Monday, May 09, 2005

aol mail.com

The servers should be flexible in terms of encryption technology in order to maximize the utility of e-mail, while at the same time the network should be defended from external attacks.

E-mail Security Issues for HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) came into effect on April 21, 2003. The act is designed to protect the confidentiality, integrity, and availability of Protected Health Information (PHI) for individuals. PHI is defined as any individually identifiable health information. Healthcare organizations that must comply with HIPAA regulations are known as Covered Entities (CEs). CEs include hospitals, insurance providers, employer health plans, physicians, business partners, and contractors working with healthcare providers.

The primary rule within HIPAA that affects e-mail is the Security Rule. Exposed PHI within e-mail is considered a risk that will surface during a HIPAA risk assessment. Covered Entities are required to perform a HIPAA risk assessment and then to adopt appropriate safeguards depending upon the outcome of the assessments they perform. Healthcare organizations have reacted to the new rule in a variety of ways, and with varying degrees of effectiveness. The efficiency of e-mail offers an attractive means to transmit healthcare information from one organization to another; however, the need to secure each transmission of PHI has created complications, as secure e-mail solutions are new and not fully implemented at many sites that transmit and store PHI. Many encryption technologies require the user to become familiar with plug-ins and other specialized “client-side” encryption software. Encryption keys must be securely exchanged between partners, patients, providers, and other network members. More employees are involved in transmitting PHI over the internet now than ever before.

The increase in the number of employees transmitting PHI has caused administrative costs to increase, as the need to train employees in the proper use of encryption technologies also increases. As the complexity increases, so does the probability that not all e-mail containing PHI will be encrypted. Doctors, who are always pressed for time, may not take the extra few minutes required to encrypt an e-mail. The clerk handling outbound messages for a nurse may not understand which information requires encryption and which does not. Furthermore, many healthcare administration workers have not been trained to identify PHI and handle it properly. The uncertainties and potential liabilities have led some organizations to go so far as to outlaw all PHI in e-mail. Instead of solving the problem, however, these decisions generally force employees to find alternative, and usually insecure, methods of transmitting PHI via e-mail in order to accomplish their jobs. This leaves organizations vulnerable to lawsuits based, at best, on non-compliance with HIPAA and, at worst, on exposed PHI. The liability is tremendous – leading many insurance providers to be extremely hesitant to provide coverage in the IT space unless sound security practices and compliance can be proven.

The same problems arise with client-based encryption technologies that require the user to be trained or to take extra time to accomplish his or her task. The effect is an increased likelihood that PHI will be transmitted through an insecure channel as rushed or untrained employees break the policies set up to protect information.

Another issue faced by organizations is a lack of technological standards. Some organizations may be employing technologies such as S/MIME or PGP encryption, while others utilize secure connection technologies such as TLS or HTTPS. The effect is that any two organizations, each complying with HIPAA regulations in their own way, may be unable to communicate electronically due to a lack of standardization within the industry.

The solution to each of these issues is to move the encryption responsibility from the individual user to a specialized server, and to utilize a system that can select from a number of encryption technologies depending on the recipient’s technological capabilities. The server should be capable of applying encryption policies based on heuristics determined by the security officer, administrator, or business rules. Individual users should be able to specify that a message be encrypted, but encryption should be applied automatically where appropriate, regardless of user involvement.

Beyond encryption issues, CEs need to maintain system integrity and the availability of information. At all times, the network should not be at risk of downtime due to hacking attempts, Denial of Service (DoS) attacks, spam attacks, phishing, social engineering, or viruses.

E-mail Security Issues for the Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA) was signed by Bill Clinton in 1999 and made fully effective on July 1, 2001. GLBA requires financial institutions, partners and contractors to protect consumers’ private financial information. It is similar in purpose to the HIPAA regulations governing the use and transmission of information in the healthcare industry, and it imposes many of the same challenges on the financial industry as those faced by the healthcare industry.

As with organizations affected by HIPAA and Sarbanes-Oxley regulations, financial institutions are faced with the need to protect confidential data, comply with regulations, keep the network operational and secure, and operate on a budget. A failure to perform in any of these areas could result in imprisonment of company officers and fines. It could also have devastating effects on the business itself – potentially causing existing and potential customers to lose faith in the company’s ability to service their financial needs.

As with healthcare organizations and corporate entities, the need to establish centralized policy-based governance over the transmission, encryption, and archival of sensitive information requires a secure server-based solution. The solution should be capable of interfacing with all of an organization’s business partners regardless of each partner’s technological capabilities, and it should be transparent to the user in order to maximize the efficiency and utility of e-mail and encourage adoption of acceptable means of corporate communication.

Conclusion

The trend is clearly in the direction of more complex security regulations and an increasing conc
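The server-side policy selection argued for in the HIPAA and GLBA sections above, as an added example that is not part of the original post: a small gateway policy engine that decides, per outbound message, whether protection is needed (user flag or content heuristics) and which mechanism the recipient can actually handle, holding the message rather than sending PHI in the clear when no channel fits. The capability directory, recipient addresses and PHI patterns are constructed placeholders, not any vendor's product.

```python
# Added example: policy engine for a server-side encryption gateway.
# Every recipient, capability and PHI pattern below is constructed sample data.
import re
from dataclasses import dataclass

# Constructed capability directory: what each recipient can handle.
# A real gateway would populate this from certificate/key discovery and TLS probing.
CAPABILITIES = {
    "dr.jones@clinic.example": {"smime_cert": True},
    "records@partner-hospital.example": {"pgp_key": True},
    "billing@insurer.example": {"tls": True},
    "someone@freemail.example": {},
}

# Heuristics a security officer might configure; illustrative only, not a full classifier.
PHI_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                       # SSN-like identifier
    re.compile(r"\bMRN[:#]?\s*\d{6,}\b", re.I),                  # medical record number
    re.compile(r"\b(diagnos(is|ed)|prescription|lab results?)\b", re.I),
]


@dataclass
class Message:
    recipient: str
    subject: str
    body: str
    user_requested_encryption: bool = False


def contains_phi(text: str) -> bool:
    """Flag text as PHI if any configured heuristic matches."""
    return any(p.search(text) for p in PHI_PATTERNS)


def decide(msg: Message) -> str:
    """Return the gateway action for one outbound message.

    Preference: end-to-end encryption (S/MIME, then PGP) over transport-only
    protection (mandatory TLS). A message that needs protection but has no
    usable channel is held for secure pickup instead of being sent in the clear.
    """
    needs_protection = msg.user_requested_encryption or contains_phi(
        msg.subject + "\n" + msg.body)
    caps = CAPABILITIES.get(msg.recipient, {})
    if not needs_protection:
        return "deliver-opportunistic-tls"
    if caps.get("smime_cert"):
        return "encrypt-smime"
    if caps.get("pgp_key"):
        return "encrypt-pgp"
    if caps.get("tls"):
        return "deliver-require-tls"
    return "hold-for-secure-pickup"
```

The user flag is honoured but never required: a doctor who forgets to tick "encrypt" still gets the message protected when the heuristics fire.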
