Implementing Secure Email Solutions for PHI
Ann Geyer, Tunitas Group
ageyer@tunitas.com, 209-754-9130
First Observation
Secure email infrastructure software has been deployed in healthcare:
- Early California adopters (1998-99): SJHS, CHW, Scripps, Sutter, PacifiCare
- Vendors targeting the healthcare market: Tumbleweed, Sigaba, Clearswift, TFS, Omtool, Zix, CertifiedMail
Few HCOs have broadly utilized their email encryption options:
- Encrypted email is still the exception, even for the early adopters
- Where encryption occurs, it is typically the result of individual user action rather than enterprise-wide practice
What's Holding Secure Email Back?
Administering secure email is challenging! Neither of the existing management models works well:
- Secure web application: it doesn't make sense to administer external email recipients as if they were users of your own email system
- Ordinary SMTP mail: secure email requires new skill sets for both administrators and users
  - Encryption methods and keys must be negotiated with recipients
  - Users can be trusted to get an email address right, but Whitten and Tygar found that only about one in three test users could install and correctly use their encryption software ("Why Johnny Can't Encrypt", http://www.cs.cmu.edu/~alma/johnny.pdf)
Secure Email Administration: Policy Aspects
- Email containing PHI sent to an external recipient is a DISCLOSURE subject to HIPAA privacy and security requirements
- It is the duty of the enterprise to ensure that the disclosure is properly authorized and documented
- Disclosures, and the method used to make them, need to be governed by enterprise policy and procedure
- The enterprise also needs some ability to monitor and enforce that policy
- Secure email management must therefore be sensitive to policy
Secure Email Policy
Three items relevant to email policy:
- Sender identity and role
- Recipient category, domain, and role
- Message contents, including the nature of any PHI included
Policy objectives:
- Should the message be sent? Is the disclosure appropriate?
- Is the recipient's encryption key available?
Subsequent actions if the message is not sent:
- Verify authorization and purpose
- User training on privacy or data use policies
- Key acquisition
- Report a suspected privacy/security incident
Subsequent actions if the message is sent:
- Copy to the HIM department or the Accounting of Disclosures log
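The three policy inputs and the follow-up actions above, worked through as a gateway-style decision function. This is an added example, not Tunitas Group code or any vendor's product logic: the certificate directory, the role table, the approved-domain table and the PHI regular expressions are constructed for illustration, and the function and flag names (evaluate, send_clear_if_no_key) are hypothetical. The flag models the open question of whether the enterprise will send unencrypted PHI when the recipient has no key.

```python
"""Outbound email policy check for PHI disclosures (added example, not
Tunitas Group code). Models the three policy inputs from the slide: sender
role, recipient domain/category, and message contents. All tables below are
constructed for illustration; a real deployment would pull them from the
enterprise directory and content-inspection policy."""
import re
from dataclasses import dataclass, field

# Constructed: recipient address -> whether an S/MIME certificate is on file
CERT_DIRECTORY = {
    "records@partner-clinic.example": True,
    "drsmith@partner-clinic.example": False,
    "claims@payer.example": True,
}

# Constructed: external domains the enterprise has approved for PHI disclosure
APPROVED_DOMAINS = {
    "partner-clinic.example": "business associate",
    "payer.example": "covered entity",
}

# Constructed: sender roles permitted to disclose PHI externally
ROLES_MAY_DISCLOSE = {"him_clerk", "physician", "billing"}

# Constructed: crude PHI indicators (real systems use richer content inspection)
PHI_PATTERNS = {
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,}\b", re.IGNORECASE),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\bDOB[:\s]*\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
}


@dataclass
class Message:
    sender: str
    sender_role: str
    recipient: str
    body: str


@dataclass
class Decision:
    action: str                       # "send_encrypted", "send_clear" or "hold"
    reasons: list = field(default_factory=list)
    followups: list = field(default_factory=list)


def phi_found(body: str) -> list:
    """Return the names of the PHI indicators present in the body, sorted."""
    return sorted(name for name, pat in PHI_PATTERNS.items() if pat.search(body))


def evaluate(msg: Message, send_clear_if_no_key: bool = False) -> Decision:
    """Apply the policy to one outbound message and return the decision
    together with the follow-up actions the policy requires."""
    phi = phi_found(msg.body)
    if not phi:
        return Decision("send_clear", ["no PHI detected"])

    decision = Decision("hold", ["PHI detected: " + ", ".join(phi)])
    domain = msg.recipient.rsplit("@", 1)[-1].lower()

    # Is the disclosure appropriate? Check the sender role, then the recipient domain.
    if msg.sender_role not in ROLES_MAY_DISCLOSE:
        decision.reasons.append(f"role '{msg.sender_role}' may not disclose PHI")
        decision.followups += ["verify authorization and purpose",
                               "user training on privacy/data use policy"]
        return decision
    if domain not in APPROVED_DOMAINS:
        decision.reasons.append(f"'{domain}' is not an approved recipient domain")
        decision.followups += ["verify authorization and purpose",
                               "report suspected privacy/security incident"]
        return decision

    # Is the recipient's encryption key available?
    if not CERT_DIRECTORY.get(msg.recipient.lower(), False):
        decision.reasons.append("no encryption certificate on file for recipient")
        decision.followups.append("key acquisition: request certificate from recipient")
        if not send_clear_if_no_key:
            return decision
        decision.action = "send_clear"      # policy chose to send anyway
    else:
        decision.action = "send_encrypted"

    # Every PHI disclosure that actually goes out gets documented.
    decision.followups.append("copy to HIM department / accounting of disclosures log")
    return decision


if __name__ == "__main__":
    sample = Message("clerk@hospital.example", "him_clerk",
                     "records@partner-clinic.example",
                     "Patient MRN: 1234567 discharge summary attached")
    print(evaluate(sample))
```

The order of checks matters: authorization and recipient approval are decided before key availability, so a message that should never leave the enterprise is never turned into a "go get a certificate" task.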
Secure Email Policy
Developing policy is itself challenging:
- Email is a business tool; secure email policy constrains its use
- Many internal stakeholders:
  - Compliance: respond to privacy and disclosure regulations
  - Users: expectations of personal privacy and convenience
  - IT: implement and maintain; cost
- A multi-disciplinary effort, comparable to creating enterprise HIPAA privacy policy but with a strong technology component
- Not an email administrator or security personnel assignment
- Requires executive approval and support
Secure Email Administration: Workflow Aspects
- The email system acquires knowledge of recipients in an ad hoc manner
- Two basic problems:
  - The user needs to identify, and potentially authenticate, the recipient
  - The system needs to acquire or exchange encryption material
- This argues for a new workflow:
  - A procedure to authorize the sending of secure email to a particular recipient
  - A procedure to negotiate encryption keys that minimizes sender involvement
  - A procedure to document the results
  - Methods to minimize latency
- It works both ways: consider how your organization will support receiving encrypted email
Secure Email Administration: Peer Aspect
- A typical HCO has 40K-plus recipients in its email directory
- Even small organizations have too many recipients to manage secure email on a case-by-case basis
- Recognize and take advantage of solutions that peers have adopted
- Determine how trust and interoperability issues between mail domains get resolved
- Recognize physicians and other independent practitioners as having their own solution requirements
Peers: Translates into a PKI Problem
- S/MIME (PKI) has the greatest promise for secure email on an industry scale
  - Solutions are certified and interoperable
- PKI's bad reputation: poor integration tools, user support costs
- Certificate sources: PKI support from professional associations
  - CMA/MEDePass: California physicians and staff
  - AMA/VeriSign: members of the AMA physician database
  - AAMT: US medical transcriptionists
  - Professional associations are interested in supporting secure email solutions for their members
Conclusions
- Recognize that secure mail solutions require more than technology
- Acquire enterprise support through a multi-stakeholder policy formation effort
- Avoid myopia by recognizing that external recipients are your peers in securing email messages
- Capitalize on community solutions such as the multiple association support for PKI and S/MIME
- Assist email security administrators to develop the workflow to support negotiation of encryption parameters
- Remember that encryption is only part of email security
- Take training requirements seriously; surprisingly few email administrators have a background in email security or PKI
California Community Trial: Motivation
- Recognize the limitations of SSL (web portal delivery) for peer communication
- Strongly motivated to protect the use of email as a business tool
- Develop a set of best practices for implementation and policy decisions
- Validate the push certificate distribution model and an improved S/MIME workflow
- Support association certificate activities
- Persuade peers to add S/MIME to their solution options
California Community Trial Activities: Implementation
- Profile email use
  - Covered entity (CE), business associate (BA), third party
  - Department to department (what type of PHI)
  - With trading-partner infrastructure, requiring negotiation (B2B)
  - Without trading-partner infrastructure, requiring direction (B2b)
- Encryption options
  - S/MIME gateway
  - ESMTP STARTTLS
  - Push certificates for client/desktop users
  - Association certificates for professional-class users
  - Strategies for trading partners (TPs) with proprietary approaches: web portals, webmail, required clients
California Community Trial Activities: Policy
Key initiation and exchange:
- When is a secure channel required?
- What prerequisites are required to establish a secure channel?
- Can employees individually establish secure channels with a TP?
- What enterprise-to-enterprise communication is required?
- Will the enterprise accept unencrypted PHI?
- Will the enterprise send unencrypted PHI if the TP will not establish a secure channel?
California Community Trial: PKI
Certificates for client/desktop recipients:
- Any available source of certificates will do
- The enterprise knows its recipients' email addresses; as long as a certificate carries the known email address, it is useful
- Push certificates from PK3I
- Association certificates:
  - California Medical Association, providing certificates for physicians and staff
  - American Association for Medical Transcription, providing certificates for transcriptionists and clients
- All certificates will conform to the ASTM Healthcare Certificate Policy and its certificate profile
California Community Trial: New Key Distribution Model
Push certificates from PKI Innovations, Inc. (PK3I):
- The enterprise requests an email certificate from the server
- The server generates the keypair and creates the certificate
- The server sends the certificate to the requestor
- The server sends the certificate and keypair to the email recipient
- The requestor communicates a one-time PIN/password to the recipient, who uses it to install the keys and certificate in the email client
  - For Microsoft products, a one-click install
  - For other products, 2-5 steps depending on how far the product has deviated from IETF standards for key storage
Because the server generates the private key on the recipient's behalf, the key exists outside the recipient's control before installation; that is acceptable for an encryption key, but it weakens the non-repudiation value of any signing done with the same certificate.
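The push flow above, and the preceding slide's point that a certificate is useful as long as it carries the recipient's known email address, as an added example. This is not PK3I's or Tunitas Group's code: a constructed self-signed test CA stands in for the issuing server's CA, the recipient address is made up, and the function names (make_test_ca, issue_push_certificate, install_push_certificate) are hypothetical. It assumes the Python cryptography package. The server side generates the keypair and certificate, hands only the certificate back to the requestor, and packages key plus certificate for the recipient as a PKCS#12 file locked with a one-time PIN; the recipient side unlocks it and checks that the rfc822Name in the certificate is actually its own mailbox.

```python
"""Push-certificate issuance and delivery (added example, not PK3I or Tunitas
Group code). Requires the `cryptography` package (assumption). The CA below
is a constructed test CA, not a real issuer."""
import datetime
import secrets
import string

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def make_test_ca():
    """Constructed self-signed CA standing in for the issuing server's CA."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Push CA")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_push_certificate(ca_key, ca_cert, recipient_email, days=365):
    """Server side: generate the recipient's keypair and email certificate.

    Returns (certificate PEM for the requestor's directory,
             PKCS#12 bytes for the recipient,
             one-time PIN to be passed to the recipient out of band)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.EMAIL_ADDRESS, recipient_email)]))
            .issuer_name(ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=days))
            # The rfc822Name SAN is what S/MIME clients match against the address.
            .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(recipient_email)]),
                           critical=False)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.EMAIL_PROTECTION]),
                           critical=False)
            .sign(ca_key, hashes.SHA256()))
    pin = "".join(secrets.choice(string.digits) for _ in range(8))
    # Key + certificate + issuing chain, encrypted under the one-time PIN.
    p12 = pkcs12.serialize_key_and_certificates(
        name=recipient_email.encode(), key=key, cert=cert, cas=[ca_cert],
        encryption_algorithm=serialization.BestAvailableEncryption(pin.encode()))
    # The requestor only ever sees the public certificate, never the private key.
    return cert.public_bytes(serialization.Encoding.PEM), p12, pin


def install_push_certificate(p12_bytes, pin, expected_email):
    """Recipient side: unlock the PKCS#12 with the PIN and check it is ours.

    Returns (private key, certificate), or None if the PIN is wrong or the
    certificate was not issued for expected_email."""
    try:
        key, cert, _chain = pkcs12.load_key_and_certificates(p12_bytes, pin.encode())
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except (ValueError, x509.ExtensionNotFound):
        return None
    if expected_email not in san.get_values_for_type(x509.RFC822Name):
        return None
    return key, cert


if __name__ == "__main__":
    ca_key, ca_cert = make_test_ca()
    cert_pem, p12, pin = issue_push_certificate(ca_key, ca_cert, "drsmith@partner-clinic.example")
    # cert_pem stays with the requestor; p12 goes to the recipient by email and
    # pin by a separate channel (e.g. phone), as in the slide's flow.
    assert install_push_certificate(p12, "wrong", "drsmith@partner-clinic.example") is None
    key, cert = install_push_certificate(p12, pin, "drsmith@partner-clinic.example")
    print("installed certificate serial", cert.serial_number)
```

The PIN only protects the PKCS#12 in transit; once installed, the key's safety depends on the mail client's key store, which is where the "2-5 steps" variation between products comes from.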
Typical Workflow (three diagram slides; not reproduced in text)
Improved Workflow (diagram slide; not reproduced in text)
Success Factors
- Maintaining compliance
  - Employees will use email for communications
  - Without an email encryption alternative, the enterprise risks non-compliance
- Preventing unnecessary costs
  - Implementing a non-email alternative will only add costs; email will not be turned off
  - Registration and user support for trading partner employees is significant
- Maintaining business independence
  - Adding an email security solution to other options
Background Resources
HealthKey-Sponsored Collaboration
Massachusetts Health Data Consortium DomSec interoperability trials:
- Demonstrated S/MIME-based interoperability between vendor S/MIME gateway implementations: Tumbleweed, TFS, Clearswift (as Baltimore), DICA, Vanguard
- Ongoing multi-enterprise S/MIME gateway project: CareGroup, Tufts, Commonwealth of Massachusetts
- For more info: www.mahealthdata.org/mhdc/mhdc2.nsf/documents/ahin-smg; Joe Miller, jmiller@mahealthdata.org, 781-768-2501
Vendor ~ Tumbleweed
- Early product entrant with a significant healthcare installed base
- S/MIME gateway and redirect products
- Imports any X.509 certificate and stores it in the directory
- Creates proxy certificates for enterprise email accounts
- Full-service product line: gateway, malicious content, virus scanning
- For more information: http://www.tumbleweed.com; Mike Fiore, mike.fiore@tumbleweed.com, 925-242-2316
Vendor ~ TFS Technologies
- Feature-rich gateway product
- Includes OpenPGP support in addition to S/MIME
- Includes a certificate server for optional certificates for end users; consider using it for individual signatures at the desktop
- Free server solution for non-PKI-based security
- Supports automated distribution of a symmetric key (password) via IVR (voice response), fax, or email to a (possibly alternate) address
- For more info: http://www.tfstech.com; John Casey, john.casey@tfstech.com
Vendor ~ Clearswift
- Inheritor of Content Technologies, sold off by Baltimore in its downsizing
- Emphasis on policy creation and management; supports distributed policy management
- Supports multiple message delivery mechanisms with optional plugins: S/MIME gateway; HTTP (technology licensed from Sigaba)
- For more information: http://www.clearswift.com; Farren West, farren.west@clearswift.com, 425-460-6062
Vendor ~ Omtool
- Secure gateway integrated with Exchange/Outlook
- Supports S/MIME; alternate non-PKI solutions based on zip/PDF encryption
- Always acquires receipts; supports security/signature of return mail
- Provides integration of email with fax systems: fax/scan -> secure email; fax -> (internal) email
- Provides a security layer for the HP Digital Sender
- Very slick solution, a Tunitas Group favorite
- For more information: Thad Bouchard, bouchard@omtool.com
California Healthcare PKI Solutions
CMA / MEDePass:
- Focus on California physicians and staff
- High-assurance model; 2nd year of operation
- Will help market a PKI-based solution to your physician community
- Contact: Terry Fotre DO, tfotre@medepass.com, 415-882-5152
American Association for Medical Transcription:
- Certificates for transcriptionists (certified and non-certified); high-assurance model for certified transcriptionists
- Online registry; go-live in 3Q 2003
- Will train subscribers in secure email use
- Contact: Ray Smith, ray@aamt.org, 209-341-2445
Technical Resources
- IETF DomSec spec: RFC 3183, Domain Security Services using S/MIME, the standards basis for the use of S/MIME gateways: http://www.ietf.org/rfc/rfc3183.txt
- NIST guidelines on email security (the draft later published as NIST SP 800-45): http://csrc.nist.gov/publications/drafts/pp-electronicmailsecurity-RFC.pdf
  - An excellent technical resource: network design discussion, SMTP/POP server hardening, common vulnerabilities and exposures
- Email security is not just about encryption!
About Tunitas Group
Tunitas Group specializes in electronic commerce, communications and data exchange strategies for healthcare organizations.
Core expertise:
- Biometrics and smart cards
- Directory applications and schema
- Electronic signature
- Email and EDI security solutions management
- Internet security solutions
- HIPAA compliance planning
- Privacy and security policy design
- PKI planning and design
- Security assessment projects
- Security risk analysis
- Internet technologies and protocols
- Workflow design
Clients include: Blue Shield of California, California DHS, California Medical Assn, Catholic Healthcare West, El Camino Hospital, PacifiCare, St. Joseph Health System, Social Security Administration