Bob, The FBI 2001 Computer Crime and Security Survey says that over 40% of organizational computer security incidents came from inside the organization, so it is probably not a good assumption that security controls can be more lax on an internal network. Plain vanilla email does nothing to address the confidentiality and integrity issues you've pointed out, so adopting some control for protecting PHI is a prudent idea. One simple way to protect confidentiality and integrity is through encryption, although the management of the encryption keys can be extremely complex based on the size of the organization. Other approaches include the use of a PKI such as a secure web-based email system.
As I see it, the real issue is whether or not email can be used at all with PHI. Email follows a discretionary access control model, which means I can share any information I have access to at my discretion, and so there are really no controls in place to ensure confidentiality. I would be very interested to hear others' opinions and approaches on this topic.

-- 
Chris Riley, CISSP
Information Tool Designers Inc.
Secure Virtual Office Solutions
http://aegis.info-tools.com/