[ Thursday, November 29, 2007 ]
I've often stated that encrypting email is just peachy, but it may be misdirected if that's the only encryption you do. It's like locking your car doors while flying down the highway but leaving them unlocked while the car's in the driveway overnight. Sure, you'll stop Tom Cruise from parachuting onto your car, Mission:Impossible style, but is that really the biggest risk you face, and are you overreacting to a minor risk while neglecting a big one?
What's the risk of your data "at rest" being lost, stolen, or altered? If it's on a portable device, that's probably the biggest security risk you have. Someone could break into your office and steal your desktop computers. It's less likely they'd steal the servers, but still possible. But laptops? Hell, they're easy to take, and easy to sell. Easier when they're out of the office, but even in the office they could be snatched.
Isn't protecting that data a little more important that worrying about someone intercepting an email in mid-cyberspace? So, how to do it: Bruce Schneier
has some pretty good, and downright easy, advice. So before you get all antsy about encrypting email, start by encrypting the info that's most likely to get out.
By the way, unless you absolutely have to, don't email PHI, unless it's behind a firewall, or you have the patient's explicit permission (and a HIPAA-compliant authorization). If you do email PHI, remove any identifying markers from it. Even if you're encrypting it, you still don't know who you're dealing with on the other end or how they'll protect it once they've got it, and if you send the decryption key via the same method, encrypting won't have done any good if the recipient isn't who you think it is.
Jeff [11:09 AM]
Blogger: HIPAA Blog - Edit your Template