
HIPAA and Encrypting Files for Microsoft Windows

As many in the health industry know, HIPAA is in place to protect patient information from being tied to medical conditions.  A good rule to live by: if you are transmitting identifiable information, it should be encrypted and password protected.  Electronic records are treated the same as physical records; they must be kept under lock and key, with access limited to those who need to know, even among employees of the same practice.

 

The difficulty is that with the rapid advancement of electronic record keeping, security becomes much more difficult and, at first, cumbersome to implement and maintain.  However, like any habit, it can catch on quickly and spread relatively easily once a few people are involved.  Just like a lock and key, the security must be periodically checked and changed/updated to meet the ever-changing standards.

 

Since privacy and security of systems is such a broad scope to cover, this document will focus on:

  1. Creating and implementing security between two parties, Party A & Party B
  2. Party A encrypting information using Party B's 'public key' and transmitting the encrypted item to Party B
  3. Party B receiving encrypted information from Party A and decrypting it using Party B's 'secret key'

Throughout this document you can consider yourself (the provider) as Party A and the Patient/recipient as Party B.

 

This document assumes that you are maintaining and are aware of the security of and access to your data, system(s) and network connections. 

 

Following the guidelines in this document will allow you to securely transmit information electronically to another party; however, we do not assume any responsibility for how you use this information in your own right. 

 

If you do not feel completely comfortable with the process laid out in this document, please contact us to discuss and evaluate your security practices; we may be able to help you refine and implement security practices to fully meet your specific needs. 

 

There are many other methods and programs that allow encryption and password protection; however, we feel this process is the most general-purpose.

We also believe this process combines relative ease of use with maximum security protection, with each party being responsible for their portion of the secure digital information transfer.


For more information about HIPAA requirements and encryption laws by country, please use the following resources to be sure you are obeying the laws as they pertain to you and your situation.

U.S. Department of Health & Human Services

Crypto Law Survey (Encryption laws by country)

Gpg4Win Home Page

GnuPG Home Page

International PGP Home Page

TrueCrypt Home Page

 

First, here is a little information on how the security process will work.  This will define the general steps of the overall process and the document will continue defining the way to accomplish this outline in a Microsoft Windows operating system. 

(Note: contact us for options accommodating other O/S's using OpenPGP)

 

To comply with industry standards we must encrypt and password protect our information before sending it electronically.  We can perform this process relatively easily once we have set up our system to do so with OpenPGP (or Open-Pretty-Good-Privacy).  The name is deceiving, because when it is implemented and maintained appropriately, it is one of the few publicly distributable encryption methods that is currently almost impossible to break using the technology and knowledge available today.

 

The basic principles are, first, that you create two OpenPGP keys for yourself, Party A: one 'Public Key' to distribute and encrypt information, and one 'Secret Key' with a pass phrase, to be maintained privately and used to decrypt information that was encrypted with your 'Public Key'.

 

Second, Party B must also create two OpenPGP keys, one 'Public Key' and one 'Secret Key' of their own as well.  Both Party A and Party B's OpenPGP keys are unique to each Party and each key in each Party is completely tied to its counterpart key for that Party using the pass phrase that created them (i.e. Party A's ‘Public Key’ is completely tied to Party A's ‘Secret Key’ just as Party B’s ‘Public Key’ is tied to Party B’s ‘Secret Key’ with their respective pass phrases). 

 

The next step will be for Party A and Party B to exchange their 'Public Key' with the other Party (i.e. Party A sends Party A's 'Public Key' to Party B and Party B sends Party B's 'Public Key' to Party A).  The ‘Public Keys’ can be sent by any electronic method because a ‘Public Key’ is only used to encrypt information to be sent to you or said party; no one (besides the Party whose ‘Public Key’ was used to encrypt the information) can decrypt the information without a corresponding ‘Private Key’ and pass phrase.

 

Now that the 'Public Keys' of each Party have been exchanged, Party A can use Party B's 'Public Key' to encrypt information meant for Party B, and Party B can do the same for information meant for Party A using Party A's 'Public Key'.  Once the information has been encrypted, it can be securely transmitted to the intended party electronically by almost any means of transmission.

 

When Party B has received information from Party A that was encrypted using Party B's 'Public Key', Party B can then decrypt the information using Party B's 'Private Key'.  When Party B tries to decrypt the information using Party B's 'Private Key', Party B is prompted to enter the pass phrase Party B used to create the OpenPGP keys.

 

Upon entering the correct pass phrase, Party B can now use the information as it was intended by Party A, while Party A can be assured that only the person with both Party B's 'Secret Key' and pass phrase has access to that information after Party A's initial transmission.

 

Since Party B has Party A's 'Public Key' as well, Party B can encrypt and have Party A decrypt using the same method, but Party A will use Party A's own 'Secret Key' and pass phrase to complete the process.

 

There is plenty of more detailed information out there, which lays out this process and concept of 'Public Key' security much better than this document; however, a basic understanding of the above will allow you to configure your system to encrypt/decrypt files.

 

More Information

-Gpg4Win’s Documentation (Compendium) explains the above with pictures and great examples

(Highly recommended to read through the “Part I: For Novices” of their documentation as this will give you a more thorough understanding of how the security works)

http://www.gpg4win.org/documentation.html

-Pretty Good Privacy Overview (note: we will be using the OpenPGP variation, not the proprietary format owned by Symantec)

http://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP

-Public Key Cryptography Overview

http://en.wikipedia.org/wiki/Public-key_cryptography

 

 

The first step is to install the software which will allow you to create OpenPGP keys and also allow you to encrypt/decrypt files and information.  To do this, we recommend and will outline Gpg4Win's setup and usage.  Gpg4Win is an open-source free-for-commercial and private-use program that wraps OpenPGP into a nice package that makes it easy to work with keys and file encryption on the Windows operating system. 

 

Overview of Gpg4Win Software Download

Use the following link to download the latest version of the Gpg4Win software:

http://www.gpg4win.org/download.html

(At the time of writing the current version is: Gpg4win 2.1.0 released 2011-03-15)

 

Overview of the Gpg4Win Install Process

The installation process is thoroughly documented in Gpg4Win's Compendium

http://www.gpg4win.org/documentation.html

Again, it is highly recommended that you read through the "Part I: For Novices" as it covers the majority of the topics in our Tutorial here.

  • For the install, you will double click the downloaded install software from the previous step above.
  • Click OK to select "English" (unless you have another language preference)
  • You will then click the "Next" button twice, through the "Welcome" and "License Agreement" Screens

 

  • Upon reaching the screen shown above, make sure you have "GPA" checked as well as "Kleopatra", "GpgOL", "GpgEX", and "Gpg4win Compendium", and then click the "Next" button again. (See 'Hints and Tricks for Further Security and Encryption options' below for more information about the "Claws-Mail" option)
  • You will click the "Next" button two more times, through the "Install Location" and the "Install Options" screens
  • You will then click the "Install" button on the "Start Menu Options" screen.

 

  • You will be prompted by the above message and you will click the "OK" button as well for any other messages that may appear after the one above.

 

  • Once the screen above appears, you will click the "Next" button again

 

  • On this screen, check the box for "Root certificate defined or skip configuration" and then click the "Next" button

 

  • Uncheck the "Show the README file" and then click the "Finish" button
  • Restart your computer after you have clicked the "Finish" button (even if you are not prompted to do so, it is highly recommended to restart at this point)

 

Overview of the Key Creation Process in Gpg4Win

  • After Gpg4Win is installed on your computer and you have restarted the system, browse to the Start Menu->All Programs->Gpg4Win folder and run the "GPA" program contained within

 

  • When the program first launches, you should see the prompt above and will click the "Generate key now" button
  • Enter the name you are known by, because others will use this to recognize your Public Key, and then click "Forward"

 

  • Enter your correct email, because this will be used for others to recognize your Public Key, and then click the "Forward" button

 

  • Make sure "Create backup copy" is selected and click the "Next" button

 

  • When prompted to "Enter passphrase", type in a secure passphrase that you will not forget. If you forget this passphrase, you will not be able to decrypt information that was encrypted using your public key, and you would have to create a new public key and re-distribute it to everyone who sends encrypted information to you.  (The documentation suggests you make your passphrase by selecting a sentence from a song that has meaning to you, then using every 3rd character in that sentence to form your passphrase; however, the more symbols, numbers, capital and lowercase letter combinations you enter, the more your passphrase strength will increase.)
  • For best results we recommend that your passphrase be at least 15 characters long, include at least two Symbols, two Numbers, two Capital Letters, and two Lowercase Letters, and not follow any dictionary words or phrasing that would be easily guessed by an attacker. If your private key is obtained by an attacker, they would still have to break through your passphrase to decrypt information, and the more complex your passphrase, the more decades/centuries it will take the attacker to break through.

 

  • Once your "pinentry" window shows a "Quality" of 100% and green, you can click the "OK" button
  • You will be prompted to 're-enter' your passphrase, then click the "OK" button

 

  • You will be prompted to choose a file location and name for your backup OpenPGP keys.
  • It is recommended you save this file to a flash drive and keep it in a secure location, but do not keep your passphrase in the same location as this backup or your original keys (i.e. on your computer).  Doing so can be viewed the same as leaving your key in the lock of your house door when you leave.

 

  • Upon receiving the message above, your OpenPGP keys have been backed up successfully
  • Click the "Close" button and you should see your Key listed in the GPA window

 

  • This key set can now be used to encrypt information that only you can decrypt or to sign information for verification by others who have a copy of your Public key (see below for more on receiving a Public Key from someone)

 

 Overview of Receiving a Public Key from Party B

  • Party B will install Gpg4Win and setup their own public and private key with pass phrase

 

  • Once installed, Party B will highlight their keyset in GPA's Key Manager and click the "Export" button

 

  • Party B will be prompted to Name and select the location to save their Public key and then they will click the "Save" button
  • Once this Public Key file has been saved, Party B can  transfer the file by any electronic means to Party A (this file is only used to encrypt information intended for Party A, once Party B has encrypted information for Party A, Party B will not be able to decrypt and alter the information, only Party A with their Secret Key and Passphrase can decrypt the information at that point)
  • When Party A has received the Public Key file from Party B, Party A will open their GPA Key Manager
  • Party A will then click the "Import" button

 

  • Party A will browse to where they saved Party B's Public Key, highlight it and click the "Open" button

 

  • Party A will then receive a message stating '1 public keys imported' and can click the "Close" button

 

  • Party A will now see Party B's public key in their Key Manager
  • Party A can now use this Party B Public Key to encrypt information intended to be sent to Party B and can be sure only Party B with their Party B Secret Key and Passphrase can decrypt the information

 

Overview of Encrypting with Party B’s Public Key and Signing with Party A’s Public Key a File and then Sending it to Party B

This portion will only cover encrypting a single file at a time; there are more detailed options for multiple files that are well documented in Gpg4Win's Compendium

http://www.gpg4win.org/documentation.html

(Chapter 18-Signing and Encrypting Files under the Part II 'For Advanced Users')

  • Now that Gpg4Win is installed and the Party A OpenPGP keys and passphrase have been setup and the Party B Public Key has been imported, you can easily encrypt and sign files to send to Party B.

 

  • You will select 'Sign and encrypt' from the menu options for that file

 

  • You will want to make sure 'Sign and Encrypt (OpenPGP only)' radio button is selected
    (note there are other features here you can review in the Compendium for Gpg4Win)
  • Click the 'Next' button

 

  • When prompted 'For whom do you want to encrypt?’ you will select the person to whom you want to send these files.  In this example we will choose Party B's public key and click the 'Add' button
  • Note you can add multiple Public Keys here, each public key you add will allow that person to decrypt the information as well, so only add those you want to be able to decrypt this information to this section.
    (note if you add yourself (Party A), you will be able to decrypt the file as well, otherwise you will not be able to decrypt it once you have encrypted it for that user and you will have to re-encrypt the original file again if it was/needed to be updated)

 

  • Next you will be prompted to choose who to sign the file as, by default it will select your primary key set (Party A) but you may update and select any key set that contains both a public and private key pair

 

  • You will be prompted to enter the Passphrase you selected for the signing party.

 

  • Once you receive this window, your file has been successfully encrypted and you can send the new encrypted file to the intended Party B.  Be extremely sure you select the *.GPG file, as this is the encrypted file; it will normally have a blank paper sheet icon and cannot be opened by normal means.

Encrypted

Not Encrypted

  • You can attach the encrypted file, along with your Party A public key, so when Party B receives and decrypts your file, they can also import your Party A public key, then Party B can encrypt and send information intended for Party A
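
The import and sign-and-encrypt steps above can also be run from a PowerShell prompt with the gpg command-line tool that Gpg4Win installs. This is an added example, not part of the original tutorial: the paths, addresses and fingerprint placeholder are assumptions. It compares Party B's key fingerprint with a value obtained over a separate channel before encrypting, and signs with Party A's secret key (selected with `--local-user`).

```powershell
# Added example: Party A imports Party B's public key, checks it, then signs
# and encrypts one file. Every value in this first block is a placeholder.
$Gpg          = 'gpg'                         # assumes gpg.exe is on PATH
$PartyBKey    = 'C:\Keys\partyB-public.asc'   # hypothetical: file exported by Party B
$PartyAUserId = 'partya@example.org'          # hypothetical: e-mail on your own key
$PlainFile    = 'C:\Outbox\statement.pdf'     # hypothetical: file to send
# Fingerprint Party B read out to you over a separate channel (phone, in person).
$ExpectedFpr  = '<PARTY-B-FINGERPRINT>'

function Get-PrimaryFingerprint {
    param([string]$KeySpec)
    # --with-colons gives stable, machine-readable output. The first "fpr"
    # record belongs to the primary key; field 10 holds the fingerprint.
    $out = & $Gpg --batch --with-colons --fingerprint $KeySpec
    if ($LASTEXITCODE -ne 0) { return $null }
    $rec = $out | Where-Object { $_ -like 'fpr:*' } | Select-Object -First 1
    if (-not $rec) { return $null }
    return ($rec -split ':')[9]
}

# 1. Import the public key file (same effect as GPA's "Import" button).
& $Gpg --import $PartyBKey
if ($LASTEXITCODE -ne 0) { throw "Import of $PartyBKey failed." }

# 2. Confirm the key now in the key ring is the one Party B described.
#    A key file sent by e-mail proves nothing about who created it.
$pinned = ($ExpectedFpr -replace '\s', '').ToUpper()
$found  = Get-PrimaryFingerprint $pinned
if ($found -ne $pinned) {
    throw "No imported key has fingerprint $pinned. Do not encrypt to it."
}

# 3. Sign with Party A's secret key and encrypt to Party B's public key.
#    The recipient is named by fingerprint, so a second key carrying the same
#    e-mail address cannot be picked by mistake. --trust-model always skips
#    gpg's own validity prompt for this one command; step 2 replaces it.
& $Gpg --trust-model always --local-user $PartyAUserId --recipient $pinned `
       --output "$PlainFile.gpg" --sign --encrypt $PlainFile
if ($LASTEXITCODE -ne 0) { throw "Sign/encrypt failed; nothing to send." }

Write-Output "Send this file: $PlainFile.gpg (not $PlainFile)"
```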

 

Overview of Party B Decrypting the file using Party B’s Secret Key and Pass Phrase and Verifying the Signature of Party A with Party A’s Public Key

  • Once Party B has received the email attachments from Party A, they will want to first Import Party A's Public Key to their own key ring (same process as Overview of Receiving a Public Key from Party B just replacing Party A with Party B and vice-versa in that section)

 

  • This shows Party B's OpenPGP key set and Party A's Public key are both available
  • Now Party B will right click the encrypted .gpg file sent by Party A

 

  • Then Party B will select 'Decrypt and verify' from the menu options

 

  • When prompted with the above, Party B will click the 'Decrypt/Verify' button
    (other options are detailed in chapter 18 of the Gpg4Win Compendium)

 

  • Party B will be prompted to enter their Passphrase to decrypt the information

 

  • After receiving the message above Party B can open and work with the original file, knowing the file has not been tampered with or intercepted since it left Party A
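
The decrypt-and-verify step above, as an added PowerShell example that is not part of the original tutorial (paths and the fingerprint placeholder are assumptions). It reads gpg's machine-readable status lines so that a file which decrypts correctly but carries no good signature from Party A's key is rejected instead of being opened.

```powershell
# Added example: Party B decrypts a file and accepts it only if it was signed
# by the expected Party A key. Values in this first block are placeholders.
$Gpg       = 'gpg'                            # assumes gpg.exe is on PATH
$Encrypted = 'C:\Inbox\statement.pdf.gpg'     # hypothetical: file received from Party A
$Output    = 'C:\Inbox\statement.pdf'         # hypothetical: where to write the plaintext
# Party A's primary key fingerprint, confirmed over a separate channel.
$SenderFpr = '<PARTY-A-FINGERPRINT>'

function Test-GpgStatus {
    param([string[]]$StatusLines, [string]$ExpectedFpr)
    $want = ($ExpectedFpr -replace '\s', '').ToUpper()
    $decrypted = $false; $goodSig = $false; $fromExpected = $false; $badSig = $false
    foreach ($line in $StatusLines) {
        $f = $line -split ' '
        if ($f[0] -ne '[GNUPG:]') { continue }
        switch ($f[1]) {
            'DECRYPTION_OKAY' { $decrypted = $true }
            # GOODSIG is only reported when the signing key is neither
            # expired nor revoked.
            'GOODSIG'         { $goodSig = $true }
            'BADSIG'          { $badSig = $true }
            'VALIDSIG' {
                # Field 3 is the fingerprint of the key that made the
                # signature; the last field is its primary key fingerprint.
                if ($f[2] -eq $want -or $f[-1] -eq $want) { $fromExpected = $true }
            }
        }
    }
    return ($decrypted -and $goodSig -and $fromExpected -and -not $badSig)
}

# With --output set, stdout carries only the status lines requested by
# --status-fd 1. gpg asks for Party B's passphrase through its usual prompt.
$status = & $Gpg --status-fd 1 --output $Output --decrypt $Encrypted
$ok = ($LASTEXITCODE -eq 0) -and (Test-GpgStatus $status $SenderFpr)

if (-not $ok) {
    # gpg writes the plaintext before the signature check finishes, so remove
    # it when the check fails (unsigned file, bad signature, or other signer).
    if (Test-Path $Output) { Remove-Item $Output }
    throw "Rejected: not decrypted, or no good signature from $SenderFpr."
}
Write-Output "Decrypted and verified: $Output"
```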

 

 Hints and Tricks for Further Security and Encryption options

 

Passphrase Hints

  • The longer the passphrase the more difficult it will be to break
  • The more complex the passphrase the more difficult it will be to break
  • When creating a passphrase be sure to note that it is not PassWORD but PassPHRASE, it is encouraged to use sentence format and multiple words to create higher security
  • Chapter 4 in the Gpg4Win Compendium gives an excellent overview of "The passphrase" and it is highly recommended reading

 

Recovering OpenPGP keys from the flash-drive backup

  • To recover your OpenPGP keys after a disaster, simply insert your flash drive into your system
  • In GPA, import the key set into your Key Ring (just as you would import a public key in the above sections)
  • You will be prompted to enter your passphrase for that key set
  • After successful import, you will be able to decrypt files being sent to you from other parties that had your Public Key

 

Root certificate Options

  • Gpg4Win also has the option to use Certificate based encryption
  • This allows a user to trust your relationship as valid by using a root certificate that can be purchased to verify your identity
  • This option is well outside the scope of this document, however it is documented thoroughly in the Gpg4Win Compendium

 

Full Email Encryption Options Using OpenPGP

  • If you are using Outlook 2003 or 2007 (Outlook 2010 is currently unsupported), when Gpg4Win is installed it should have added this add-on to your Outlook and you can use it to encrypt and sign your emails entirely as well as attachments
  • More information about this is in the Gpg4Win Compendium in the Part III Annex-A Information on the GpgOL Outlook Extension chapter

 

Multiple file encrypting/compression options

  • Multiple files can be selected and encrypted at one time, just by selecting all the files you want to encrypt before you right click to encrypt/sign the files

 

  • With this and for smaller sized single file options you can use the Archive feature to create a single compressed encrypted and signed file

 

  • When the receiving party decrypts/verifies the archive, they must select the “Input file is an archive” check box to process it correctly

 

Encrypting Files and entire File Systems for Private Use with TrueCrypt

  • TrueCrypt is an Open-Source (free-for commercial and personal-use) program which allows a user to encrypt files for personal use, storage and decryption or entire file systems (such as an entire flash drive)
  • Unfortunately this is outside the scope of this document as well; fortunately, they have extensive documentation available to ease the process: http://www.truecrypt.org/docs/
  • The basic overview is:
    • Create a TrueCrypt Volume
      • Select the container for a single file you can copy and move as you wish, that stores files inside
        (the rest of the overview assumes you selected this option to create)
      • Select the non-system partition/drive for additional attached drives (usb flash drives, external hard drives or internal drives other than your root system drive)
      • Select the Encrypt the system partition or entire system drive to encrypt your entire computer
    • Refer to the documentation on the Standard/Hidden volumes, normally you will want Standard
    • Select where to create the TrueCrypt container file
    • Refer to the documentation on the Encryption Options, the default selection will normally suit the needs of most
    • Choose the size of your TrueCrypt volume, note that it cannot be larger than the available free space on the drive the file is being stored on and the larger the file the more information it can hold encrypted
    • Set the password for the volume, it is very important that you do not forget this password (almost impossible to recover information in a TrueCrypt volume without the password) and the more complex it is the stronger the security will be for the volume
    • You will select the Volume Format (normally I prefer NTFS, however the default FAT should be fine as well)
    • Move your mouse around randomly for a few seconds inside the Volume Format window (this makes the encryption significantly stronger)
    • Click format and depending on the size of the Volume it may take a while to encrypt and create
    • Once the volume is created you can exit the creation wizard
    • In the TrueCrypt window, select a system drive to mount your Volume
    • Select the volume file to mount, then click the 'Mount' button
    • You'll be prompted to enter your password
    • Then you will see the file appear mounted next to your system drive letter you chose
    • When you browse to that drive, you can add/remove files from the volume just as you would any normal drive
    • When you dismount the drive in TrueCrypt that will re-lock and encrypt the information and your password will need to be entered again to access

 

Other 3rd Party Secure Messaging Subscription Based Options

  • 3rd party subscription based messaging options provide an easier alternative to having end users manage their own security keys
  • With this method you'll use the system to send the user a message, when the user receives your message it will actually be a link to the messaging service server; the user will be prompted to create a user name and password if they don't already have one and then will be able to read your message securely on the messaging server
  • This option is easier to manage, since users are not in charge of the security at all with this method

If you have any further questions or would like to know more about HIPAA and Encrypting Files:

Email SupportSite@mdsco.com with a subject line 'More Information on HIPAA and Encrypting Files'

Please include the following information in the message body:
1. Company Name
2. Contact Name
3. Contact Number
4. Description of the question/issue

This will alert our Support Team and someone from the team will contact you about this request.