It’s not always obvious
I work part-time for a mental health center in the IT department. Yesterday, I attended a mandatory HIPAA training meeting. In the training, I was told fax is the approved secure method and email was not. I’m really confused about this issue. I researched it on the net, but I haven’t come up with a really solid reason why email is less secure than fax if it truly is. While I recognize the limitations of email, transferring via the net could be accessed at any point, yet I feel fax is even less secure. For one, the fax physically lies around until somebody picks it up and you have no assurance that it’s the right person. Two, while I understand that a landline would be more secure than the net, if the fax goes directly from point A to point B, in reality, phone calls are transmitted via microwave towers as well and since fax is unencrypted, they could be accessed as easily as email. My feeling is that if we used PGP that email would be more secure than fax. My boss and I both respect your opinion. Can you clear up which is more secure?
Become a Patron of Ask Leo! and go ad-free!
Fax vs. email
So, the bottom line is that my opinion runs along the same lines as yours. I don’t really consider fax to be any more or less secure than plain text email. I understand why email would not be allowed. Because it is plain text, you are sending information from one person to another (potentially sensitive), but anybody who has access to the network or the computers in between those two points can essentially read that material.
The most common scenario, for example, might be on a service like Gmail or Hotmail. That email is sitting on a third-party server. It’s not your server. It’s not the recipient’s server. It’s some third-party (like Google or Microsoft) and theoretically, the email could be viewed by someone else. That of course is a violation of HIPAA regulations.
Fax is a little bit more difficult to argue along those lines, but I believe that the same thing is true. When you send a fax via phone… first of all realize that a fax is an audio transmission. It is (as you said) unencrypted so what that means is that you send a fax from point A to point B, anybody who can listen in on that phone line can receive the fax as well. Anybody with any kind of eavesdropping equipment, anybody who even happens to pick up the same line as that particular fax happens to be getting sent on can in fact receive the fax and as a result, see it.
I actually take this one step further. My concerns go a little bit further than this. A fax really is nothing more than an image of a document, which means that it’s also very, very easy to forge. In fact, in many cases, fax signatures are considered legal. In other words, they are considered as binding as a physical signature on a piece of paper. Given how easy faxes are to forge, that just really boggles my mind.
Follow the laws
Now, the real problem here is not so much the technology involved but the laws. Again, I’m not a lawyer, I don’t want to infer in any way that I am. But, I definitely would strongly recommend that you – whatever you do – you do what the HIPAA regulations require you to do whether they make sense or not. Because even when you do something that makes total technological sense, if it happens to run afoul of the regulations, you could still get in trouble which is kind of frustrating, I understand. But it is what it is.
Encryption
In reality, I’m with you also that PGP (any kind of encrypted email) is much more secure than any of the above.
What it really means is that the email is encrypted at the start. So anywhere between the start, between sending and reception, it is unintelligible to anybody who might actually happen to get a copy of it as long as they don’t have the appropriate encryption or decryption key.
PGP, being a public key system, means that you could say that “this message” can be unencrypted by only “this” specific recipient, the specific recipient who holds this specific public key.
So, yeah, absolutely! Encryption of almost any sort (although it needs to be strong enough) is going to be stronger than, is going to be more secure than either fax (over voice lines) or email (plain text email) over the internet.
So, ultimately like I said, I won’t really say that email or fax is stronger, or that fax or email is less secure (or more secure) than email or fax. I believe them to both be fairly unsecure.
Security is difficult
If I were writing the HIPAA regulations, for example, I would insist that all of that kind of communication be encrypted. The problem with encryption (and I’ve written about this before) is that encryption is… as it turns out, is “hard.”
Not hard technologically. That’s been solved. It’s hard to implement in a public way – in a way that is consistent across multiple computers:
- Installing PGP? That’s really hard to do in common email programs (Thunderbird happens to have a great plug-in that just does it).
- Having people manage their own public and private keys? That’s really difficult for the average consumer.
- Same thing for other encryption schemes, other certificate schemes, other public and private key schemes, and so forth.
It’s all a level of complexity that A) hasn’t been standardized across email systems or email programs and B) is fairly confusing to the average consumer. And it usually is the average consumer who’s at the receiving end of some of this protected communication.
So, I can’t really give you an answer about what to do to make HIPAA more secure. You’ve just got to follow the rules of HIPAA. But, in terms of the technologies involved, I would prefer to see encrypted email.
In fact, one of the things that you will find if you’ve got a good health care provider is that they will not send you email. They will instead direct you to a web-based interface to their system on which you can read that message. The message may then be encrypted on their server. It’s encrypted in transit because it’s an https connection to their server. And thus, the only place it’s visible to the user (to anybody) is when it’s being displayed by the authorized and logged in consumer; or when it’s being accessed by the authorized and logged in provider at the other end.
I agree with you. I have a phone number that is similar to the local Hydro Utility’s Fax #. My number is also not that far off from a local medical facility’s fax. Worse, my phone number is similar to a government office’s fax.
You would be surprised at the stuff that lawyers fax me! They think they are faxing client data to the utility. Hooks ups, disconnections, moves, property purchases, billing disputes… WHEW! If I were “the type”… what trouble could I cause! And when I tell them that they did… they get mad at ME! (Their error, my fault?)
As for the medical clinic…. I once got an emergency fax of a patient’s entire history! He was close to death, and I spent an anguished hour finding the person who faxed it, so they could re-fax it to the “right place”.
The government office, once sent me enough data to completely steal a person’s identity. Oh horrors! I called them, set them straight, and shredded it. I do admit: It felt cool to have the power over a civil servant’s job in my hands for a few minutes, though… I can’t be that evil! I did the right thing!
I like my phone number, and am unlikely to change it, but when I get fax call after fax call, well, just to stop the calls, I hit receive print on the fax.
It seems they are simply keying in the phone numbers wrong. I guess the phone directory software on their machines is too complicated to use. How else?
As for emails, I do get the odd spam and the odd junk mail. But, I have actually gotten few emails from women dying to meet Leo, and emailing me by accident. I do know such things happen though. An employee sending a bad joke to the boss instead of a co-worker.
The whole issue is not so much people wanting to intercept your stuff, I think….. but people who send stuff to the wrong people, either through error, ignorance, or carelessness.
And that is the big danger: Not eavesdropping, but sending a fax or email to the wrong place.
Hi Leo,
I’ve never understood how this is even a problem.
Couldn’t I type up a note, encrypt it with safe-house or whatever, and email the file as an attachment to ask-leoatask-leodotcom. Then call you on the phone and tell you the password? Safehouse is really easy to use, and I know you like truecrypt. Just so we were using the same program.
Wouldn’t this work?
26-Oct-2012
Errors in transmitting sensitive data are a big problem. In my experience, fewer errors are made with fax, and more errors are made with email. (Almost no errors are made with snail mail.) Here are three real world considerations.
Generally, fax transmissions are point to point. There is one sender and one receiver. Even broadcast faxes are sent one at a time by the sending fax device. The one-click send capability of email may be convenient, but I receive several emails a week either never intended for me, or just sent to a convenient email list/group, even if I was not an intended recipient.
Worse, emails can be deliberately or accidently forwarded with a few clicks. Most fax users must print and reload a machine to forward a fax. (Caveat, yes there are paperless fax systems that facilitate thoughtless forwarding – but see the next/last point)
Third, all of the data, sensitive or not, is incorporated into the fax document for the recipient to see directly. However, a harmless looking emai may have sensitive health information in an enclosure, where it is not so obvious to a recipient or their admin assistant. This leads to unknowing forwarding of sensitive information to a nonauthorized party.
I use email for almost everything, but I try to send sensitive information by US mail. When time is critical, I’ll use fax if I can. If I have to use email for sensitive information, I put ‘CONFIDENTIAL’ in the email subject line and also ‘DO NOT FORWARD’ in the text.
Excellent article. Many Healthcare Providers (including myself) wrestle with this. I still have two questions: 1) If Gmail settings are set to force gmail to stay in HTTPS, does this affect the security? My understanding was that only the intended recipient could read the email. 2) Is there a low cost and easy-to-understand way to encrypt individual emails? I use Truecrypt for my data on my hard drive, but that would only help for attached files and isn’t easy to understand or the technologically challenged. Thank you for your article.
2) I’m a big fan of GPG encryption, and it meets the low-cost criteria by being free, but I know of no truly simple solution for the general consumer. This is where a lack of standard (or several competing standards) are working against the consumer. Generally I recommend transferring sensitive information as an encrypted attachment, using something like 7-ZIP, or Axcrypt to encrypt/decrypt the file, and sharing the encryption password via some other channel.
26-Oct-2012
There are encryption boxes you can put in line with the fax machine. If you turn on the encryption box, the fax gets sent encrypted. Should anyone try to “listen in” they would only receive garbage.
However, like encrypted email, it requires both sender and receiver to have the same system. Hopefully, if your employer has not implemented encrypted email that they’ve implemented encrypted faxes.
Another problem with faxes is the fax machine is going away. Our fax at work runs through the computer network. If our system gets hacked, then the faxes are available as well.