Comment by kerblang

5 hours ago

Under HIPAA requirements emailing personal medical info is a massive no-no. Admittedly, this is for the patient's protection, and of course being blind is not much of a secret... but it's completely understandable that email would be strongly discouraged. Nobody wants to get in trouble for breaking the rules.

Honestly, being able to accept a fax is great, although I would think any properly outfitted modern office that does accept fax would be able to route them straight to document storage rather than a printer. There are probably even internet services that can just act as a fax dumpster and hold PDF/image files for perusal at one's leisure. Yes, even the govt can figure this sort of thing out.

Is this an outdated requirement? What's the attack surface of an email vs fax? Unless they ban phones at the office, someone could just take a photo of the documents the patient faxed or mailed them.

  • > What's the attack surface of an email vs fax?

    I believe the primary concern has been while the message is in transit, unencrypted routing over the internet vs. unencrypted over the phone line.

    • Additionally the storage of email was cited as a concern, making mass data breaches much simpler.

      Note that there is a HIPAA approved email service called Direct, as in Direct Messaging / Direct Exchange / Direct Connect.

  • It's a current requirement. (Source: I'm adjacent to a doctor's office.) Two big advantages of faxes are that 1) they're point-to-point, and 2) there's zero caching between the sender and receiver.

    If everyone had a fax machine such that you'd commonly get a working fax receiver if you mis-entered the recipient's number, then #1 wouldn't be such a big deal. But in reality, if you enter a fax number, and the other end actually answers and responds with a screech, it's extremely likely that you're connected to the right party. (Also, I bet 99% of modern faxing is triggered by a nearby computer, or by pressing one of the preprogrammed speed dial buttons on the fax. There aren't that many opportunities to misdial the number in the first place.)

    That second is also a big deal. There are no intermediate servers which may be caching and inappropriately storing the data, except maybe the NSA, but what can ya do. The sender may have a cache, in the form of a print spooler. The receiver may have a cache where it temporarily stores inbound faxes and prints them asynchronously. But since both of those devices are owned and controlled by the parties in the communication, that's not a legal issue.

    I'm not advocating for faxes. They're a slow, clunky, lossy, pain in the ass. And yet, they do have specific properties that are pretty sweet. I guess the equivalent would be if I could ask you to send a PDF to my specific IPv6 address, and you could peer-to-peer shoot it directly to me. If I typoed the address at all, it's statistically "unlikely" that another person would be listening on that specific IP at that specific time. And if it were truly P2P, then you and I would be the only 2 who ever touched the file, except maybe the NSA, but what can ya do. Alas, I don't see that replacing fax machines any time soon.

    • > I guess the equivalent would be if I could ask you to send a PDF to my specific IPv6 address, and you could peer-to-peer shoot it directly to me.

      That's not exactly complicated if either party owns a web server. Which - last I checked - the government has.

      Just give the person who needs to send the sensitive documents a short link like uploaddocuments.gov, have that page ask for some basic identifying info, and have a box for the user to drag and drop a file. At which point the browser will p2p upload that file over HTTPS.

It's also funny because at work our fax machines don't print unless we go over and print it. The machine just converts the fax to PDF.

This is an indictment of email more than anything.

Reminds me of a typical conversation with my bank

“Hello sir, before we get started, for security measures, please provide this information about your account”

Hmm, I don't have this on hand, let me log in to my account and look at the settings and read it verbatim back to you, proving I’m not compromising this user at all

“Thank you, sir!”