RE: CRIME secure mail programs/internet

From: Christiansen, John (SEA) (JohnC@private)
Date: Fri Nov 30 2001 - 11:49:54 PST

  • Next message: Jere Retzer: "Re: CRIME secure mail programs/internet"

    Uh-oh. I spot a number of issues here. First off, if you concern is whether
    or not you are HIPAA compliant for not using encryption, it is too soon to
    know for sure - there is no final security regulation out. But from the
    standpoint of risk management, this is very inappropriate. Home PCs as
    workstations, maybe, but ONLY under strict policy controls which include
    prohibitions against PC uses which could compromise data security - that's
    more important that encryption, if I had to rank them. (Using Hotmail, on
    the other hand, seems to be going to the opposite extreme, if anything.) I
    can tell you that over the past several months I have been giving talks to
    physician practices around the state of Washington (for the medical
    association) and this is the kind of practice we red-flag and warn against.
    (Let me know off-list if you want more info on the WSMA materials.) This
    goes in spades for the advice I give hospital clients, who are even more
    information-system dependent and can afford better solutions. 
    From: John R. Christiansen 
    Preston | Gates | Ellis LLP 
    701 Fifth Avenue, Seattle, Washington 98104 
    *Direct: 206.613.7118 - *Cell: 206.799.9388 
    * johnc@private 
    Reader Beware: Internet e-mail is inherently insecure. Unencrypted e-mail
    may be accessible to unauthorized viewers, e-mail content may have been
    modified or corrupted, and e-mail headers or signatures may incorrectly
    identify the sender. If you wish to confirm the contents of this message or
    identity of the sender, or wish to arrange for more secure communication
    please contact me using a communications channel other than a "reply" to
    this e-mail. Thank you.
        
    -----Original Message-----
    From: Heidi [mailto:mcps@private]
    Sent: Friday, November 30, 2001 8:18 AM
    To: CRIME
    Subject: CRIME secure mail programs/internet
    
    
    As I have seen here on the list that some do not recommend that Outlook or
    Outlook Express be used for e-mail due to security holes, I would appreciate
    recommendations. This would be for people working on home computers, who
    have medical information stored on their systems.  These are only connected
    to a network when they log in to transfer their work to the network. When
    the work is transferred they log in using a VPN.  Otherwise, they are
    stand-alone PCs, which are used by some of the people for their work, as
    well as personal internet use.  Hotmail is being used on the network end to
    send information to the home PCs.  The concern here is when these people are
    surfing the internet that the medical files would be vulnerable to access,
    especially after reading the latest advisory sent below, in relation to
    internet explorer and previous postings I have read here on the list about
    not using Outlook.  This system for these people is fairly new and they are
    in the learning stages of file protection, VPN, etc.  
    Also, does any one in the medical related industry know what the dates are
    that we will have to be complaint using encryption on our files, and if
    there will be training provided using the required encryption, etc. to meet
    the compliance requirements for HIPA?  . I have been asked by my employer to
    relay any of this information regarding security issues back to them.  Thank
    you for any help in advance. Heidi
    This is the latest advisory I make reference to:
     
    National Infrastructure Protection Center 
    "Multiple Vulnerabilities in Microsoft Internet Explorer - All Versions" 
    Assessment 01-028 
    29 November 2001
    You can respond to me individually at mcps@private <mailto:mcps@private> .
    Thank you, Heidi Henry
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:36:13 PDT