kokotewan - stock.adobe.com

Why Email Failed To Replace Fax For Secure Document Exchange

Sharing PHI in a HIPAA-compliant fashion using current health IT infrastructure continues to prove a pain point for covered entities.

Sharing PHI in a HIPAA-compliant fashion using current health IT infrastructure continues to prove a pain point for covered entities.                                                                                                    

The ancient Greeks had a bizarre but ingenious method of secure data transmission. Say a local ruler wanted to send a confidential message to a military general in a neighboring city. He would shave his messenger’s head and tattoo the message right on the man’s bald scalp. When his hair had grown back, the messenger would travel to the general, who would shave the man’s head again to read the message.

This brings up two interesting points.

First, the Greeks’ head-shaving method took only a little longer than it takes today to transmit a document using a fax machine. I’m kidding. Mostly.

Second, this approach was probably more secure than the emails your employees are sending and receiving on your network today. And I’m not kidding about that.

ONE REASON FAX IS STILL KICKING (AND SCREECHING AND BUZZING AND HOWLING)

One reason for the surprising staying power of fax — even decades after email became ubiquitous—is that even today, most business email is still not as secure as it needs to be to transmit sensitive data such as electronic protected health information (PHI).

This helps explain why 75 percent of all medical communication is still transmitted by fax according to published reports.

Let’s briefly examine the potential security weaknesses of standard email, even in 2018.

THE SECURITY LIMITATIONS OF EMAIL

You do have several options when it comes to email security — but none of them are anywhere near ideal, yet.

You can try encrypting the messages themselves, but frankly that’s a pain — and it can require enough effort that most users won’t do it, especially when sending or receiving mail from outside your organization which means you probably won’t get full compliance anyway.

Think about it. You receive an email from someone you may not know stating that you have received an encrypted message and directing you to click on a link to a server where you have to log-in using your email address and a password. All that just to access a single message? This approach does not scale, and haven’t we all been training our users to never, ever, click on links in emails, especially those of unknown origin?

Alternatively, you can encrypt your company’s email connections themselves using a standard protocol like Transport Layer Security (TLS), which does shield the communications while traveling over the Internet. But the problem here is that you are protecting only the connection between mail servers. And then who knows what’ll happen? Will your recipient’s email system encrypt its messages all the way to the inbox?

These hurdles to rolling out companywide email encryption help explain why, as a 2017 Ponemon Institute study found, only 36 percent of organizations have fully implemented systems to encrypt their corporate email.

Clearly, there is a need for an end-to-end email encryption solution that will work on any mail system that would allow the seamless exchange of encrypted mail, and with no need to have previously exchanged passphrases. And it has to be guaranteed to work 100% of the time — that is, not on an opportunistic basis as is the case with many public mail systems today.

LEGACY FAX HAS SECURITY WEAK POINTS, TOO

For the reasons I’ve described above, fax is still perceived as more secure than email for transmitting sensitive data. Moreover, we hear plenty of horror stories about covered entities’ email being hacked, exposing patients’ PHI — like this one reported right here on HealthITSecurity—but we don’t read much about hackers intercepting large batches of faxed PHI data.

It’s worth reminding yourself, though, that your legacy fax infrastructure — such as fax machines, fax servers, and POTS fax lines — isn’t necessarily secure, either, and might not withstand an actual audit from HIPAA regulators. Traditional fax processes have security vulnerabilities of their own, including:

  • Paper faxes left unattended on fax machines.
  • Faxes not protected by cover pages.
  • Lack of detailed audit trails for fax messages.
  • Faxes sent to the wrong number.
  • Fax meta-data left in memory on fax machines or multi-function printers.
  • Lack of secure archiving (or destruction) of fax hardcopies.

THE CLOUD-FAX SOLUTION

One way to maintain your staff’s ability to fax but without the security and regulatory downsides of legacy fax infrastructure is to outsource to a HIPAA-compliant cloud-fax service. The right solution will be designed with the unique needs of healthcare companies in mind and will offload your IT team of the responsibilities of managing and troubleshooting onsite fax hardware.

Or you could just ask a few employees to shave their heads.

_______________________________________________________________________________________________

About the author: Brad Spannbauer

A 20 year industry veteran, Brad Spannbauer currently oversees product strategy and planning, and provides direction and market leadership for j2 Cloud Connect's worldwide business as their Senior Director of Product Management. His focus in the Healthcare and Legal verticals led to Brad's involvement with the j2 Cloud Services™ compliance team, where he leads the team as the company's HIPAA Privacy & Compliance Officer. Learn more about eFax Corporate’s HIPAA Compliant Fax Services today.
 

About J2 Global:

eFax Corporate® recently became the first major Cloud Fax provider to achieve HITRUST CSF® Certification. With eFax Corporate, faxes can be securely sent and received by email, from any desktop, tablet, smartphone or from within EHRs via APIs – helping organizations boost productivity, enhance regulatory compliance and eliminate on-site fax hardware.

Dig Deeper on Health data threats