Secure Messaging
Esther Czekalski, Czek and Associates

Slide: E-Mail is here to Stay
- Easy to get (out of the box)
- Easy to use
- Interoperability
- Push
- B to E, B to B, B to C, C to C (end user to end user)

Slide: Issues and Vulnerabilities
- Confidentiality
- Unencrypted kiosks and commercial mail clients
- Uncontrolled distribution
- Sensitivity ignorant
- Viruses
- No audit
- Error prone: addressing, forwarding, reply
- Authentication
- Inadvertent legal record

Slide: Legal and Ethical Pressures
- Legal precedents
- Privacy
- HIPAA
- GLB
- Malware

Slide: Risk, Classification and Policy
- Who owns e-mail?
- What is appropriate use for your e-mail system?
- Retention policies
- Special handling for high risk content?
- How to handle unsolicited e-mail outside your policies

Slide: HIPAA Hypothetical
- The covered entity's (CE's) end receives from and sends to any mail client
- Patient e-mail address is linked to the medical record during the enrollment process
- The CE may selectively block communications from certain patients
- The patient could indicate sensitivity; the appropriate sensitivity level would automate non-repudiation and encryption
- Review at the CE end could escalate sensitivity in the CE's system if needed
- Context based access control: sensitive e-mail could only be read by authorized care givers
- Authorized care givers can downgrade sensitivity for all or part of an e-mail. They can only forward downgraded parts as non-sensitive communications
- Responses to sensitive e-mail are also (classified for treatment as) sensitive, unless explicitly downgraded as above

Slide: HIPAA Hypothetical Continued
- Receipts
- A care giver can link a message to the medical record and/or match it to a specific e-mail retention policy
- Non-sensitive messages and downgraded messages should be matched to a specific retention policy. Those that come in and stay non-sensitive may be deleted
- All correspondence of appropriate sensitivity is indexed by patient, including where the patient was only mentioned as content (physician to physician)
- Audit records are created for receiving sensitive e-mail, sending sensitive e-mail, and changing the classification of e-mail. Auditors can view but not copy or change the actual correspondence that links to an audit record, if it is retained

Slide: Architectures: Client to Client Encryption (three slides)
Strengths
- Maintains push
- Uses existing clients
- Forced authentication
Weaknesses
- No longer out of the box
- Requires understanding beyond some users
- Virus detection
- Support

Slide: Architectures: Client to Client Encryption (support)
Support issues. From Microsoft Outlook Help (Outlook 2002, 10.3513.3510, SP-1):
"encryption: The process of encoding data to prevent unauthorized access. An encrypted message is unreadable to all but the recipient, who has a public key that will decrypt it because the key matched the private key that the sender used to encrypt it."
(The help text has the roles of the keys reversed: the sender encrypts to the recipient's public key, and only the recipient's private key can decrypt.)

Slide: Architecture: Business to Business Encryption (two slides)

Slide: Architectures: Web Based (two slides)

Slide: Case Example: Lancaster Hospital and Sigaba

Slide: Case: Massachusetts Health Data Consortium; Secure Messaging Project

Slide: Thank you to: Terry Grogan, Lancaster Hospital; Bill Colbert; Javed Ikbal
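The two HIPAA Hypothetical slides describe a labelling scheme, not a product. The Go program below is an added example, not from the presentation or from any vendor, that models those rules so they can be checked: a reply to sensitive mail inherits the label, only a care giver may downgrade and only part by part, an auditor may view (a copy of) correspondence only where an audit record links to it, a forward as non-sensitive mail carries only the downgraded parts, and mail that arrived non-sensitive and was never reclassified is the only mail the ordinary retention policy may delete. Role names, the per-part message structure and the audit record format are assumptions.

```go
package main

// Added example (not from the presentation): a model of the labelling rules on
// the two "HIPAA Hypothetical" slides. Role names, the per-part structure and
// the audit record format are assumptions.
import "errors"

// Actors with no role entry (patients, clerks) see only non-sensitive parts.
type Role string
const (
	CareGiver Role = "care giver" // authorized for the patient's record
	Auditor   Role = "auditor"
)
// Each part carries its own label, so a care giver can downgrade and forward
// part of a message while the rest stays sensitive.
type Part struct{ Text string; Sensitive bool }
type Message struct{ ID, From, ReplyTo, Patient string; Parts []Part }
type AuditRecord struct{ Event, Actor, MsgID string }

type Store struct {
	roles   map[string]Role
	msgs    map[string]*Message
	audited map[string]bool // message IDs that some audit record links to
	Audit   []AuditRecord
}
func NewStore(roles map[string]Role) *Store {
	return &Store{roles: roles, msgs: map[string]*Message{}, audited: map[string]bool{}}
}
func (s *Store) log(event, actor, id string) {
	s.Audit = append(s.Audit, AuditRecord{event, actor, id})
	s.audited[id] = true
}
func nonSensitive(parts []Part) (out []Part) {
	for _, p := range parts {
		if !p.Sensitive {
			out = append(out, p)
		}
	}
	return out
}
// IsSensitive: a message is sensitive while any part still is.
func IsSensitive(m *Message) bool { return len(nonSensitive(m.Parts)) != len(m.Parts) }

// Receive keeps the sender's own marking; a reply to sensitive mail inherits
// Sensitive, and review at the CE end may escalate. Receipt is audited.
func (s *Store) Receive(m *Message, escalate bool) {
	if p, ok := s.msgs[m.ReplyTo]; (ok && IsSensitive(p)) || escalate {
		for i := range m.Parts {
			m.Parts[i].Sensitive = true
		}
	}
	s.msgs[m.ID] = m
	if IsSensitive(m) {
		s.log("receive-sensitive", m.From, m.ID)
	}
}

// Read is the context rule: care givers see everything; an auditor may view (a
// copy of) correspondence only where an audit record links to it; anyone else
// sees only the non-sensitive parts.
func (s *Store) Read(actor, id string) ([]Part, error) {
	m, ok := s.msgs[id]
	if !ok {
		return nil, errors.New("no such message")
	}
	switch s.roles[actor] {
	case CareGiver:
		return m.Parts, nil
	case Auditor:
		if !s.audited[id] {
			return nil, errors.New("no audit record links to this message")
		}
		return append([]Part(nil), m.Parts...), nil
	}
	return nonSensitive(m.Parts), nil
}
// Downgrade reclassifies one part; only a care giver may, and it is audited.
func (s *Store) Downgrade(actor, id string, part int) error {
	m, ok := s.msgs[id]
	if !ok || part < 0 || part >= len(m.Parts) {
		return errors.New("no such message part")
	}
	if s.roles[actor] != CareGiver {
		return errors.New(actor + " may not reclassify")
	}
	m.Parts[part].Sensitive = false
	s.log("reclassify", actor, id)
	return nil
}
// Forward returns only the parts that may leave as non-sensitive mail.
func (s *Store) Forward(actor, id string) ([]Part, error) {
	parts, err := s.Read(actor, id)
	return nonSensitive(parts), err
}
// MayDelete: mail that arrived non-sensitive and was never reclassified has no
// audit linkage and falls under the ordinary retention policy.
func (s *Store) MayDelete(id string) bool {
	m, ok := s.msgs[id]
	return ok && !IsSensitive(m) && !s.audited[id]
}
```

The audit log is the only state an auditor's view depends on, so "sending sensitive mail" would be logged the same way as receiving it; the model keeps just the receive and reclassify events the slides name.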
Additional slide text and diagram labels

Title slide: www.czekandassoc.com

Slide: E-Mail is here to Stay (link): http://www.nist.gov/smartspace/smartSpaces/

Quote slide: "If you give me six lines written by the most honest man, I will find something in them to hang him." - Cardinal Richelieu

Slide: Proposed HIPAA Regulation
"Each organization that uses communications or networks would be required to protect communications containing health information that are transmitted electronically over open networks so that they cannot be easily intercepted and interpreted by parties other than the intended recipient, and to protect their information systems from intruders trying to access systems through external communication points. When using open networks, some form of encryption should be employed."

Slide: Description of Signing (diagram: SUE -> LEROY)
Sue obtains a certificate and sends a signed e-mail to Leroy.
1. A public and private key pair is created
2. The Certificate Authority binds the public key to Sue's identity with its own private key
3. Sue uses her private key to sign the message
4. Sue includes her public key/certificate in the message
5. Leroy uses the public key/certificate to verify the signature

Slide: Description of Encryption (diagram: LEROY -> SUE)
Leroy sends encrypted mail to Sue.
1. Leroy (his client) creates a session key to encrypt the message
2. Leroy uses Sue's public key to encrypt the session key
3. Sue uses her private key to decrypt the session key
Implementations require both parties to have key pairs and certificates.

Slide: Architectures: Client to Client Encryption (preserve / improve)
Preserve: Easy to get (out of the box), Easy to use, Interoperability, Push
Improve: Confidentiality, Unencrypted kiosks and Yahoo, Uncontrolled distribution, Viruses, Sensitivity, No audit, Error prone, Authentication, Inadvertent legal record

Slide: Architectures: Client to Client Encryption (support)
Support: Intuitive interface, Help files, On-line documentation, Help desk, Escalation

Slide: Architecture: Business to Business Encryption (diagram of mail flowing between two organizations' gateways; no text)

Slide: Architecture: Business to Business Encryption (strengths and weaknesses)
Strengths: Maintains push; Uses existing clients; No new learning curve; Forced authentication; Protects privacy; Integrates with virus protection and content filtering
Weaknesses: Only protects e-mail in transit, between the gateways
Preserve / Improve: the same lists as on the client-to-client slide

Slide: Architectures: Web Based (diagram: Web Server, SSL)
Internally the mail works like enterprise mail. External clients are sent an e-mail telling them that they have mail on the web server. The enrolled external client logs in with an assigned password and ID. Privacy is protected with SSL.

Slide: Architectures: Web Based (strengths and weaknesses)
Strengths: Integrates well with antivirus, content filtering and other policy tools (retention); Kiosks and Yahoo; More control over distribution; Forced authentication and privacy
Weaknesses: Loses most push; New user interface, password and ID; Support
Preserve / Improve: the same lists as on the client-to-client slide

Slide: Case Example: Lancaster Hospital and Sigaba (diagram: Mail server, Sigaba Gateway, Key server; Encrypted Mail; Client retrieves key)
Mail is encrypted at the gateway. The authenticated client retrieves the key and decrypts the mail.

Slide: Case: Massachusetts Health Data Consortium; Secure Messaging Project
Featured case presented by Ben Littauer, the Project's Technical Lead.
And thank you! Esther Czekalski, www.czekandassoc.com

Speaker notes

Notes (E-Mail is here to Stay):
Email has become corporations' preferred mode of communication. Email use in the U.S. will grow from 3.2 billion daily emails to over 9 billion by 2003.
Creative Networks reports that 52% of business critical information is stored within a messaging system today. (Source: http://www.disappearing.com/why/index.html, now Omniva Policy Systems.)

All of this applies to other forms of messaging: wireless between people, wireless from equipment to records.

Read from Smart Space, http://www.nist.gov/smartspace/smartSpaces/ :

"Smart Spaces offer services provided by embedded devices, that are accessed and interconnected with portable devices carried or worn into the spaces. Then the combination of imported and native devices can support the information needs of the current users. Mobile and stationary Smart Spaces may: identify and perceive users, their actions, and even goals; facilitate interaction with information rich sources; provide extensive presentation capabilities; anticipate user needs during task performance; provide improved records and summaries for later use; support distributed and local collaboration.

A visionary Smart Space scenario: 5:30 a.m., September, 2007. Federal Emergency Management Agency Headquarters (FEMA), Mount Weather, Northern Virginia. George, a group leader with the FEMA, is currently sleeping peacefully at home, dreaming of his upcoming vacation. However, hurricane Sandy unexpectedly changed course during the night and is just then impacting the Florida coast south of West Palm Beach with one hundred and forty mile per hour winds. Power and civilian communication systems are failing under the lashing winds and rain. George's smart office PC, Grover, receives a Priority Emergency Advisory and routes it to his pager, downloads a header paragraph and actuates its emergency management tones. George sends an acknowledgment and stumbles out of bed. 'Gonna be an interesting day,' he says to himself. Presently, driving to the National Situation Awareness (SA) Center, George voice-dials Grover via a smart station embedded in his car. 'Grover here, George. Ready for options, what should I do?' 'Arrangements. Reserve an SA Room at my office complex for the next two days; also one near the scene.' 'Reserving SA Rooms, one at FEMA HQ and one at West Palm Beach. Ready for new option.' 'Staffing. Alert members of Team Charley and have them report to my SA Room at FEMA HQ; also contact a team at Boca Raton center.' 'Grover here. Alerting team Charley. Also I have confirmation on SA room six for today and tomorrow here, and a mobile Situation Awareness Center manned by Team Whiskey south of West Palm Beach in Florida.' 'George signing off.' 'I will expect you in about ten minutes, please slow down,' said Grover, retrieving George's position and speed from the smart station in the car.

George arrives at headquarters within a minute of the time Grover projected. Three members of Team Charley have arrived before George. They have been identified by their smart badges, speaker identification, and face recognition as they begin to set up the Situation Awareness room. The wall screen divides into work and input areas along the bottom, and opens a picture window to the mobile SA center on the scene at the top. There is a high-speed fax at the front of the SA room which effectively allows the members of both teams to pass hard copy through the virtual windows from room to room. Field members of Team Whiskey will be wired for sound and video. Their dialog will be transcribed by speech recognizers and the feeds stored on an audiovisual server. George has a set of computer agents to filter these text streams from Team Whiskey in the field and to route the video to a window on the wall screen when critical matters develop."

From HIPAALIVE, subject: TELEMEDICINE:
"Does anyone see a problem using phone lines to transmit unencrypted video and audio of students (minors) from schools to physicians including psychologists to perform evaluations?"

These issues will just get more critical with progress.
Statements about its use: Medical Economics Magazine says about 10% of physicians go online regularly with their patients.

Notes (Legal and Ethical Pressures):

Oldie but goodie: Dow, July 2002.
"The audit of Dow Chemical Co.'s Michigan e-mail server turned up several violations of the company's computer policy and has led to the termination or discipline of some workers, a company spokesman said."
"A September survey of 1,244 people by Vault.com, a New York-based human resources Internet company, found that more than eight in 10 people sent personal e-mail at least once a day. Nearly 40 percent said they sent five or more personal computer messages every day. And almost six in every 10 surveyed said they had received sexually explicit or otherwise improper e-mail messages at work."
"As in the Dow case, employees generally don't get in trouble if they've received an inappropriate e-mail, as long as they promptly delete it. Experts say most employees run into problems if they print the message, send it to others, store it on computers or keep it on their screen. Many employees don't realize employers have the right to examine their computer systems and read through personal e-mail, even messages workers thought had been deleted. 'A lot of people would be totally freaked to discover whatever they have put on computer or wherever they have been on the worldwide Internet is subject to review,' said Linn Hynds, an attorney who leads the labor and employment department at the Honigman Miller Schwartz and Cohn law firm in Detroit. Courts have ruled that computers at work are company property and that companies have the right to look through information sent and received on them, Hynds said. Employers must make their policies clear before they can rightfully take action for inappropriate use of computers, he said."

Recently: Enron/Andersen e-mail.
http://www.freep.com/money/business/eside8_20020508.htm
"Levin also disclosed a series of e-mails written last October by a senior Enron official, whom he did not name, suggesting transactions in Enron stock that raise the possibility of insider trading. He said he had referred the documents to the U.S. Securities and Exchange Commission, which is conducting a civil inquiry of Enron and Andersen."
http://www.freep.com/money/business/enron8_20020508.htm
"These are e-mails and documents that reflect differences" between the Chicago headquarters and the Houston audit team over Enron, he said. "If these documents showed internal arguments . . . wouldn't you expect those to be destroyed?" Hardin labeled the government's case a "rush to judgment" to find Andersen officials who, according to the indictment, "corruptly persuaded" others to wipe out documents. But prosecutors suggested Andersen was still smarting from a $7 million fine paid to settle Securities and Exchange Commission allegations that Andersen had issued false and misleading reports on behalf of Waste Management Inc. Andersen also agreed to an injunction in which it promised not to break SEC rules again.

A news article about how companies are violating SEC retention policies for e-mail: http://shorterlink.com/?RJSU8O
"Last November, the S.E.C. reiterated its view that e-mail messages are covered by the law and must be retained. The law states that firms must preserve the documents 'in an accessible place' for two years after the messages are written. The notices from the regulatory division of the N.A.S.D. were sent to the firms recently, according to the people close to the investigation. Nearly a year ago, that regulator began looking into how closely research analysts at brokerage firms interact with their investment banking colleagues in drumming up interest in stocks underwritten by the firm and how analysts are compensated for their work. Twelve large and midsize firms are under investigation by the association. The people close to the investigation said that policies on e-mail retainment among the largest brokerage firms seem to vary widely. If the firms are found by regulators to have mistakenly deleted messages that they were supposed to keep, they could face fines extending into the high six-figures. If the firms destroyed the messages purposefully, penalties are more significant, including suspension or expulsion from the securities industry. Prosecutors say that under New York state law, a firm that deleted e-mail messages that it was required to maintain could be found guilty of falsifying business records. If the destruction of the e-mail messages was found to be intentional, the firm could face a felony charge."

HIPAA: Health Insurance Portability and Accountability Act. Administrative Simplification consists of Transactions, Privacy and Security.
"Each organization that uses communications or networks would be required to protect communications containing health information that are transmitted electronically over open networks so that they cannot be easily intercepted and interpreted by parties other than the intended recipient, and to protect their information systems from intruders trying to access systems through external communication points. When using open networks, some form of encryption should be employed."

Gramm-Leach-Bliley Act, 15 USC, Subchapter I, Sec. 6801-6810.
Sec. 6801. Protection of nonpublic personal information.
(a) Privacy obligation policy: It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information.
(b) Financial institutions safeguards: In furtherance of the policy in subsection (a) of this section, each agency or authority described in section 6805(a) of this title shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards (1) to insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
GLB creates complex rules about what can be disclosed: http://www.ftc.gov/privacy/glbact/glb-faq.htm#A

Malware: where you do virus scanning, at the desktop or at the server, has to fit where you do encryption, because a scanner cannot inspect mail that is already encrypted when it reaches it.

Notes (Client to Client Encryption):
Unfortunately the most difficult case; I like it best.
PKI: public key, private key, certificate. Two things you need to know: the private and public key pair, and the certificate.
Difference between PGP and S/MIME.
I got my key from Verisign following links from Microsoft, which said it would be free. It was free for 60 days; it cost $14.95. I can distribute it as above and/or put it on a key distribution server of Verisign's.
Other ways people get certificates: other vendors sell them, and a company can bring up its own PKI.
Trust: from a security standpoint, the trust level is as good as the enrollment process.

Notes (Client to Client Encryption, support):
Intuitive interface: if I am unfamiliar with a feature the interface will help me use it appropriately. Options that show details about the encryption key, and show details about mine.
Help files: will offer me more information to use that feature intelligently and explain options. See above.
On-line documentation: will offer insights into the process that give me a deeper understanding of why or how a particular feature is used. From Outlook Help:
"When the recipient receives the digitally signed message, they can save the certificate containing the public key to their contact list. Now when the same sender sends them a digitally signed message that is also encrypted (so others can't read it) the public key on the recipient's computer allows him or her to read (decrypt) the message. This is because there is a match between the private key and the public key. The recipient in turn sends a digitally signed message with their certificate so that the original sender can verify their identity and read their encrypted messages."
Help desk: will be able to do all of the above. My first help desk call was immediately escalated.
Escalation: is used to verify bugs and initiate needed enhancements based on customer experience (in any of the above). The escalation engineer was very professional and sympathetic. It took a couple of days for him to research what was happening, as he kept getting different answers to the question of whether and why I needed a certificate of my own to send encrypted mail. His final answer was that both parties needed a certificate if either wanted to send encrypted mail. He would not/did not feel it was his responsibility to state why. (Good reason: encrypted mail is always signed.)

Notes (Business to Business Encryption):
Touch lightly; Ben will cover this in more depth. In reality there are probably two servers: one that handles distribution of mail within the company and another that handles outgoing mail.

Notes (Web Based):
Alternately, the client could be authenticated with a certificate.

Notes (Web Based, strengths and weaknesses):
Lends itself to outsourcing/ASP.
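The Description of Signing and Description of Encryption slides, and the client-to-client notes above about each side needing a certificate, describe the two operations that S/MIME layers on PKCS#7: signed-data and enveloped-data. The Go program below is an added example, not the presentation's material and not Outlook or Notes code, that carries both out with the standard library: a toy certificate in which a CA binds Sue's public key to her name, a signature Leroy accepts only after checking that binding against the CA he trusts, and an envelope whose AES-GCM session key is wrapped under Sue's RSA public key, which is why Leroy cannot open a message he himself sealed for Sue. The certificate format, the key sizes, the sample messages and the function names are assumptions; a real deployment uses X.509 certificates and the CMS structures the notes name.

```go
package main

// Added example (not from the presentation): the signing and enveloping steps
// on the "Description of Signing" and "Description of Encryption" slides with
// Go's standard library. Cert is a toy stand-in for X.509; real S/MIME uses
// X.509 certificates and the CMS/PKCS#7 structures the notes name.
import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
)
// Cert: the CA signs SHA-256(name || 0 || DER public key) with its private key.
type Cert struct{ Name string; PubDER, CASig []byte }

func certDigest(name string, pubDER []byte) []byte {
	d := sha256.Sum256(append([]byte(name+"\x00"), pubDER...))
	return d[:]
}

// Issue binds a subject's public key to its name under the CA's private key.
func Issue(ca *rsa.PrivateKey, name string, pub *rsa.PublicKey) (Cert, error) {
	der := x509.MarshalPKCS1PublicKey(pub)
	sig, err := rsa.SignPSS(rand.Reader, ca, crypto.SHA256, certDigest(name, der), nil)
	return Cert{Name: name, PubDER: der, CASig: sig}, err
}

// SubjectKey checks the CA binding before trusting the key inside the cert.
func SubjectKey(caPub *rsa.PublicKey, c Cert) (*rsa.PublicKey, error) {
	if rsa.VerifyPSS(caPub, crypto.SHA256, certDigest(c.Name, c.PubDER), c.CASig, nil) != nil {
		return nil, errors.New("certificate not issued by the trusted CA")
	}
	return x509.ParsePKCS1PublicKey(c.PubDER)
}

// Sign: the sender signs the message digest with its private key (signed-data).
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, d[:], nil)
}

// Verify: the recipient validates the sender's cert, then the signature with it.
func Verify(caPub *rsa.PublicKey, c Cert, msg, sig []byte) error {
	pub, err := SubjectKey(caPub, c)
	if err != nil {
		return err
	}
	d := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, d[:], sig, nil)
}

// Envelope is the enveloped-data shape: the message under a fresh AES-GCM
// session key, and that key wrapped with RSA-OAEP under the recipient's key.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}
func Seal(recipient *rsa.PublicKey, msg []byte) (Envelope, error) {
	buf := make([]byte, 44) // 32-byte session key followed by a 12-byte nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return Envelope{}, err
	}
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{wrapped, nonce, gcmFor(key).Seal(nil, nonce, msg, nil)}, nil
}

// Open: only the holder of the matching private key recovers the session key.
func Open(priv *rsa.PrivateKey, e Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("session key was not wrapped for this key pair")
	}
	return gcmFor(key).Open(nil, e.Nonce, e.Ciphertext, nil)
}

func main() {
	ca, _ := rsa.GenerateKey(rand.Reader, 2048)
	sue, _ := rsa.GenerateKey(rand.Reader, 2048)
	leroy, _ := rsa.GenerateKey(rand.Reader, 2048)
	sueCert, _ := Issue(ca, "Sue", &sue.PublicKey)
	msg := []byte("Leroy, the lab results are ready.") // Sue -> Leroy, signed
	sig, _ := Sign(sue, msg)
	fmt.Println("signature verifies:", Verify(&ca.PublicKey, sueCert, msg, sig) == nil)
	env, _ := Seal(&sue.PublicKey, []byte("Thanks, sending the referral.")) // Leroy -> Sue
	pt, err := Open(sue, env)
	fmt.Println("Sue reads:", string(pt), err)
	_, err = Open(leroy, env) // sealed for Sue: not even the sender can open it
	fmt.Println("Leroy opening Sue's envelope:", err)
}
```

The last two lines of main are the practical reason a client that wants a readable Sent Items folder asks for the sender's own certificate as well: a copy must be enveloped for the sender too, and that is a separate wrapped session key, not a second encryption of the message.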
Notes (Business to Business, strengths and weaknesses):
Who buys first? False sense of confidence (is the mail always encrypted?).

Notes (Description of Encryption):
Actually the public key is used to encrypt a session key. This session key travels with the message and Sue uses her private key to decrypt the session key.
Testing in both Lotus Notes and Microsoft Outlook required that the sender have a certificate, as well as the receiver's public key, in order to encrypt.
In reviewing the standards, I found most helpful PKCS#7: Cryptographic Message Syntax, Version 1.5, http://www.imc.org/rfc2315, which describes the signed-data content type (message digest), the enveloped-data content type, and the signed-and-enveloped-data content type.

Notes (Case Example: Lancaster Hospital and Sigaba):
With the Courier method the client needs only a browser; the encrypted part of the message comes as an attachment.
Separate authentication and signing from key exchange. PKI can be used to authenticate users and sign content. Don't use PKI for key exchange: the key server generates the key, the desktop or server encrypts the content, and the authenticated recipient gets the key from the server.

Terry Grogan, Manager, Information Security, Lancaster General, describes the deployment:

1. The patient will be registered in the authentication server "out of band". We're looking at handing them a little information letter with their initial password on it when we enroll them in person (at the hospital registration area, in the physician practice, etc). The "enroller" (any doctor, office manager, registration clerk) will bring up a web screen (in-house) and enter the patient's email address. If it's not in the system, it will generate an initial password. If it's in the system, it will say so, and the patient will be reminded he/she is already registered and be given instructions/assistance on changing the password if they forget it.

2. The patient will go home, go to the website we have on their sheet of paper (an SSL page we host), and enter their email address and the initial password.
They'll be presented with a webpage that will allow them to pick a password based on formation rules we give them (at this point, we're going to ask for 8-10 characters in length with at least one alphabetic character and at least one number - we don't want to make this too cumbersome, and I feel this will be secure enough). Patient will then choose two secret questions - they can be any questions they want. We'll give instructions on how to make a good question (e.g. something that won't change). They'll also type in the answers to these questions.

3. Now, when the doctor communicates with the patient, the email goes through our mail system to the Sigaba gateway (still inside our firewall). We will have a policy on the gateway that says "if this email address is in your database encrypt, otherwise send in the clear". (There are several ways to do this - one being filtering for certain "key words", another being for the initiator to start the subject of an email with a key word - we didn't like any of these. Based on my experience with web filtering software, filtering for key words never works.) The drawback to the way we're doing it is that everything that goes to that email address will be encrypted. However, we feel this is far outweighed by the benefits of not relying on the sender to remember to type a "key word" or the product to look for a "filter/trigger word". The email is so easy to open, having it encrypted shouldn't be an issue.

4. When the patient receives an encrypted email, it will have a "clear text" message that will tell them to open the attached encrypted HTML file. When they click that open, they will be asked for their password (they have to be connected to the internet, but with the way people use email, we don't see this as an issue). The password they enter will be compared to the one on file for their email address. If it matches, a very small (less than 2k) XML transfer takes place, the encryption key is sent to the receiver, and the HTML document is unencrypted. The person can read it, print it, copy it, or just close it. Once closed, it returns to the encrypted state. There are no clients needed on the patient end - that's the beauty of this solution. It doesn't care what you use for email as long as your email supports Java 1.1 (all popular ones do, as do all current browsers (web-based email); so do older ones back to IE 3.0 and Netscape 2.0). Sigaba has in beta (which they promised in contract to have working for us by June) a secure reply to the Courier email, so the patient could even reply to the email and it would come back to us securely. I am interested in this because I would like to send an HTML template (form) securely to a patient that will be a pre-registration form for elective procedures they will have in the hospital in the next day or two. They could fill it out and send it back securely. Think of what this would do for our registration process.

>>>>> As for privacy sensitivities, these were definitely considered, and why I finally chose Sigaba. I didn't want the "ASP model" - we wanted everything internal - and I wanted LOTS of auditing. We're not planning on using end-to-end encryption - which is available from Sigaba - but plan on using corporation-to-end encryption. In other words, we'll use a gateway to encrypt the email before it leaves the organization, and decrypt it as it comes back in. We talked about allowing encryption right from the desktop, but then discussed some of the issues with others needing access to email and not being able to read it because it was encrypted, etc.

>>>>>>>>>>>>>>
1. Tumbleweed
2. PGP
3. ZixIT
4. PostX
5. Sigaba

These were my requirements:
1. Industry standard security
2. Easy to install on my end
3. No client-side software needed
4. "Lights-out" admin - I didn't want to babysit this all day, and I didn't want to run a 24x7 help desk just for email
5. User self-administration (on the recipient end)
6. Ability to encrypt at a "gateway" rather than require each internal user to encrypt.
7. Auditing and Reporting available.

After looking at these 5, we narrowed it down to PostX and Sigaba. We decided to go with Sigaba because security was better and so was price. Here are some of the things I like about Sigaba: They offer what I believe is the simplest email solution out there. They have easy to install plug-ins for most popular email clients (including Yahoo and Hotmail), and they even offer a unique service - which we plan on using - called Courier (allows us to send secure email to someone that does not have/doesn't want to install a plug-in). They have an ASP type model where "key management" (not the nightmare of PKI, by the way) is handled by them. I talked to several of their current clients - including a law office of just 6 lawyers and a dozen or so clients who love how easy it was to get this running and start sending encrypted email. One of their other clients is McKesson/HBOC, who is using this currently in a pilot mode, but plans to eventually provide electronic bills securely to their clients. They also have several banks (e.g. Cascade Bank, http://www.cascadebank.com/, where they offer under their "contact us" icon the ability for customers to download the Sigaba client and communicate with the bank securely). Their security is industry standard - AES. The authentication process is separate from the encryption process. Users are "self-managed" - can reset their own password, etc. once you've gotten them established with an initial "out of band" password. The auditing is really good - you know every time anyone opens a piece of secure email. You can also "expire out" a piece of email (e.g. if the person doesn't open it in 30 days, they can't open it).
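The workflow the hospital describes above has four checkable pieces: the password formation rule, the gateway's address-based "encrypt if enrolled, otherwise send in the clear" policy, the password comparison on open, and the per-open audit with a 30-day expiry. The following Python model is an added illustration written for this page; it is not Sigaba's code nor the hospital's, it does not implement the actual encryption (the envelope merely stands in for the encrypted HTML attachment), and the PBKDF2 password storage, the secret-question dictionary, the class and function names and the sample addresses are all assumptions constructed here.

```python
"""Model of the enrollment rules, address-based gateway policy, password
check on open, open auditing and expiry described in the case write-up.
Added example for this page, not Sigaba's or the hospital's code; the
hashing scheme and envelope layout are assumptions."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


def password_meets_rules(pw):
    """Formation rule from the write-up: 8-10 characters, at least one
    alphabetic character and at least one number."""
    return (8 <= len(pw) <= 10
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)


@dataclass
class Recipient:
    email: str
    salt: bytes
    pw_hash: bytes
    questions: dict      # the two patient-chosen secret questions -> answers


@dataclass
class Envelope:
    """Stands in for the encrypted HTML attachment; the body is not actually
    encrypted here (assumption: only the workflow is modelled)."""
    recipient: str
    body: str
    sent: datetime
    ttl_days: int = 30   # the "expire out" window mentioned in the write-up


class Gateway:
    """Policy: 'if this email address is in your database encrypt, otherwise
    send in the clear', plus the password check and the open audit."""

    ITERATIONS = 200_000   # assumption: PBKDF2-SHA256 for the stored password

    def __init__(self):
        self.enrolled = {}   # lower-cased email -> Recipient
        self.audit = []      # one entry per open attempt: (email, time, outcome)

    def _hash(self, salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def enroll(self, email, password, questions):
        """Self-registration: password by the formation rules, exactly two
        secret questions; only a salted hash of the password is kept."""
        if not password_meets_rules(password):
            raise ValueError("password does not meet the formation rules")
        if len(questions) != 2:
            raise ValueError("exactly two secret questions are required")
        salt = os.urandom(16)
        addr = email.lower()
        self.enrolled[addr] = Recipient(addr, salt, self._hash(salt, password), dict(questions))

    def route(self, recipient, body, now):
        """Returns ('encrypt', Envelope) for enrolled addresses, else ('clear', body).
        Everything to an enrolled address is encrypted, as the write-up notes."""
        addr = recipient.lower()
        if addr in self.enrolled:
            return "encrypt", Envelope(addr, body, now)
        return "clear", body

    def open_message(self, env, password, now):
        """The entered password is compared to the one on file for the
        recipient address; every attempt is audited, and an expired message
        cannot be opened regardless of the password."""
        rec = self.enrolled.get(env.recipient)
        if now > env.sent + timedelta(days=env.ttl_days):
            outcome = "expired"
        elif rec is None or not hmac.compare_digest(rec.pw_hash, self._hash(rec.salt, password)):
            outcome = "bad-password"
        else:
            outcome = "opened"
        self.audit.append((env.recipient, now.isoformat(), outcome))
        return outcome


def run_demo():
    """Constructed walk-through with sample addresses; returns the routing
    decisions, the open outcomes and the audit trail for inspection."""
    gw = Gateway()
    sent = datetime(2002, 5, 8, 9, 0)
    gw.enroll("Patient@example.com", "pre0p2002",
              {"First pet's name": "rex", "Street you grew up on": "elm"})
    mode_enrolled, env = gw.route("patient@example.com", "<html>pre-registration form</html>", sent)
    mode_other, _ = gw.route("pharmacy@example.org", "refill ready", sent)
    outcomes = [
        gw.open_message(env, "wrong-pass1", sent + timedelta(days=1)),   # bad-password
        gw.open_message(env, "pre0p2002", sent + timedelta(days=1)),     # opened
        gw.open_message(env, "pre0p2002", sent + timedelta(days=31)),    # expired
    ]
    return mode_enrolled, mode_other, outcomes, gw.audit
```

The point the model makes explicit is that the policy decision depends only on the recipient address, so the sender never has to remember a trigger word, and that the audit list grows on failed and expired attempts too, which is what makes it useful for the HIPAA-style accounting the write-up wants.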
Speaker notes recovered from the presentation file:

Czek and Associates, my consulting entity, reflects my interest in Security at the User Interface. Professional life started with PCs; now connect us to each other. Ignorance of the importance of privacy and security. This project: volunteering for HIPAALIVE mailing list (talk about HIPAA later). Cases are from health care; issues universal. Looking for pilots, Ben Littauer.

MUST BE KNOWN TO EMPLOYEES! Certificates on diskette in top drawer. Legal requirements. Needed even if you outsource (ASP).

Going to look next at three architectures: signing and encryption, client to client; business to business; web based. Any or multiple approaches.

Title slide: Secure Messaging. Esther Czekalski, Czek and Associates, www.czekandassoc.com

Slide titles: Secure Messaging; E-Mail is here to Stay; Issues and Vulnerabilities; Legal and Ethical Pressures; Risk, Classification and Policy; HIPAA Hypothetical; HIPAA Hypothetical Continued; Architectures: Client to Client Encryption; Architectures: Client to Client Encryption (support); Architecture: Business to Business Encryption; Architectures: Web Based; Case Example: Lancaster Hospital and Sigaba; Case: Massachusetts Health Data Consortium; Secure Messaging Project.

Hyperlinks in the presentation: http://www.imc.org/rfc2315, http://www.nist.gov/smartspace/smartSpaces/, http://www.freep.com/money/business/eside8_20020508.htm, http://www.freep.com/money/business/enron8_20020508.htm, http://shorterlink.com/?RJSU8O, http://www.cascadebank.com/