Friday, January 15, 2010

Cool Technology of the Week

Recently, BIDMC and Atrius Health began a collaboration that required clinical data sharing and secure email.

I've described the clinical data sharing in a previous blog. Here's the approach we've used to secure email - SMTP over Transport Layer Security (TLS), which ensures all email is encrypted as it travels over the internet.

Configuring TLS varies with the gateway that you are using. We use Proofpoint Protection server as our primary MX servers. Proofpoint makes it very simple to enforce TLS between sites. There is a configuration option that allows you to specify what domains you want to enforce TLS with. (as a default we have opportunistic TLS turned on for every site). You simply add the domain you want to enforce and specify always use TLS.

The advantage of this approach is that it does not require any client side certificates or complex server side certificate management. No special software is needed at the desktop and the encryption is invisible to the user.

Secure email that is as easy as a setting on a gateway - that's cool.

3 comments:

  1. Wes Rishel and I have proposed an expansion of John's "cool idea of the week" over on Wes' blog, available here

    We propose extending the mutually-authenticated TLS model to a large set of certified "health internet nodes" that could form the basis for widespread, simple, secure clinical messaging.

    I believe this approach is consistent with the recent recommendations made by the NHIN Workgroup of the HIT Policy Committee.

    David McCallie MD

    ReplyDelete
  2. Providing TRANSEC ( http://en.wikipedia.org/wiki/Transmission_security ) is always a good idea.

    However, this is NOT secure email. The content will be vulnerable on end user devices, mail relays, and on the sending/receiving mail servers (see http://en.wikipedia.org/wiki/E-mail_encryption). Secure email uses end-to-end encryption as provided by S/MIME or PGP.

    ReplyDelete
  3. And there is some clarification and additional technical details about this at blog.recordnexus.com located here and here that have been discussed with David and Wes as well.

    ReplyDelete