrote:
>
>> PIPEDA/PHIPA etc. compliant email = email server in the office.
>> I install them. For example, Synology NAS comes with 5 included MailPlus
>> licenses (perpetual) but you can buy more for one-time cost (about $50-60
>> each, sold in packages of 5 I believe). It has 90% of the Office365
>> features, no monthly costs for email, and you get data control. You can
>> also transfer the licenses from one Synology to another in case you
>> upgrade/switch.
>>
>> --
>> Adrian Starzynski
>> ------------------------------
>> *From:* Ahmed Omar via OSCARmcmaster-advanced-users <
>> osc...@li...>
>> *Sent:* March 11, 2024 5:53 PM
>> *To:* osc...@li... <
>> osc...@li...>
>> *Cc:* Ahmed Omar <ah...@ya...>
>> *Subject:* [OSCAR-advanced-users] Secure HIPPA/PHIPA Compliant email
>> suggestions
>>
>> Hello Everyone,
>>
>> I trust this email finds you well. I'm reaching out with a query that
>> might not directly relate to OSCAR but is crucial nonetheless.
>>
>> Could anyone recommend a standard email service that complies with HIPAA/
>> PHIPA regulations, particularly one recognized in Canada and/or
>> Ontario? I'm not referring to patient messaging but rather regular email,
>> akin to the now-defunct Ontario One-Mail service.
>>
>> While researching, I came across ProtonMail, which appears promising and
>> HIPAA compliant. However, I'm unsure about its applicability in Canada
>> given that it's a non-Canadian service.
>>
>> Your insights and recommendations would be greatly appreciated.
>>
>> Thank you kindly for your assistance.
>>
>> Warm regards,
>>
>> Ahmed Omar
>>
>> _______________________________________________
>> OSCARmcmaster-advanced-users mailing list
>> OSC...@li...
>> https://lists.sourceforge.net/lists/listinfo/oscarmcmaster-advanced-users
>>
>
>