The Open Group : Making Standards Work
Messaging Forum
 S/MIME GATEWAY CERTIFICATION

The S/MIME Gateway Certification program identifies interoperable products that encrypt e-mail at the organization boundary for transmission across a public network. Certified products conform to the S/MIME Gateway Profile specification developed by the Messaging Forum.

   
 BACKGROUND

The Health Insurance Portability and Accountability Act of 2001 (HIPAA) mandates the privacy of Protected Health Information (PHI). This requires encryption of any e-mail that contains PHI.

Desktop-to-desktop encryption, with its attendant key management infrastructure, is not necessary to meet the requirements of HIPAA. Several companies have developed e-mail software that encrypts e-mail at the domain boundary for transmission over public networks. When this project started, none of these products was able to exchange encrypted e-mail with any other product.

 THE CHALLENGE

The Massachusetts Health Data Consortium (MHDC) challenged the vendors of e-mail products that encrypt mail at the domain boundary to demonstrate interoperability. In 2002, a group of vendors met that challenge and did indeed demonstrate interoperability.

However, this demonstration was based on modified versions of the vendors' products. By the end of Q1/2003, it was clear that the changes made to achieve interoperability were not going to be available in commercial off-the-shelf software.

 THE CERTIFICATION PROGRAM

MHDC approached the Messaging Forum for help in addressing their need to meet the requirements of HIPAA. In July 2003 a joint project involving the Messaging Forum and the members of MHDC was set up, with the objective of creating a Certification Program to establish the baseline for interoperability and to identify products that conform to that baseline.
  • The first phase of the project involved the definition of the problem to be solved. By excluding digital signatures and automated key exchange, the problem was constrained to the level where a solution was achievable.
  • A profile of the IETF S/MIME standard was developed to establish a baseline for interoperability. This selected a number of options that were not fully defined in the base standard, including a common encryption model, certificate format and a simple mechanism for key exchange.
  • A testing protocol was developed to enable product vendors to demonstrate that their products interoperate successfully with products from other vendors.
The program was developed within 12 months and launched in July 2004, at which point products from 4 vendors were certified.

Since that time, members of MHDC have procured and successfully deployed products from different vendors.


 MORE INFORMATION

Much more information about the S/MIME Gateway certification program may be found elsewhere on this site:
  • certification program
  • register of certified products

 NEXT STEPS

Work will start in April 2006 on the development of the next version of the S/MIME Gateway Certification program.

  • The development of the S/MIME Secure Messaging Architecture has identified a number of areas where it is difficult to exchange encrypted e-mail between systems that encrypt/decrypt e-mail at the desktop and those that encrypt/decrypt e-mail at the domain boundary. This will inhibit the deployment of secure e-mail.

  • The first version of the S/MIME Gateway Certification program was specifically designed to meet the needs of a constrained community of organizations with existing business relationships, where manual key exchange is practical. To be usable in larger communities, some form of automated key exchange must be developed.

  • While the Healthcare Community had no immediate requirements for digital signatures, these are needed by other users.
 

 

 

 