Faxing

scottalanmiller

@Dashrender said in Faxing:

There are two main areas that I know use faxing a ton still, Lawyers and Doctors. Both of them require *secure" communications when using something other than fax.

Right, they require things be secure unless their pet insecure technology is used. That's our point. Sure people use it, but no one uses it because it is secure, they use it because they dislike security.

Dashrender

@Jason said in Faxing:

@Dashrender said in Faxing:

As for the fax printing out on a MFP sitting in the middle of the office. Sure, so this is one area where email clearly wins out. Though in my case, in medical cases, there are very little if any limitations on who can/should be able to see anything medical coming in on the fax machine.

So What's the access control method for the Fax machine? is there a door with a biometric lock, pin code or what? Otherwise anyone in the office should be consider as potentially seeing any information sent.

Yep and in a medical office, this is completely expected to be the case.

Dashrender

@tonyshowoff said in Faxing:

@Dashrender said in Faxing:

There are two main areas that I know use faxing a ton still, Lawyers and Doctors. Both of them require *secure" communications when using something other than fax. Secure email is a huge pain in the ass, there is no single uniform standard.

PGP is a pretty damn close uniform standard, combined with SSL in transit. Barring that, an encrypted zip file does a lot too.

Sure PGP is uniform standard - but it's a major pain in the ass to configure, and you the end user have to manage the Public/Private keys for yourself, and the Public keys of those your conversing with.

Faxing is an easy to implement solution that is standard everywhere - like SMS messaging. It's just there, it works, delivering it to an office not a person has always been considered good enough.

Except, it's not. It's more expensive, it has massive quality loss, it has overhead too. How many times have you had to re-fax something because it didn't come across correctly? "Easy" compared to email, no way. If that were true, why would anyone want to even use email with super easy fax machines around?

How is it good enough? Digital copy versus a modulated piece of crap? As I said before, this is a situation where, more often than not, people are using efax on both ends, so essentially paying a lot more for a really, really crappy version of email which is not only not-encrypted, but there's no authentication on either end at all.

As for direct costs - I guess we'd have to look at the implementations. But I know I can put a fax machine (hell a fax server) some something as simple as a rasberry pi and save the files some disk, all pieces being pretty damned cheap, then toss in a $30/month phone line and I'm golden. And it's considered HIPAA compliant. For a single email account, I can get a free one, but that won't be HIPAA compliant, but then I could rely upon the sender only sending me encrypted items, so I could still be a free if the conditions are right.

Sending a fax is as simple as dropping the pages on the machine and typing a phone number, email requires end to end encryption, definitely not easy, and often expensive.

How is it good enough? well it was for 20+ years - Thus far, this hasn't been a reason to move away from faxing.

the authentication on a fax is the phone number. Could you type the wrong number? sure you could, but even if you did, that's no likely going to cause your information to go to the wrong person, instead it's more likely to cause a complete failure. The bigger risk is picking the wrong name/number from the address list, the same risk as in email. But back to the authentication. In the case of healthcare, when it comes to sharing the data, it's less about a specific person and more about the office at large getting the information - so the number is all the authentication one requires.

Of course the fax bashing continues - please understand that I completely and utterly hate HATE faxing... but a secure, easy to use, ubiquitous communication method, especially to a whole office, simply doesn't exist today the same as faxing does. So any solution around email will continue to be met with the added layers of complexity that are part of it in comparison to faxing.

Dashrender

@tonyshowoff said in Faxing:

@Dashrender said in Faxing:

email goes over an unencrypted network that can be easily tapped by spies.

That's pretty unusual these days, and is typically a way to get your email flagged as spam. Server to server SMTP is basically always encrypted now, and client server rarely isn't.

Ok sure, this is generally true, but it's meaningless. it's simply the transfer from one host to another than encrypted. There's no verification that the receiving host is in fact the needed destination host, a MITM could have a host reading everything as it's passing it along to someone else. So sure casual observers are blocked.. but a bad actor like a a government or even an ISP could easily intercept all of that SMTP traffic, pretend to be that SMTP server, accept the mail and then forward it on.

Tapping a POTS line (not a SIP trunk) is much harder and requires local access to the end points, or hacking into the phone companies systems. These alone in my opinion make it more secure - nothing Scott or anyone else has said why an email sent over the internet is more secure than this situation.

That doesn't even matter, because with fax since there's no end to end encryption or authentication, there's situations like that PHI leak several years ago where a Pizza Hut accidentally was faxed tons of medical records. Anyone can read anything, there's no guarantee of who is or who is not seeing it, or even that it arrives. At least emails can bounce back.

You're talking about a small chance of something happening. Again this was more likely a cause because the medical placed had Pizza Hut on speed dial for ordering lunch. But even if that wasn't the case, and the accidental wrong dialing did just so happen to hit upon a life fax line, you're still limited to something like 1 page a min for faxing. While it's possible to send hundreds of pages of faxes.. it's just not that common. So while a problem, the risk of large exposure is small.

As for the fax printing out on a MFP sitting in the middle of the office. Sure, so this is one area where email clearly wins out. Though in my case, in medical cases, there are very little if any limitations on who can/should be able to see anything medical coming in on the fax machine.

That's not true in most environments though, plenty of doctors' offices and other places have the machines sitting there. A pharmacy I used to go to in Kansas had their fax machine to where one could reach over the counter and pull out anything. I couldn't authenticate on their auto-locking terminal though.

While I'm sure this is true in a great many places - that's their problem, not faxes fault for stupid placement.

Sending an email to a single person wouldn't be an acceptable solution for us. We need to make sure we have a team of people who are responsible for accepting and processing faxes. They shouldn't not get handled just because someone is on vacation, etc.

Group mailboxes are not that new of a concept.

Of course they aren't, I suppose if a group box allowed only one copy of the incoming document to be shown to prevent duplicated work, that would be an idea there. At least with the faxes, there's typically only one paper copy (to start with) or one copy in the network location. Unlike it being sent to 10 people.. and the other 9 have no idea if you handled the fax or not already.

Dashrender

@tonyshowoff said in Faxing:

I just don't get it, because you can send a perfect digital copy of something for extremely cheap or a really screwed up copy for very not-cheap. Email is more secure, it's just an illusion that fax is more secure because "phone tapping is difficult," that doesn't even matter if it's getting faxed to a damn Pizza Hut or some other business by accident, or if it's just sitting in the tray, which I've seen countless times around doctors offices, and then maybe it gets thrown in just the trash where anyone can get it. Fax leaves way too much open to chance.

I feel like your view of email is pretty dated, no concept of encryption, group/shared mailboxes, DKIM, etc and using that as a means to criticise it.

Hold on... I feel like you think I've said that email is less secure than Faxing.. or more likely stated.. that faxing is more secure? I'll have to re-read everything, but pretty sure I never said either. both solutions are horribly insecure without adding on a security layer/feature on top of them.
What I am saying is that even without that layer, faxing is more... hmm. something, I don't want to say secure, but it's definitely considered by HIPAA to be allowable, where plain email without encryption is simply not allowed.

If HIPAA got the hell out of the way, I'd say dump faxing for email ASAP! because it has so many advantages. But it's simply not allowed.

Dashrender

@scottalanmiller said in Faxing:

@Dashrender said in Faxing:

email goes over an unencrypted network that can be easily tapped by spies. Tapping a POTS line (not a SIP trunk) is much harder and requires local access to the end points, or hacking into the phone companies systems.

Not my email. Not anyone's that I know. Email is encrypted end to end in nearly all cases and end to centre is almost all of the remaining cases. If you want to intercept email, unless someone has gone dramatically out of their way to be insecure on purpose, you need access to the datacenter. Local access does nothing for you.

Local access is the easiest thing to get. POTS is the easiest technology to tap. It's so easy to tap that the tools are standard for it and "just work". If you have a POTS listening tool, you just walk up to the line down the street from where you want to listen and voila... you have the entire communications both audio and fax.

but you can't do that from china. That's my point. hell you can't do that from anywhere, but as you said, down the street of whomever you want to tap.

scottalanmiller

@Dashrender said in Faxing:

Ok sure, this is generally true, but it's meaningless. it's simply the transfer from one host to another than encrypted. There's no verification that the receiving host is in fact the needed destination host, a MITM could have a host reading everything as it's passing it along to someone else. So sure casual observers are blocked.. but a bad actor like a a government or even an ISP could easily intercept all of that SMTP traffic, pretend to be that SMTP server, accept the mail and then forward it on.

With that argument, the phone company could always do that to the fax. The difference is, email is encrypted and the ISP can't do that.

So this actually makes our point, not yours. This applies widely to faxes and not to email in the real world.

scottalanmiller

@Dashrender said in Faxing:

but you can't do that from china. That's my point. hell you can't do that from anywhere, but as you said, down the street of whomever you want to tap.

So China can get neither. But local you can trivially get fax, but not email. The point remains, fax is vulnerable where email is not.

China is not your threat, in the real world. Real world threats are targeted and that means local matters.

scottalanmiller

@Dashrender said in Faxing:

If HIPAA got the hell out of the way, I'd say dump faxing for email ASAP! because it has so many advantages. But it's simply not allowed.

Yes it is. It absolutely is. It's just that fax IS allowed by tradition and so people leverage the excuse to be insecure because, in the end, that was their hope.

Jason

@scottalanmiller said in Faxing:

@Dashrender said in Faxing:

If HIPAA got the hell out of the way, I'd say dump faxing for email ASAP! because it has so many advantages. But it's simply not allowed.

Yes it is. It absolutely is. It's just that fax IS allowed by tradition and so people leverage the excuse to be insecure because, in the end, that was their hope.

HIPAA in no way prohibits email, actually it specifically allows electronic communications. And for that matter you can use an online secure communication portal, that's what most medical offices around here have. They aren't faxing much

tonyshowoff

@Dashrender said in Faxing:

Sure PGP is uniform standard - but it's a major pain in the ass to configure, and you the end user have to manage the Public/Private keys for yourself, and the Public keys of those your conversing with.

I agree, but that's a software problem, not an argument for fax.

As for direct costs - I guess we'd have to look at the implementations. But I know I can put a fax machine (hell a fax server) some something as simple as a rasberry pi and save the files some disk, all pieces being pretty damned cheap, then toss in a $30/month phone line and I'm golden.

Email is a hell of a lot cheaper than that.

And it's considered HIPAA compliant.

Only because it's grandfathered in.

For a single email account, I can get a free one, but that won't be HIPAA compliant, but then I could rely upon the sender only sending me encrypted items, so I could still be a free if the conditions are right.

Yes, it can be HIPAA compliant, in pretty much all conditions so long as the PHI is protected. You're mixing HIPAA compliance with the HIPAA certification scams.

Sending a fax is as simple as dropping the pages on the machine and typing a phone number, email requires end to end encryption, definitely not easy, and often expensive. How is it good enough? well it was for 20+ years - Thus far, this hasn't been a reason to move away from faxing.

Again, just because it's simple does not make it better in this regard, because we still have to print it, adding additional cost and waste, and there's the quality loss. It's not good enough it's pretty shitty, actually. As I said, if it's good enough, why would anyone use email at all?

the authentication on a fax is the phone number. Could you type the wrong number? sure you could, but even if you did, that's no likely going to cause your information to go to the wrong person, instead it's more likely to cause a complete failure.

It's pretty scary you think a phone number is good enough authentication for PHI. This is really, really terrible security practice. And still, if you do screw up, like the Pizza Hut thing, the fines will be pretty over the top, they don't care about mistakes, only about fining your ass.

The bigger risk is picking the wrong name/number from the address list, the same risk as in email.

The risk with email depends, but it's avoidable, but with fax it is not.

But back to the authentication. In the case of healthcare, when it comes to sharing the data, it's less about a specific person and more about the office at large getting the information - so the number is all the authentication one requires.

Unless it's sent somewhere else, has quality loss, is left in the tray, or someone who isn't allowed to see it does, or someone haphazardly throws it in the regular trash where it leaks out, or does it because they don't care. This happens too.

Of course the fax bashing continues - please understand that I completely and utterly hate HATE faxing... but a secure, easy to use, ubiquitous communication method, especially to a whole office, simply doesn't exist today the same as faxing does. So any solution around email will continue to be met with the added layers of complexity that are part of it in comparison to faxing.

Yes, it does, it's called encrypted email, you're just finding excuses to say it doesn't work. It's as simple as Outlook's built in encryption crap, and all the other security layers are there. I don't need to add in server to server SSL, it's already there. You are literally saying open, modulated analogue data is more secure than encryption that takes the life time of the sun to crack, and the quality loss is acceptable because it has to go to multiple people in the same office, as I said shared mailbox.

tonyshowoff

@Dashrender said in Faxing:

@scottalanmiller said in Faxing:

@Dashrender said in Faxing:

email goes over an unencrypted network that can be easily tapped by spies. Tapping a POTS line (not a SIP trunk) is much harder and requires local access to the end points, or hacking into the phone companies systems.

Not my email. Not anyone's that I know. Email is encrypted end to end in nearly all cases and end to centre is almost all of the remaining cases. If you want to intercept email, unless someone has gone dramatically out of their way to be insecure on purpose, you need access to the datacenter. Local access does nothing for you.

Local access is the easiest thing to get. POTS is the easiest technology to tap. It's so easy to tap that the tools are standard for it and "just work". If you have a POTS listening tool, you just walk up to the line down the street from where you want to listen and voila... you have the entire communications both audio and fax.

but you can't do that from china. That's my point. hell you can't do that from anywhere, but as you said, down the street of whomever you want to tap.

Nobody cares about China except paranoid Americans who think they're dangerous. Not only that, but Chinese people can visit the US, so, tapping a phone line still at higher risk for Chinese eavesdropping than encrypted email or even just data going over SSL.

JaredBusch

@tonyshowoff said in Faxing:

@Dashrender said in Faxing:

@scottalanmiller said in Faxing:

@Dashrender said in Faxing:

email goes over an unencrypted network that can be easily tapped by spies. Tapping a POTS line (not a SIP trunk) is much harder and requires local access to the end points, or hacking into the phone companies systems.

Not my email. Not anyone's that I know. Email is encrypted end to end in nearly all cases and end to centre is almost all of the remaining cases. If you want to intercept email, unless someone has gone dramatically out of their way to be insecure on purpose, you need access to the datacenter. Local access does nothing for you.

Local access is the easiest thing to get. POTS is the easiest technology to tap. It's so easy to tap that the tools are standard for it and "just work". If you have a POTS listening tool, you just walk up to the line down the street from where you want to listen and voila... you have the entire communications both audio and fax.

but you can't do that from china. That's my point. hell you can't do that from anywhere, but as you said, down the street of whomever you want to tap.

Nobody cares about China except paranoid Americans who think they're dangerous. Not only that, but Chinese people can visit the US, so, tapping a phone line still at higher risk for Chinese eavesdropping than encrypted email or even just data going over SSL.

Or even plain text email. Seriously.

JaredBusch

As for email in transit, there is no server to server hopping for email.

Email goes from your server directly to the IP defined by the MX records for the receiving domain. This is not the old school days of store and forward.

Of course, it hits any number of routers along the way. But it never hits anything else.

You can easily require all traffic to and from your mail server to use TLS. You will certainly suddenly have complaints from people that their email to you is being bounced.

You could also just setup your outbound email to require TLS while allowing opportunistic TLS on the inbound. Then anyone can email to you and it will attempt to negotiate TLS on all inbound first and will fall back to unencrypted. This has no bearing on HIPAA because it is not data YOU are sending. On the other hand your sent email will all be TLS or it will not send. You will find very few people you need to send to that fail.

Dashrender

Please stop saying that I'm claiming that faxes are more secure. I'M Not!

I guess I'll just say, as long as Faxing is grandfathered in, the rest doesn't matter because the expense and complexities of using encrypted email (think PGP or password encrypted zip) won't replace it.

I'm absolutely willing to capitulate the grandfathering is the main, perhaps only, reason it's allowed.

JaredBusch

@Dashrender said in Faxing:

Please stop saying that I'm claiming that faxes are more secure. I'M Not!

I guess I'll just say, as long as Faxing is grandfathered in, the rest doesn't matter because the expense and complexities of using encrypted email (think PGP or password encrypted zip) won't replace it.

I'm absolutely willing to capitulate the grandfathering is the main, perhaps only, reason it's allowed.

I said nothing of the sort. I said unencrypted email is more secure than faxing. Just clarifying my point of view.

Dashrender

You're post just happened to be above mine, I wasn't posting to you JB.. Thanks.

tonyshowoff

@Dashrender

Please stop saying that I'm claiming that faxes are more secure. I'M Not!

Really, you didn't? Could've fooled me, you spent a hell of a lot of time not only heavily implying it was secure, but straight out saying it's more secure than email, using arguments from the standpoint of ignorance about how email even functions, thinking it's unencrypted in transit, but still seemingly sticking to these points even after being shown they are wrong.

Scott has been saying for years that regular email is more secure than faxing - that I'll never agree with.

This means you think it's more secure than email, implying you think it's secure, unless you're saying they're both so insecure it doesn't matter, in which case that's wrong.

email goes over an unencrypted network that can be easily tapped by spies. Tapping a POTS line (not a SIP trunk) is much harder and requires local access to the end points, or hacking into the phone companies systems. These alone in my opinion make it more secure - nothing Scott or anyone else has said why an email sent over the internet is more secure than this situation.

Saying fax is more secure than email, in fact blatantly saying it is "more secure."

the authentication on a fax is the phone number.

Implies there's any security at all.

but you can't do that from china. That's my point. hell you can't do that from anywhere, but as you said, down the street of whomever you want to tap.

Implying again it's more secure than email

If you want me to "stop saying that [you're] claiming that faxes are more secure," then stop saying it!

Dashrender

Just because SSL can be enabled doesn't mean that it is. Though I will grant that it's used by most major, and many minor vendors today.

tonyshowoff

@Dashrender said in Faxing:

Just because SSL can be enabled doesn't mean that it is. Though I will grant that it's used by most major, and many minor vendors today.

That's definitely true, I think though most major clients give you a lot of BS for not using SSL and won't even work over web access without it, major ones anyway. Again as I said before, these are software problems, they can be made easier. I blame programmers like me, because so many of us are so stupid or we assume users know more than they do.