Those "message centers" aren't just about security, they're also about compliance. For example, insurance companies need to be HIPAA-compliant which requires that they can only send health-related info to other HIPAA-compliant systems, which means signing a BAA (a contract) with those other systems. There's no way to do that with email (your insurance company can't sign a contract with every potential email host in the world, and they don't even know where the email will ultimately end up after they send it) so practically speaking, they're not legally allowed to send any health info via email.
It's extremely difficult to accurately identify which emails have health info and which ones don't (even something like a person's name or IP address could count depending on the context) so they just default to sending everything through their message center. No amount of email security could change that.
Somehow they mail letters with info.
Encrypted email wouldn’t require a BAA.
I'm not a lawyer, but I'm currently working on getting my company HIPAA-compliant, so I know more than the average person about this.
My understanding is that there's a thing called the "conduit exception" which basically says that if data is transiently passing through a channel and it's not being looked at, it's ok. But wherever the data lands must be HIPAA-compliant.
This seems crazy to me, but that's how it works I think. For example, if you encrypt PHI and store it in AWS without signing a BAA with them, that's a HIPAA violation, even though the data is encrypted and Amazon can't see it. But if you send encrypted data through AWS without actually storing it, that's fine.
Mail is specifically mentioned as a thing that qualifies for the conduit exception. I'm not totally clear why it isn't a HIPAA violation the moment it arrives at a destination (it's not in-transit at that point, and it's potentially not in the possession of the intended recipient either), but it seems pretty well accepted that it's not.
All that to say: I think encrypted email would still require a BAA because it's being stored, not just transmitted.
> My understanding is that there's a thing called the "conduit exception" which basically says that if data is transiently passing through a channel and it's not being looked at, it's ok. But wherever the data lands must be HIPAA-compliant.
Sounds like they needed fax to be compliant, and came up with some moon logic to make that happen.
Honestly, I think it's just because it's a crime to open someone else's mail. For whatever reason that sort of policy isn't extended to encrypted data in the cloud.
It was a law written in the 90s, it should be updated and modernized.
Same goes for phones (and by extention, fax). Since wire tapping is already illegal, it doesn't need to be secure (at least going by the law).
I agree the laws need an update. I'd imagine a general 'common communication channels' or whatever would work, rather than specifing every single one that's allowed to be used. That way, it's still illegal to snoop on your communications, regardless of whether they happen by post, phone, email, SMS, Whatsapp, or whatever else we end up using in 20 years.
It's a crime to open someone else's mail and generally speaking the post office does a pretty good job of reliable delivery. Even if an address is a bit wrong/corrupted, it can likely be delivered just from the name and the zipcode.
Email is a lot harder. The older SMTP standard sends emails unencrypted so there's a possibility of a MITM reading the email. But also addresses if you get them wrong can end up in the wrong hands. For example, if someone sends an email to cogman10, I'll get it, but if they go to cogman1O I won't get it. A lot of the nuance of how secure and when it's secure gets erased by auditors to just "email is insecure".
Isn't the post office heroics normally when it's not deliverable? If the sender wrote down 744 Evergreen Terrace but they meant 742, that mail will be delivered to your neighbor and hopefully they'll redirect it to you.
The post office is heavily regulated not to open your letters with severe criminal penalties if they do. An attacker also can't quietly X-ray your letter in transit to get a sneaky copy.
They also send faxes to providers as well. It's kind of ridiculous when you think of it.
Dollar bills are essentially untracked, good everywhere, secure, work no matter what. Same goes for normal mail, and it's a federal offense to tamper with it.
Nothing electronic will ever be secure, unless it is never, ever networked. Networking changes "touch physical thing" into "everyone on the planet plus their bots" can touch it.
Even if you pass harsh laws, you need to geogate network connections to only within that legal jurisdiction. Otherwise, it's pointless.
The real, true problem is anonymousness. I used to advocate for, now I'm done. The problems anonymity solve, are a gnat compared to the ones it creates.
I'm all for ipv8, but with a unique ID in the packet identifying the person directly.
I can't drive a car, own a gun, drive a boat, buy explosives, ply many trades, and 100 other things without a license. Maybe unrestricted internet access is in that category, and bad behaviour means it is revoked.
The Internet was a toy for a long time. Now it's the backbone of all commerce, industry, personal communication, with life threatening implications at times.
Play time is over.
Botnet operator says "Hey I'll pay you $1000 to use your connection for a month."
And you go to jail.
You might go to jail, you might make $1000. Crimes usually require criminal intent.
I think a lot of the HIPAA compliance can be signed away when you authorize them to send your medical information over email/voicemail/sms, but I'm not a lawyer, and my doctor doesn't email me anything but a link to log in to their EPIC portal.
It is frustrating to know that we can digitally sign and encrypt messages but don't because "it's too hard for normal people".
With HIPAA, is it not possible to simply encrypt the message? The "forgot password" flow for their message center is probably email anyway.
I can upload my public key to SourceHut and all email from them becomes signed and encrypted. It's a one-time process to generate long-lived keys and another to set up with SourceHut and that's all I need to do.
So much work is done for HIPAA compliance, and then the only authentication required is a birth date.