The problem with all of this is that a large encryption infrastructure that covers multiple vendors is a nightmare that I don't even want to start working with. Having some very high-level experience with encryption, this is a big game, and there is no real way to work it out for this situation.

Our first response was across-the-board e-mail encryption; however, you have to ask yourself, does this really protect PHI? If you share your encryption with all of your external users, not all of whom are PHI-related sites, then when your user selects the wrong recipient, presto, you now have a HIPAA violation. All the policies in the world will not prevent this. So then you have to start asking yourself, how do I cover this?

One of the options that I asked about was if we had an internal policy (it's government, they love policy) that prohibited the external transmission of PHI via e-mail. The angry comments I got from our personnel were just amazing, but after hearing them, some were valid. So the next step was that all PHI e-mail transfers would be done as attachments, utilizing strong file-level encryption (not self-decrypting) and strong passwords. Next step: how do you work out the transfer of passwords, who makes the passwords, who controls the passwords? This is not going to be easy.

Do we need HIPAA? Well, probably we do; however, most of what HIPAA covers from a technical standpoint is just in keeping with best practices. The one thing HIPAA is not going to beat is human nature, and human nature is why we have the HIPAA violations to begin with.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 26, 2003 9:50 AM
To: Exchange Discussions
Subject: RE: Exchange server level encryption

On Wed, 26 Feb 2003, at 9:33am, [EMAIL PROTECTED] wrote:
> It sounds like they're pushing for 100% encryption of all email, which is
> well beyond my understanding of the expectation under the law.

While I don't know about this particular case, I've seen such reactions before in similar, non-HIPAA cases. It goes something like this:

Security becomes a concern. Of course, you cannot have security without a good security policy that defines your information assets, risks, threats, counter-measures, and so on. Nor can you have security without user understanding and education. So the IT guys tell the PHBs that their existing policy of driving blindly through the fog is a bad idea. The PHBs react by coming up with crap ideas like "everything must be encrypted" (without even knowing what encryption actually *is*). Actually fixing their management structure would cost too much.

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.              |

_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]

