�ݺ�ߣ

HIPAA Success Story
How Texoma Healthcare System Identified &
Addressed its Secure E-mail Requirements

21 August 2003 Presented by
Texoma Healthcare System
& Tovaris

Agenda

An Overview of E-mail in Healthcare
The Obligatory HIPAA Review
E-mail Encryption and HIPAA Compliance
The THCS Experience
The Highlights and “Take-aways”

Copyright ©2002 Tovaris, Inc.
Copyright ©2003 Tovaris
All All Rights Reserved.
Rights Reserved.
All Rights Reserved.


S,

ES
sT
Rights Reserved.

se
lea
re ail
ris m E-
va
To cure d
se ate
nd
2001

ma diu
m
on nd me
pti
c ry s a ns
En es tio
sin ica
bu un
us mm ed
ito co
2000

iqu al as
Ub rson ele
)r
pe cy
iva
Pr
od
Go
ty
Brief History of E-mail

ret
(P s,
P tie
PG rsi
ive t
un en
in m
se ern
1990

d u gov
rea d
sp , an
ide rch
W ea se
d
res ea
rel
PC
IB
M ted
lga
mu
1980

pro
rds
da
an
St
”
ted
en y rch
inv d b ea
1970
il “ he Res
ma nc
E- au ed
T l anc
NE dv cy
PA e A gen
AR fens ts A
De ojec

1960
Pr

The Obligatory HIPAA Review

Defining Covered Entities
The Privacy Rule and Security Rule
– 164.530(c)(1) and (2) a.k.a. “Mini-Security
Rule
– Security Rule, Technical Specifications
164.312 (a)(2)(iv) (Addressable)
– Security Rule, Technical Specifications
164.312 (e)(2)(ii) (Addressable)
April 14, 2003 and April 21, 2005
Reasonable Effort

Rights Reserved.

E-mail Security Vulnerabilities

Alice,
Sender Here is John
Recipient
Smith’s lab
result.
-Bob

Internet

Rights Reserved.

Potential Attacks at
Each Stage

• Mail server hack • Internet sniffing • Mail server hack
• Malware install • DNS spoofing • Malware install
• Intranet sniff • Mail router hack • Intranet sniff
• Unencrypted E-mail • Unencrypted E-mail • Unencrypted E-mail

Internet

Rights Reserved.

Encryption is a Solution

• Mail server hack • Internet sniffing • Mail server hack
• Malware install • DNS spoofing • Malware install
• Intranet sniff • Mail router hack • Intranet sniff
• Unencrypted E-mail • Unencrypted E-mail • Unencrypted E-mail

Internet

Rights Reserved.

The THCS Experience

Our decision-making team
– CIO and CFO
– HIPAA Compliance Officer, CPO
– Operations
– Decision Support
– Network Manager
– IS Support Services

Rights Reserved.

The THCS Experience

Requirements Analysis
– Ease of use
– Zero client footprint (senders and recipients)
– Key distribution and management
– Proven encryption technology
– Control of message store

Rights Reserved.

The THCS Experience
Three Challenges
THCS users can’t use encryption—it’s too
difficult!

How do we send secure messages to
recipients with no digital certificate?

Manual certificate exchange is impossible to
manage with our business partners.

Rights Reserved.

The THCS Experience

Minimum system requirements for
SecureMessenger message retrieval
– Message retrieval is intuitive
– Message links are common industry practice
(airlines, banks, greeting cards)
– Works with AOL, Yahoo!, Hotmail

Can’t assume recipients will be able or willing to
download, install, or use a plug-in or separate
secure E-mail application
– Individual recipients
– Physicians
– Business associates

Rights Reserved.

The THCS Experience

Product Review and Selection
– Concentrated on secure messaging vendors
– Avoided complicated PKI vendors
– Understood HIPAA regulations
– Demos
– In-house trials

Rights Reserved.

The THCS Experience

Implementation and Integration
– Well-documented install preparation and
process
– Drop it in and go
– Excellent training

Rights Reserved.

SecurE-mail Gateway™
E-mail security appliance component of TESS that provides seamless E-mail encryption and
decryption services to THCS employees, clinicians, and other enterprise users, and remote
recipients.

2. Content filtering system
1. Internal email filters messages, forces
communications encryption where required
as usual Corporate Outer
Firewall Firewall

Desktop User 2

Content
Mail Server 3
Filtering

1 4
SecureMail
Web User Gateway Internet

3. SecureMail Gateway 
encrypts all messages
that have been flagged 4. SecureMail Gateway 
for encryption either by sends mail OR forwards
Mobile user, policies, or content encrypted mail to MTA
Device User filtering system for Internet delivery

Rights Reserved.

Unified Secure Messaging Platform
Product Description
SecureMail Gateway™ • Plug-and-play email security appliance
S/MIME • Automatic certificate lookup and harvesting
Appliance • Automatic encryption and decryption
• Digital signatures

SecureMessenger™ • SecureMail Gateway™ universal secure
messaging feature
Universal
• Enables secure email to any recipient,
Secure requiring only:
Delivery – Web browser (SSL-capable)
– Email address and application
SecureTier™ • Scalable backbone network
Global • Connects SecureMail Gateway appliances
Certificate • Management and distribution of standard
Network X.509 digital certificates (public keys)
• Automatic certificate lookup on every message

Rights Reserved.

The THCS Experience

Authentication of Non-S/MIME Recipients
– Establishing a pass phrase
– Communicating the pass phrase

Rights Reserved.

��𳦳ܰ��ѱ��Բ��™:
Manual Message Flag

All communications
with the system are
initiated via E-mail;
no plug-ins needed

Simply type “secure-”
in front of the recipient
address or in the
Subject line, and
security is assured.
Rights Reserved.

��𳦳ܰ��ѱ��Բ��™: Encrypt

Customizable interface
SECURE MESSAGE CENTER

1. Enter clue (challenge)
2. Enter password (response)
3. Establish message lifetime
4. Request real-time message
tracking/delivery receipt
5. Click button to always use
this clue/password and other
settings for this recipient

Rights Reserved.

��𳦳ܰ��ѱ��Բ��™:
Notify

Link will invoke
web browser
and establish
the secure SSL
connection for
the recipient.

Rights Reserved.

��𳦳ܰ��ѱ��Բ��™:
Decrypt

Recipient
authenticates
him/herself to
receive secure
SECURE MESSAGE CENTER message:
• Password
• Account number
• Provider number
• Shared secret

Rights Reserved.

��𳦳ܰ��ѱ��Բ��™: Pickup

Recipient sends a
secure reply with
attachments

View security level
and digital signature

Tovaris user views
message reply in her
inbox, securely

Rights Reserved.

��𳦳ܰ��ѱ��Բ��™: Verify

Recipient verifies
encryption, signature
integrity, originator
identity, and
certificate validity

Rights Reserved.

��𳦳ܰ��ѱ��Բ��™: Reply
Recipient can reply securely back to sender, with
unlimited file attachments. Original sender
receives secure message in his own inbox when
message has been replied to by recipient.

��𳦳ܰ��ѱ��Բ��™: Track

Sender receives instant, secure notification by E-
mail when SecureMessenger message has been
retrieved by recipient.

Rights Reserved.

Simple Web Administration

Rights Reserved.

The THCS Experience

Usage and Maintenance
– What maintenance?
– Measuring usage
– Assuring usage

Rights Reserved.

Addressing User Compliance

Rights Reserved.

Addressing Three Secure
Messaging Challenges
THCS users can’t use encryption—it’s too difficult!
No client application or plug-in—SecurE-mail Gateway
is a fully integrated E-mail security device
How do we send secure messages to recipients with
no digital certificate?
SecureMessenger Web delivery to all recipients with
no remote storage of keys or messages
Manual certificate exchange is impossible to manage
with our business partners.
Certificate harvesting and SecureTier automate
certificate distribution, retrieval and management
activities

Rights Reserved.

Texoma’s Key “Take-aways”

“Reasonable effort” toward HIPAA compliance
Able to send secure E-mail to any recipient
Turn-key E-mail security with little user overhead
Little to no ongoing management burden
Able to find and retrieve recipients’ certificates
by default on every message sent
Able to integrate secure E-mail with mail system,
anti-spam/virus and content scanning systems
Plug into existing corporate data sources for
seamless Web delivery authentication

Rights Reserved.

�ݺ�ߣ

THCS And Tovaris

More Related Content

THCS And Tovaris