Wednesday, June 29, 2011

Email vs Postal Mail Security

"If I can send this document by postal mail, why can't I email it?"

Saying that email is like a postcard, that anyone can read and even write on, is usually not enough to highlight the differences. After all, there are so many emails out there, people think, that email is "protected by numbers." And anyone can also open my envelope and read my postal mail.

What's the difference?

To further clarify the difference, it is useful to consider the different roles of an email service provider versus a postal mail or courier service in terms of security of medical records. A health care organization (HCO) must comply with HIPAA (medical records privacy rules) to assure the privacy of a patient's Protected Health Information (PHI). To send PHI, the HCO has a legal obligation to sign a Business Associate Agreement (BAA) with any service provider that may become aware of the PHI, assuring that the PHI will be protected as determined by HIPAA.

The US Post Office and courier services do not need to have a BAA to transfer mail. It is legally understood in HIPAA terms that the usual "sealed envelope" is enough to protect the PHI and deny potential access to it by the service provider -- even though access is clearly possible by the service provider personnel, and would require just opening the envelope.

However, "opening the envelope" would have to be done by someone who first gets through the physical access controls of the mail provider; it is a physical act that can be done only one envelope at a time, takes time and space, and can be observed and reported by a co-worker or someone else (including video surveillance). Typically, several people need to be involved and would need to collude in an entire mesh of secret events. Further, "opening the envelope" is still likely to leave traces that the recipient can see.

This is not the case with electronic records, such as electronic PHI (ePHI). A factor that weighs against ePHI is that, although paper and electronic records are both vulnerable to subversion, it is a lot easier and faster to read what is in an electronic record somewhere, or to search it for specific information, than it is to read or search what is on paper in a closed envelope.

HIPAA enforcement and patients are also well aware that electronically one can read, search, and even modify a million records with as little as a few keystrokes, for example from a cybercafe in Moldavia or somewhere in China.

These are critical vulnerabilities that need to be addressed when using ePHI - for example, that mass disclosure and potential subversion can be so readily accomplished from the safety of a remote laptop or phone, and that such an attack could be unavoidable or even undetectable.

To answer these concerns, the email provider must demonstrate a number of barriers, including defense in depth. This should be based not only on cryptographic assurances, but also on how those assurances are distributed, and on how ePHI entering the email provider is bound to communication channels in such a manner that the ePHI is rendered demonstrably inaccessible to an attacker, both through physical access controls and through cryptographic protocols.

Moreover, the email provider should include a step-by-step description of the process, available for auditing, so that when someone asks, "What if the intruder succeeds in breaking into the system to change X?" this can be clearly answered, for example, by (i) changing X would cause a subsequent binding failure, thus it would be detectable except with parallel access to Y and Z, which are independently inaccessible; or (ii) knowledge of an alternate (and attacker-desirable) value for X is computationally impossible to achieve during the PHI lifetime period, and the effort could not be leveraged to any other X.
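The "binding failure" argument above, as an added example that is not code from the post or from ZSentry: channel fields (sender, recipient, message id) and a digest of the opaque encrypted body are bound under an HMAC whose key only exists when two independently held shares Y and Z are combined, so changing any bound field X is detected, and an insider holding a single share cannot re-seal the altered record (the XOR share split and HMAC-SHA256 are the assumed technique; the field names and sample values are constructed).

```python
import hashlib
import hmac
import json
import secrets


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """Split a MAC key into shares Y and Z held by independent custodians.
    Either share alone is a uniformly random string and reveals nothing."""
    share_y = secrets.token_bytes(len(key))
    share_z = bytes(a ^ b for a, b in zip(key, share_y))
    return share_y, share_z


def combine_key(share_y: bytes, share_z: bytes) -> bytes:
    """Reassemble the key; both shares are required (Y XOR Z)."""
    return bytes(a ^ b for a, b in zip(share_y, share_z))


def canonical(record: dict) -> bytes:
    """Canonical encoding so sealer and verifier MAC the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, share_y: bytes, share_z: bytes) -> dict:
    """Bind the channel fields and the body digest together under one tag."""
    key = combine_key(share_y, share_z)
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed: dict, share_y: bytes, share_z: bytes) -> bool:
    """Any change to a bound field X makes the recomputed tag differ."""
    key = combine_key(share_y, share_z)
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


if __name__ == "__main__":
    # Constructed sample: the encrypted body stays opaque; only its digest is bound.
    body_blob = b"<ciphertext of the ePHI, opaque to the provider>"
    record = {"sender": "clinic@example.org", "recipient": "dr@example.net",
              "message_id": "msg-0001",
              "body_sha256": hashlib.sha256(body_blob).hexdigest()}
    y, z = split_key(secrets.token_bytes(32))
    sealed = seal(record, y, z)
    print("intact:", verify(sealed, y, z))  # True
    redirected = {"record": dict(record, recipient="other@example.com"), "tag": sealed["tag"]}
    print("recipient changed:", verify(redirected, y, z))  # False: binding failure
    # An insider holding only share Y cannot re-seal: the key needs Y and Z together.
    forged = seal(redirected["record"], y, bytes(32))
    print("re-sealed with one share:", verify(forged, y, z))  # False
```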

In short, the email provider should use not just cryptography but also other techniques to make it as impossible as desired to tamper with the PHI. This includes server actions to protect each client and to protect the servers from malicious use of the clients.

In addition to the foregoing barriers, "opening the envelope" by the email service provider staff or by online attackers would require having the keys to do so. However, where and how are the keys securely kept from insiders, and who watches the watchers?

Looking at the NASDAQ, Epsilon, Citibank, and other high-profile "secure service provider" breach cases of 2011 gives a bleak view: not even large organizations could prevent such attacks.

However, these requirements can be easily met by an email service provider using the ZSentry Sans-Target technology, because online servers and personnel simply do not have the keys to do it, there is no copy of the keys anywhere, and the keys are too large for a trial-and-error attack to succeed in practice.

Further, ZSentry treats the email body as a "data blob" and does not scan it. There is also no condition whereby the ZSentry service or personnel could be made aware of the ePHI, providing even stronger protection for an email service provider using ZSentry services for encryption.

Therefore, in addition to assuring that the ePHI is encrypted and de-identified, an email service provider can use the ZSentry technology to technically prevent anyone, including its own personnel and online attackers, from breaking the encryption or the de-identification.

More info in answer to the question "Why is ZSentry secure?" in