Secure email: Preserving confidentiality in your office

SCOT Computer Laboratory 27 Oct 2000

Doug Stetson, MD FAAP dstetson@aapscot.org

 

Why

Communicate with colleagues (confidentially)

Communicate with patient (confidentially)

Protect messages on your hard drive

Necessary (in 2 years or so)

Ethical obligation

HIPAA

Security

Obligation to protect commensurate with risk

Encryption likely adequate

Real risk: unauthorized use by authorized users

Available now

Common email programs support

Cost is minimal

Technology is simple

Two sources for secure email

Email based – S/MIME

Web-based – SSL

S/MIME – vocabulary (the techy stuff)

Certificate = id card with expiration date and source

Certificate Authority = fiduciary, like a bank

Key pair = public and private key pair (long numbers)

Hash = compact, unreadable representation of a document created using a key

Technology: extremely hard to guess one number, knowing the other

Symmetrical Key Encryption

Standard protocol

Long number "key"

Scrambles the information

Recover with same key

Impractical to decipher

Public Key Encryption

Asymmetrical

Related keys

Use one to encrypt

Use other to encrypt or decrypt

Digital Signature

Create hash with private key

Recreate hash with public key

Match means

LEGALLY BINDING
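
Added example (not part of the original slides): a toy version of the signature check outlined above, in Python. The key pair is constructed from two publicly known Mersenne primes and the unpadded RSA arithmetic stands in for the standardized signature formats that S/MIME uses; the names `digest`, `sign`, `verify` and `demo` are assumptions made for illustration.

```python
import hashlib

# Constructed toy key pair built from two well-known Mersenne primes.
# Anyone can factor N, so this key protects nothing; real certificates
# use randomly generated primes and padded signatures (e.g. RSA-PSS).
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)


def digest(message: bytes) -> int:
    """Compact fingerprint of the message (SHA-256) as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes) -> int:
    """'Create hash with private key': transform the digest with D."""
    return pow(digest(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """'Recreate hash with public key' and compare with a fresh digest."""
    return pow(signature, E, N) == digest(message)


def demo() -> dict:
    # Constructed sample messages; the second differs by one character.
    original = b"Lab results attached. Please call the office."
    altered = b"Lab results attached. Please call the 0ffice."
    sig = sign(original)
    return {
        "unaltered_verifies": verify(original, sig),
        "altered_verifies": verify(altered, sig),
        "forged_sig_verifies": verify(original, sig ^ 1),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Only the holder of the private exponent can produce a value that the public exponent maps back to the message digest, so a match shows both who signed and that the text was not altered.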

S/MIME – Secure Multipurpose Internet Mail Extensions

Built into recent email programs

No expense

S/MIME – signing documents

Create a document (email)

Sign with private key (mouse click)

Document sent with attachment: hash made with private key, public key, details of the certificate, and identification of the certificate authority

S/MIME – reading a signed document

Open document

Assertion of writer identity

Assurance that document has not been altered

Capturing the public key (mouse click)

S/MIME – encrypting a document

Create the document

Encrypt with a key (mouse click)

Optionally, sign

S/MIME – reading an encrypted document

Open document with your private key (automatic)

Optionally, examine certificate of the signer

S/MIME – getting keys

Certificate Authorities

Examples

Web-based secure email – SSL

Secure communication between computers and servers

Automatic handling of keys and certificates

Mail stays within a particular server

Same security as for web commerce credit cards

Web based secure email – examples

Medical

Commercial

Security Alert

For S/MIME, all security rests on the Windows logon password!