Comparing Fax and Email Security
-
This question comes up with some regularity because many HIPAA shops believe that fax is allowed and that email is not. The assumption sometimes then becomes that fax must have some property to make it an exception to encryption rules. However, it is more a case of bad auditing and poorly understood HIPAA regulations leading to these beliefs and not facts about the technology.
Regardless of what auditors may or may not be convinced of, what I want to discuss is how fax is the least secure of any technology of this nature. We are talking about the fax protocol and transmission here, not fax or email machines. Fax and email are specific technologies that we can compare, servers and fax machines are not. That's worthy of another discussion, but mostly comes down to "what if someone doesn't set a password on an email server" or "what if someone leaves a fax machine in a waiting room" and so forth. There are points there worth noting, however. The assumed use of email is secure and the assumed use of fax is insecure. There are a few basics worth including as to the design of the system.
First, both protocols are totally without security. If you see the transmission in either case, you get the data, period. One is not more or less secure than the other in this way.
The key differences in protocol security are how easily transmissions are to predict, intercept and capture.
Fax uses legacy analogue pots communications channels that use the SS7 network and are circuit switched. Their carrier lines are predictable and rely on analogue copper cabling for reliable transmission. Because of how analogue carriers work, this means that there is an extremely large, highly predictable path for tapping the lines at either end of the transmission. All of the cabling inside the sender or the receiver location are effectively broadcasting the transmission as are all of the lines in between. This often leaves miles of high risk for targeted attacks at either end.
Email has the advantage of not going over a predictable or necessarily repeating circuit. The sending and receiving locations can easily change. This makes physically tapping the lines dramatically harder. Email in transit is much harder to identify, find and wait for.
Tapping fax lines is trivial. Simple equipment has long existed for this that is within the reach of anyone interested in this kind of activity. Putting a box in a location that will capture all traffic, bidirectionally, is easy. This is casual attack level skills. Ananlogue lines are "chatty".
Email is generally harder. Email traffic is always mixed with incredible amounts of other traffic, difficult to identify and does not travel on analogue lines. While all lines "can" be tapped, tapping WAN links is a different magnitude of skill and risk compared to intercepting fax or voice analogue transmissions and cannot be done reliably from a single location. Fax carries all of the same risk as email, all of it, but with the increased risk of being location specific, using a predictable and repeatable circuit, and using a technology that is trivial to tap without physical interaction discretely from rather some distance away. Any mechanism you use to capture email in transit can be used more easily and more reliably for fax.
Because fax transmissions are discrete and predictable, they are often even easier to capture than voice transmissions. Under common usage they are short and atomic, one document per transmission. In most ways voice and fax are equal, but due to the simple nature that fax machines are rare and voice phones are not there is a nature ease to capturing fax compared to voice. Also because there is an audible modem signature that can be used to trigger a recording that both makes it easier to capture and can make it harder to catch someone doing the recording.
Because of the simplicity of signalling for fax, it is far easier to implement a man in the middle attack, as well. Both are vulnerable to this, but fax is simpler. So simple, in fact, that it can be done without the need for a computer in extreme cases.
-
Additionally, the notion of authentication also becomes a point of security. Email has the concept of being sent to a person, although things like distribution groups and such do exist, the concept behind email is that it is a person to person transmission device. This can be bypassed, but it requires manual effort. Even at its most basic, email is sent to person@entity.
Fax, however, is sent to a location. It is a place based authentication, not a person. While an individual person may own and have sole access to a fax machine, that is not the concept behind the system. Like home phones, the idea is to send the transmission to a device rather than to a person.
Someone sending an email can identify "to whom" the information was sent, at least by intent. Someone sending a fax can identify "to where" the information was sent by intent.
While additional security can be added to fax or remove from email, the underpinnings of email are based around security in a way that they are not with fax. A fax machine can be configured not to print automatically today, so there are fixes to this kind of issue. But it is not the default assumption of the media. The standard security mechanism for secure fax is to convert it to email highlighting how much more secure email is seen as being.
-
Very nice article. I have been debating this for years. So healthcare practices think a Fax machine makes them HIPAA compliant because it doesn't require encryption...
-
Me, every time I run into this myself...
-
@dbeato said in Comparing Fax and Email Security:
Very nice article. I have been debating this for years. So healthcare practices think a Fax machine makes them HIPAA compliant because it doesn't require encryption...
Pretty much, yes.
-
@dbeato said in Comparing Fax and Email Security:
Very nice article. I have been debating this for years. So healthcare practices think a Fax machine makes them HIPAA compliant because it doesn't require encryption...
I seriously doubt this. The lack of a universal secure drop in option has left healthcare floundering.
I'm curious if government agencies fall into this same pitfall.
Specifically I wonder about the court systems? Do lawyers still fax documents into the courthouse?Direct Messaging was suppose to replace faxing, at least I think that was one of it's goals, but it never really took off. Today we see a small amount of data come through this method.
HL7 interface - again something that was designed to transfer data between medical systems - sadly the central component between two systems required a ton of programming and testing, is super expensive due to human programming time while widely used, had never taken the place of faxing in general. Specialized things like lab results have seen very wide spread use of HL7 from a lab back to the ordering physician office, but inter-office communications.
On top of that many offices today still don't use discreet data. Instead a person dictates reports which are then transcribed. I suppose as long as this data as stored as text, it can more easily transfer electronically versus images (not that images are hard, they are just harder).
I view this problem the same way I view the telephone system. Old communications system that sets a unique connection point to a location. Of course with the advent of cellphones, we granularized a great part of this because cellphones are typically used by a single person whereas a home phone is shared by a family.
So, how do we move from a location based solution to a personalized one that's universal?
Chat clients are what I kinda instantly think of - but look at the mess we have there - gchat, skype, AIM, Allo, HangOuts, FBM, WhatsApp, etc. there are dozens and dozens of options. Unlike the phone system of yesterday, there's not really a single standard fairly universal way of connecting to someone.
If cellular companies decided tomorrow to no longer require a phone number, and instead where just mobile devices to get on the internet - how would you connect to others? How would you connect to restaurants that you needed to talk to directly (nevermind the reason), how about 911 - how would you get emergency services?
-
@Dashrender said in Comparing Fax and Email Security:
@dbeato said in Comparing Fax and Email Security:
Very nice article. I have been debating this for years. So healthcare practices think a Fax machine makes them HIPAA compliant because it doesn't require encryption...
I seriously doubt this. The lack of a universal secure drop in option has left healthcare floundering.
That's hardly the case. The rest of the world had "drop in replacements" in the 1990s. Only healthcare thinks that it is plausible to say that alternatives do not exist. And it is a red herring to demand a "secure" drop in replacement. Fax is not secure, any replacement is fine to get away from it. That the drop in replacement is easily secured today is just a bonus. Healthcare just feels that its level of incompetence and lack of real world capabilities is a viable excuse for not living up to the standards of modern society.
-
@Dashrender said in Comparing Fax and Email Security:
I'm curious if government agencies fall into this same pitfall.
Of incompetence and hope that they won't be expected to live up to the same standards expected of consumers? Yes, absolutely. Just look at the recent email scandals. Or when I worked for the Fed that the Congress was using unencrypted AOL IM for government transmissions.
-
@Dashrender said in Comparing Fax and Email Security:
So, how do we move from a location based solution to a personalized one that's universal?
While ridiculous, email will allow this and always has. Just make a location based email.
These are not realistic concerns. These are things that should have been solved in the early 1990s in five minutes of consideration.
-
@Dashrender said in Comparing Fax and Email Security:
I view this problem the same way I view the telephone system. Old communications system that sets a unique connection point to a location.
And, like phones, was solved long ago with old fashioned fallbacks. The point to point system can be replicated with modern technology even more easily than kept with the old. We simple don't normally do it because it is so silly. But that's not the same as it being a barrier.
-
@Dashrender said in Comparing Fax and Email Security:
Chat clients are what I kinda instantly think of - but look at the mess we have there - gchat, skype, AIM, Allo, HangOuts, FBM, WhatsApp, etc. there are dozens and dozens of options. Unlike the phone system of yesterday, there's not really a single standard fairly universal way of connecting to someone.
None of those mimic fax like email does. Email is and always has been the universal standard. There is no reason not to use it. It's secure, it's universal, it's rock solid, it's well known and understood, it's already needed by every business everywhere and it is not owned by a commercial entity.
-
@Dashrender said in Comparing Fax and Email Security:
If cellular companies decided tomorrow to no longer require a phone number, and instead where just mobile devices to get on the internet - how would you connect to others? How would you connect to restaurants that you needed to talk to directly ...
Um, firstly I have no idea what you mean by this question and I'm confused as you word this as if this isn't a problem solved decades ago. You can use the universal SIP phone system to replace traditional phone numbers - it uses the exact same DNS based mechanism as email. We've had this for nearly twenty years. Most people don't use it or use it often because they get used to dialing SS7 phone numbers and because that crosses the barrier to old fashioned phones. But things like "how do we do that" are long ago solved and very standard. And super simple using mechanisms that even people not familiar with Internet calling are used to already from email.
-
Just for fun, I made a business to business SIP call just now from DCH to NTG. Works great and bypasses the need for PSTN. It's dramatically more secure than legacy telephony, even VoIP to PSTN telephony, and has no costs involved and in many ways is easier to do.
-
If you have SIP based VoIP, you can dial this test service to see direct SIP dialing in action...
test.time@sip5060.net
-
@scottalanmiller said in Comparing Fax and Email Security:
If you have SIP based VoIP, you can dial this test service to see direct SIP dialing in action...
And there you go.
Most consumers don't have SIP based VOIP access at this point. They'd have to buy and strap it onto something they have today.I'm assuming the cellphones can plug right into this, especially through an app that they then register with a SIP service.
-
@scottalanmiller said in Comparing Fax and Email Security:
@dbeato said in Comparing Fax and Email Security:
Very nice article. I have been debating this for years. So healthcare practices think a Fax machine makes them HIPAA compliant because it doesn't require encryption...
Pretty much, yes.
As you know, with all things HIPAA, there often are no rules or specific guidelines. A small shop has different criteria than a huge healthcare system.
I am sure if the fax machine was out in the waiting room, that would be a violation. If it is behind the counter where patients should not be able to access it, it is probably as secure as it can be.
Whether or not this is truly secure has nothing to do with actual security, rather just falling in line to the HIPAA regulation. Again, as you know @scottalanmiller because you have said this many times.
It's the same reason postal mail is considered HIPAA compliant. But really, how secure is postal mail? It's not.
-
@Dashrender said in Comparing Fax and Email Security:
@scottalanmiller said in Comparing Fax and Email Security:
If you have SIP based VoIP, you can dial this test service to see direct SIP dialing in action...
test.time@sip5060.net
And there you go.
Most consumers don't have SIP based VOIP access at this point. They'd have to buy and strap it onto something they have today.I'm assuming the cellphones can plug right into this, especially through an app that they then register with a SIP service.
Don't they? Just... install the app and go. There is no "SIP Service" in SIP calling. You don't need a PBX or server. Just fire up any SIP client, or buy a desk phone and add a DNS entry (DDNS often needed.)
It's within the most casual reach of anyone. And for making calls you don't even need the DDNS piece.
-
@BRRABill said in Comparing Fax and Email Security:
I am sure if the fax machine was out in the waiting room, that would be a violation. If it is behind the counter where patients should not be able to access it, it is probably as secure as it can be.
That's like having a computer, with no logins, that is always up displaying emails that anyone walking past can see and, by swiping their hand over, gets a copy in their pocket. There is no real world ability to make email as insecure as "about as secured as it gets" fax.
-
@BRRABill said in Comparing Fax and Email Security:
Whether or not this is truly secure has nothing to do with actual security, rather just falling in line to the HIPAA regulation.
I truly believe any auditor or judge allowing fax is corruption. It does not meet any letter or intent of HIPAA guidelines and is a blatant mocking of the security of the American public. HIPAA was designed for the purpose of making it possible to prosecute people doing things specifically like faxing. It's been abused by those in power to do exactly the opposite, it's been used to curtail security and protect the worst abusers.
-
@scottalanmiller said in Comparing Fax and Email Security:
@BRRABill said in Comparing Fax and Email Security:
Whether or not this is truly secure has nothing to do with actual security, rather just falling in line to the HIPAA regulation.
I truly believe any auditor or judge allowing fax is corruption. It does not meet any letter or intent of HIPAA guidelines and is a blatant mocking of the security of the American public. HIPAA was designed for the purpose of making it possible to prosecute people doing things specifically like faxing. It's been abused by those in power to do exactly the opposite, it's been used to curtail security and protect the worst abusers.
OK, but we are talking about HIPAA here, right?
P.S. Are you getting paid by some strange company to use the word "corruption" this week?