Dr. Maury Pinsk FRCPC University of Alberta Division of Pediatric Nephrology

Shouting from the Rooftops: Improving Email Security

Presentation Transcript


  1. Shouting from the Rooftops: Improving Email Security Dr. Maury Pinsk FRCPC University of Alberta Division of Pediatric Nephrology

  2. Dr. V • Uses email to correspond with patients • Answers questions • Gives test results • Changes medications • All emails are signed with disclaimer for confidentiality • Patient A asks how secure her medical information is

  3. How secure is email? • Depends on: • Where it is being sent • What you choose to use it for • How it is being sent

  4. Email - the basics • Your email program is a “mail user agent” • Produces a text file • Sends the file through the internet using a set of instructions that allow computers to communicate – a “Protocol” • E.g.: SMTP or simple message transfer protocol

  5. Email - the basics • SMTP guides the email to the final recipient's server • Can route through several servers if necessary • Once it reaches its final destination server, it is stored to disk • The recipient accesses the email using the Post Office Protocol (POP)

  6. So what are the security issues? • Sending an email is like sending a postcard • Any server through which it passes is an opportunity for eyes to read • For the keen individual, it represents an opportunity to alter the contents of the email as well.

  7. So what factors alter the security of the email?

  8. Where is it being sent? • Data that stays on a server is less likely to fall into the wrong hands • More so for dedicated service providers (e.g.: intrauniversity, intrahospital) • Less so for data that leaves a server (e.g.: interhospital or interuniversity)

  9. How is it being sent? • Data that is sent unprocessed is vulnerable to breach of confidentiality or integrity • What do I mean by processed? • Encryption • Digital signatures

  10. Encryption • Key: a large number used by the encryption algorithm to generate cipher code • Public key owner can send you encrypted email securely, but cannot decrypt it • Private key owner can decrypt the email. • The two keys are related, but through very complex algorithms that are difficult to crack

  11. Encryption • Keys are stored, encrypted, on your computer, and used by your email software • Keys can be distributed by owner on disk, by email or via access to repository (key server)

  12. PGP encryption: an extra layer of security for encryption

  13. PGP – decryption – the same in reverse

  14. Encryption, but for whom? • Encryption: keeps on-looking eyes away from sensitive data, but doesn’t verify the source • Authentication and integrity are verified by a digital signature

  15. Digital Signature

  16. Digital signatures

  17. But how do you know the key is from the right person? • Key “forgery” is possible, hence the need for security certificates • Security certificate = digital signature + authentication from another user + public encryption key + user identification

  18. What is being sent? • The best means of preserving data integrity and confidentiality is to decide if it is absolutely necessary to send the data by email.

  19. Return to Dr. V • Patients informed: • Patient information continues to be transferred over the internet, but patients sign a consent allowing this to happen • Information kept confidential: • Public keys are issued to patients via key server • Patients encouraged to obtain own personal key and distribute public key to Dr. V

  20. Integrity of information confirmed: • Security certificates issued with public key • All correspondence with digital signature.

  21. Further resources • Encryption and digital signature freeware • Pretty Good Privacy (PGP) • http://www.pgpi.org • Guidelines for Patient Privacy • HIPAA Privacy regulations • http://www.hhs.gov/ocr/hipaa
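
Slides 5 and 6 describe a message passing through several servers, each of which can read it. The Python sketch below is an added example, not part of the original presentation: it reads the `Received` headers of a constructed message (every host name and address in it is made up) and lists the servers that handled the message and the hops that did not use TLS.

```python
import re
from email import message_from_string

# Constructed sample message; hosts and addresses are made up for this example.
SAMPLE = """\
Received: from mx.patient-isp.example (mx.patient-isp.example [203.0.113.7])
\tby mail.patient-isp.example with ESMTP id c3; Tue, 4 Mar 2003 10:02:11 -0700
Received: from relay.hospital.example (relay.hospital.example [198.51.100.9])
\tby mx.patient-isp.example with ESMTPS id b2; Tue, 4 Mar 2003 10:02:09 -0700
Received: from drv-desktop (unknown [192.0.2.15])
\tby relay.hospital.example with ESMTP id a1; Tue, 4 Mar 2003 10:02:05 -0700
From: dr.v@hospital.example
To: patient.a@patient-isp.example
Subject: Test results

Your results are normal.
"""

# "with" keywords that indicate a TLS-protected hop (registered in RFC 3848).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.I)

def trace_hops(raw):
    """Return the relay path oldest-first as (sender, receiver, protocol, tls)."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its own Received line, so reverse for time order.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # undo header folding
        m = HOP.search(flat)
        if m:
            proto = m.group(3).upper()
            hops.append((m.group(1), m.group(2), proto, proto in TLS_PROTOCOLS))
    return hops

def plaintext_exposure(hops):
    """Servers that handled the message, and the hops sent without TLS."""
    servers = [receiver for _, receiver, _, _ in hops]
    unencrypted = [(s, r) for s, r, _, tls in hops if not tls]
    return servers, unencrypted

if __name__ == "__main__":
    servers, unencrypted = plaintext_exposure(trace_hops(SAMPLE))
    print("Servers that could read the body:", ", ".join(servers))
    for sender, receiver in unencrypted:
        print(f"No TLS on hop {sender} -> {receiver}")
```

TLS protects only the link between two servers; every server on the path still sees the body unless it is encrypted end to end, as with PGP. `Received` lines are written by the servers themselves, so lines added before the first server you trust can be forged.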
