O365 and encrypted mail to other email systems
-
@scottalanmiller said in O365 and encrypted mail to other email systems:
@Dashrender said in O365 and encrypted mail to other email systems:
@TAHIN said in O365 and encrypted mail to other email systems:
That said, there is no requirement, HIPAA or PCI or otherwise, that places the burden of safety of that email in your hands. Once it's over the wire encrypted, it's no longer your problem. But I do understand it's value; we used Barracuda email encryption whenever we would (be forced to) send PHI to another doctor office.
Interesting - I'll agree that it's not my concern about the PHI after it's received, but you can't ensure that all data being sent to other email servers is being sent over TLS short of disabling your server's ability to send except over TLS. And while I agree that the failure rate would be low, it's no lower than the desire from my management to be able to send 500 MB files over email to people. So the failure rate is there, and will be noticed and problematic.
You think that the failure rate of a system like this will be lower? Guess who can't open these emails... anyone. Because it's a separately encrypted system. You are going to have so many people pissed off because you are withholding their personal data until they set up accounts with some third party who controls their data. That's going to be a much bigger issue, I guarantee it.
And ensuring secure deliver is zero concern to you. Offering it is all that you care about.
Again, I'm back to disabling my server from sending to any email server that doesn't have TLS then.
-
@TAHIN said in O365 and encrypted mail to other email systems:
@Dashrender see my note above regarding compliance. You can compare it to FAX.
If I send PHI over fax to a fax machine in a remote location, it is the responsibility of the remote party to keep it secure.That's not really true. It's their responsibility after they have received it. But until then, it is yours, because you sent it wide open and until the transmission was completed you were the sole arbiter of security. Fax is the least secure, most suable transmission medium I can imagine and I've threatened my own bank with exposing my bank data for accepting faxes before.
Fax has no security and there is no burden on the recipient until so late in the process as to be pointless.
-
@Dashrender said in O365 and encrypted mail to other email systems:
@scottalanmiller said in O365 and encrypted mail to other email systems:
@Dashrender said in O365 and encrypted mail to other email systems:
@TAHIN said in O365 and encrypted mail to other email systems:
That said, there is no requirement, HIPAA or PCI or otherwise, that places the burden of safety of that email in your hands. Once it's over the wire encrypted, it's no longer your problem. But I do understand it's value; we used Barracuda email encryption whenever we would (be forced to) send PHI to another doctor office.
Interesting - I'll agree that it's not my concern about the PHI after it's received, but you can't ensure that all data being sent to other email servers is being sent over TLS short of disabling your server's ability to send except over TLS. And while I agree that the failure rate would be low, it's no lower than the desire from my management to be able to send 500 MB files over email to people. So the failure rate is there, and will be noticed and problematic.
You think that the failure rate of a system like this will be lower? Guess who can't open these emails... anyone. Because it's a separately encrypted system. You are going to have so many people pissed off because you are withholding their personal data until they set up accounts with some third party who controls their data. That's going to be a much bigger issue, I guarantee it.
And ensuring secure deliver is zero concern to you. Offering it is all that you care about.
Again, I'm back to disabling my server from sending to any email server that doesn't have TLS then.
That's because it's the only logical answer.
-
@TAHIN said in O365 and encrypted mail to other email systems:
@Dashrender said in O365 and encrypted mail to other email systems:
But then also comes the part when the first time some one is sued because you emailed their PHI to them, and they didn't secure it, and because it was sitting unencrypted in their easy to guess gmail account - the courts will sadly rule against us saying that we're the ones with the money so we should be the ones making sure they secure their shit.. SIGH
In all honesty I don't think that could ever happen. The judge would be putting unlawful burden on an organization and the appeal would last about 3 minutes.
I could only hope you're right. But well you know.... 'merica.
-
@TAHIN said in O365 and encrypted mail to other email systems:
@scottalanmiller said in [O365 and encrypted mail to other email systems](/topic/9231/o365-and-encrypted-mail-to-other-email-the user almost certainly does not have a Microsoft account and instead of sending them their data we've are forcing them to sign up with a third party vendor who is holding their data until they get them as a customer (even if only as a free one.)
Yeah, the fact that it has to be an entire MS account on the part of the recipient would be a dealbreaker for me.
Yeah, I don't like that "a third party owns your data" thing. It is the same with Zix and everyone else. I'd find that very distasteful as a customer. It's my data, you have a secure way to send it to me already, why do I have to make an account with a third party to get my own data over a channel that is already secure?
-
@Dashrender said in O365 and encrypted mail to other email systems:
@TAHIN said in O365 and encrypted mail to other email systems:
@Dashrender said in O365 and encrypted mail to other email systems:
But then also comes the part when the first time some one is sued because you emailed their PHI to them, and they didn't secure it, and because it was sitting unencrypted in their easy to guess gmail account - the courts will sadly rule against us saying that we're the ones with the money so we should be the ones making sure they secure their shit.. SIGH
In all honesty I don't think that could ever happen. The judge would be putting unlawful burden on an organization and the appeal would last about 3 minutes.
I could only hope you're right. But well you know.... 'merica.
I'll keep saying this, unplug the fax if you even remotely feel this to be true.
-
@TAHIN said in O365 and encrypted mail to other email systems:
@scottalanmiller said in [O365 and encrypted mail to other email systems](/topic/9231/o365-and-encrypted-mail-to-other-email-the user almost certainly does not have a Microsoft account and instead of sending them their data we've are forcing them to sign up with a third party vendor who is holding their data until they get them as a customer (even if only as a free one.)
Yeah, the fact that it has to be an entire MS account on the part of the recipient would be a dealbreaker for me.
how is this any different than setting up a Zix account? or a Barracuda one?
-
@Dashrender said in O365 and encrypted mail to other email systems:
In all honesty I don't think that could ever happen. The judge would be putting unlawful burden on an organization and the appeal would last about 3 minutes.
I could only hope you're right. But well you know.... 'merica.
Hey if you're part of a corporation fighting against a little guy, America is JUST the place you want to be lol.
-
@scottalanmiller said in O365 and encrypted mail to other email systems:
@TAHIN said in O365 and encrypted mail to other email systems:
@scottalanmiller said in [O365 and encrypted mail to other email systems](/topic/9231/o365-and-encrypted-mail-to-other-email-the user almost certainly does not have a Microsoft account and instead of sending them their data we've are forcing them to sign up with a third party vendor who is holding their data until they get them as a customer (even if only as a free one.)
Yeah, the fact that it has to be an entire MS account on the part of the recipient would be a dealbreaker for me.
Yeah, I don't like that "a third party owns your data" thing. It is the same with Zix and everyone else. I'd find that very distasteful as a customer. It's my data, you have a secure way to send it to me already, why do I have to make an account with a third party to get my own data over a channel that is already secure?
Because it's not really secure. The admins of the system of email you use have full access to that data.
-
@Dashrender said in O365 and encrypted mail to other email systems:
No, that doesn't hold up. Encryption at rest is yet a third issue. Both of these mechanisms decrypt along the chain. Only the recipient, literally only they, can decide to be encrypted at rest. That's never something that you can force. You can force it on the sender's side, and this isn't doing that here. But you have to trust the recipient to store it in an encrypted fashion and... none will.
Eh? That's not how I understand how it works - most systems, the way I have seen it work, work as you mentioned - think GPG/PGP, the file is encrypted by me, emailed to them, then they can enter a password to open the file. Opening the file effectively takes it out of email. The original file inside email is still encrypted, unless the end user removes it from email and puts the unencrypted version back into their own system, therefore you'll still have email encrypted at rest.
If you send me an email and I open it to read it, GPG, Zix, PDF, 7Zip, doesn't matter... once I am opening that file, it is unencrypted. For me to save it and use it, I'm not going to save it encrypted, that's ridiculous. The natural progression of things means that you've forced me to use a system that is complicated and heavy in effort and actually caused me to save the file locally to be able to access it. So instead of the naturally more secure "storing it in email" system, it's not pushed me to store it locally.
If your goal is secure at rest, you've effectively social engineered that out of the system. In no case are you responsible for it at rest and in no case can you force it, but by doing this you are going dramatically out of your way to make it the least likely to happen.
-
@Dashrender said in O365 and encrypted mail to other email systems:
how is this any different than setting up a Zix account? or a Barracuda one?
You get a barracuda account so you can log in to un-encrypt your email. You get a MS account so you can be tracked/get sold/receive spam.
-
@Dashrender said in O365 and encrypted mail to other email systems:
@scottalanmiller said in O365 and encrypted mail to other email systems:
@TAHIN said in O365 and encrypted mail to other email systems:
@scottalanmiller said in [O365 and encrypted mail to other email systems](/topic/9231/o365-and-encrypted-mail-to-other-email-the user almost certainly does not have a Microsoft account and instead of sending them their data we've are forcing them to sign up with a third party vendor who is holding their data until they get them as a customer (even if only as a free one.)
Yeah, the fact that it has to be an entire MS account on the part of the recipient would be a dealbreaker for me.
Yeah, I don't like that "a third party owns your data" thing. It is the same with Zix and everyone else. I'd find that very distasteful as a customer. It's my data, you have a secure way to send it to me already, why do I have to make an account with a third party to get my own data over a channel that is already secure?
Because it's not really secure. The admins of the system of email you use have full access to that data.
Yeah... it defeats the whole purpose, to me. Cumbersome and it is all there to fool non-technical people into accepting it as secure when, in reality, nothing of substance changed. It's just a money grab from Scott Adams' "Stupid Rich" category. Which is fine, I'm all for draining the wallets of the stupid rich, but that's all that it is.
-
@Dashrender said in O365 and encrypted mail to other email systems:
@TAHIN said in O365 and encrypted mail to other email systems:
@scottalanmiller said in [O365 and encrypted mail to other email systems](/topic/9231/o365-and-encrypted-mail-to-other-email-the user almost certainly does not have a Microsoft account and instead of sending them their data we've are forcing them to sign up with a third party vendor who is holding their data until they get them as a customer (even if only as a free one.)
Yeah, the fact that it has to be an entire MS account on the part of the recipient would be a dealbreaker for me.
how is this any different than setting up a Zix account? or a Barracuda one?
It's not and that's why I would never use any of them. They are ridiculous systems that make me hate vendors. I have one customer that is forced to use this and they don't work and they can't communicate and cause no end of issues. It's so awful to hoist this on users. They ask for email and this is like saying "ha ha, we technically sent you an email but f you, you can't just read it like you meant." It's complying with the letter of their request but not the spirit.
-
I'm getting confused Scott - Data at rest isn't currently a requirement to be encrypted, but damn, when the next rounds of legislation come, I'm sure it will be.
Is email something you don't care about at this time because once I mail it, assuming I only allows TLS based connections, it's not my concern anymore? Therefore send it and don't worry?
That's a new thought. One I've never seen until @TAHIN post above. Interesting.
As to your question about failure rate, sure people will complain about the requirement to login to get access to secure communications, hell they complain about having to create a logon to get access to the PHI in an online EHR. But I haven't see it be any more difficult than setting an the EHR logon, so it would be passed over quickly.
-
@TAHIN said in O365 and encrypted mail to other email systems:
@Dashrender said in O365 and encrypted mail to other email systems:
how is this any different than setting up a Zix account? or a Barracuda one?
You get a barracuda account so you can log in to un-encrypt your email. You get a MS account so you can be tracked/get sold/receive spam.
I'd say the other way around. I would never sign up for Barracuda, they are famous for their lack of security. I do not trust them at all.
-
@Dashrender said in O365 and encrypted mail to other email systems:
I'm getting confused Scott - Data at rest isn't currently a requirement to be encrypted, but damn, when the next rounds of legislation come, I'm sure it will be.
It literally cannot be. If they did that, every medical practice would just back up and be done. You can't control data at rest for transferred data, ever. Period, it's actually a crime to try to do that as you'd have to hack their systems.
-
I believe Barracuda, from their web interface after you log in and decrypt you email, gives you a Deliver option, that will deliver the unencrypted version to the original destination.
-
@Dashrender said in O365 and encrypted mail to other email systems:
Is email something you don't care about at this time because once I mail it, assuming I only allows TLS based connections, it's not my concern anymore? Therefore send it and don't worry?
That's a new thought. One I've never seen until @TAHIN post above. Interesting.
That's what we've been saying for years Email is secured from you to the customer. Or, the customer can decline security if they want (not take TLS.) You can optionally only send via TLS if you are that concerned, that's semi-valid.
But all modern or 99% of modern email systems are secure from the sender to the recipient. Literally from the send button until they read it. Nearly all Exchange, Zimbra, Gmail and other email systems are all secure by default. Not just between systems, but internally and to the end user's workstation. So the security is incredibly thorough.
-
@scottalanmiller said in O365 and encrypted mail to other email systems:
I'm getting confused Scott - Data at rest isn't currently a requirement to be encrypted, but damn, when the next rounds of legislation come, I'm sure it will be.
It literally cannot be. If they did that, every medical practice would just back up and be done. You can't control data at rest for transferred data, ever. Period, it's actually a crime to try to do that as you'd have to hack their systems.
The only resolution to legislation like that would be for the hospital to keep everything on-prem. Nothing would be transferred. Patients would log into a message box on their datacenter. This is currently how EHR applications with patient logons provide other information to patients.
(edit - provide, not deliver)
-
@TAHIN said in O365 and encrypted mail to other email systems:
I believe Barracuda, from their web interface after you log in and decrypt you email, gives you a Deliver option, that will deliver the unencrypted version to the original destination.
Totally bypassing the whole point and tricking the sender into thinking that they secured something that they did not.