Email and information security


Increasingly these days, our practice management systems (PMS) are able to distil a patient’s records and send the package via email. This is a tremendously convenient tool for us – it is a lot quicker and cheaper to do it this way than struggling with the arcane and temperamental fax machine.

However, bear in mind that these records frequently contain very personal data – clinical notes, for example, may include comments explaining why some tests or treatments were turned down.

Email is even less secure than sending a postcard through the post. When you send an email it doesn’t necessarily go straight to the recipient’s email account, but might be routed through one or more computers before it gets there. That is the beauty of the internet. Any one of these computers could be compromised and running software put there to skim the data passing through it, sending copies elsewhere and allowing someone else to read the email.

Then there is the possibility of mistyping an email address (as happened to Stoke-on-Trent City Council in 2012). Protection of data is required by the Data Protection Act, and failing to safeguard it can open people and practices up to criticism, adverse publicity and liability.

That’s all very easy to say, but how to protect it? Encryption of email is possible and can be easy if it’s all set up in advance. It is usually buried in the depths of the menu system of an email program like Thunderbird or Outlook, but really isn’t the sort of thing to be setting up when trying to send a referral practice a history.

The usual approach is called “asymmetric encryption”: the recipient gives you a password, or more complex “key”, that you use to encrypt the email to them specifically. That same key cannot be used to decrypt it – the recipient has a different one for that.

The reply happens in reverse. Normally people append their “send-me-stuff key” to the bottom of their emails after their signature so that it’s always there, and email programs will usually add these to their “key chain”.
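The exchange described above, as an added example that is not part of the original article: textbook RSA in Python showing that the key a practice hands out can encrypt a record but cannot decrypt it, and that the reply uses the other practice's key. The practice names, message text and toy-sized primes are assumptions made for illustration; real mail programs use OpenPGP or S/MIME with far larger keys and padding.

```python
# Textbook RSA with small, constructed primes. Illustration only: real mail
# encryption (OpenPGP, S/MIME) uses 2048-bit+ keys, padding and hybrid schemes.

BLOCK = 16  # plaintext bytes per block; must stay well below the modulus size

def make_keypair(p, q, e=65537):
    """Return (public, private): the 'send-me-stuff' key and the secret key."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent (modular inverse, Python 3.8+)
    return (n, e), (n, d)

def encrypt(public_key, message: bytes):
    """Encrypt to the key's owner; anyone holding the public key can do this."""
    n, e = public_key
    blocks = [message[i:i + BLOCK] for i in range(0, len(message), BLOCK)]
    # A 0x01 prefix preserves leading zero bytes and the block length.
    return [pow(int.from_bytes(b"\x01" + b, "big"), e, n) for b in blocks]

def decrypt(key, ciphertext):
    """Apply a key to the ciphertext; only the private key restores the text."""
    n, exponent = key
    out = b""
    for c in ciphertext:
        m = pow(c, exponent, n)
        out += m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]  # drop marker
    return out

# Constructed keys for two hypothetical practices (Mersenne primes, toy-sized).
REFERRAL_PUB, REFERRAL_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
FIRST_OPINION_PUB, FIRST_OPINION_PRIV = make_keypair(2**107 - 1, 2**127 - 1)

def demo():
    record = b"Constructed history: owner declined bloods on cost grounds."
    sent = encrypt(REFERRAL_PUB, record)  # sender uses the recipient's key
    reply = encrypt(FIRST_OPINION_PUB, b"Received, thanks.")  # reply in reverse
    return {
        "referral_reads": decrypt(REFERRAL_PRIV, sent),     # original record
        "public_key_reads": decrypt(REFERRAL_PUB, sent),    # unreadable bytes
        "reply_reads": decrypt(FIRST_OPINION_PRIV, reply),  # original reply
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```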

The trick is that both parties need to be set up to do this and, from experience, talking “decryption keys” late at night usually results in agreeing to use the fax machine.

I look forward to all PMS doing this automatically, and being able to interact with each other – say with a drop-down list of practices to send a record to – without people having to know what’s involved and doing things manually.

As another example, when I look at most practices’ “labs” email accounts, encryption is never used – it’s all in plain text. This is, of course, fine as long as nothing goes wrong – you don’t get caught. But how often do you, for example, change the access password to this account? If the answer is “erm” or “never”, then it’s as open to being accessed and abused by former staff members as never changing the combination on a door or safe, and ultimately part of the fault lies with the person responsible for the lax security routines.

