Encrypted email

I work for a company that does hospital software. One of the things we're investigating is the possibility of sending encrypted emails (or encrypted email attachments) of patient information to doctors as an alternative to faxing. However, there are certain requirements for whatever system we implement.

It has to be secure. No vulnerabilities, no weak encryption.

We're looking for something accessible to the doctors. I have no idea what's considered "standard". The doctors need to be able to access the encrypted emails/attachments on their office systems, which is almost certainly going to be running Outlook. So there needs to be software that hooks easily into Outlook, is user-friendly, is professional, and available (either free or not excessively priced).

The emails will be generated by a server component, written in C#, running on an XP or 2000 server. So whatever we use needs to be accessible by us programmatically as well, through some kind of API.

I've never done any kind of email encryption stuff before, so I'm hoping to benefit from your collective wisdom. Anyone have any suggestions of where to start?

You looking to buy something that does this (plenty of email encrypting apps that hook into the MTA of the mail server) or are you doing this in-house?

Unless you have a huge department to do this in-house I would greatly advise getting an app that does this because it is not trivial. Sharing of keys (or whatever your encrypting/unencrypting logic will be) is a management nightmare.

PM me if you want more info... my company has already built this type of thing.

PAR

Look into PGP.

The easiest way to go user-wise but the hardest to plan (because it will need to be thought-out thoroughly) is to invest in and use smart cards. Since you most likely issue badges to your hospital employees, finding card stock that does the bar code/mag strip and a smart card shouldn't be too difficult but this way you can put the keys right on the card and put a smart card reader at every station (there are even keyboards with them built in).

Planning will be important though for how you handle lost cards, deployment of hardware and the cards and training the users on the new techniques. HIPAA is a b|tch, we've got laptops that some homehealth people use and we're now encrypting the database on the laptops locally as last year a laptop was misplaced and the FBI had to be called. The person that lost the laptop was let go. Very ugly.

Quintin_Stone wrote:

I work for a company that does hospital software. One of the things we're investigating is the possibility of sending encrypted emails (or encrypted email attachments) of patient information to doctors as an alternative to faxing. However, there are certain requirements for whatever system we implement.

It has to be secure. No vulnerabilities, no weak encryption.

We're looking for something accessible to the doctors. I have no idea what's considered "standard". The doctors need to be able to access the encrypted emails/attachments on their office systems, which is almost certainly going to be running Outlook. So there needs to be software that hooks easily into Outlook, is user-friendly, is professional, and available (either free or not excessively priced).

The emails will be generated by a server component, written in C#, running on an XP or 2000 server. So whatever we use needs to be accessible by us programmatically as well, through some kind of API.

I've never done any kind of email encryption stuff before, so I'm hoping to benefit from your collective wisdom. Anyone have any suggestions of where to start?

Also, SIGABA is used by a lot of health care companies (including mine) and it ties directly into Outlook.

par wrote:

You looking to buy something that does this (plenty of email encrypting apps that hook into the MTA of the mail server) or are you doing this in-house?

Probably looking to buy, but right now just getting information on what the options are and what's available. We need to have plans in place for both ends, creating the encrypted emails from our server ap and a process for doctors to decrypt on the other end.
[color=white].[/color]

Eezy_Bordone wrote:

The easiest way to go user-wise but the hardest to plan (because it will need to be thought-out thoroughly) is to invest in and use smart cards. Since you most likely issue badges to your hospital employees, finding card stock that does the bar code/mag strip and a smart card shouldn't be too difficult but this way you can put the keys right on the card and put a smart card reader at every station (there are even keyboards with them built in).

These are actually doctors outside the hospital, as far as my understanding goes. Primary care physicians of the patients, who will receive documents from the hospital. The hospitals will not be able to issue card readers to them and it's unlikely there will be any interest at all for them to get readers on their own.
[color=white].[/color]

Dr.Ghastly wrote:

Also, SIGABA is used by a lot of health care companies (including mine) and it ties directly into Outlook.

Thanks, I'll check that out.