This discussion involving techno-geek talk belongs more appropriately on the WEDI SNIP Security Workgroup List. Can we continue it there? See the thread "Re: E-mail Microsoft Exchange Server" in the archives at http://www.mail-archive.com/wedi-security%40lists.wedi.org/.
To subscribe to the WEDI SNIP Security Workgroup List, go to http://subscribe.wedi.org and check off "WEDI SNIP Security Workgroup List."

William J. Kammerer
Novannet, LLC.
Columbus, US-OH 43221-3859
+1 (614) 487-0320

----- Original Message -----
From: "William J. Kammerer" <[EMAIL PROTECTED]>
To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
Cc: "WEDI SNIP Security Workgroup List" <[EMAIL PROTECTED]>
Sent: Tuesday, 04 March, 2003 10:11 PM
Subject: Re: E-mail Microsoft Exchange Server

Jeff, I don't confuse digital certificates with encryption. Digital certificates are the enablers of encryption. When you have been given your correspondent's public key contained in her digital certificate, you may use the encryption facilities - already built into the popular e-mail clients - to send her messages only she can read.

No one signs with "MS" Digital Certificates. There is actually no such thing as a "MS" (Microsoft?) Digital Certificate. The most common kind of digital certificate (or digital ID) is that standardized by ITU X.509; PGP certificates are an alternative. Microsoft products, such as Exchange, Outlook and Outlook Express, use ITU X.509 certificates. X.509 certificates are - at least for e-mail - very interoperable among all vendors' e-mail clients. S/MIME encryption is indeed the "default" for e-mail encryption; Microsoft, Netscape and Novell clients support S/MIME out of the box.

The whole point of encryption is so "not everyone can read the e-mail" - preferably, only the recipient who possesses the private key can decrypt and read the e-mail. Craig Moen specifically said he was looking for a solution that could be used among the therapists in his agency. Presumably, Craig has some control over the e-mail messaging and clients the therapists use, and thus any of the popular e-mail clients that use the interoperable S/MIME and X.509 standards should be an effective and affordable solution.
If each therapist in the organization possesses a digital ID, any of his counterparts can communicate securely with him - and with barely thinking about it, since S/MIME support (encryption and signing) is fairly transparent (if you're lucky) in most of the e-mail clients which support the standards. There's probably no reason for Craig to spend the money to implement a complicated and non-standard secure messaging system when the (almost free) solution is already sitting on his organization's desktops or laptops.

Of course, this discussion really belongs on the WEDI SNIP Security Workgroup List; to subscribe, go to http://subscribe.wedi.org and check off "WEDI SNIP Security Workgroup List."

William J. Kammerer
Novannet, LLC.
Columbus, US-OH 43221-3859
+1 (614) 487-0320

----- Original Message -----
From: "KERBER, JEFF" <[EMAIL PROTECTED]>
To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
Sent: Tuesday, 04 March, 2003 05:08 PM
Subject: RE: E-mail Microsoft Exchange Server

Do not confuse digital certificates with encryption. "Signing" an email using MS Digital Certificates does not encrypt anything. It only "authenticates" the sender to the recipient - and only in those cases in which the recipient has the software to do so. If you are "signing" your email using MS Outlook/Exchange, anyone can read the e-mail; they just may not be able to read the certificate to authenticate the e-mail. Again, this is not being encrypted. It is possible that Exchange is deployed to use S/MIME encryption, but it is by no means the default and not everyone can read the e-mail.

The best way to communicate with patients in a secure manner, if you choose to implement encryption, is through a secure messaging system.

Jeff

Jeff Kerber
Director, HIPAA Compliance
Texoma Healthcare System
903-416-5520

-----Original Message-----
From: William J. Kammerer [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 04, 2003 2:55 PM
To: WEDI SNIP Privacy Workgroup List
Subject: Re: E-mail Microsoft Exchange Server

Craig, technology questions regarding security implementations might better be directed to the WEDI SNIP Security Workgroup List. But in any case, you already have practically everything you need to implement secure messaging among and between your therapists. Encryption is a standard feature built into your e-mail client software, such as Outlook and Outlook Express, without the need for new licenses or modifying your Exchange Server configuration.

Actually, I believe Exchange Server does have the capability for generating digital IDs for each of your e-mail accounts. This saves you the hassle of dealing with Third Party Certificate Authorities (CAs) like Verisign or Thawte for obtaining digital IDs (X.509 certificates). Encryption is of primary importance, which will be available with either CA-generated or self-signed certificates. You can easily live without authentication (because each of your employees recognizes legitimate e-mails from their colleagues). But you can generate your own certificates with the company recognized as the "certificate authority" by all of the e-mail clients.

I communicate regularly using encrypted e-mail with colleagues within and without Novannet - each of us uses standard e-mail clients like Outlook or Outlook Express and we haven't spent a dime for this capability.

William J. Kammerer
Novannet, LLC.
Columbus, US-OH 43221-3859
+1 (614) 487-0320

----- Original Message -----
From: "Craig Moen" <[EMAIL PROTECTED]>
To: "WEDI SNIP Privacy Workgroup List" <[EMAIL PROTECTED]>
Sent: Tuesday, 04 March, 2003 02:29 PM
Subject: E-mail Microsoft Exchange Server

We are a home health agency that provides PT, OT and ST. We communicate regularly with our therapists via e-mail. Patients' summaries of progress, etc., are exchanged, and then we copy and paste to a document that we send to the physician.
Currently, for patient confidentiality, we have the therapist de-identify information in e-mail by removing the patient name and using only initials (no address or other identifying info is on this document). During our risk analysis we determined that this is a potential risk to patient privacy because a therapist could inadvertently include the full patient name. With the cost of an additional Exchange server (as our e-mail is handled externally at this point), is this "reasonable" to continue as we are without encryption? Any inexpensive alternatives? If not, does anyone have any comments about Microsoft Exchange Server, where each of our staff would have their own e-mail address and we would encrypt by default? We are struggling with "reasonable" because of the cost of the product and the number of licenses we would need to acquire.

Thanks for your opinion and helpful comments!

Craig Moen, MPT
Director of Rehabilitation
THERAPY 2000
214-467-9787 office
214-741-3655 fax
[EMAIL PROTECTED]

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.
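The two technical points argued back and forth in this thread (that an S/MIME signature leaves the message body readable while S/MIME encryption hides it, and that encryption needs no third-party CA because a self-signed X.509 certificate is enough) can be checked directly with the openssl command-line tool. The script below is an added example written for this archive page, not code from any of the list participants or from Microsoft; it assumes openssl is installed, and the recipient name, the sample message and the PATIENT_FULL_NAME marker are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Demonstrates with the
# openssl CLI that (1) S/MIME signing alone leaves the body readable and only
# S/MIME encryption hides it, and (2) a self-signed X.509 certificate is all
# that is needed for encryption; no certificate authority is involved.
# Recipient name, message text and file names are constructed for this demo.
set -eu

WORK=$(mktemp -d)   # scratch directory; remove it yourself when done

# Self-signed certificate plus private key for a hypothetical recipient.
make_self_signed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=therapist-a/emailAddress=therapist-a@example.invalid" \
        -keyout "$WORK/therapist-a.key" -out "$WORK/therapist-a.crt" 2>/dev/null
}

# Constructed sample message. PATIENT_FULL_NAME stands in for the identifier
# the agency does not want exposed in transit.
write_message() {
    printf 'Subject: progress summary\n\nPATIENT_FULL_NAME made good progress this week.\n' \
        > "$WORK/msg.txt"
}

# Sign only (clear-signed multipart, as mail clients do by default).
# Prints "readable" when the sensitive string is still visible in the output.
sign_only() {
    openssl smime -sign -in "$WORK/msg.txt" -out "$WORK/msg.signed" \
        -signer "$WORK/therapist-a.crt" -inkey "$WORK/therapist-a.key"
    if grep -q PATIENT_FULL_NAME "$WORK/msg.signed"; then echo readable; else echo hidden; fi
}

# Encrypt to the recipient's certificate (public key). Prints "hidden" when the
# sensitive string no longer appears anywhere in the output.
encrypt_only() {
    openssl smime -encrypt -aes256 -binary -in "$WORK/msg.txt" -out "$WORK/msg.enc" \
        "$WORK/therapist-a.crt"
    if grep -q PATIENT_FULL_NAME "$WORK/msg.enc"; then echo readable; else echo hidden; fi
}

# Decrypt with the matching private key; only its holder can do this.
# tr strips any CR that S/MIME canonicalisation may have introduced.
decrypt() {
    openssl smime -decrypt -in "$WORK/msg.enc" \
        -inkey "$WORK/therapist-a.key" -recip "$WORK/therapist-a.crt" | tr -d '\r'
}

demo() {
    make_self_signed_cert
    write_message
    echo "signed message body:    $(sign_only)"
    echo "encrypted message body: $(encrypt_only)"
    echo "decrypted last line:    $(decrypt | tail -n 1)"
}

demo
```

Running the script prints "readable" for the signed copy and "hidden" for the encrypted one, then recovers the original last line by decrypting with the private key. The same certificate serves both roles: its public key is what a correspondent encrypts to, and its private key is what signs and decrypts, which is why a self-generated certificate is sufficient for confidentiality even though it provides no third-party assurance of identity.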