Mr.

Solving HealthCare's eMail Security Problem

Abstract

While healthcare organizations have come to depend heavily on electronic mail, they do

so without a significant email security infrastructure. New Federal law and regulation

place new obligations on the organizations to either secure their email systems or

drastically restrict their use. This paper discusses email security in a healthcare

context. The paper considers and recommends solutions to the healthcare

organization's problem in securing its mail. Because email encryption will soon be a

categorical requirement for healthcare organizations, email encryption is discussed in

some detail. The paper describes details and benefits of domain level encryption model

and considers how PKI is best deployed to support secure electronic mail.

Motivation

It is a simple fact that the US healthcare industry has come to depend heavily on

electronic mail to support treatment, payment and general healthcare operations. Such

use, though, is something of a badly kept secret as most healthcare organizations have

explicit policy which either prohibits or seriously restricts the use of electronic mail for

the transmission of any 'patient identifiable' health information. Historically, the industry

has deemed patient identifiable health information as deserving of special protection,

since, by its very nature, such information is highly confidential. Accepting the 'inherent

insecurity' of electronic mail, healthcare organizations have done little to develop

security infrastructure supporting use of electronic mail for confidential communication

and instead adopted policies forbidding such use. It speaks to the utility of electronic

mail, that even in spite of such policy, as much as 40% of all electronic mail emanating

from healthcare organizations contains health information. A very small percentage of

this email is encrypted or otherwise protected to ensure its confidentiality and

authenticity.

Federal law will prohibit future 'unsecured' use of electronic mail for transmission of

health information. The Health Insurance Portability and Accountability Act of 1996

(a.k.a. Public Law 104-191; a.k.a. HIPAA) obligates healthcare organizations to

implement 'reasonable and appropriate' technical safeguards to ensure that the

confidentiality and integrity of health information is preserved. While 'reasonable and

appropriate' is a legal standard, the HIPAA law also mandates conformity to a set of

security standards promulgated by the Secretary of Health and Human Services.

Although these security standards have not yet been finalized, in August of 1998, HHS

did publish in 45 CFR Part 142 a proposal for that Security Standard. That Notice of

Proposed Rule Making did include a number of specific security implementation

features. Particularly relevant to email use is a specification for encryption of health

information communicated over any network for which the transmitter cannot control

access (45 CFR Part 142.308[d][1][ii]). This restriction clearly is intended to apply to the

healthcare organization's Internet bound electronic mail.

This paper broadly outlines steps that healthcare organizations can take to ensure the

security of their electronic mail use. A substantial portion of this activity has a "Security

101' aspect to it. Healthcare organizations are generally exposed to the same Internet

borne threats as any other type organization. As a result, healthcare organizations do

well to follow the general recommendations for email security provided in documents

such as NIST's "Guidelines for Electronic Mail Security". Healthcare organizations do

have business imperatives and legal obligations, however, that may encumber routine

application of email security best practice. Therefore, this paper will provide a

healthcare industry context to its discussion of electronic mail security.

Risks Associated with Electronic Mail Use

Generally speaking there are three classes of email related risk that the healthcare

organization seeks to mitigate with technical security controls: 1) risks associated with

exposing enterprise resources to a vulnerable SMTP implementation; 2) risk associated

with potentially hostile or malicious content in email messages; 3) risk associated with

the potential interception, modification or redirection of email during transmission.

Server Risk. Organizations develop their email systems to support business

communication. That communication, more likely than not, needs to be bilateral,

therefore, enterprise staff receive business related information as well as send it.

Generally, this means that the enterprise allows messages from the Internet through its

firewalls

...