MedOffIS SUPPORTS SECURE EMAIL
2004.06.07
Overview
One of the most time- and labor-consuming tasks in maintaining an electronic medical record is importing non-digital patient information such as radiology reports, hospital dictation and consultation/referral letters. This is unfortunate because most of this information is already in digital format at the sender's location but is printed to paper for transit. Transmitting digital information securely, however, is not easy. Simply emailing a document to an intended recipient would potentially violate a patient's privacy, since the mail could be intercepted in transit or read by unauthorized persons on the destination email server before it is downloaded. Also, it would be impossible to tell whether the document had been tampered with, or whether it was sent by someone electronically pretending to be someone else.
In the last few years, cryptography has matured to the point that anyone with commonly available software can send encrypted, digitally signed messages. There are many possible methods, using either symmetric or asymmetric encryption. Symmetric encryption requires the sender and recipient to share a common secret describing how the message was scrambled. This was the method used by Julius Caesar (and many children thereafter) when he shifted each letter by three. Mathematically, there are very secure methods for encrypting a document when sender and receiver share the same secret, but there are practical difficulties in transmitting the secret to others and then keeping it secret. This is why asymmetric encryption has become popular. With asymmetric encryption, an individual has a private key and a public key. Using another person's openly published public key, a message can be encrypted such that only someone possessing the corresponding private key can decrypt it. The sender never has to share the private key, which removes the possibility of key interception. The algorithm works both ways, so a sender can "sign" a document with the private key, and the signature can only be checked (decrypted) with the corresponding public key. Successful verification of the signature with the public key establishes the authorship of the message. Furthermore, because the signature is computed over a cryptographic digest (hash) of the message rather than over the message itself, successful verification also shows that the message was not altered in transit: any change to the message changes the digest and invalidates the signature.
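The signing and sealing steps just described, as an added example written for this page using only Go's standard library (it is not MedOffIS software and not what a 2004 mail client did internally). The sender signs a SHA-256 digest of the report with a private key, the recipient checks it with the sender's public key, and the report is encrypted with the recipient's public key so that no other private key can open it. The report text and the key pairs are constructed on the spot. Two simplifications to keep in mind: the padding schemes used here (RSA-PSS and RSA-OAEP) are the modern choices rather than the PKCS#1 v1.5 that S/MIME clients of that era used, and a real S/MIME message encrypts the body with a random per-message symmetric key and uses RSA only to protect that key; here the short sample is encrypted directly.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signReport signs the SHA-256 digest of report with the sender's private key
// (RSA-PSS). The digest, not the whole report, is what gets signed.
func signReport(senderPriv *rsa.PrivateKey, report []byte) ([]byte, error) {
	digest := sha256.Sum256(report)
	return rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
}

// verifyReport recomputes the digest and checks the signature with the sender's
// public key; it returns false for a forged signature or an altered report.
func verifyReport(senderPub *rsa.PublicKey, report, sig []byte) bool {
	digest := sha256.Sum256(report)
	return rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil) == nil
}

// sealForRecipient encrypts the report with the recipient's public key (RSA-OAEP),
// so only the holder of the matching private key can read it.
func sealForRecipient(recipientPub *rsa.PublicKey, report []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, report, nil)
}

// openSealed decrypts with the recipient's private key.
func openSealed(recipientPriv *rsa.PrivateKey, sealed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, sealed, nil)
}

// signAndSealDemo runs the four checks the text describes and reports each outcome.
func signAndSealDemo() (signatureOK, tamperDetected, roundTripOK, wrongKeyRejected bool, err error) {
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	// Constructed sample message; a real report would be a longer document.
	report := []byte("Radiology report (constructed sample): no acute findings.")

	sig, err := signReport(sender, report)
	if err != nil {
		return
	}
	signatureOK = verifyReport(&sender.PublicKey, report, sig)

	// Flip one bit "in transit": the digest changes and the signature no longer verifies.
	tampered := append([]byte(nil), report...)
	tampered[0] ^= 0x01
	tamperDetected = !verifyReport(&sender.PublicKey, tampered, sig)

	sealed, err := sealForRecipient(&recipient.PublicKey, report)
	if err != nil {
		return
	}
	opened, err := openSealed(recipient, sealed)
	if err != nil {
		return
	}
	roundTripOK = bytes.Equal(opened, report)

	// Anyone else's private key (here the sender's own) cannot open the sealed message.
	_, wrongErr := openSealed(sender, sealed)
	wrongKeyRejected = wrongErr != nil
	return
}

func main() {
	sigOK, tamper, rt, wrong, err := signAndSealDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("signature verifies:", sigOK)
	fmt.Println("tampering detected:", tamper)
	fmt.Println("encrypt/decrypt round trip:", rt)
	fmt.Println("wrong private key rejected:", wrong)
}
```

Note that the same private key is used for both signing (a digest) and decrypting (a message sealed to its public key); that is the "works both ways" property the text refers to, and it is why the private key must never leave the owner's machine.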
This asymmetric process is implemented in what is called a "public key infrastructure" or PKI. Currently there are two main ways to implement a PKI: PGP ("Pretty Good Privacy"), or S/MIME (Secure/Multipurpose Internet Mail Extensions) with X.509 certificates. PGP uses public/private key pairs distributed through a "web of trust" (I trust John and John trusts Jane, therefore I must trust Jane) and requires special software that can be downloaded and installed to run alongside email clients such as Outlook. For personal purposes this can be done with open source software, but for business use (and for support in email clients like Outlook) one must purchase an annual software licence from PGP Corporation. S/MIME is a standard built on certificates in a specific format. The certificates for public distribution contain a public key; a certificate containing the private key can be installed on specific computers. Certificates are only considered valid if a "Certificate Authority" (CA) has digitally signed them. Users of a certificate must specify that they trust the "root" (highest level) CA in the chain of trust contained in the certificate. There are many commercial root CAs from which one can purchase a certificate. This involves submitting personal information to the root CA for verification, but once one has a certificate from a reputable CA such as VeriSign it will work in most circumstances, since almost all computers come preloaded with the public certificates of these high profile CAs.
To avoid the expense, and the need to divulge private information to outside agencies, MedOffIS has created a root certificate authority on a secured computer. X.509-compliant certificates can be generated for individuals personally known to MedOffIS or to a select few designates such as Tetrabyte Computers. Public/private key pairs will only be distributed by secure means, mostly on a floppy disk with personal on-site installation but occasionally through an encrypted tunnel. The root CA certificate is now available on the MedOffIS website for download (see links below) and installation into the local certificate store on a personal computer. The unique thumbprint of the certificate can be verified on request. Users who have a certificate and trust the MedOffIS root CA will be listed on the MedOffIS website so one can easily determine whether it is possible to send them encrypted email.
Procedure for Downloading MedOffIS Root Certificate Authority Certificate
Click on the link below and download the certificate (MedOffIS.crt) to a directory on your local hard drive (e.g. C:\downloads). After the download is complete, select "Open". You will be asked if you wish to install the certificate; select "Yes". Do not try to open the file directly from the website, as it will not install unless it has been downloaded to your computer. If you lose the dialog box that asks to open the file after the download completes, open Windows Explorer, find the certificate and double-click on it to start the installation.
MedOffIS Root CA Certificate (use at your own risk!!)
A certificate revocation list (CRL) file, containing the certificates that have been revoked by the MedOffIS CA, can be obtained from the following link.
MedOffIS Root CA Certificate Revocation List
Procedure for Obtaining a Personal Certificate With Private Key
Email bill(dot)clifford(at)nospam(dot)northernhealth(dot)ca (remove "nospam(dot)" and replace "at" and "dot" with the appropriate symbols). If you are personally known, or vetted by someone who is personally known, a certificate will be generated and arrangements made to install it on your computer by secure means. The certificate should be installed with high security so that a password must be entered each time it is used to encrypt, decrypt or sign mail. There is a charge for this process ($100.00 for the first certificate, $50.00 annual renewal and $25.00 to replace lost certificates). Training to set up Outlook and use encrypted email is billed at the usual rate of $100/hour. While the PKI methodology on which these certificates are based is robust and care is taken to implement the PKI securely, use of the certificates (root CA and personal) is entirely at the user's own risk. MedOffIS provides this service only on the condition that the end user takes full responsibility for any breach of privacy that may occur while using this system.
Procedure for Obtaining a Recipient's Certificate
Ask the recipient to email you a signed but not encrypted message. Open the signed message and the certificate should automatically be added to your contact list (you will be prompted to make a new entry if the person is not already in your contacts). This certificate does not have to be one generated by MedOffIS, but in order for the recipient to accept your mail, the recipient must trust the root CA which generated your certificate. If this was MedOffIS, then the recipient must have the MedOffIS CA certificate installed in his/her trusted CA store. A link to this page can be included in an email requesting the signed message so that the recipient can download the CA certificate using the instructions and link above. Subscribers to this system are listed here.
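The trust relationships described in the sections above (a private root CA that signs personal certificates, a recipient who must have that root installed before a signed message is accepted, and a CRL that withdraws a certificate after it is issued), as an added example written for this page in Go's standard library. It is not the MedOffIS CA software; the CA name, the two user addresses and the serial numbers are constructed, the Windows trusted CA store is stood in for by an in-memory certificate pool, and the CRL is produced and checked in the same program rather than downloaded from a published link. Go 1.19 or later is assumed for the CRL parsing calls.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts the demo on an unexpected failure such as key generation failing.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert generates a fresh RSA key pair and has parent sign a certificate for it;
// with parent == nil the template signs itself, which is how a root CA certificate is made.
func newCert(tmpl, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// userTemplate describes an end-entity certificate for one email user (constructed values).
func userTemplate(serial int64, email string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:   big.NewInt(serial),
		Subject:        pkix.Name{CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
}

// acceptSender mirrors what a mail client does with a signed message: build a chain from
// the sender's certificate to a root in the local trust store, then consult the CA's CRL.
func acceptSender(cert *x509.Certificate, trusted *x509.CertPool, crl *x509.RevocationList) error {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := cert.Verify(opts); err != nil {
		return err // x509.UnknownAuthorityError when the root is not installed
	}
	if crl != nil {
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return fmt.Errorf("certificate serial %v has been revoked", cert.SerialNumber)
			}
		}
	}
	return nil
}

// trustDemo returns the outcome of the three situations the text describes.
func trustDemo() (trustedOK, untrustedRejected, revokedRejected bool) {
	ca, caKey := newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	alice, _ := newCert(userTemplate(1001, "alice@example.invalid"), ca, caKey)
	bob, _ := newCert(userTemplate(1002, "bob@example.invalid"), ca, caKey)
	withRoot := x509.NewCertPool()
	withRoot.AddCert(ca)
	// Recipient who installed the root certificate: Alice's signed mail is accepted.
	trustedOK = acceptSender(alice, withRoot, nil) == nil
	// Recipient who never installed it: the very same certificate is rejected.
	untrustedRejected = acceptSender(alice, x509.NewCertPool(), nil) != nil
	// The CA publishes a CRL listing Bob's serial number; Alice's certificate stays usable.
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          time.Now().Add(-time.Hour),
		NextUpdate:          time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: bob.SerialNumber, RevocationTime: time.Now()}},
	}, ca, caKey))
	crl := must(x509.ParseRevocationList(crlDER))
	if err := crl.CheckSignatureFrom(ca); err != nil { // a CRL counts only if the CA signed it
		panic(err)
	}
	revokedRejected = acceptSender(bob, withRoot, crl) != nil && acceptSender(alice, withRoot, crl) == nil
	return
}

func main() {
	a, b, c := trustDemo()
	fmt.Println("accepted with root installed:", a, "| rejected without root:", b, "| revoked rejected:", c)
}
```

The second scenario is the one the paragraph above is about: a certificate issued by a private CA is only as useful as the number of recipients who have chosen to install that CA's root, which is why the request for a signed message should carry the link to the root certificate. The third shows why the CRL link matters: a lost or replaced certificate stays technically valid until its expiry date unless the recipient's client also checks the revocation list.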
Using the PKI with Email
It is safest to set up your office email client to encrypt and sign all messages by default. This minimizes the chance of inadvertently sending an unencrypted email. When the client is set up this way, and you do not have a certificate for the intended recipient, the client will generate an error and not send the message. If the PKI is to be used to assist import of documents into an EMR, it is important that an office policy be set up to properly handle the messages so that they are not lost. A designated person should deal with all the incoming and outgoing messages, usually once or twice daily. The incoming messages may have to be printed so that patient related information is reliably seen by the attending physician in a timely manner. Incoming messages that have been saved to the EMR and forwarded in some manner to the attending physician should be moved to a separate folder so that it is always clear which messages remain to be processed.
Medical Office Information Systems
June 7, 2004