Download Shouting from the Rooftops: Improving Email

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
Document related concepts

Lag wikipedia , lookup

Computer security wikipedia , lookup

Remote Desktop Services wikipedia , lookup

Wireless security wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Web of trust wikipedia , lookup

Transcript 
Shouting from the
Rooftops:
Improving Email
Security
Dr. Maury Pinsk FRCPC
University of Alberta
Division of Pediatric Nephrology
Dr. V



Uses email to correspond with patients
 Answers questions
 Gives test results
 Changes medications
All emails are signed with disclaimer for
confidentiality
Patient A asks how secure her medical
information is
How secure is email?

Depends :



Where it is being sent
What you choose to use it for
How it is being sent
Email - the basics

Your email program is a “mail user agent”
 Produces a text file
 Sends the file through the internet using a
set of instructions that allow commuters to
communicate – a “Protocol”
 E.g.: SMTP or simple message transfer
protocol
Email - the basics

SMTP guides the email to final recipients
server



Can route through several servers if
necessary
Once it reaches its final destination
server, it is stored to disk
The recipient accesses the email using a
Post office protocol (POP)
So what are the security
issues



Sending an email is like sending a
postcard
Any server through which it passes is an
opportunity for eyes to read
For the keen individual, it represents an
opportunity to alter the contents of the
email as well.
So what factors alter the security
of the email?
Where is it being sent?

Data that stays on a server is less likely
to fall into the wrong hands


More so for dedicated service providers (e.g.:
intrauniversity, intrahospital)
Less so for data that leaves a server (e.g.:
interhospital or interuniversity)
How is it being sent?


Data that is sent unprocessed is
vulnerable to breach of confidentiality or
integrity
What do I mean by processed?


Encryption
Digital signatures
Encryption

Key
a large number used by
encryption algorithm to
generate cipher code
owner can send you encrypted
email securely, but cannot
decrypt it
owner can decrypt the email.

Public key

Private key

The two keys are related, but through very
complex algorithms that are difficult to crack
Encryption


Keys are stored, encrypted, on your
computer, and used by your email
software
Keys can be distributed by owner on disk,
by email or via access to repository (key
server)
PGP encryption: an extra layer of
security for encryption
PGP – decryption – the same in
reverse
Encryption, but for whom?


Encryption: keeps on-looking eyes away
from sensitive data, but doesn’t verify the
source
Authentication and integrity is verified by
a digital signature
Digital Signature
Digital signatures
But how do you know the key is
from the right person?


Key “forgery” is possible, hence the need
for security certificates
Security certificate = digital signature +
authentication from another user +
public encryption key + user
identification
What is being sent?

The best means of preserving data
integrity and confidentiality is to decide if
it is absolutely necessary to send it the
data by email.
Return to Dr. V


Patients informed:
 Patient information continues to be
transferred over the internet, but patients
sign a consent allowing this to happen
Information kept confidential:
 Public keys are issued to patients via key
server
 Patients encouraged to obtain own personal
key and distribute public key to Dr. V

Integrity of information confirmed:


Security certificates issued with public key
All correspondence with digital signature.
Further resources

Encryption and digital signature freeware

Pretty Good Privacy (PGP)


http://www.pgpi.org
Guidelines for Patient Privacy

HIPAA Privacy regulations

http://www.hhs.gov/ocr/hipaa
Related documents
Chapter 12 - Key Terms
Chapter 12 - Key Terms
All Definitions for
All Definitions for
50 Word Company Description 100 Word
50 Word Company Description 100 Word
a common digital Europe
a common digital Europe
Are you looking for an easier way to initiate and
Are you looking for an easier way to initiate and
Database Security
Database Security
BitLocker Drive Encryption Self
BitLocker Drive Encryption Self
Pr sentation PowerPoint
Pr sentation PowerPoint
Network Security: It`s Time to Take It Seriously
Network Security: It`s Time to Take It Seriously
CryptoOddsAndEnds
CryptoOddsAndEnds
Database Confidentiality
Database Confidentiality
CSCI 3140 Module 3 – Logical Database
CSCI 3140 Module 3 – Logical Database