The following is the fifth (and probably final) post in a series entitled, “Securing your Email.” I’ve spent the majority of the series talking about logistical things like why secure email is important and how to get started with public-key cryptography. If you look back at my first post, you’ll see that the reason I went out and learned all of this (and wrote about it ad nauseum) is because I feel like it’s an incredibly interesting and important topic where medicine meets technology.
Communication throughout the world is becoming more and more electronic, and things are changing rapidly. In the field of medicine five years ago, most institutions (including very large hospitals) were still using paper records. In fact, even today a number of institutions still do. Doctors communicated by telephones and pagers, and records from other facilities were carried in by hand or faxed. With the technological advances in the last 10 years, today a physician could easily be consulted halfway around the world with a simple email, and a copy of an X-ray or CT-scan could be sent electronically. These changes in the way health care is administered presents a new set of problems to the industry.
This electronic age spawned a strong concern about health care privacy in the United States, which was addressed by HIPAA. The health care industry spends an incredible amount of time and resources dedicated to preserving people’s privacy. They spend millions and millions of dollars on “enterprise level solutions” to make sure that they can work online safely. These are not always dollars well-spent, but that’s the topic for another day. Unfortunately these solutions end up restricting health care professionals in such a way as to reduce the utility of the system. As an example, I’m going to talk about email (as you might have guessed).
As I pointed out in my first post, I’ve been thinking about this for a while. How in the world can health care institutions, who are so concerned about privacy and protection of their patient’s data, not be doing more to provide secure email solutions? I think I’m in an appropriate position to answer that question. I’m part of a committee that has been charged with selecting a new email provider for the hospital. We’re currently looking into a number of different vendors, and a question that consistently comes up is about “email security.” We’ve got a number of people on our committee including people from IS, the legal department, and human resources staff as well as physicians, nurses and students. Their “email security” questions have the best intentions. They want to make sure that the solution we choose is going to keep our patients’ data safe.
At the same time, however, I feel like there is a knowledge gap as to what they know about email security. I feel like most (if not all) of the people involved just want someone to say “your email is super-duper secure with our system.” One vendor took it a step further and started talking specifics of cool stuff that their system can do to prevent, for example, someone from emailing Protected Healthcare Information, or PHI, to someone outside of Rush. The problem I (and some members of the legal department) have is that sometimes this information needs to be sent out, for example to a lawyer’s office. From a patient’s perspective, if I request that my physician contact me via email with my lab results as opposed to over the phone, should that be discouraged? But it is, and that’s because some of the people in the IS departments across the land realize how insecure email is. So we need to make it more secure, and in order to do that, we have to understand where its security flaws lie.
The problem is that most institutions don’t look at the problem like that. They don’t get an unbiased assessment of email security. Instead they get a vendor to sell them an “email security solution” in which the vendor defines what secure email is and how their solution fits the bill. I’m not saying that all companies are giving a false sense of security, but it’s definitely a concern. It’s exactly why you have to understand the problem before you go looking for an answer. Things would be significantly different if a group of people like the “free software community” assessed a health care institution’s email security needs. In fact, the purpose of my post is to propose the following: the health care community should embrace the free software community’s model of email security.
Health care institutions have all the right resources already in place. They simply need to implement it. It would be fairly easy the create a public key server for your health care institution. When Housestaff and Physicians begin their tenure, they could easily be required to create a key pair during new employee orientation. Key pairs could be distributed on cheap flash drives for safe keeping and stored on a private server for easy access while on campus. Alternatively, keys could be distributed on smart cards. Since an institution has verified who an employee is, their internal web-of-trust will form easily. As long as someone’s public key has been signed by the company’s IS department, it can be trusted. These key servers could be made to exchange keys with those of other institutions or even external key servers, such as one set up by the NIH or the Department of Health and Human Services. Physicians also often travel to conferences, and “key signing parties” or booths could be set up to create a more full-fledged web of trust.
Having public keys freely available would make it easy for physicians to communicate more securely with one another. They’d be able to trust an email from a colleague. Plus, they’d be able to encrypt emails and attachments containing PHI. Physicians would also be able to communicate with their patients via email more freely. Patients could be given instructions how to acquire the physician’s public key and how to use it. It would be even better to set up a way to simplify the process by just emailing the patient a link so that an encrypted email could be viewed directly on the institution’s website. They wouldn’t need to worry about having the proper GPG client software installed, since they’d just have to click a link and the web page would decrypt the email for them.
Unfortunately, there are many in the health care IS industry that would rather none of this communication go on via email. They are probably smart to have a firm stance that no PHI should be communicated via email at this point since their email system is probably very insecure. The problem with their plan is that both now and in the future PHI is being sent via email and it’s probably not going to stop unless some serious consequences are put into place at individual institutions.
I have to wonder though. If the email system was actually set up securely and properly, why couldn’t PHI be sent via email? Why shouldn’t I be able to request my test results in electronic format from my doctor? These aren’t questions that are going to be addressed by any single institution, unfortunately, and this presents a very big problem in the near future. A number of other industries are currently caught in a downward spiral because they chose not to adapt to the Internet era. Does a similar fate await a health care industry that wants to deny physicians and consumers access to the PHI electronically under the guise of HIPAA and “we know what’s best” for protecting patients rights? Doing so is just going to drive the process more underground, giving them less control over the situation in the future. They’d be better off embracing the idea now and preparing for the future of medicine in an electronic age.