Faxing
-
email goes over an unencrypted network that can be easily tapped by spies. Tapping a POTS line (not a SIP trunk) is much harder and requires local access to the end points, or hacking into the phone companies systems. These alone in my opinion make it more secure - nothing Scott or anyone else has said why an email sent over the internet is more secure than this situation.
As for the fax printing out on a MFP sitting in the middle of the office. Sure, so this is one area where email clearly wins out. Though in my case, in medical cases, there are very little if any limitations on who can/should be able to see anything medical coming in on the fax machine. Sending an email to a single person wouldn't be an acceptable solution for us. We need to make sure we have a team of people who are responsible for accepting and processing faxes. They shouldn't not get handled just because someone is on vacation, etc.
Don't get me wrong, I want to get rid of faxes as badly as the next guy on these forums. DM's will hopefully provide us with this. DM's are accepted by our EHR on behalf of our providers, and we task the EHR to dump them into a centralized bucket that our staff are tasked to check and manage.
I just wish this HIE/cert setup could be applied to email globally for free, but verifying ownership of an email account isn't free, so this is likely to never happen.
Though Secure DNS would be a great first step toward making it much less expensive. Secure DNS could publish the public cert for your domain's email server, at least ensuring that you're email server is where the email came from, though getting user level verification would still be difficult.
-
@Dashrender said in Faxing:
email goes over an unencrypted network
Um, you do realize the majority of email is encrypted in transit (SSL).. just not at rest. There are very few providers not supporting encryption in transit now. If your server is setup for it, it will negotiate
-
@Dashrender said in Faxing:
As for the fax printing out on a MFP sitting in the middle of the office. Sure, so this is one area where email clearly wins out. Though in my case, in medical cases, there are very little if any limitations on who can/should be able to see anything medical coming in on the fax machine.
So What's the access control method for the Fax machine? is there a door with a biometric lock, pin code or what? Otherwise anyone in the office should be consider as potentially seeing any information sent.
-
Fax machines will be the first wave in the zombie apocalypse.
Melt them with thermite now to prevent this. -
@Dashrender said in Faxing:
Scott has been saying for years that regular email is more secure than faxing - that I'll never agree with.
That's a good scientific position to take with anything.
There are two main areas that I know use faxing a ton still, Lawyers and Doctors. Both of them require *secure" communications when using something other than fax. Secure email is a huge pain in the ass, there is no single uniform standard.
PGP is a pretty damn close uniform standard, combined with SSL in transit. Barring that, an encrypted zip file does a lot too.
Faxing is an easy to implement solution that is standard everywhere - like SMS messaging. It's just there, it works, delivering it to an office not a person has always been considered good enough.
Except, it's not. It's more expensive, it has massive quality loss, it has overhead too. How many times have you had to re-fax something because it didn't come across correctly? "Easy" compared to email, no way. If that were true, why would anyone want to even use email with super easy fax machines around?
How is it good enough? Digital copy versus a modulated piece of crap? As I said before, this is a situation where, more often than not, people are using efax on both ends, so essentially paying a lot more for a really, really crappy version of email which is not only not-encrypted, but there's no authentication on either end at all.
"DM"
I absolutely agree with you there needs to be something better in place. I think both fax and email are inadequate, because they don't really fit with the healthcare industry. My guess is, though, it'll have to be something built upon email since that is a standard available in far more places than fax machines. Regardless, it'll have to be an open standard, whatever it is, because there are no ubiquitous closed standards on the Internet.
-
@Dashrender said in Faxing:
email goes over an unencrypted network that can be easily tapped by spies.
That's pretty unusual these days, and is typically a way to get your email flagged as spam. Server to server SMTP is basically always encrypted now, and client server rarely isn't.
Tapping a POTS line (not a SIP trunk) is much harder and requires local access to the end points, or hacking into the phone companies systems. These alone in my opinion make it more secure - nothing Scott or anyone else has said why an email sent over the internet is more secure than this situation.
That doesn't even matter, because with fax since there's no end to end encryption or authentication, there's situations like that PHI leak several years ago where a Pizza Hut accidentally was faxed tons of medical records. Anyone can read anything, there's no guarantee of who is or who is not seeing it, or even that it arrives. At least emails can bounce back.
As for the fax printing out on a MFP sitting in the middle of the office. Sure, so this is one area where email clearly wins out. Though in my case, in medical cases, there are very little if any limitations on who can/should be able to see anything medical coming in on the fax machine.
That's not true in most environments though, plenty of doctors' offices and other places have the machines sitting there. A pharmacy I used to go to in Kansas had their fax machine to where one could reach over the counter and pull out anything. I couldn't authenticate on their auto-locking terminal though.
Sending an email to a single person wouldn't be an acceptable solution for us. We need to make sure we have a team of people who are responsible for accepting and processing faxes. They shouldn't not get handled just because someone is on vacation, etc.
Group mailboxes are not that new of a concept.
Don't get me wrong, I want to get rid of faxes as badly as the next guy on these forums.
Sure doesn't seem like it.
DM's will hopefully provide us with this. DM's are accepted by our EHR on behalf of our providers, and we task the EHR to dump them into a centralized bucket that our staff are tasked to check and manage.
If they're not open standard, then they're garbage and nobody will implement them beyond maybe a couple.
Though Secure DNS would be a great first step toward making it much less expensive. Secure DNS could publish the public cert for your domain's email server, at least ensuring that you're email server is where the email came from, though getting user level verification would still be difficult.
These are both already solved by DNSSEC and DKIM. There's an irony where, these kinds of things don't exist on fax and can't, hell, even if an email is spoofed there's at least headers which can show this, but I can fax from any fax machine to any number and then it's simply believed to come from the proper source, that's just insane.
I just don't get it, because you can send a perfect digital copy of something for extremely cheap or a really screwed up copy for very not-cheap. Email is more secure, it's just an illusion that fax is more secure because "phone tapping is difficult," that doesn't even matter if it's getting faxed to a damn Pizza Hut or some other business by accident, or if it's just sitting in the tray, which I've seen countless times around doctors offices, and then maybe it gets thrown in just the trash where anyone can get it. Fax leaves way too much open to chance.
I feel like your view of email is pretty dated, no concept of encryption, group/shared mailboxes, DKIM, etc and using that as a means to criticise it.
-
@Dashrender said in Faxing:
email goes over an unencrypted network that can be easily tapped by spies. Tapping a POTS line (not a SIP trunk) is much harder and requires local access to the end points, or hacking into the phone companies systems.
Not my email. Not anyone's that I know. Email is encrypted end to end in nearly all cases and end to centre is almost all of the remaining cases. If you want to intercept email, unless someone has gone dramatically out of their way to be insecure on purpose, you need access to the datacenter. Local access does nothing for you.
Local access is the easiest thing to get. POTS is the easiest technology to tap. It's so easy to tap that the tools are standard for it and "just work". If you have a POTS listening tool, you just walk up to the line down the street from where you want to listen and voila... you have the entire communications both audio and fax.
-
@Dashrender said in Faxing:
... or hacking into the phone companies systems.
Which is what hacking actually refers to. Those are the systems that people are famous for getting access to, not computer systems. The singular most famous "computer hacker" didn't hack computers, he hacked phones.
-
@scottalanmiller said in Faxing:
@Dashrender said in Faxing:
... or hacking into the phone companies systems.
Which is what hacking actually refers to. Those are the systems that people are famous for getting access to, not computer systems. The singular most famous "computer hacker" didn't hack computers, he hacked phones.
Model trains before phones
-
@Dashrender said in Faxing:
There are two main areas that I know use faxing a ton still, Lawyers and Doctors. Both of them require *secure" communications when using something other than fax.
Right, they require things be secure unless their pet insecure technology is used. That's our point. Sure people use it, but no one uses it because it is secure, they use it because they dislike security.
-
@Dashrender said in Faxing:
As for the fax printing out on a MFP sitting in the middle of the office. Sure, so this is one area where email clearly wins out. Though in my case, in medical cases, there are very little if any limitations on who can/should be able to see anything medical coming in on the fax machine.
So What's the access control method for the Fax machine? is there a door with a biometric lock, pin code or what? Otherwise anyone in the office should be consider as potentially seeing any information sent.
Yep and in a medical office, this is completely expected to be the case.
-
@tonyshowoff said in Faxing:
@Dashrender said in Faxing:
There are two main areas that I know use faxing a ton still, Lawyers and Doctors. Both of them require *secure" communications when using something other than fax. Secure email is a huge pain in the ass, there is no single uniform standard.
PGP is a pretty damn close uniform standard, combined with SSL in transit. Barring that, an encrypted zip file does a lot too.
Sure PGP is uniform standard - but it's a major pain in the ass to configure, and you the end user have to manage the Public/Private keys for yourself, and the Public keys of those your conversing with.
Faxing is an easy to implement solution that is standard everywhere - like SMS messaging. It's just there, it works, delivering it to an office not a person has always been considered good enough.
Except, it's not. It's more expensive, it has massive quality loss, it has overhead too. How many times have you had to re-fax something because it didn't come across correctly? "Easy" compared to email, no way. If that were true, why would anyone want to even use email with super easy fax machines around?
How is it good enough? Digital copy versus a modulated piece of crap? As I said before, this is a situation where, more often than not, people are using efax on both ends, so essentially paying a lot more for a really, really crappy version of email which is not only not-encrypted, but there's no authentication on either end at all.
As for direct costs - I guess we'd have to look at the implementations. But I know I can put a fax machine (hell a fax server) some something as simple as a rasberry pi and save the files some disk, all pieces being pretty damned cheap, then toss in a $30/month phone line and I'm golden. And it's considered HIPAA compliant. For a single email account, I can get a free one, but that won't be HIPAA compliant, but then I could rely upon the sender only sending me encrypted items, so I could still be a free if the conditions are right.
Sending a fax is as simple as dropping the pages on the machine and typing a phone number, email requires end to end encryption, definitely not easy, and often expensive.
How is it good enough? well it was for 20+ years - Thus far, this hasn't been a reason to move away from faxing.
the authentication on a fax is the phone number. Could you type the wrong number? sure you could, but even if you did, that's no likely going to cause your information to go to the wrong person, instead it's more likely to cause a complete failure. The bigger risk is picking the wrong name/number from the address list, the same risk as in email. But back to the authentication. In the case of healthcare, when it comes to sharing the data, it's less about a specific person and more about the office at large getting the information - so the number is all the authentication one requires.
Of course the fax bashing continues - please understand that I completely and utterly hate HATE faxing... but a secure, easy to use, ubiquitous communication method, especially to a whole office, simply doesn't exist today the same as faxing does. So any solution around email will continue to be met with the added layers of complexity that are part of it in comparison to faxing.
-
@tonyshowoff said in Faxing:
@Dashrender said in Faxing:
email goes over an unencrypted network that can be easily tapped by spies.
That's pretty unusual these days, and is typically a way to get your email flagged as spam. Server to server SMTP is basically always encrypted now, and client server rarely isn't.
Ok sure, this is generally true, but it's meaningless. it's simply the transfer from one host to another than encrypted. There's no verification that the receiving host is in fact the needed destination host, a MITM could have a host reading everything as it's passing it along to someone else. So sure casual observers are blocked.. but a bad actor like a a government or even an ISP could easily intercept all of that SMTP traffic, pretend to be that SMTP server, accept the mail and then forward it on.
Tapping a POTS line (not a SIP trunk) is much harder and requires local access to the end points, or hacking into the phone companies systems. These alone in my opinion make it more secure - nothing Scott or anyone else has said why an email sent over the internet is more secure than this situation.
That doesn't even matter, because with fax since there's no end to end encryption or authentication, there's situations like that PHI leak several years ago where a Pizza Hut accidentally was faxed tons of medical records. Anyone can read anything, there's no guarantee of who is or who is not seeing it, or even that it arrives. At least emails can bounce back.
You're talking about a small chance of something happening. Again this was more likely a cause because the medical placed had Pizza Hut on speed dial for ordering lunch. But even if that wasn't the case, and the accidental wrong dialing did just so happen to hit upon a life fax line, you're still limited to something like 1 page a min for faxing. While it's possible to send hundreds of pages of faxes.. it's just not that common. So while a problem, the risk of large exposure is small.
As for the fax printing out on a MFP sitting in the middle of the office. Sure, so this is one area where email clearly wins out. Though in my case, in medical cases, there are very little if any limitations on who can/should be able to see anything medical coming in on the fax machine.
That's not true in most environments though, plenty of doctors' offices and other places have the machines sitting there. A pharmacy I used to go to in Kansas had their fax machine to where one could reach over the counter and pull out anything. I couldn't authenticate on their auto-locking terminal though.
While I'm sure this is true in a great many places - that's their problem, not faxes fault for stupid placement.
Sending an email to a single person wouldn't be an acceptable solution for us. We need to make sure we have a team of people who are responsible for accepting and processing faxes. They shouldn't not get handled just because someone is on vacation, etc.
Group mailboxes are not that new of a concept.
Of course they aren't, I suppose if a group box allowed only one copy of the incoming document to be shown to prevent duplicated work, that would be an idea there. At least with the faxes, there's typically only one paper copy (to start with) or one copy in the network location. Unlike it being sent to 10 people.. and the other 9 have no idea if you handled the fax or not already.
-
@tonyshowoff said in Faxing:
I just don't get it, because you can send a perfect digital copy of something for extremely cheap or a really screwed up copy for very not-cheap. Email is more secure, it's just an illusion that fax is more secure because "phone tapping is difficult," that doesn't even matter if it's getting faxed to a damn Pizza Hut or some other business by accident, or if it's just sitting in the tray, which I've seen countless times around doctors offices, and then maybe it gets thrown in just the trash where anyone can get it. Fax leaves way too much open to chance.
I feel like your view of email is pretty dated, no concept of encryption, group/shared mailboxes, DKIM, etc and using that as a means to criticise it.
Hold on... I feel like you think I've said that email is less secure than Faxing.. or more likely stated.. that faxing is more secure? I'll have to re-read everything, but pretty sure I never said either. both solutions are horribly insecure without adding on a security layer/feature on top of them.
What I am saying is that even without that layer, faxing is more... hmm. something, I don't want to say secure, but it's definitely considered by HIPAA to be allowable, where plain email without encryption is simply not allowed.If HIPAA got the hell out of the way, I'd say dump faxing for email ASAP! because it has so many advantages. But it's simply not allowed.
-
@scottalanmiller said in Faxing:
@Dashrender said in Faxing:
email goes over an unencrypted network that can be easily tapped by spies. Tapping a POTS line (not a SIP trunk) is much harder and requires local access to the end points, or hacking into the phone companies systems.
Not my email. Not anyone's that I know. Email is encrypted end to end in nearly all cases and end to centre is almost all of the remaining cases. If you want to intercept email, unless someone has gone dramatically out of their way to be insecure on purpose, you need access to the datacenter. Local access does nothing for you.
Local access is the easiest thing to get. POTS is the easiest technology to tap. It's so easy to tap that the tools are standard for it and "just work". If you have a POTS listening tool, you just walk up to the line down the street from where you want to listen and voila... you have the entire communications both audio and fax.
but you can't do that from china. That's my point. hell you can't do that from anywhere, but as you said, down the street of whomever you want to tap.
-
@Dashrender said in Faxing:
Ok sure, this is generally true, but it's meaningless. it's simply the transfer from one host to another than encrypted. There's no verification that the receiving host is in fact the needed destination host, a MITM could have a host reading everything as it's passing it along to someone else. So sure casual observers are blocked.. but a bad actor like a a government or even an ISP could easily intercept all of that SMTP traffic, pretend to be that SMTP server, accept the mail and then forward it on.
With that argument, the phone company could always do that to the fax. The difference is, email is encrypted and the ISP can't do that.
So this actually makes our point, not yours. This applies widely to faxes and not to email in the real world.
-
@Dashrender said in Faxing:
but you can't do that from china. That's my point. hell you can't do that from anywhere, but as you said, down the street of whomever you want to tap.
So China can get neither. But local you can trivially get fax, but not email. The point remains, fax is vulnerable where email is not.
China is not your threat, in the real world. Real world threats are targeted and that means local matters.
-
@Dashrender said in Faxing:
If HIPAA got the hell out of the way, I'd say dump faxing for email ASAP! because it has so many advantages. But it's simply not allowed.
Yes it is. It absolutely is. It's just that fax IS allowed by tradition and so people leverage the excuse to be insecure because, in the end, that was their hope.
-
@scottalanmiller said in Faxing:
@Dashrender said in Faxing:
If HIPAA got the hell out of the way, I'd say dump faxing for email ASAP! because it has so many advantages. But it's simply not allowed.
Yes it is. It absolutely is. It's just that fax IS allowed by tradition and so people leverage the excuse to be insecure because, in the end, that was their hope.
HIPAA in no way prohibits email, actually it specifically allows electronic communications. And for that matter you can use an online secure communication portal, that's what most medical offices around here have. They aren't faxing much
-
@Dashrender said in Faxing:
Sure PGP is uniform standard - but it's a major pain in the ass to configure, and you the end user have to manage the Public/Private keys for yourself, and the Public keys of those your conversing with.
I agree, but that's a software problem, not an argument for fax.
As for direct costs - I guess we'd have to look at the implementations. But I know I can put a fax machine (hell a fax server) some something as simple as a rasberry pi and save the files some disk, all pieces being pretty damned cheap, then toss in a $30/month phone line and I'm golden.
Email is a hell of a lot cheaper than that.
And it's considered HIPAA compliant.
Only because it's grandfathered in.
For a single email account, I can get a free one, but that won't be HIPAA compliant, but then I could rely upon the sender only sending me encrypted items, so I could still be a free if the conditions are right.
Yes, it can be HIPAA compliant, in pretty much all conditions so long as the PHI is protected. You're mixing HIPAA compliance with the HIPAA certification scams.
Sending a fax is as simple as dropping the pages on the machine and typing a phone number, email requires end to end encryption, definitely not easy, and often expensive. How is it good enough? well it was for 20+ years - Thus far, this hasn't been a reason to move away from faxing.
Again, just because it's simple does not make it better in this regard, because we still have to print it, adding additional cost and waste, and there's the quality loss. It's not good enough it's pretty shitty, actually. As I said, if it's good enough, why would anyone use email at all?
the authentication on a fax is the phone number. Could you type the wrong number? sure you could, but even if you did, that's no likely going to cause your information to go to the wrong person, instead it's more likely to cause a complete failure.
It's pretty scary you think a phone number is good enough authentication for PHI. This is really, really terrible security practice. And still, if you do screw up, like the Pizza Hut thing, the fines will be pretty over the top, they don't care about mistakes, only about fining your ass.
The bigger risk is picking the wrong name/number from the address list, the same risk as in email.
The risk with email depends, but it's avoidable, but with fax it is not.
But back to the authentication. In the case of healthcare, when it comes to sharing the data, it's less about a specific person and more about the office at large getting the information - so the number is all the authentication one requires.
Unless it's sent somewhere else, has quality loss, is left in the tray, or someone who isn't allowed to see it does, or someone haphazardly throws it in the regular trash where it leaks out, or does it because they don't care. This happens too.
Of course the fax bashing continues - please understand that I completely and utterly hate HATE faxing... but a secure, easy to use, ubiquitous communication method, especially to a whole office, simply doesn't exist today the same as faxing does. So any solution around email will continue to be met with the added layers of complexity that are part of it in comparison to faxing.
Yes, it does, it's called encrypted email, you're just finding excuses to say it doesn't work. It's as simple as Outlook's built in encryption crap, and all the other security layers are there. I don't need to add in server to server SSL, it's already there. You are literally saying open, modulated analogue data is more secure than encryption that takes the life time of the sun to crack, and the quality loss is acceptable because it has to go to multiple people in the same office, as I said shared mailbox.