[olug] [OT] Mail Admins, do you allow encrypted attachments?

Dan Linder dan at linder.org
Tue Dec 29 14:21:02 UTC 2009


On Mon, Dec 28, 2009 at 15:43, Rob Townley <rob.townley at gmail.com> wrote:
> i need to send confidential info to healthcare technology vendor X.
> Healthcare Technology vendor X will not accept encrypted or password
> protected attachments any longer.
> Recipient denies any postini like capability to retrieve the file from
> quarantine or to accept the file.
[..snip..]
> According to the US Health and Human Services, encrypted email is not
> required.  i refuse to send it unprotected.
> https://questions.cms.hhs.gov/cgi-bin/cmshhs.cfg/php/enduser/popup_adp.php?p_faqid=1854
> http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/568.html

This sounds contrary to HIPAA regulations, but a quick Google of
"hipaa email encryption requirements" confirms that the *word* of the
law doesn't cover this.  The *spirit* of the law seems to imply
encryption when sent over a public network, but the courts don't
enforce spirit...

If both recipients are tech-savvy, you could use "uuencode" to convert
the encrypted .ZIP file to a plain .TXT file then send that.  The
remote end would scan a simple text document but wouldn't see the
encoded ZIP data.  If it did, paste the TXT file contents into a DOC
file.  (This is quite a stretch though, and a lot of extra work each
time you send a file.)

It sounds like the "healthcare technology vendor" IT department is out
of synch with the business needs.   This is the underlying reason I
see the most often.

A few customers I work with have their in-bound e-mail filters set up
to only allow a single attachment extension.  That extension is not a
common extension like PDF/ZIP/GIF/JPG/DOC/XLS/etc, rather "xyz" or
"abc".  This keeps 99% of the dumb e-mail spammers attachments out,
and anyone sending a file to them just has to rename the file (i.e.
rename "secret_docs.zip" to "secret_docs.zip.xyz").  The receiver then
can save it, remove the ".xyz", and use like normal.

Sure, a spear-phishing attack could send a trojan ".xyz" file but
that's going to be a risk anytime *any* data is allowed to traverse
the firewall...  If they really want security, they need to have all
their e-mails printed to paper, then hand-delivered to the recipient.
(Just invest in a good recycling solution please...)

DanL

-- 
***************** ************* *********** ******* ***** *** **
"Quis custodiet ipsos custodes?"
    (Who can watch the watchmen?)
    -- from the Satires of Juvenal
"I do not fear computers, I fear the lack of them."
    -- Isaac Asimov (Author)
** *** ***** ******* *********** ************* *****************
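The uuencode trick from Dan's reply, worked through as an added example that is not part of the original thread: the sender turns the already-encrypted archive into a plain-text body, the receiver turns it back. The code below reimplements the classic uuencode line format with Python's standard library (binascii.b2a_uu / a2b_uu produce and consume the same lines as sharutils' uuencode), so it runs without sharutils installed. The SHA-256 header line is my addition so the receiver can detect a mangled or truncated paste; the ZIP built in demo() is a constructed, unencrypted stand-in for the password-protected archive (the encoding step does not care what the bytes are), and the file names are hypothetical.

```python
import binascii
import hashlib
import io
import zipfile


def uuencode_bytes(data: bytes, name: str, mode: int = 0o644) -> str:
    """Classic uuencode text (same wire format as `uuencode name < file`).

    backtick=True writes '`' instead of ' ' for zero sextets, so a mail path
    that strips trailing spaces cannot silently corrupt a line.
    """
    lines = [f"begin {mode:o} {name}"]
    for off in range(0, len(data), 45):          # uuencode packs 45 bytes per line
        chunk = data[off:off + 45]
        lines.append(binascii.b2a_uu(chunk, backtick=True).decode("ascii").rstrip("\n"))
    lines.append("`")                            # zero-length line terminates the data
    lines.append("end")
    return "\n".join(lines) + "\n"


def uudecode_text(text: str) -> tuple[str, bytes]:
    """Inverse of uuencode_bytes; returns (filename, data), ValueError if malformed."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("begin "):
        raise ValueError("missing uuencode 'begin' header")
    _, _mode, name = lines[0].split(" ", 2)      # file name may contain spaces
    out = bytearray()
    for line in lines[1:]:
        if line == "end":
            break
        if line in ("", "`"):                    # blank line or terminator: no data
            continue
        out += binascii.a2b_uu(line)             # tolerates eaten trailing whitespace
    else:
        raise ValueError("missing uuencode 'end' line")
    return name, bytes(out)


def wrap_for_mail(encrypted_blob: bytes, name: str) -> str:
    """Sender side: digest line (my addition) plus the uuencoded archive."""
    digest = hashlib.sha256(encrypted_blob).hexdigest()
    return f"SHA256: {digest}\n" + uuencode_bytes(encrypted_blob, name)


def unwrap_from_mail(text: str) -> tuple[str, bytes]:
    """Receiver side: decode and refuse the result if the digest does not match."""
    first, _, rest = text.partition("\n")
    if not first.startswith("SHA256: "):
        raise ValueError("missing digest line")
    expected = first[len("SHA256: "):].strip()
    name, blob = uudecode_text(rest)
    if hashlib.sha256(blob).hexdigest() != expected:
        raise ValueError("digest mismatch: attachment corrupted or altered in transit")
    return name, blob


def is_plain_text(text: str) -> bool:
    """True if the body contains only printable ASCII and newlines."""
    return text.isascii() and all(c.isprintable() or c == "\n" for c in text)


def demo() -> dict:
    # Constructed sample: an ordinary ZIP standing in for the encrypted one.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("patient_list.csv", "id,name\n1,constructed sample\n")
    blob = buf.getvalue()

    body = wrap_for_mail(blob, "secret_docs.zip")       # what gets pasted into the mail
    name, recovered = unwrap_from_mail(body)            # what the recipient runs
    return {
        "text_is_plain": is_plain_text(body),
        "roundtrip_ok": recovered == blob,
        "name": name,
        "text_lines": body.count("\n"),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats for anyone actually doing this: the text body is only "plain" to a filter that decides by attachment type; a content scanner that decodes MIME and uuencode (most modern gateways do) will still see the ZIP and apply the same policy, and the digest line only catches accidental mangling, since anyone who can alter the body can recompute it. Whatever protects the data has to be the encryption on the archive itself.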
