Secure Email Integration for HIPAA Compliance Information

Current Situation

• Business customers need to send confidential / personal information via email, and they need to send this to non-Intranet users
• Company Security Policy (HIPAA compliance) requires confidential information to be encrypted in emails outside of the company firewall

The following alternatives were identified
1.Pull Type Architecture
2.End-to-End Encryption via S/MIME v3
3.Providing users with extranet facing outside the company firewall mail server (Variation of Infonet)
4.Pretty Good Privacy (PGP) Encryption
5.Transport Layer Security (TLS), Boundary-to-Boundary Encryption

The following changes are required for application interface by any Email Encryption alternative
1.Restrict the emails addresses in the "To" field for emails/notifications to valid emails
2.Restrict the emails addresses in the "To" field for emails/notifications to specific email domains 3.Prevent users from typing in email addresses

Advantages and Disadvantages of Alternatives
Alternative -1 A: Pull Type Architecture (all users treated the same)
Description:
• This option is suitable for systems that have a large user base and implement several automated alerts. The emails generated are recreated as webpages and hosted within the company firewall. The recipients are sent email alerts with the url of their message webpage and a token. The recipients authenticate using their id and the token to access their email message. There is security required to access the information via the link / URL, etc. (This was assumed to be within the Company Firewall.) This does not address emails going outside of the company firewall.
• Pros:
– No additional software installation required
– Uses proven standards such as SSL/Https
– Does not require any certificates
• Cons:
– Requires customization of the application to build this functionality
– Does not meet Business Client’s perceived requirement (the information be contained in the email)
– This does not address emails going outside of the company firewall (referrals or lab results).
• Complexity:
– Medium (Due to management of tokens)
– Recipient needs to use the VPN to get into the company Intranet
– High Level Effort Estimate:
• Requires COTS involvement (maybe 2 resources)
• Mini solution (Infrastructure hosting team)
• Application development team (revise reporting) – 2 resources

Alternative -1 B: Pull Type Architecture (only applies to users Outside the company firewall)
Description:
• This option is suitable for systems that have a large user base and implement several automated alerts. The emails generated are recreated as webpages and hosted within the company firewall. The recipients are sent email alerts with the url of their message webpage and a token. The recipients authenticate using their id and the token to access their email message. The users inside the company firewall should have a company Lotus notes account, and can get confidential information through Lotus Notes.
• Pros:
– No additional software installation required
– Uses proven standards such as SSL/Https
– Does not require any certificates
• Cons:
– Requires customization of application to build this functionality
– Does not meet Business Client’s perceived requirement (the information be contained in the email)
– This does not address confidential content information within emails going outside of the company firewall (referrals or lab results).
• Complexity:
– Medium (due to management of tokens as well as the need to be able to identify that this is an outside user as opposed to a internal user)
– Recipient needs to use the VPN to get into the company Intranet

Alternative -1 C: Pull By sftp Type Architecture (requires Outside users identification & ID’s)
This option is suitable for systems that have a large user base and implement several automated alerts. The emails that are generated are for notification only that a report or file exists on a secure ftp site. This report or file is then available for the user to pull it. The recipients authenticate using a secure ftp ID and password (This was assumed to be inside the company Firewall.)
This does not address emails going outside of the company firewall. If the user doesn’t have access to company Intranet, this solution is not feasible (Referrals).
The user would require a secure ftp client and certificates
Pros:
– No additional software installation required on the server side (clients would need a secure ftp)
– Uses proven standards such as SSL/Https
• Cons:
– Requires customization of application to build this functionality
– Does not meet Business Client’s perceived requirement (the information be contained in the email)
– This does not address confidential content information within emails going outside of the compay firewall (referrals or lab results).
– Users would need an additional ID and password (may be able to use existing ID).
• Complexity:
– Medium (Due to management of ID’s and certificates)
– Recipient needs to use the VPN to get into the company Intranet

Alternative -2: End to End Encryption via S/MIME v3.---
Description:
• The client will utilize the X.509 Certificates for both the sender and the receiver to encrypt the message. The message will remain encrypted from client to client. Internal users can use their VPN PKI certificates while partners will be required to purchase their own certificates. (Could use digital signatures from the server to the user to verify the right person…)
• Pros:
– Uses proven standards such as RSA-based encryption and X.509 Certificates.
– Most email client platforms claim cross platform compatibility.
– No customization of COTS application required.
– Medium implementation cost (purchase RSA certificate, people receiving need to purchase as well, and need a package to encrypt the message)
• Cons:
– Cross Platform compatibility is still an emerging feature in these products
– Places burden on the end users for certificate management (harvesting certificates, enrolling, revocation etc)
– High Maintenance and Support cost (to support end users)
– Risk that security-checking email services such as policy based message scanning and antivirus scanning could be bypassed, potentially violating company security policy standards, since the message is encrypted end to end.
– Since Lotus Notes is not on the server, we would need to add an encryption tool on the server.
– Requires software approval / deviation due to not being in company standard software category
• Complexity: Medium

Alternative -3 PROVIDING USERS WITH EXTRANET FACING, OUTSIDE THE COMPANY FIREWALL MAIL SERVER (Variation of Infonet)
Description:
• This option is suitable for all types of user bases and Email models. Company will host an Email Server for Partner mailboxes within the company firewall for all company partner companies to share secure communication. The partner users will connect to the External Email Server via a secure tunnel and access the emails through either Outlook, iNotes Client or Notes Client. Need to research if the messages stored in the external notes server are encrypted or not.
• Note: Company could provide the outside vendors a Lotus Notes account and Account ID. However, company policy may not support giving outside suppliers email access who do not have a COE seat. Client (COTS vendor) would still need to encrypt, so we’d still need a tool for that.
• S/MIME is an extension that allows additional functionality and it uses certificates to manage, although certificates are costly.
• Pros:
– It will be a single vendor based solution eliminating all needs for cross platform compatibility.
– There is no requirement for key management
– Low cost of maintenance and support.
• Cons:
– Implementation costs higher than option 2 (certificates already in place, so no additional cost for those)
– Need to research security compliance at the External Notes server.
– Not sure if internal IT would support, given complexity of changes to the infrastructure.
– Business customers may not want to force people to have a company email ID.
– There’s a risk that company may lose HIPAA exemption because outside electronic transmissions of medical information may require auditing.
• Complexity: High

Alternative -4 PRETTY GOOD PRIVACY (PGP) Encryption
Description: The sending server will utilize a Public Key to encrypt the message, and the receiver decrypts the message with a Private Key. Company requires Private Keys for its users. Private keys would need to be purchased and managed for outside users.
• Pros:
– Uses proven standards (PGP)
– Most email client platforms claim cross platform compatibility.
– No customization of COTS application required.
– Medium cost (purchase Private Keys for the client)
• Cons:
– End user would need to install key.
– Key management must be performed by a Certificate Authority (IT vendor or other organizations)
– High Maintenance cost (to support end users)
– Would need an encryption tool on the server
– Risk that security-checking email services such as policy based message scanning and antivirus scanning could be bypassed, potentially violating company security policy standards, since the message is encrypted end to end.
• Complexity: Medium

Alternative -5 Transport Layer Security (TLS), Not an end-to-end encryption solution.
Description: TLS is a variation of the tried-and-true Secure Sockets Layer (SSL) protocol that we use to protect Web traffic. Using TLS to encrypt communications between two email gateways has a number of security benefits. First, each mail server authenticates to the other, making it harder to send spoofed email. Second, the contents of the emails sent between the two servers are encrypted, protecting them from prying eyes while in transit. Finally, the encryption of the conversation between the two hosts makes it exceedingly difficult for an attacker to tamper with the email's contents.
· Pros:
o Secure transfer from server to server.
o Digital signatures sent and received from the server level.
o TLS and SMTP are extremely interoperable
o Do not need a digital certificate to run TLS on the mail server
· Cons:
o Not highly scalable
o This solution is dependent upon the security environment of the receiving server, which may not be compatible with company security policy requirements.
· Complexity:
o Low-medium

Comparison (Equal Weight)


Comparison (Weighted)



Recommend: Alternative #2
End to End Encryption via S/MIME v3
We recommends Alternative #2 for the following reasons:
•Emails with Confidential and Personal data are encrypted outside Company Firewall
•Proven Industry Standard

Sending Party Considerations (Our Company):
•Does not need to manage specific certificates (Use Existing PKI)
•An encryption module needs to be added to the Mail server
•Requires software approval/deviation
•Requires hosting approval
•Requires Security Policy approval

Receiving Party Considerations (Partners):
•All recipients would be required to have a approved email domain account
•Encrypted emails may violate partner's email security-checking process and/or policy
•Use the company's PKI system without any certificate management
•OR email user would have to purchase/manage/renew his/her own certificate

Encryption Modules
•Appliance Module: Entrust Messaging Server

• Software Module: CompanyCRYPT

Configure IIS to be a Smart Host for Exchange Server

Step 1: Verify the Installation of the SMTP Service
In Control Panel, open Add/Remove Programs, click Add/Remove Windows Components. Click the Internet Information Services (IIS) component, click Details, and then verify that the SMTP Service check box is selected.
If it is not selected, click to select it, click OK, and then follow the installation directions that are displayed.

Step 2: Configure the SMTP Service to Relay for Internal Domains
Depending on the scenario, it may be necessary to configure the SMTP service to relay inbound messages for your internal domains.
1. Click Start, point to Programs, click Administrative Tools, and then click Internet Services Manager.
2. Expand the tree under the server name, and then expand the Default SMTP Virtual Server. By default, you should have a Local (Default) domain with the fully qualified domain name of the server.
3. Configure the domain for inbound:
a. Right-click the Domains icon, click New, and then click Domain.
b. Click Remote, click Next, and then type the forwarder.yourcompany.com in the Name box. Click Finish.

Configure the domain for relay
1. In the properties for the domain that you just created, click to select the Allow the Incoming Mail to be Relayed to this Domain check box.
2. If this is being set up for a internal domain, you should specify the server that receives e-mail for the domain name by the IP address in the Route domain dialog box.
3. Click the forward all e-mail to smart host option, and then type the IP address of the server that is responsible for e-mail for that domain in square brackets.
Note: Typing the IP address of the server in brackets is necessary so that the server recognizes this is an IP address and not to attempt a DNS lookup.

Step 3: Specify the Hosts That You Want to Openly Relay to All Domains
Note:
Anyone can send to the domains that you specified in Step 2.

This step is for hosts, which are most likely your internal servers that would need to send to all domains on the Internet. It is not recommended to not have any restrictions because anyone can use your server as an open relay. It is recommended to only allow the minimum, necessary hosts to openly relay to all domains. To do so:
1. Open the properties of the Default SMTP Virtual Server.
2. On the Access tab, click Relay.
3. Click Only the list below, make sure the list is empty. Check the checkbox before “Allow all computers which successfully authenticate to relay, regardless of the list above”.

Configure SMTP on IIS (Windows 2003)

Step 1: Verify the Installation of the SMTP Service
In Control Panel, open Add/Remove Programs, click Add/Remove Windows Components. Click the Internet Information Services (IIS) component, click Details, and then verify that the SMTP Service check box is selected.
If it is not selected, click to select it, click OK, and then follow the installation directions that are displayed.

Step 2: Configure the SMTP Service to Relay for Internal Domains
Depending on the scenario, it may be necessary to configure the SMTP service to relay inbound messages for your internal domains.
Click Start, point to Programs, click Administrative Tools, and then click Internet Services Manager.
Expand the tree under the server name, and then expand the Default SMTP Virtual Server. By default, you should have a Local (Default) domain with the fully qualified domain name of the server.

Configure the domain for inbound:
Right-click the Domains icon, click New, and then click Domain.
Click Remote, click Next, and then type the forwarder.gm.com in the Name box. Click Finish.

Configure the domain for relay
In the properties for the domain that you just created, click to select the Allow the Incoming Mail to be Relayed to this Domain check box.
If this is being set up for a internal domain, you should specify the server that receives e-mail for the domain name by the IP address in the Route domain dialog box.
Click the forward all e-mail to smart host option, and then type the IP address of the server that is responsible for e-mail for that domain in square brackets. IP of forwarder.yourcompany.com is:
[168.208.12.12]
Note: Typing the IP address of the server in brackets is necessary so that the server recognizes this is an IP address and not to attempt a DNS lookup.
Click OK.

Install SMTP service under Windows Server 2003

The version of Microsoft IIS that ships with Windows 2003 contains a service that you can use to deliver mail using SMTP. To install this SMTP service, perform the following steps:
1. Start the Control Panel Add/Remove Programs applet.
2. Click Add/Remove Windows Components.
3. After the Windows Components Wizard appears, select Applications Server and click Details.
4. Select Internet Information Services (IIS), then click Details.
5. Select SMTP Service, then click OK as this figure shows.
6. Continue to click OK to close all other dialog boxes until you're back at the Windows Components Wizard page, then click Next.
Windows 2003 will copy the files required for the SMTP service (you might be prompted to insert the installation CD-ROM) and configure the service. You can also install the SMTP service through the E-mail Services tool, which is a POP3 component that automatically installs SMTP. Windows 2003 configures the SMTP service to use a default server, and you can use the IIS Manager to modify the server settings.

Determine MDAC version
Determining which version of MDAC is installed on a computer at any given time presents certain difficulties because individual MDAC files may have been replaced by an errant installer, which complicates the situation. Component Checker is probably the most useful tool that is available for verifying MDAC installations. Component Checker is available for download from Data Access and Storage Developer Center MDAC Downloads.


Install and Use the Component Checker Tool
The most reliable way to determine which version of MDAC is installed is to compare the version number of each MDAC DLL file to a list of the DLL files that are shipped with each MDAC version. The Component Checker can help you to do this. It checks the files on the computer, compares them to a list from each version of MDAC, and reports the closest match.To install Component Checker, follow these steps:
1. Browse to the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?FamilyId=8F0A8DF6-4A21-4B43-BF53-14332EF092C9&displaylang=en (http://www.microsoft.com/downloads/details.aspx?FamilyId=8F0A8DF6-4A21-4B43-BF53-14332EF092C9&displaylang=en)
2. Click the link to download Component Checker. When you are prompted by the browser, save Cc.exe (a self-extracting executable file) to the desktop.
3. On the desktop, double-click Cc.exe; this extracts the Component Checker files and installs to the default location, C:\Comcheck.
To use Component Checker to check the MDAC version, follow these steps:
1. From the Start menu, click Run.
2. In the Open text box, type c:\comcheck\comcheck.exe and then click OK.
3. In the Component Checker - Choose Analysis Type dialog box, select Perform Analysis of your machine and automatically determine the release version, and then click OK.
4. The program attempts to identify the MDAC version on your computer by scanning all of the core MDAC files and registry settings. This process normally takes several minutes. When finished, you should receive the following message:
The MDAC version that is closest to the version on your computer is 'XXXX'.
5. Click OK.
6. A summary of the Component Checker scan appears. Note that the Dir, FileDescription, and FileSize errors can be safely ignored.

Check the Version Information Stored in the Registry
Although not the most reliable way to check the MDAC version, checking the registry for the version information is an easy way to double-check this information (if you are not experiencing any MDAC-related issues).The version information is found in the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\DataAccess\FullInstallVer
To check the registry, follow these steps:
1.On the Start menu, click Run.
2.In the Open text box, type regedit and then click OK; this starts Registry Editor.
3.In the Navigation pane, drill-down to the following path:
HKEY_LOCAL_MACHINE\Software\Microsoft\DataAccess
4.In the Details pane, look in the Name column for FullInstallVer and Version. Each of these keys will have corresponding version information in the Data column.
5.When finished, click Exit on the Registry menu to close Registry Editor.