Faxing
-
@Dashrender said in Faxing:
If HIPAA got the hell out of the way, I'd say dump faxing for email ASAP! because it has so many advantages. But it's simply not allowed.
Yes it is. It absolutely is. It's just that fax IS allowed by tradition and so people leverage the excuse to be insecure because, in the end, that was their hope.
-
@scottalanmiller said in Faxing:
@Dashrender said in Faxing:
If HIPAA got the hell out of the way, I'd say dump faxing for email ASAP! because it has so many advantages. But it's simply not allowed.
Yes it is. It absolutely is. It's just that fax IS allowed by tradition and so people leverage the excuse to be insecure because, in the end, that was their hope.
HIPAA in no way prohibits email, actually it specifically allows electronic communications. And for that matter you can use an online secure communication portal, that's what most medical offices around here have. They aren't faxing much.
-
@Dashrender said in Faxing:
Sure PGP is a uniform standard - but it's a major pain in the ass to configure, and you the end user have to manage the Public/Private keys for yourself, and the Public keys of those you're conversing with.
I agree, but that's a software problem, not an argument for fax.
As for direct costs - I guess we'd have to look at the implementations. But I know I can put a fax machine (hell a fax server) on something as simple as a Raspberry Pi and save the files to some disk, all pieces being pretty damned cheap, then toss in a $30/month phone line and I'm golden.
Email is a hell of a lot cheaper than that.
And it's considered HIPAA compliant.
Only because it's grandfathered in.
For a single email account, I can get a free one, but that won't be HIPAA compliant, but then I could rely upon the sender only sending me encrypted items, so I could still be free if the conditions are right.
Yes, it can be HIPAA compliant, in pretty much all conditions so long as the PHI is protected. You're mixing HIPAA compliance with the HIPAA certification scams.
Sending a fax is as simple as dropping the pages on the machine and typing a phone number, email requires end to end encryption, definitely not easy, and often expensive. How is it good enough? well it was for 20+ years - Thus far, this hasn't been a reason to move away from faxing.
Again, just because it's simple does not make it better in this regard, because we still have to print it, adding additional cost and waste, and there's the quality loss. It's not good enough, it's pretty shitty, actually. As I said, if it's good enough, why would anyone use email at all?
the authentication on a fax is the phone number. Could you type the wrong number? sure you could, but even if you did, that's not likely going to cause your information to go to the wrong person, instead it's more likely to cause a complete failure.
It's pretty scary you think a phone number is good enough authentication for PHI. This is really, really terrible security practice. And still, if you do screw up, like the Pizza Hut thing, the fines will be pretty over the top, they don't care about mistakes, only about fining your ass.
The bigger risk is picking the wrong name/number from the address list, the same risk as in email.
The risk with email depends, but it's avoidable, but with fax it is not.
But back to the authentication. In the case of healthcare, when it comes to sharing the data, it's less about a specific person and more about the office at large getting the information - so the number is all the authentication one requires.
Unless it's sent somewhere else, has quality loss, is left in the tray, or someone who isn't allowed to see it does, or someone haphazardly throws it in the regular trash where it leaks out, or does it because they don't care. This happens too.
Of course the fax bashing continues - please understand that I completely and utterly hate HATE faxing... but a secure, easy to use, ubiquitous communication method, especially to a whole office, simply doesn't exist today the same as faxing does. So any solution around email will continue to be met with the added layers of complexity that are part of it in comparison to faxing.
Yes, it does, it's called encrypted email, you're just finding excuses to say it doesn't work. It's as simple as Outlook's built-in encryption crap, and all the other security layers are there. I don't need to add in server to server SSL, it's already there. You are literally saying open, modulated analogue data is more secure than encryption that takes the lifetime of the sun to crack, and the quality loss is acceptable because it has to go to multiple people in the same office, as I said shared mailbox.
-
@Dashrender said in Faxing:
@scottalanmiller said in Faxing:
@Dashrender said in Faxing:
email goes over an unencrypted network that can be easily tapped by spies. Tapping a POTS line (not a SIP trunk) is much harder and requires local access to the end points, or hacking into the phone companies' systems.
Not my email. Not anyone's that I know. Email is encrypted end to end in nearly all cases and end to centre is almost all of the remaining cases. If you want to intercept email, unless someone has gone dramatically out of their way to be insecure on purpose, you need access to the datacenter. Local access does nothing for you.
Local access is the easiest thing to get. POTS is the easiest technology to tap. It's so easy to tap that the tools are standard for it and "just work". If you have a POTS listening tool, you just walk up to the line down the street from where you want to listen and voila... you have the entire communications both audio and fax.
but you can't do that from China. That's my point. hell you can't do that from anywhere, but as you said, down the street of whomever you want to tap.
Nobody cares about China except paranoid Americans who think they're dangerous. Not only that, but Chinese people can visit the US, so, tapping a phone line is still at higher risk for Chinese eavesdropping than encrypted email or even just data going over SSL.
-
@tonyshowoff said in Faxing:
@Dashrender said in Faxing:
@scottalanmiller said in Faxing:
@Dashrender said in Faxing:
email goes over an unencrypted network that can be easily tapped by spies. Tapping a POTS line (not a SIP trunk) is much harder and requires local access to the end points, or hacking into the phone companies' systems.
Not my email. Not anyone's that I know. Email is encrypted end to end in nearly all cases and end to centre is almost all of the remaining cases. If you want to intercept email, unless someone has gone dramatically out of their way to be insecure on purpose, you need access to the datacenter. Local access does nothing for you.
Local access is the easiest thing to get. POTS is the easiest technology to tap. It's so easy to tap that the tools are standard for it and "just work". If you have a POTS listening tool, you just walk up to the line down the street from where you want to listen and voila... you have the entire communications both audio and fax.
but you can't do that from China. That's my point. hell you can't do that from anywhere, but as you said, down the street of whomever you want to tap.
Nobody cares about China except paranoid Americans who think they're dangerous. Not only that, but Chinese people can visit the US, so, tapping a phone line is still at higher risk for Chinese eavesdropping than encrypted email or even just data going over SSL.
Or even plain text email. Seriously.
-
As for email in transit, there is no server to server hopping for email.
Email goes from your server directly to the IP defined by the MX records for the receiving domain. This is not the old school days of store and forward.
Of course, it hits any number of routers along the way. But it never hits anything else.
You can easily require all traffic to and from your mail server to use TLS. You will certainly suddenly have complaints from people that their email to you is being bounced.
You could also just set up your outbound email to require TLS while allowing opportunistic TLS on the inbound. Then anyone can email to you and it will attempt to negotiate TLS on all inbound first and will fall back to unencrypted. This has no bearing on HIPAA because it is not data YOU are sending. On the other hand your sent email will all be TLS or it will not send. You will find very few people you need to send to that fail.
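The split policy described in this post (require TLS outbound, opportunistic TLS inbound), modeled at the SMTP level as an added example that is not part of the original post or any mail server's own code. The EHLO replies, the host name `mx.example.net` and the function names are constructed for illustration; the `530` reply is the one RFC 3207 defines for a server that insists on STARTTLS.

```python
import re

# Constructed EHLO replies from a receiving MX (sample data, not captured traffic).
EHLO_WITH_TLS = "250-mx.example.net\r\n250-SIZE 36700160\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
# Same server with STARTTLS absent: either TLS is not configured, or something
# on the path removed the keyword. The sender cannot tell the two apart.
EHLO_NO_TLS = "250-mx.example.net\r\n250-SIZE 36700160\r\n250 8BITMIME\r\n"


def parse_ehlo(reply):
    """Return the set of ESMTP extension keywords in a multi-line 250 reply."""
    lines = reply.strip().splitlines()
    keywords = set()
    for i, line in enumerate(lines):
        m = re.fullmatch(r"250([- ])(.*)", line)
        if not m:
            raise ValueError("not a 250 reply line: %r" % line)
        sep, text = m.groups()
        # "250-" marks a continuation line, "250 " marks the final line.
        if (sep == " ") != (i == len(lines) - 1):
            raise ValueError("malformed multi-line reply")
        if i > 0 and text:  # line 0 is the server's greeting, not an extension
            keywords.add(text.split()[0].upper())
    return keywords


def outbound_decision(ehlo_reply, policy):
    """Sender side. policy is 'require' or 'opportunistic'."""
    if "STARTTLS" in parse_ehlo(ehlo_reply):
        return "starttls"
    # Required TLS: the message stays queued and eventually bounces.
    # Opportunistic TLS: the message goes out unencrypted.
    return "refuse" if policy == "require" else "plaintext"


def inbound_mail_from(tls_active, policy):
    """Receiver side: reply to MAIL FROM under the given inbound policy."""
    if tls_active or policy == "opportunistic":
        return "250 2.1.0 Ok"
    return "530 5.7.0 Must issue a STARTTLS command first"
```

With outbound set to `require`, a missing STARTTLS keyword stops delivery instead of silently downgrading it, which is why the post's "TLS or it will not send" holds for data you send while the opportunistic inbound side still accepts unencrypted mail.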
-
Please stop saying that I'm claiming that faxes are more secure. I'M Not!
I guess I'll just say, as long as Faxing is grandfathered in, the rest doesn't matter because the expense and complexities of using encrypted email (think PGP or password encrypted zip) won't replace it.
I'm absolutely willing to capitulate the grandfathering is the main, perhaps only, reason it's allowed.
-
@Dashrender said in Faxing:
Please stop saying that I'm claiming that faxes are more secure. I'M Not!
I guess I'll just say, as long as Faxing is grandfathered in, the rest doesn't matter because the expense and complexities of using encrypted email (think PGP or password encrypted zip) won't replace it.
I'm absolutely willing to capitulate the grandfathering is the main, perhaps only, reason it's allowed.
I said nothing of the sort. I said unencrypted email is more secure than faxing. Just clarifying my point of view.
-
Your post just happened to be above mine, I wasn't posting to you JB.. Thanks.
-
Please stop saying that I'm claiming that faxes are more secure. I'M Not!
Really, you didn't? Could've fooled me, you spent a hell of a lot of time not only heavily implying it was secure, but straight out saying it's more secure than email, using arguments from the standpoint of ignorance about how email even functions, thinking it's unencrypted in transit, but still seemingly sticking to these points even after being shown they are wrong.
Scott has been saying for years that regular email is more secure than faxing - that I'll never agree with.
This means you think it's more secure than email, implying you think it's secure, unless you're saying they're both so insecure it doesn't matter, in which case that's wrong.
email goes over an unencrypted network that can be easily tapped by spies. Tapping a POTS line (not a SIP trunk) is much harder and requires local access to the end points, or hacking into the phone companies' systems. These alone in my opinion make it more secure - nothing Scott or anyone else has said why an email sent over the internet is more secure than this situation.
Saying fax is more secure than email, in fact blatantly saying it is "more secure."
the authentication on a fax is the phone number.
Implies there's any security at all.
but you can't do that from China. That's my point. hell you can't do that from anywhere, but as you said, down the street of whomever you want to tap.
Implying again it's more secure than email
If you want me to "stop saying that [you're] claiming that faxes are more secure," then stop saying it!
-
Just because SSL can be enabled doesn't mean that it is. Though I will grant that it's used by most major, and many minor vendors today.
-
@Dashrender said in Faxing:
Just because SSL can be enabled doesn't mean that it is. Though I will grant that it's used by most major, and many minor vendors today.
That's definitely true, I think though most major clients give you a lot of BS for not using SSL and won't even work over web access without it, major ones anyway. Again as I said before, these are software problems, they can be made easier. I blame programmers like me, because so many of us are so stupid or we assume users know more than they do.
-
@Dashrender said in Faxing:
Just because SSL can be enabled doesn't mean that it is. Though I will grant that it's used by most major, and many minor vendors today.
Actually, you can be certain of it, I already told you how. I know you run your own Exchange server in house still. So it is very simple to set up.
-
@JaredBusch said in Faxing:
@Dashrender said in Faxing:
Please stop saying that I'm claiming that faxes are more secure. I'M Not!
I guess I'll just say, as long as Faxing is grandfathered in, the rest doesn't matter because the expense and complexities of using encrypted email (think PGP or password encrypted zip) won't replace it.
I'm absolutely willing to capitulate the grandfathering is the main, perhaps only, reason it's allowed.
I said nothing of the sort. I said unencrypted email is more secure than faxing. Just clarifying my point of view.
Ah, but you know that your email is encrypted end to end and you can know if your email is offering encryption to the end user's system. After that it's not your concern in the least. Literally... zero concern on your side. Delivery is complete, handoff is made. Just disable non-SSL/TLS communications and your concerns are all set.