Disclaimer

This “Email Security Whitepaper” is Copyright 2003 and 2004 by the HIPAA Collaborative of Wisconsin (“HIPAA COW”). It may be freely redistributed in its entirety provided that this copyright notice is not removed. It may not be sold for profit or used in commercial documents without the written permission of the copyright holder. This “Email Security Whitepaper” is provided “as is” without any express or implied warranty. This “Email Security Whitepaper” is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. HIPAA COW has not yet addressed all state pre-emption issues related to Email Security.

DRAFT

E-MAIL SECURITY FOR THE HEALTH CARE INDUSTRY: A PROPOSAL FOR COLLABORATION IN WISCONSIN

Draft Version 2.1
January 13, 2005

Version 1.0 addressed the need for secure E-mail, defined business requirements, discussed four approaches, and identified sample products. Version 2.0 adds a proposal for a collaborative, standards-based approach to secure E-mail between organizations in Wisconsin. Version 2.1 includes an additional product summary.

© Copyright 2002-4 HIPAA COW DRAFT Page 1 of 35

Introduction

Within the past ten years, we have experienced a significant change in the way that we communicate. We send electronic messages, referred to as e-mail, to communicate with friends and family and for business purposes. E-mail is an abbreviation for the term electronic mail, a way of transferring information electronically. E-mail users can send messages to others by specifying E-mail addresses. The message travels from the sender’s computer through an internal computer network or, for final delivery, via the Internet.

Is E-mail Secure?

E-mail may be an efficient and cost-effective way of transmitting data, but how secure is this method of information distribution? Many e-mail messages contain information that could be regarded as sensitive by either the sender or the receiver.
In the case of the health care industry, messages may even include Electronic Protected Health Information (ePHI). ePHI is defined as individually identifiable information that is maintained in any form by a health plan, clearinghouse, or provider and related to health condition, treatment, or payment.

The Health Insurance Portability and Accountability Act (HIPAA) requires health care institutions to comply with information privacy and security standards. Many of these institutions have drafted policies that forbid the transmission of protected health information via e-mail. Other institutions which have local area networks have permitted the transmission of protected health information, but only to other employees on the institution’s local computer network. While neither the HIPAA privacy nor security rule expressly requires it, most security professionals believe secure Internet e-mail is a reasonable step for a health care institution to take in order to abide by the HIPAA requirement to “ensure the integrity and confidentiality” of ePHI.

What Risks Exist?

The most likely risk is that someone could mistakenly send information to the wrong individual. This risk is best addressed through properly communicated policies and a thorough training program. Health care institutions have invested time and money in information privacy awareness for employees for good reason.

Though a much slighter risk, e-mail sent over the Internet can be read by others in addition to the intended recipients, especially at relay points. Some of the inherent risk of unencrypted e-mail is described below.

Internet e-mail is sent to relay servers, saved for a period of time on the local drive, then sent to the final server of its intended recipient. Since the messages are sent unencrypted, they are also stored unencrypted on the relay server. Anyone with access to the relay server has the capability of reading the e-mail.
Some relay servers store copies of the messages even after they have been sent on to the final recipient. Again, anyone with access to the relay server could read the message. If the message is stored on the system, it could remain in storage for months or years before someone actually reads it. If the messages were encrypted, however, an unauthorized user would not be able to read them.

Relay servers are also targets of intruders trying to break into other networks. The SMTP service, which is used by a majority of mail programs, is always listed on the SANS/FBI Top Twenty List as a favorite target of hackers. Intruders breaking into a relay server have the ability to read any messages that are stored on the system. Again, if the messages were encrypted, they could not be read.

E-mail traverses the Internet through infrastructure equipment (routers, switches, hubs, etc.). Often an e-mail will flow through multiple network devices before reaching its final recipient. Any e-mail that is sent unencrypted may be monitored while in transit. Encrypted messages cannot be read this way.

E-mail that is unencrypted could be intercepted, read, and altered at the junctures mentioned. Motivated intruders could intercept the message and alter it before it reaches its final destination. They could add or remove items in the message and then alter the original sender’s headers. A person replying to the altered e-mail would actually be replying to the intruder; the original sender would never receive the reply. The result is compromised critical protected health information. As previously mentioned, encrypting the contents of the e-mail could prevent this.

What Are The Business Requirements For Secure Internet E-mail?

Encryption

Secure e-mail basically means e-mail that is encrypted at a sufficiently robust level, usually at least 128 bits.
Most e-mail systems can encrypt e-mail in transit and at rest within the given system. Encryption is a mathematical way to scramble (encrypt) and unscramble (decrypt) digital information. Encryption helps ensure confidentiality and privacy of information. Strong encryption (128-bit key length or greater) provides sufficient assurance that e-mail transmitted over the Internet will not be disclosed to unauthorized third parties. Encryption strength is relative and a function of key size and encryption method. The larger the key, the longer it takes to crack the encryption. For example, a 40-bit key can be cracked in a matter of hours, while a 128-bit key will take approximately 149 trillion years to crack, according to the National Institute of Standards and Technology.1

1 Computer Security Division, National Institute of Standards and Technology, “Advanced Encryption Standard,” URL: http://csrc.nist.gov/CryptoToolkit/aes/aesfact.html (January 28, 2002).

B2B Focus

The focus of this paper is organizations rather than individuals. The primary business use of Internet E-mail today is between organizations; thus the most pressing need is for a business-to-business (B2B) solution. Business-to-consumer (or client) (B2C) use of E-mail is growing but currently less common. There is also greater immediate pressure for secure B2B E-mail because B2C privacy concerns can be at least temporarily addressed by obtaining client authorization for the use of E-mail. The requirements and preferred solutions for these two kinds of use vary. Any solution for secure Internet e-mail should first meet the B2B requirements but not be inconsistent with supporting B2C needs.

E-mail System Integration

Most organizations have a legacy commitment to their e-mail systems and the messages within them. E-mail systems are not going away anytime soon.
The secure Internet e-mail solution should recognize this commitment and work seamlessly with these existing systems.

Simplicity of Use

The e-mail system integration requirement dovetails with another requirement: use of secure Internet E-mail should be transparent to the user. The effective interoperability of most e-mail systems today has accustomed users to a high ease-of-use standard. Sending, receiving, reading, and storing secure Internet e-mail should be done through the organization’s current e-mail system with minimal complexity and training for the user and little need for desktop support.

Enforcement

The secure Internet e-mail solution should help ensure that e-mail that should be secure actually is. Rather than rely solely on the user at the desktop to always remember and to make correct decisions about selecting the secure option for individual e-mail, some products can manage encryption based on who the recipient or sender is or based on other business rules.

Continued Protection From E-mail-Borne Threats

It is nearly impossible to conduct virus checking or content filtering on encrypted e-mail. Some secure e-mail solutions interfere with these key activities.

Record Management

Most e-mail systems store e-mail on the user’s desktop and/or the organization’s servers. The organization thus controls the retention and disposition of these important records. Not all secure Internet e-mail solutions support this control. Some vendor solutions store sent e-mail on their servers, and sometimes recipients have no control over received e-mail. Also, some solutions encrypt in such a way that organizations cannot access stored e-mail of current or previous employees.

Collaboration

Among HIPAA security and privacy requirements, secure Internet e-mail is especially challenging because an organization cannot implement it alone.
Secure Internet e-mail by its nature requires collaboration between sending and receiving parties. Every organization has multiple such parties. Solving secure Internet e-mail requires collaboration among business partners. Regional voluntary organizations formed to help covered entities comply with HIPAA, like the HIPAA Collaborative of Wisconsin (HIPAA COW), are well situated to promote such collaboration.

Choice

One outcome of collaboration could be agreement for all members to use the same product. This would be one approach to solving the continuing problem of limited interoperability among vendor secure Internet e-mail solutions. A better approach is to encourage purchaser choice via competition among multiple vendors with interoperability based on standards. Whether through the HIPAA security rule or otherwise, the federal government does not appear to be establishing a standard. Voluntary standards through vendor and purchaser collaboration will hopefully provide the needed interoperability.

Future Requirements

The immediate requirement of secure Internet e-mail for HIPAA compliance is encryption to avoid impermissible disclosure of ePHI. Some vendor solutions for secure Internet e-mail provide capabilities for other requirements to which organizations will need to attend in the future. One is authentication of sender and receiver of secure Internet e-mail. Related functions are digital signatures, proof of receipt, and non-repudiation (eliminating the ability of the identified party to deny having sent a valid message).

Is there a solid technology foundation?

Public key cryptography is a well-established technology that uses private and public “keys” to encrypt and decrypt information. For example, if X wants to send Y an encrypted e-mail, X first obtains Y’s public key. X encrypts his or her message with this public key and sends the encrypted e-mail to Y. Y decrypts the e-mail using his or her own private key.
X needs to obtain a public key from everyone to whom he or she wants to send an encrypted e-mail. Y has to do the same. After a while, these keys expire. There has to be a source for valid keys. This technology is sometimes called PKI, for Public Key Infrastructure—all the technology and administration involved in distributing and managing valid public keys. This technology works well and is supported by most major e-mail systems today (with some vendor interoperability issues). It also addresses the identification, digital signature and non-repudiation requirements. Most observers believe PKI will be the long-term solution for secure Internet e-mail.

Multipurpose Internet Mail Extensions (MIME) is the standard that allows interoperability between e-mail systems. S/MIME (Secure MIME) is a standard on top of MIME that allows interoperability for secure e-mail using PKI technology. The State of Wisconsin has adopted S/MIME as a draft standard for secure e-mail for its agencies.

The main reason S/MIME and PKI have not been widely adopted is the complexity of administering the keys. As implemented in e-mail systems, keys are managed by the individual users at their desktops. Most users find the process confusing. Managing revoked and expiring certificates (which contain the keys and support the “trust model” needed to ensure that a public key belongs to whom it says it does) is a significant task for individuals and organizations.

What approaches are there?

There are four principal approaches to securing Internet e-mail.

A. End-to-end (desktop) encryption

[Figure: Desktop-to-Desktop (End-to-End) encryption. Sending side: E-mail client (client encrypts), E-mail server, Interior Firewall, Exterior Firewall; Internet; receiving side: Exterior Firewall, E-mail client (client decrypts). Standards shown: S/MIME, PGP.]

This approach uses S/MIME or other standards such as Pretty Good Privacy (PGP). Each individual user has a digital certificate/key.
The e-mail is encrypted at the sending desktop and remains encrypted until it is decrypted at the receiving desktop. Technically this can work well, but it has several disadvantages.

- Managing the keys is burdensome.
- Keys are no more secure than the desktops through which they are administered.
- Because users can store e-mail encrypted with their personal key, management can lose control over these records, finding it extremely difficult if not impossible to decrypt messages deleted by employees or to access e-mail of separated employees.
- It is nearly impossible to conduct virus or content filtering on encrypted messages.

The Wisconsin Department of Health and Family Services (DHFS) is currently piloting S/MIME desktop encryption with a few Medicaid HMOs. It is using GroupWise version 6 desktop clients to encrypt and decrypt e-mail. A few additional HMOs that wanted to pilot could not because their e-mail system versions were too old or did not support S/MIME at all. Due to the small number of users in each organization and the small number of organizations that are involved, the key management burden on users has been acceptable. Once keys are exchanged, sending and receiving secure e-mail is little different from sending and receiving unencrypted e-mail.

Other communities, including the Commonwealth of Massachusetts and the New Zealand government, have attempted pilots of desktop S/MIME and have abandoned intentions to use the technology for broad-based deployment.

Below is a short list of the many commercial products available that implement this approach to secure e-mail:

- DespatchBox
- CipherPackPro
- Encryptek
- MailMarshal Secure
- Omniva
- ShyFile
- ZipLip
- ZixMail

B. Gateway-to-gateway (domain or server level) encryption

[Figure: Gateway-to-Gateway encryption. Sending side: E-mail client, E-mail server, Interior Firewall, Secure Messaging Gateway (encryption/decryption; filtering, anti-virus, archiving, etc. services), Exterior Firewall; Internet; receiving side: Exterior Firewall.]
This approach uses similar technology to desktop encryption but performs the encryption and decryption at a server rather than at a desktop client. Rather than assign each user a digital certificate/key, the keys are assigned at an organizational level. This has several differences from the desktop approach.

- There are radically fewer keys to manage.
- Users are not burdened with key management.
- Messages are encrypted over the Internet between organizations but can be decrypted within the organization.
- E-mail is stored on the servers of sending and receiving organizations and remains under their control. Management retains control over its records.
- Virus checking and content filtering are possible.
- Applications can use gateways to send or receive messages.
- “Trust” is established at the organizational rather than the individual level.

This approach can work seamlessly with legacy e-mail systems—the user sends, receives, and manages e-mail within their e-mail client. Administration is simpler, user burden is reduced, and organizational control over e-mail is retained.

A major potential drawback is that identification occurs at the organization level rather than specific to individuals. For most business purposes, however, establishing “trust” at the organizational level should be sufficient. With this approach, business partners trust each other to manage their internal affairs such that specific users within each organization are reliably identified by means other than unique digital certificates (e.g., e-mail addresses).

New Zealand’s SEE Mail initiative is a gateway encryption environment deployed in over 40 agencies, and Massachusetts has completed a pilot program that demonstrated the potential of this approach.

A number of commercial products employ encryption of e-mail at the server level, with some being deployed on an internal server, others on a third-party gateway.
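As an added example in Go that is neither the whitepaper's nor any vendor's code, here is the outbound decision such a gateway makes, covering the Enforcement requirement above (encryption chosen by business rule, not by the user) and the filtering point in this section: plaintext is scanned before any encryption, then the recipient's domain selects plain internal delivery, S/MIME encryption to a partner whose organization certificate is on file, or rejection with a reason. The domains, the partner list and the sample messages are constructed; the EICAR anti-virus test string stands in for a real signature set.

```go
// Added example, not the whitepaper's or any vendor's code: the outbound
// decision of a gateway in the gateway-to-gateway model. Plaintext is scanned
// at the gateway before any encryption, then the recipient's domain selects
// plain internal delivery, S/MIME encryption to a partner whose organization
// certificate is on file, or rejection with a reason. The domains, the
// partner list and the sample messages are constructed for illustration.
package main

import (
	"errors"
	"fmt"
	"strings"
)

type Action int

const (
	DeliverPlain     Action = iota // stays inside the organization's network
	EncryptToPartner               // partner's organization certificate on file
	Reject                         // failed content check or no secure route
)

var actionNames = [...]string{"deliver-plain", "encrypt-to-partner", "reject"}

func (a Action) String() string { return actionNames[a] }

type Message struct {
	From, To, Body string
}

type Gateway struct {
	LocalDomain string
	Partners    map[string]bool // recipient domain -> certificate exchanged
	Signatures  []string        // content/virus signatures checked on plaintext
}

// domainOf returns the lower-cased domain part of an address.
func domainOf(addr string) (string, error) {
	at := strings.LastIndex(addr, "@")
	if at < 1 || at == len(addr)-1 {
		return "", errors.New("malformed address: " + addr)
	}
	return strings.ToLower(addr[at+1:]), nil
}

// Scan is the content check. The gateway holds plaintext, so it can run here;
// with desktop-to-desktop encryption there is no such point in the path.
func (g *Gateway) Scan(body string) error {
	for _, sig := range g.Signatures {
		if strings.Contains(body, sig) {
			return errors.New("content check failed: signature match")
		}
	}
	return nil
}

// Decide enforces the rule "external e-mail is encrypted or it is not sent",
// so the user at the desktop never has to pick a secure option.
func (g *Gateway) Decide(m Message) (Action, string) {
	if err := g.Scan(m.Body); err != nil {
		return Reject, err.Error()
	}
	dom, err := domainOf(m.To)
	if err != nil {
		return Reject, err.Error()
	}
	switch {
	case dom == g.LocalDomain:
		return DeliverPlain, "internal recipient"
	case g.Partners[dom]:
		return EncryptToPartner, "S/MIME with organization certificate of " + dom
	default:
		return Reject, "no organization certificate for " + dom + "; not sent"
	}
}

// EICAR is the industry-standard harmless anti-virus test string; it gives
// the scan something real to match. Placeholder domains are used throughout.
const EICAR = `X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*`

func NewSampleGateway() *Gateway {
	return &Gateway{
		LocalDomain: "clinic.example",
		Partners:    map[string]bool{"hmo.example": true},
		Signatures:  []string{EICAR},
	}
}

func main() {
	g := NewSampleGateway()
	for _, m := range []Message{
		{"nurse@clinic.example", "billing@clinic.example", "internal note"},
		{"nurse@clinic.example", "claims@HMO.example", "claim attached"},
		{"nurse@clinic.example", "friend@webmail.example", "hello"},
		{"nurse@clinic.example", "claims@hmo.example", "see " + EICAR},
	} {
		a, why := g.Decide(m)
		fmt.Printf("%-24s -> %-18s %s\n", m.To, a, why)
	}
}
```

The ordering is the point: the content check runs on plaintext at the gateway, which approach A cannot offer, and the default branch applies the business rule rather than leaving the choice to the sender. A real gateway would also log each rejection so the sender learns why the message was not delivered.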
A few of these are listed below.

- MailX3
- A-Lock
- HushMail
- IronMail
- Tovaris SecureMail Gateway
- ZipLip

C. Secure Web Mail

[Figure: Secure Web Mail, two panels. Sending: 1 send E-mail as usual; 2 set clue and password; 3 send E-mail with URL (E-mail client, E-mail server, Interior Firewall, Exterior Firewall, Internet, Web Mail Server). Receiving: 4 sender provides clue and passphrase; 5 user accesses secure web site over SSL (Web Mail Server, Exterior Firewall, Internet, Interior Firewall, E-mail server, E-mail client).]

In this approach, the sender posts a sensitive message to a secure Web site using an encrypted transmission.2 An unencrypted e-mail that points to an obscure URL is then sent to the recipient. The recipient accesses the sensitive message at the URL using a secured session. The recipient uses an ID and password to access the secure session. The password is provided through a separate contact such as a telephone call or through self-registration by the recipient.

This approach has the following advantages and disadvantages:

- The recipient only needs a Web browser and Internet access.
- Users and organizations do not need to manage keys (beyond those used for session security).
- Messages cannot be sent, read, or managed through existing E-mail systems.
- The message resides on the provider’s server and can be removed at any time by the sender. In many systems it cannot be downloaded, stored, or managed by the recipient except by cutting and pasting the text or saving the HTML page.
- Users must manage IDs and passwords for each partner with whom they conduct e-mail this way.
- Strong user identification, non-repudiation and proof of receipt may be less rigorously supported.
- Virus scanning and content security checks cannot be performed, due to the use of SSL sessions for viewing and downloading.
This approach has the noted disadvantages compared to approaches that preserve integration with existing e-mail systems. On the other hand, its main advantage is that such systems are not needed. This approach is the best alternative for business-to-client (B2C) secure Internet e-mail. Some of its disadvantages are lessened where many of the recipients (such as patients) will conduct secure Internet e-mail with only a few partners (such as doctors). It also works reasonably where one party (e.g., a doctor) conducts secure Internet e-mail with many others (e.g., patients). Where this works less well is where many parties conduct secure Internet e-mail with many other parties.

One such solution that utilizes a secure Web site for the retrieval of e-mail is EnsuredMail.

2 Session encryption uses either Secure Sockets Layer (SSL) or Transport Layer Security (TLS), both of which use a server level digital certificate.

D. HTML Attachment Approach

In this approach, the message and any attachments to be secured are encrypted and placed in an HTML attachment to an unsecured e-mail. Java code in the attachment requires authentication of the recipient before it allows the attachment to be opened, decrypted, and the secured information read. The unsecured message is received by the recipient through his or her usual e-mail system and can be stored and later managed by the recipient in his or her Inbox. To access the secure information, the recipient opens the attachment, which launches his or her browser and activates the Java code.

This approach has several significant advantages and a couple of serious disadvantages.

- The recipient needs no additional software beyond a browser.
- The recipient uses his or her existing e-mail system to receive, open, and manage received messages.
- The recipient does not need a commercial e-mail system but can use Web services such as Hotmail (so this solution also works relatively well for B2C).
- Proof of receipt can be supported in certain vendor products.
- Through the Java code, senders can control the message after delivery, restricting access to the sender only or removing access after a predetermined period of time.
- Because of the above sender controls, the recipient and his or her organization can lose control over the received message.
- This is primarily a one-way mechanism, and each partner must establish its own method of sending secure e-mail.
- This approach is particularly proprietary, with different vendors using different encryption formats and algorithms.
- Virus checking and content security checks cannot be performed on these encrypted attachments.

[Figure: HTML Attachment. 1 send E-mail as usual; 2 sender provides identifying info; 3 appliance encrypts in HTML attachment and sends as normal E-mail; 4 Java authenticates, decrypts (E-mail client, E-mail server, Appliance, Exterior Firewall, Internet).]

What is the Secure Messaging Gateways (SMG) Initiative?

The most pressing need, at least for health care organizations, is for a current capacity for secure Internet E-mail between organizations (B2B). If possible, the current solution should be consistent with the longer-term answer and provide a ready migration course to it. The long term secure E-mail answer appears to be based on digital certificates and the S/MIME standard, and will eventually offer individual authentication whether it is desktop based or not. For now, the best approach for inter-organization secure Internet E-mail seems to be the gateway-to-gateway option. The Gartner Group recognizes that “the market is moving toward a preference for server-side approaches”3. Giga “recommends S/MIME solutions with an option of Web-based or HTML-attachment delivery”.4 (Both advisory firms believe desktop S/MIME will be the long term standard).
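An added example in Go, not code from the whitepaper, the MHDC or any SMG profile, of what organization-level trust in the gateway-to-gateway option looks like in X.509 terms: each organization runs (or obtains) a CA that issues one certificate to its mail gateway, partners exchange CA certificates out of band, and a receiving gateway chains the presented certificate to the partner's CA while checking the host name and the validity period that the earlier section on expiring certificates warns about. The organization and host names are placeholders; the key type and validity periods are assumptions.

```go
// Added example, not code from the whitepaper, MHDC or SMG: organization-level
// certificates with Go's crypto/x509. Each organization has a CA that issues
// one certificate to its mail gateway; a partner gateway trusts that
// organization's CA, not individual users, and the certificate's validity
// period is enforced. Organization and host names are placeholders.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// OrgPKI holds what one organization ends up with: its CA certificate (shared
// with partners out of band) and the certificate its gateway presents.
type OrgPKI struct {
	CA      *x509.Certificate
	Gateway *x509.Certificate
}

func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IssueOrgPKI creates the organization CA (self-signed) and a gateway
// certificate for gatewayHost valid for the given period from notBefore.
func IssueOrgPKI(orgName, gatewayHost string, notBefore time.Time, valid time.Duration) (*OrgPKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{orgName}, CommonName: orgName + " Mail CA"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(10 * valid), // CA outlives the gateway cert
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca, err := newCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	gwKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	gwTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{Organization: []string{orgName}, CommonName: gatewayHost},
		DNSNames:     []string{gatewayHost}, // the gateway, not a person, is named
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(valid),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	gw, err := newCert(gwTmpl, ca, &gwKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &OrgPKI{CA: ca, Gateway: gw}, nil
}

// TrustGateway is the receiving side's check: chain the presented certificate
// to the partner organization's CA, for the expected host, at time `at`.
// Expired certificates and certificates from an unknown CA both fail here.
func TrustGateway(presented, partnerCA *x509.Certificate, host string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(partnerCA)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     host,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	})
	return err
}

func main() {
	start := time.Now()
	year := 365 * 24 * time.Hour
	clinic, err := IssueOrgPKI("Example Clinic", "mail.clinic.example", start, year)
	if err != nil {
		panic(err)
	}
	hmo, _ := IssueOrgPKI("Example HMO", "mail.hmo.example", start, year)
	fmt.Println("valid:   ", TrustGateway(clinic.Gateway, clinic.CA, "mail.clinic.example", start.Add(time.Hour)))
	fmt.Println("expired: ", TrustGateway(clinic.Gateway, clinic.CA, "mail.clinic.example", start.Add(400*24*time.Hour)))
	fmt.Println("wrong CA:", TrustGateway(clinic.Gateway, hmo.CA, "mail.clinic.example", start.Add(time.Hour)))
}
```

Two certificates per organization is the whole key-management load in this model, against one per user in approach A. What the example leaves out, and what the SMG profile described next adds conventions for, is how partner organizations exchange and renew those CA (domain) certificates; revocation checking would also sit in TrustGateway.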
A specific type of gateway-to-gateway secure Internet E-mail holds special promise: Secure Messaging Gateways (SMG). SMG is an emerging protocol for server-to-server encryption using S/MIME. S/MIME provides the protocol and format for such encryption, but SMG provides additional conventions for organization-level certificates instead of individual certificates. At the March 2001 HealthKey Summit in Chicago, five vendors demonstrated the interoperability of their Secure Messaging Gateways. The Massachusetts Health Data Consortium (MHDC) is currently finalizing the SMG protocol and is piloting its production use in Massachusetts, where interoperability remains somewhat of an issue.

The Open Group (www.opengroup.org) is a voluntary organization that promotes open standards and operates a product certification service for protocols such as UNIX, WAP, and LDAP. The MHDC is currently collaborating with the Open Group to establish a product certification program for the SMG protocol. Their targets are to finish the SMG protocol5 and begin certifying products in the spring of 2004. The Commonwealth of Massachusetts and members of the MHDC are ready to purchase these products once they are identified. Several major vendors are currently involved in this effort.6

3 “Management Update: Tips on How to Implement Secure Messaging”; October 8, 2003.
4 “Secure E-Mail Creates New Model and Minimum Requirement for EBPP”; July 3, 2002.
5 The protocol will consist of a Gateway Message Profile of the S/MIME Version 3.1 Message Specification, containing a standard message format, message processing conventions, and a simple mechanism for Domain Certificate exchange.
6 Brute Squad Labs, BT Global Services, Syntegra, MailQube, Mitre Corp, Nexor, Novell, PostX, Sigaba, Tovaris, and Tumbleweed.

How can we achieve secure Internet E-mail in Wisconsin?
As noted earlier, secure Internet e-mail is not a challenge individual organizations can solve themselves. Instead, cooperation between business partners is necessary. Collaboration is needed between and among using organizations and vendors. Such collaboration can lead to consumer choice between competing vendor products, with interoperability assured by certification based on standards.

The initial interest of this whitepaper was to take the first educational step toward the interchange of secure e-mail (often containing protected health information) between major health care business partners in Wisconsin:

- county and municipal agencies
- public and private health care providers
- HMOs
- other public and private payers, including Medicaid and Medicare

A limited but growing need to securely transmit e-mail to participants in programs and members of the general public is currently a lesser concern than secure business-to-business e-mail.

The second purpose of this whitepaper is to facilitate a consensus approach to secure e-mail between a majority of health care business partners in Wisconsin.

A Wisconsin Forum for Collaboration

The Workgroup for Electronic Data Interchange (WEDI) was a principal behind the creation of HIPAA. WEDI encourages regional collaboration among entities covered by HIPAA through the Strategic National Implementation Program (SNIP). The nonprofit HIPAA Collaborative of Wisconsin (COW) is a WEDI SNIP affiliate serving private and public parties impacted by HIPAA. HIPAA COW is an ideal forum to establish a consistent approach to secure Internet e-mail in Wisconsin, based on the health care core that must address secure Internet e-mail for HIPAA compliance. An endorsement of the SMG approach by HIPAA COW and voluntary commitment by its participating organizations to acquiring products from SMG certified vendors can provide the necessary foundation for an interoperable solution in Wisconsin.
Once organizations acquire certified products, their interoperation could be monitored by HIPAA COW and success heralded through it.

A Core of Government Procurement

Wisconsin state government agencies are currently consolidating IT resources. The Department of Administration has issued a bid for consolidated E-mail services for 40,000 users and 50 agencies. A mandatory requirement is that the solution must support server to server message encryption using the S/MIME Gateway Profile defined by The Open Group.

Not only will this consolidation establish a large Wisconsin user base for SMG, but, as is common with state contracts, the winning vendor has the option of extending the contract terms to municipalities and other public bodies having authority to award public contracts. The state contract will be a boost to at least one vendor that has obtained SMG certification and will support the national effort by adding another participating state.

Disclaimer

This “Email Security Whitepaper” is Copyright 2002 by the HIPAA Collaborative of Wisconsin (“HIPAA COW”). It may be freely redistributed in its entirety provided that this copyright notice is not removed. It may not be sold for profit or used in commercial documents without the written permission of the copyright holder. This “Email Security Whitepaper” is provided “as is” without any express or implied warranty. This “Email Security Whitepaper” is for educational purposes only and does not constitute legal advice. If you require legal advice, you should consult with an attorney. HIPAA COW has not yet addressed all state pre-emption issues related to Email Security. Therefore, this form may need to be modified in order to comply with Wisconsin law.
Authors

Primary: Ted Ohlswager, Department of Health and Family Services

Contributing:
- Michael Pynch, Wipfli
- Larry Boettger, Inacom Information Systems
- Richard Bucheger, Department of Health and Family Services
- Ralph Chapman, AEBS
- Bob Diehl, Department of Health and Family Services
- Hema Vadodaria, MPC Solutions

Appendix A: E-mail Security Product Pricing

End-to-end encryption

Adhaero
http://www.adhaero.com/E-mail_Protection.htm
http://www.adhaero.com/WhitePapers/AdhaeroDocTechnicalOverview.pdf

Features
- Encryption software built into the Microsoft Office environment as a plug-in.
- Contents of e-mail encrypted prior to being sent across the Internet.
- E-mail cannot be copied (copy and paste or screen capture) or printed, and can be set to be destroyed on a specific date.
- Message can be prevented from being read before the selected date.
- Message can be prevented from being forwarded to a third party.
- Encryption: 448-bit BLOWFISH algorithm
- Secure key generation and management

List Price
The product costs $350 per user/computer. Volume discounts exist for 25 or more users.

Gateway-to-gateway encryption

A-Lock
http://www.pc-encrypt.com/_site/alock/features.mhtml

Features
- Encryption using the widely recognized BLOWFISH algorithm. The unregistered version of A-LOCK is limited to 56-bit encryption. The USA and Canada registered version allows passwords up to 448 bits (56 characters).
- Works with all e-mail programs.

List Price

Quantity               Price
1                      $29.00
2 - 10                 $26.10
11 – 25                $23.20
26 – 50                $20.30
51 – 100               $18.85
100+                   $17.40
Very large quantity    Custom quote

License is a one-time charge. Web site handles all automatically:
1. Purchaser can pay by credit card and Web site sends out a URL for the quantity of registrations purchased.
2. User visits the URL and enters the “client code” along with the Product Code and the e-mail address.
3.
Web site sends a registration code until it reaches the quantity purchased.

Alternate method of payment via Purchase Order or by check. Similar URL is established. For very large quantities, can package specifically with a set registration code.

End-to-end encryption

Authenex
http://www.authenex.com/products.cfm?menu3variable=products
http://www.authenex.com/products_asafe.cfm?menu3variable=asafe

Features
- E-mail attachments are encrypted and can only be opened by the intended recipient.
- Security is managed via two-factor authentication, a password, and a USB token (Authenex A-Key).
- 128-bit Advanced Encryption Standard (AES)
- User must know the ESN number of the sender’s token in order to decrypt an e-mail’s attachment.
- Difficult to use with third parties who do not own an Authenex A-Key.
- Contents of e-mail are not encrypted.

List Price
Contact Vendor for pricing.

End-to-end encryption

CipherPack
http://www.cipherpack.com/overview.htm

Features
CipherPack creates a single Windows executable (.EXE) file which contains the decryption and decompression code as well as the encrypted file itself. The user just runs it, and when the correct key is supplied, the file decrypts. Without the correct key, the original file contents can never be seen. CipherPack Pro contains all the features and advantages of CipherPack but with even greater encryption strength by implementing the industry recognized and approved SHA-1 secure hashing algorithm and the Federal Information Processing Standard (FIPS) Advanced Encryption Standard FIPS-197 (AES). CipherPack Pro also includes a secure file wipe option.
List Price CipherPack without media is $39.99 CipherPack with media is $49.99 + $5 Worldwide Airmail CipherPack Pro without media is $69.99 CipherPack Pro with media is $79.99 + $5 Worldwide Airmail Please contact CipherPack for corporate pricing details (Orders of over 10 units) © Copyright 2002-4 HIPAA COW DRAFT Page 19 of 35 End-to-end encryption DespatchBox http://www.youritsecure.com/index.pl?s=product&item=160 http://www.youritsecure.com/referrer.pl/ps/160 Features Protects e-mails and attachments through the application of encryption and digital signatures, providing confidentiality, guaranteed message integrity, authenticity, and nonrepudiation. Ensure client confidentiality is met Protect sensitive or confidential mail A secure channel between sender and recipient Guarantee e-mail authenticity Seamless integration with popular e-mail clients Encryption and digital signature technology without the administration headache Tracking and audit reports to guarantee delivery Move large files with ease DespatchBox combines PKI technology (Baltimore Technologies as standard) with a hybrid end-to-end encryption capability. All of the cryptography that secures the file/message occurs on the client machine through the use of a client plug-in. (MS Outlook, Lotus Notes, or Web based). This plug-in is a digitally signed, scriptable COM object that uses 1024 bit keys or larger and Triple DES encryption to create a wrapper around each file/message. Each file/message is signed and encrypted using a public/private key system so that the data is completely confidential. Only the recipient can decrypt the message at their client machine. List Price Contact Vendor for pricing. © Copyright 2002-4 HIPAA COW DRAFT Page 20 of 35 End-to-end encryption Encryptek http://www.mailx3.com/ Features E-mail enhancement service for Windows 95/98/NT/2000 that provides a secure method for e-mail communication. Strong security and encryption options. 1024 bit encryption. 
(Was unable to find description of exact encryption used.) Destroy your e-mail after a set date, after a number of days after the message was first read, or after a specific number of times the message was read. The ability to password-protect an encrypted e-mail message. Works with the computer's existing e-mail program. Other e-mail programs besides your primary e-mail program can also be specified to work with MailX3. Optional message tracking. List Price Contact Vendor for pricing. © Copyright 2002-4 HIPAA COW DRAFT Page 21 of 35 Secure WebMail EnsuredMail by Critical Mass Mail, Inc. http://www.ensuredmail.com/index.html Features E-mail Encryption Gateway: Enables secure messages, attachments, and replies. EnsuredMail software products provide peace of mind for clients ranging from small businesses to Fortune 500 companies to the United States Air Force and the ATF. The company has corporate customers in the US and the UK and end-users in over 70 countries. Currently Ensuredmail’s patent-pending software is one of only a handful of security products to be awarded the US Government’s most stringent security certification (FIPS 140-1). EnsuredMail provides federally certified security and reliable read-receipts, covering two of the most critical needs for HIPAA compliance: Encrypt confidential patient information easily and effectively, in accordance with new laws Track e-mails sent and the identities of parties accessing them Comply with new regulations to avoid large fines and punitive measures Sign e-mail messages with industry standard X.509 digital signatures List Price Licensing for the product is generally based upon the number of people initiating encrypted e-mail. It is sold as a one-time purchase with software maintenance being the only ongoing expense. Many of our customers license software for only a portion of their employees. 
For example, it is fairly common for us to see a company of a few thousand people only need a few hundred licenses for our Gateway. Despite the fact that external recipients can securely reply with or without attachments, they have no impact on the licensing cost. Our typical minimum licensing cost is $10,000 for a 100-user perpetual license, but we will sometimes sell a 50-user license for $5,000. Maintenance is an additional 15%. Installation services can be done by the end-customer, but are generally done by EnsuredMail or one of our resellers. A typical installation requires 2-3 man days of professional services, including the time for advance preparation and administrator education. The installation itself is generally done in one day. The per-user licensing cost drops substantially after the first 100 users. For installations over a few thousand © Copyright 2002-4 HIPAA COW DRAFT Page 22 of 35 seats, we switch over to a site license. © Copyright 2002-4 HIPAA COW DRAFT Page 23 of 35 Secure Web Mail MOVEit DMZ by Standard Networks, Inc. http://www.stdnet.com/moveit/ Features MOVEit DMZ is a web based, secure messaging and file transfer system. It resides on a secure server in your "de-militarized zone" attached to your firewall. This enables it to be accessed through the firewall from both inside and outside of your network. MOVEit DMZ improves productivity and collaboration between employees, partners and patients by enabling easy and secure messages or file transfers. It is easy to implement as there is no buying user licenses, installing client software, managing encryption keys, burdening e-mail systems with files, or allowing e-mail attachments through firewalls. MOVEit DMZ includes important capabilities that low-cost secure ftp servers lack, and for far less money than high-end e-mail encryption solutions charge. Secure Messaging enables authorized users to exchange messages, with or without attachments, using their existing Web browsers. 
E-mail notifications can automatically alert users that specific files and messages have arrived or been viewed/deleted/downloaded. MOVEit DMZ allows users to securely transfer files up to 4 gigabytes in size. Most organizations have restrictions on the size of e-mail file attachments they allow. Supports web browsers like Firefox, Internet Explorer, Mozilla, Netscape, Opera, and Safari via HTTPS (HTTPS Secure). Use of Java, ActiveX, plugins, or thirdparty encryption apps such as PGP are not required. An optional, free, MOVEit Wizard can be used to provide advanced file transfer capabilities, including integrity checking for file non-repudiation. Secure Storage. Files are encrypted while at rest using built-in US government FIPS certified 256-bit AES encryption. Secure ftp servers typically store files 'in the clear' meaning anyone hacking the server can read the file. MOVEit DMZ automatically re-encrypts all the files and messages it receives, before writing them to disk, eliminating the need to use PGP. Failover and Scalability to provide the same high availability in multi-server loadbalanced environments that MOVEit DMZ has earned a reputation for on single servers. © Copyright 2002-4 HIPAA COW DRAFT Page 24 of 35 Automatic File Compression reduces file transfer times by 50% on average when using MOVEit clients. Automatic Resume supports MOVEit and third-party file transfer clients that are able to automatically resume interrupted transfers (aka Checkpoint Restart). NAT-friendly Encrypted FTPS to and from networks using Network Address Translation. Firewall-friendly passive FTPS using as few as 4 open firewall ports, not the typical 64,000 ports. Supports secure web form data collection and management, including data conversion to CSV and XML file formats. Has comprehensive audit trails in a built-in ODBC accessible database contains each user, file, message, web form posting, and administrative action. 
Has built in reporting capabilities (audit data can be easily exported for use by third party report and tracking applications). Authorization: MOVEit DMZ enables administrators to set specific authorizations on a per user basis that govern which folders on MOVEit DMZ an end-user can access, and what actions they can and cannot take in regard to the files in each folder. Authentication: MOVEit DMZ requires a valid user name and password in order to log in. The user name and password are tied to the authorizations listed above. MOVEit DMZ offers a variety of password management options to the administrator, including aging, length, characters, and an old password history file. These can be used to force users to adopt robust passwords. Supports external authentication options with LDAP, Secure LDAP, RADIUS Server, and ODBC databases. Session Aging: MOVEit DMZ can be set to automatically logout users whose sessions have not been active for a configurable period of time. This means users need to re-authenticate/login again. Caching: MOVEit DMZ restricts the browser from caching MOVEit DMZ pages. List Price © Copyright 2002-4 HIPAA COW DRAFT Page 25 of 35 MOVEit DMZ with Secure Messaging licensing is $12,000-$15,000 depending on the customer’s requirements. This price includes maintenance and support and unlimited users, messages, file transfers, and storage. MOVEit DMZ runs on a dedicated Windows 2003 Server or Windows 2000 Server. © Copyright 2002-4 HIPAA COW DRAFT Page 26 of 35 Gateway-to-gateway encryption HushMail https://www.hushmail.com/about.php?PHPSESSID=3f481d4d0bf7edd93687fcaa505a24c 6&subloc=how http://corp.hush.com/info_center/document_library/hush_patent_wp.pdf Features HushMail uses industry standard algorithms as specified by the OpenPGP standard (RFC 2240). The Hush Encryption Engine™, gives the company exclusive ownership of a revolutionary process that combines PKI with secure roaming capability. 
In addition, the Hush Encryption Engine™ automates the exchange of public and private keys, thus eliminating the complexities associated with traditional PKI transactions. Hush Key Server Network is a global distribution of networked servers and is the repository for the management of Hush Key records. A Hush Key record includes a Hush Key pair, which is the digital identity of the user, required for encryption, decryption, digital signing and verification along with the user sign-up information. Hush Communications will command a fee for the management of these records. Different e-mail services: HushMail, HushMail Private Label, and HushMail Professional List Price Account Type Setup* Cost** Premium $9.99 $3.99 32MB Storage © Copyright 2002-4 HIPAA COW DRAFT Page 27 of 35 Standard $9.99 $1.99 5MB Storage Additional Features Customization $240 $0 customize the mail client with your logo, colors Administration $240 $0 retrieve usage statistics, administer e-mail accounts within your domain * one-time fee ** monthly fee per account © Copyright 2002-4 HIPAA COW DRAFT Page 28 of 35 Gateway-to-gateway encryption IronMail by CipherTrust http://www.ciphertrust.com/ironmail/policy_enforcement.htm Features E-mail gateway appliance Anti-Spam – Control volume of unwanted, offensive, and constantly evolving spam Anti-Virus – block known and unknown viruses and worms before they get to the mail server Web-enabled e-mail protection prevents intercept, redirect, or modification of Web-based e-mail Secure Delivery - Create a trusted e-mail network beyond the firewall with serverto-server and server-to-client encryption Secure Platform - Detect and block suspicious, mischievous, or unauthorized activities within the mail system and secure the entire e-mail infrastructure Policy enforcement – possible to define, monitor and enforce, e-mail policies List Price $15,500 direct; software, support, and licensing for first year, 500 users, $9,575 © Copyright 2002-4 HIPAA COW DRAFT Page 
29 of 35 End-to-end encryption MailMarshal Secure http://www.messagingsolutions.com/MarshalSoftware/Marshal_Brochure_2001.pdf http://www.messagingsolutions.com/MailMarshal_Secure.htm Features Uses industry standard S/MIME protocols, making it compatible with encryption capable desktop applications including Microsoft Outlook and other S/MIME compatible gateways Offers a variety of encryption options up to and including the industry recommended 168-bit triple DES Also supports RC2 (40 or 128 bit) and DES (56 bit) encryption Provides signing authentication, confirming the sender’s identity Allows separate encryption of messages for Escrow archiving (proof of sending) Supports SHA1 and MD5 signing algorithms Detects whether the content of a signed or encrypted e-mail has been altered Can retrieve certificates from a remote store through LDAP List Price Contact Vendor for pricing. © Copyright 2002-4 HIPAA COW DRAFT Page 30 of 35 End-to-end encryption Omniva http://www.disappearing.com/ http://www.disappearing.com/products/policy_manager/policy_manager_ds.pdf Features Exchange secure e-mail and control access and retention with suppliers, customers, and partners – independent of their e-mail systems. Control access to company confidential e-mail and prevent forwarding of sensitive e-mail. Enforce e-mail retention policies and enable compliance with complex retention policies. Encryption during delivery and authentication after delivery secures the message over its lifecycle. Preventing forwarding, copying, printing, and/or expiring, the message ensures post-delivery confidentiality. Preventing deletion even by the sender for pre-set periods helps meet internal or mandated retention policies. Policy enforcement is extended to include offline and wireless handheld access. List Price Contact Vendor for pricing. © Copyright 2002-4 HIPAA COW DRAFT Page 31 of 35 End-to-end encryption ShyFile (developed and solely owned by Dr. 
Bootz GmbH, Germany) http://www.cipher-encryption.com/encryption-software.html Features 6144bit Text and E-mail Encryption Software Make up a 32-character symmetric key Enter the text you wish to encode Attach secure ShyFile to your e-mail Recipient simply uses a browser to decode That's it. No fuss. No Trusted Third Party. No Public Key. Keep your current e-mail settings. Any recipient of a harmless HTML file encoded by ShyFile containing your text does NOT need to have the software installed to be able to decode. List Price $59 Per User © Copyright 2002-4 HIPAA COW DRAFT Page 32 of 35 Gateway-to-gateway encryption Tovaris SecureMail Gateway http://www.tovaris.com/products/ Features A network appliance e-mail proxy positioned at the e-mail server level, it performs encryption and decryption of e-mail and attachments for users. List Price Tovaris' solution suite integrates into existing IT infrastructures. Therefore, capital commitments are low, implementation costs are small, and end users require very little, if any, training. "Entry-Tier" One (1) SMG-1000X appliance* Up to 250 user seats Remote installation/training services (6 hours) List Price: $9,995 (* w/ redundant server: $14,995) "Mid-Tier" Two (2) SMG-1000X appliances Up to 1,000 user seats Remote installation/training services (6 hours) List Price: $27,995 "Top-Tier" Two (2) SMG-2000X appliances Up to 2,500 user seats On-site installation/training services (1 day) List Price: $49,995 + T/E © Copyright 2002-4 HIPAA COW DRAFT Page 33 of 35 End-to-end AND Gateway-to-gateway encryption ZipLip https://www.ziplip.com/ps/app/services/home.jsp Features ZipLip provides the most comprehensive suite of secure delivery methods in the market, providing solutions for all of the following types of users with a full range of options for senders and recipients of enterprise e-mail. ZipLip supports both desktop or gateway software for senders of secure e-mail. 
By providing both PKI and Non-PKI mechanisms for secure delivery, the ZipLip Secure E-mail Gateway provides as much security as is necessary for organizations with or without PKI in place. Moreover, based on industrial security standards, J2EE and Web services (SAML, S/MIME v.3, x.509.v.3 certificates, XKMS, PKCS #7, PKCS #12, LDAP, etc.), ZipLip interoperates and leverages any existing PKI deployment or certificate authority. Secure Storage The security architecture of ZipLip is built on top of the Java Security and the Java Cryptography Engines (JCE). The two main modules within this framework are the Symmetric Security framework and Encryption Service Provider (ESP) framework. Policy-Based Storage Each application can provide policy-based storage by having a storage router that routes user data to appropriate storage unit based on parameters such as account type, type of application data (secure mail, insecure mail, etc.), and user domain. The storage unit enforces the policy on the data and stores it appropriately. List Price +1000 Users = $50,000 Yearly >500 Users = $32,000 Yearly >50 Users = $10,000 Yearly © Copyright 2002-4 HIPAA COW DRAFT Page 34 of 35 End-to-end encryption ZixMail http://www.zixcorp.com/solutions/ Features Offers a portfolio of secure e-messaging encryption and protection services Compliant to existing systems: available as a stand-alone application or integrates with existing Internet or Intranet confidentiality as a point-to-point desktop encryption service that ensures that a message arrives unaltered and unable to be opened by anyone but the intended recipient. Authentication and non-repudiation with third party time stamping. Currently used by a number of health organizations, including Humana. (Was unable to find description of exact encryption used.) Also ZixWorks : address all your e-messaging needs, from secure e-mail to integrated anti-virus, antispam, content scanning, and archiving. 
List Price $50 Per User or Custom Price for Gateway = Averages $30 Per User © Copyright 2002-4 HIPAA COW DRAFT Page 35 of 35