Comment by Synthetic7346
6 hours ago
Is this an outdated requirement? What's the attack surface of an email vs fax? Unless they ban phones at the office, someone could just take a photo of the documents the patient faxed or mailed them
> What's the attack surface of an email vs fax?
I believe the primary concern has been while the message is in transit, unencrypted routing over the internet vs. unencrypted over the phone line.
Additionally the storage of email was cited as a concern, making mass data breaches much simpler.
Note that there is a HIPAA-approved email service called Direct, as in Direct Messaging / Direct Exchange / Direct Connect.
It's a current requirement. (Source: I'm adjacent to a doctor's office.) Two big advantages of faxes are that 1) they're point-to-point, and 2) there's zero caching between the sender and receiver.
If everyone had a fax machine such that you'd commonly get a working fax receiver if you mis-entered the recipient's number, then #1 wouldn't be such a big deal. But in reality, if you enter a fax number, and the other end actually answers and responds with a screech, it's extremely likely that you're connected to the right party. (Also, I bet 99% of modern faxing is triggered by a nearby computer, or by pressing one of the preprogrammed speed dial buttons on the fax. There aren't that many opportunities to misdial the number in the first place.)
That second is also a big deal. There are no intermediate servers which may be caching and inappropriately storing the data, except maybe the NSA, but what can ya do. The sender may have a cache, in the form of a print spooler. The receiver may have a cache where it temporarily stores inbound faxes and prints them asynchronously. But since both of those devices are owned and controlled by the parties in the communication, that's not a legal issue.
I'm not advocating for faxes. They're a slow, clunky, lossy, pain in the ass. And yet, they do have specific properties that are pretty sweet. I guess the equivalent would be if I could ask you to send a PDF to my specific IPv6 address, and you could peer-to-peer shoot it directly to me. If I typoed the address at all, it's statistically "unlikely" that another person would be listening on that specific IP at that specific time. And if it were truly P2P, then you and I would be the only 2 who ever touched the file, except maybe the NSA, but what can ya do. Alas, I don't see that replacing fax machines any time soon.
> I guess the equivalent would be if I could ask you to send a PDF to my specific IPv6 address, and you could peer-to-peer shoot it directly to me.
That's not exactly complicated if either party owns a web server. Which - last I checked - the government has.
Just give the person who needs to send the sensitive documents a short link like uploaddocuments.gov, have that page ask for some basic identifying info, and have a box for the user to drag and drop a file. At which point the browser will p2p upload that file over HTTPS.
That’s kinda true, but adds a few steps over cmd-P “print to fax”, paste in a phone number, done. And when done, the fax workflow has been tested and approved in courts. It’s a known entity.
I don’t love faxes. This isn’t me saying we should keep them forever. We shouldn’t. Still, there are reasons they’re still widely used for medical stuff today. If CMS or HHS rolled out a new method and told doctor’s offices to start using it if they want to get paid, the industry would switch in a heartbeat. Short of that, any other alternative will take approximately forever.
That's a very 1993 understanding of telecommunications.
Possibly! I haven’t used my Verizon CO badge to work on telco equipment in a few years. How is it fundamentally different now so that my brief description is wrong? I like to learn new stuff!
Most faxes today are between two fax over the Internet services and so are completely pointless.
Amazingly enough, this is actually not true. Many smaller doctors' offices still have a physical fax machine. I work on automation for certain processes in healthcare and a very large proportion of the faxes we receive come from physical fax machines. You can see artifacts on the fax itself and sometimes the cover letter will have a scribbled note.