True - but very few people actually use fax machines any more. It's all
Internet based fax solutions, which one must be very careful about using
properly to not destroy this end-to-end security.
The number of offices I have seen that have an internet fax service,
configured to EMAIL them the faxes they receive as PDF attachments, or fax
outbound by sending the scanned PHI as an email attachment - boggles the
mind. *facepalm*
--
Gyula Voros, MD, CCFP, FCFP (he/him)
Assistant Clinical Professor, Department of Family Medicine, McMaster
University
On Mon, 11 Mar 2024 at 20:16, John Robertson <joh...@sh...>
wrote:
> WRT fax vs email security :
>
> Is Fax More Secure than Email? Fax is more secure than email, in many
> regards. The main thing that can make fax more secure than email is the
> limited exposure to the internet and internet connected devices. Fax
> machines communicate through phone lines, which are harder to access than
> public internet connections. (Sep 29, 2023)
>
> On Mon., Mar. 11, 2024, 16:59 Gyula Voros, <ma...@dr...> wrote:
>
>> The biggest limitation is usually that both the sender and recipient must
>> be using the same system! (e.g. PGP, etc). Unless you're emailing a
>> journalist used to receiving whistleblower information - your recipient
>> probably isn't using any significant encryption.
>>
>> The practical solution to this is rather straightforward for
>> patient messaging - host it on your server (on-site or more commonly rented
>> from a third party like Ocean etc) and send patients a plain e-mail telling
>> them they have a message, with instructions to log in to the server
>> (authenticating with something NOT in the e-mail and in theory secure to
>> the patient) to retrieve it.
>>
>> Unfortunately this isn't practical for external consultants - so we're
>> back to faxing them PHI; or e-mailing them (or switchboard) with our phone
>> #s and having them call us.
>>
>> (Or sticking within our electronic silos - hospital e-mail or eConsult
>> for example).
>>
>> If someone has a more elegant solution - would love to hear it!
>>
>> --
>> Gyula Voros, MD, CCFP, FCFP (he/him)
>> Assistant Clinical Professor, Department of Family Medicine, McMaster
>> University
>>
>>
>> On Mon, 11 Mar 2024 at 19:42, Eugene Robertus <rob...@ro...>
>> wrote:
>>
>>> Gyula, very nice points.
>>>
>>> We resorted to PGP encryption, which is very well integrated in the Canary
>>> email client for mobile devices, and in the desktop Thunderbird client. This
>>> allows you to ensure 100% end-to-end encryption. It can even work in the Gmail
>>> web interface (a plugin is required).
>>>
>>> Having said that, this way of emailing requires some configuration and I
>>> only set it up for those who are really concerned about security and are
>>> willing to accept limitations.
>>>
>>> Today, with the wide use of cloud-based email services, like Google, use of
>>> encrypted email breaks convenience - encrypted emails cannot be read by
>>> Google, so it cannot index them, and you cannot search the content. Some
>>> find it a massive roadblock to encryption adoption, choosing either to accept
>>> the risks or to avoid email for sensitive data altogether.
>>>
>>> Sorry, my 2 cents...
>>> Eugene
>>>
>>> On 3/11/2024 7:13 PM, Gyula Voros wrote:
>>>
>>> Adrian, correct me if I'm wrong, but that's basically only for internal
>>> e-mails (i.e. between other people on your server). The minute you send
>>> e-mail to another domain it crosses the internet without encryption,
>>> therefore you cannot safely include PHI in the e-mail (except maybe as an
>>> encrypted attachment with the key/password shared via other channels).
>>>
>>> I know gmail has an encryption option where you need to for example text
>>> a code to a second device to decrypt the e-mail, but not sure how widely
>>> implemented such protocols are nor how robust the security.
>>>
>>> I use our hospital-based e-mail to send secure e-mail messages to
>>> specialists. SigMail is also an option with some uptake. Unfortunately
>>> nobody uses PGP which has been around for decades (admittedly, none of
>>> the major providers implemented it seamlessly so it's hard for the
>>> end-user). The problem with all of these is that they are siloed - you can
>>> only safely message people within the silo (and you don't always get a
>>> warning when sending mail outside).
>>>
>>> E-mail was just not designed as a secure technology from the beginning
>>> and I'm not aware of any widely adopted grafted-on hack that would allow
>>> what is required by PHIPA (i.e. sending a message that can ONLY be read by
>>> the intended recipient(s) and nobody else).
>>>
>>> The fact that fax (especially as usually implemented over the Internet)
>>> - which we all use dozens if not hundreds of times daily - has all the same
>>> problems is beyond the scope of my rant, lol.
>>>
>>>
>>> --
>>> Gyula Voros, MD, CCFP, FCFP (he/him)
>>> Assistant Clinical Professor, Department of Family Medicine, McMaster
>>> University
>>>
>>>
>>> On Mon, 11 Mar 2024 at 18:56, Adrian Starzynski <ad...@ad...> wrote:
>>>
>>>> PIPEDA/PHIPA etc. compliant email = email server in the office.
>>>> I install them. For example, Synology NAS comes with 5 included
>>>> MailPlus licenses (perpetual) but you can buy more for one-time cost (about
>>>> $50-60 each, sold in packages of 5 I believe). It has 90% of the Office365
>>>> features, no monthly costs for email, and you get data control. You can
>>>> also transfer the licenses from one Synology to another in case you
>>>> upgrade/switch.
>>>>
>>>> --
>>>> Adrian Starzynski
>>>> ------------------------------
>>>> *From:* Ahmed Omar via OSCARmcmaster-advanced-users <
>>>> osc...@li...>
>>>> *Sent:* March 11, 2024 5:53 PM
>>>> *To:* osc...@li... <
>>>> osc...@li...>
>>>> *Cc:* Ahmed Omar <ah...@ya...>
>>>> *Subject:* [OSCAR-advanced-users] Secure HIPPA/PHIPA Compliant email
>>>> suggestions
>>>>
>>>> Hello Everyone,
>>>>
>>>> I trust this email finds you well. I'm reaching out with a query that
>>>> might not directly relate to OSCAR but is crucial nonetheless.
>>>>
>>>> Could anyone recommend a standard email service that complies with
>>>> HIPAA/PHIPA regulations, particularly one recognized in Canada and/or
>>>> Ontario? I'm not referring to patient messaging but rather regular email,
>>>> akin to the now-defunct Ontario One-Mail service.
>>>>
>>>> While researching, I came across ProtonMail, which appears promising
>>>> and HIPAA compliant. However, I'm unsure about its applicability in Canada
>>>> given that it's a non-Canadian service.
>>>>
>>>> Your insights and recommendations would be greatly appreciated.
>>>>
>>>> Thank you kindly for your assistance.
>>>>
>>>> Warm regards,
>>>>
>>>> Ahmed Omar
>>>>
>>>> _______________________________________________
>>>> OSCARmcmaster-advanced-users mailing list
>>>> OSC...@li...
>>>>
>>>> https://lists.sourceforge.net/lists/listinfo/oscarmcmaster-advanced-users
>>>>
>>>
>>>
>
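The notify-then-log-in pattern described earlier in the thread (the message stays on the clinic's server, the e-mail only says a message is waiting, and the patient authenticates with something that was never in the e-mail), as an added example that is not code from any participant or from OSCAR. The `Portal` class, the placeholder URL, the expiry window and the lockout threshold are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from email.message import EmailMessage

PORTAL_URL = "https://portal.example.invalid/m/"  # placeholder, not a real service
TTL_SECONDS = 7 * 24 * 3600   # assumed retention window
MAX_FAILURES = 5              # assumed lockout threshold


def _kdf(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)


class Portal:
    def __init__(self):
        self.accounts = {}  # email -> [salt, verifier, failed attempts]
        self.messages = {}  # message id -> (email, body, expiry)

    def enroll(self, email, passphrase):
        """Passphrase is set in person or by phone, never sent by e-mail."""
        salt = secrets.token_bytes(16)
        self.accounts[email] = [salt, _kdf(passphrase, salt), 0]

    def deposit(self, email, body, now=None):
        """Store the PHI server-side; return a notification with no PHI in it."""
        now = time.time() if now is None else now
        msg_id = secrets.token_urlsafe(24)
        self.messages[msg_id] = (email, body, now + TTL_SECONDS)
        note = EmailMessage()
        note["To"] = email
        note["Subject"] = "You have a new secure message"
        note.set_content(f"Log in to read it:\n{PORTAL_URL}{msg_id}\n")
        return msg_id, note

    def retrieve(self, msg_id, email, passphrase, now=None):
        """The link alone is not enough: the out-of-band passphrase is required."""
        now = time.time() if now is None else now
        record, account = self.messages.get(msg_id), self.accounts.get(email)
        if record is None or account is None or record[0] != email:
            return None
        if now > record[2] or account[2] >= MAX_FAILURES:
            return None
        if not hmac.compare_digest(_kdf(passphrase, account[0]), account[1]):
            account[2] += 1
            return None
        account[2] = 0
        return record[1]
```

Anyone who intercepts the notification learns only that a message exists; reading it still requires the passphrase agreed outside e-mail, and repeated wrong guesses lock the account.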