Re: Newbie naive question, perhaps - - be kind
sci.crypt archive


From: Paul Rubin <//phr.cx@NOSPAM.invalid>
Date: Sun Oct 16 2005 - 21:31:03 CEST

Tom McCune <news1@DELETE_THISmccune.cc> writes:
> Generally speaking, I think email with clients/patients is a bad
> idea, but if I were going to do so, I would certainly want to use PGP.

I'm sorry but I think you're kidding yourself. PGP is a pain in the
neck even for techies like me. Expecting patients to deal with it is
completely unrealistic no matter how simple it is.

> Most clinicians (except possibly for those in institutional
> settings) will not have such an SSL web server available.

Yes, they'd have to decide if they need one enough for it to be worth
making arrangements for it. It's not THAT big a deal. It could be
just a simple cgi at a hosting provider with SSL. I don't know what
the HIPAA requirements for qualifying the hosting provider would be,
but from a technical point of view this can be done to reasonable
standards pretty easily.

> PGP does have a learning curve,

which makes it completely impractical for client communication.

> but even the Current Window option in the Freeware is very simple to use.

It also has to be installed; and lots of patients will use webmail
systems or admin-locked office PCs or whatever. Sorry, but I think
PGP is the right thing for internal use by the practitioner but a
total non-starter for communication with patients.

> I believe the HIPAA support of 1024 bit asymmetric encryption was
> meant to support the use of S/MIME, but I'm not sure that is really
> easier to learn and use.

That's fine for communication between medical staff who can deal with
the learning curve and can settle on using appropriate mail clients
etc. You have to expect that patients will use anything from AOL mail
to webmail services to public kiosks, and have enough trouble even
with those. They'll have ZERO capability of installing and using
special desktop software and they might not even be using their own
PCs. HTTPS is really the only sensible way to do this.

Also, realistically speaking, email would probably be used mostly for
stuff like setting up appointments, which is maybe not so sensitive.
Still, I think any responsible provider would do even that through SSL.
Received on Mon Oct 17 20:48:29 2005
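The "simple cgi at a hosting provider with SSL" that the reply sketches, written out as an added example (this is not code from the original post or from either poster). It assumes the web server follows the usual CGI convention of setting HTTPS=on (or REQUEST_SCHEME=https) on TLS requests, and the store_message function is a placeholder standing in for whatever storage the practice actually uses. The handler refuses any request that did not arrive over TLS, so a misconfigured plain-HTTP vhost cannot quietly accept patient messages in the clear, and it sets no-store caching so a shared kiosk or office PC does not keep a copy of the message.

```python
#!/usr/bin/env python3
"""Minimal CGI-style handler for a patient message form served only over TLS.

Added example, not from the original post.  Assumes the web server sets the
conventional CGI variable HTTPS=on (or REQUEST_SCHEME=https) for TLS requests.
store_message is a placeholder; a real deployment writes to protected storage.
"""
import os
import sys
from urllib.parse import parse_qs

MAX_BODY = 64 * 1024  # refuse oversized posts before parsing them

_STORE = []  # placeholder for wherever the practice actually keeps messages


def store_message(sender, text):
    """Placeholder persistence: append in memory and return a ticket number."""
    _STORE.append((sender, text))
    return len(_STORE)


def is_tls(environ):
    """True only if the web server says this request arrived over TLS."""
    return (environ.get("HTTPS", "").lower() in ("on", "1")
            or environ.get("REQUEST_SCHEME", "").lower() == "https")


def handle(environ, body):
    """Return (status, headers, text) for one CGI request."""
    headers = [
        ("Content-Type", "text/plain; charset=utf-8"),
        # keep a browser (or a public kiosk) from caching the patient's message
        ("Cache-Control", "no-store"),
        # tell the browser to use HTTPS for this host from now on (one year)
        ("Strict-Transport-Security", "max-age=31536000"),
    ]
    if not is_tls(environ):
        return "403 Forbidden", headers, "This form is only available over HTTPS.\n"
    if environ.get("REQUEST_METHOD") != "POST":
        return "405 Method Not Allowed", headers, "POST your message.\n"
    if len(body) > MAX_BODY:
        return "413 Payload Too Large", headers, "Message too long.\n"
    form = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    sender = form.get("from", [""])[0].strip()
    text = form.get("message", [""])[0].strip()
    if not sender or not text:
        return "400 Bad Request", headers, "Both 'from' and 'message' are required.\n"
    ticket = store_message(sender, text)
    return "200 OK", headers, f"Thank you. Your message was received (ticket {ticket}).\n"


def main():
    """CGI entry point: read the POST body from stdin, write the response to stdout."""
    length = int(os.environ.get("CONTENT_LENGTH") or 0)
    body = sys.stdin.buffer.read(min(length, MAX_BODY + 1))
    status, headers, text = handle(dict(os.environ), body)
    sys.stdout.write(f"Status: {status}\r\n")
    for name, value in headers:
        sys.stdout.write(f"{name}: {value}\r\n")
    sys.stdout.write("\r\n" + text)


if __name__ == "__main__":
    main()
```

The TLS check relies on the server's own CGI variables rather than on anything the client sends, which is the point: a patient on webmail or a kiosk needs nothing installed, and the protection comes entirely from the server side. Whether a given hosting provider is an acceptable place to run this under HIPAA is, as the post says, a separate question this code does not answer.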