4 Replies Latest reply on Feb 21, 2013 7:27 AM by DrewTenenholz

    Repost from Adv. Discussion - Secure email (DIRECT Project-compliant) via FileMaker - Ideas?

    DrewTenenholz

      All --

       

      Does anyone have any ideas about how to send/receive SECURE email as described below?

       

      This is a bit of a stretch, because it is a question about sending/receiving highly secure email with FileMaker, which is certainly not a 'core function' of a database application. However, it is an essential element of an Electronic Medical Records solution built with FileMaker that I'm working on. I'm open to plugins, web services, etc. to achieve this ability, so all suggestions are welcome.

       

      In order for this EMR to qualify U.S. federal standards for 'Meaningful Use-Stage 2', I need to be able to send/receive email messages which are secured according to the DIRECT Project standard (http://wiki.directproject.org/ApplicabilityStatementforSecureHealth+Transport) which says in part:

      SMTP, S/MIME, and X.509 certificates to securely transport health information over the Internet. Participants in exchange are identified using standard e-mail addresses associated with X.509 certificates. The data is packaged using standard MIME content types. Authentication and privacy are obtained by using Cryptographic Message Syntax (S/MIME), and confirmation delivery is accomplished using encrypted and signed Message Disposition Notification. Certificate discovery of endpoints is accomplished through the use of the DNS. Advice is given for specific processing for ensuring security and trust validation on behalf of the ultimate message originator or receiver.

       

       

       

      As I understand it, the idea is to send email in much the same way https website content is delivered. An email address is registered with a 'certificate authority' (as yet undefined), and any messages received from that address are checked first to ensure that the sender is who they say they are, then that the message they sent has not been altered since it was sent and is finally the message content (both text and attachments) is decrypted and made available to the end user.

       

      The resources I've found so far are the DIRECT project referenced above and the open-source software platform called CONNECT (http://www.connectopensource.org/), but none of this helps me see a way to send these sorts of email.

       

      Any help is greatly appreciated.

       

      -- Drew Tenenholz

       

      P.S. My opinion is that although this sounds like a rather complicated and overly protective way to send email, once health care providers are using this regularly (as early as 2014), it will soon become a worldwide standard, and every application that sends mail will need to be able to handle mail like this. So, while we have our script step "Send Mail ", and it has some useful options, it will eventually need to support these options as well.

        • 1. Re: [Repost from Adv. Discussion] - Secure email (DIRECT Project-compliant) via FileMaker - Ideas?
          AlanStirling

          Hi Drew

           

          I have just checked the CNS-Plugins website, looking at the spec for SMPTit pro.

           

          Here is a link to their Knowledgebase, where I searched for 'Authentication''

           

          I think that many of the terms used on this page are other names for the security protocols you require.

           

          http://www.cnsplug-ins.com/Plug-ins/SMTPit_Pro/Knowledge_Base/Articles/Setting_up_the_Plug-in_to_work_with_your_Mail_Server?h=authentication

           

          Best wishes - Alan Stirling, London UK.

          • 2. Re: [Repost from Adv. Discussion] - Secure email (DIRECT Project-compliant) via FileMaker - Ideas?
            DrewTenenholz

            Alan --

             

            Thanks for the pointer to SMTPit.  Unfortunately, I need something a bit more involved. 

             

            The settings in SMTPit are pretty much the same as those under the Script Step Send Mail .  While these sorts of 'standard-secure' email settings can make sure that the last step between the reader and their mailbox has been encrypted, it doesn't address two requirements I need to fulfill:

             

            1) Verify that the sender is who they say they are using public certificate discovery (much the same way that when you go to a  httpS web site, your browser checks to see that the SSL certificate belongs to the certified owner, valid, and is not expired or shows you a warning if something is not right).

             

            2) Confirm that the message enclosed in the envelope has not been tampered with and is decrypted using the valid certificate above.

             

            I know this seems like a level of security we don't expect from email, but the current implementation is for personal medical records, and I believe that if the technology becomes available in the health care arena today, it will become standard soon after that.

             

            Still looking....

             

            -- Drew Tenenholz

            • 3. Re: [Repost from Adv. Discussion] - Secure email (DIRECT Project-compliant) via FileMaker - Ideas?
              RonSmithMD

              Most ISPs secure their mail server with a certificate just like a web server and can communicate server to server via SSL or TLS. I have run a mail server for some 15 years and have always had a certificate from a well-known certificate authority and the server defaults to secure communications.

               

              S/MIME is a mess actually and has limited ability to be generally used in most capacities. Each pair of communicators has to share the other's personal S/MIME certificate before secure communications can begin. Can you imagine requesting a patient's S/MIME certificate? Heck I an hear them replying "where is that on my insurance card?"

               

              Send Mail in FileMaker can use SSL or TLS to communicate directly with mail servers and if that mail server is secured with a certificate and is itself not the recipient's mail server then it will usually try to communicate with that recipient's mail server securely.

               

              Ron

               

              Ron Smith, MD, 'The Pediatric Guide For Parents'

               

              Want to know more about me and my family? Take a look at the free ebook about my daughter below.

               

              Forever And A Day For Laura Michelle

              • 4. Re: [Repost from Adv. Discussion] - Secure email (DIRECT Project-compliant) via FileMaker - Ideas?
                DrewTenenholz

                Ron --

                 

                I share your frustration with what I'm asked to create here.  Unfortunately, I'm trying to meet the current federal requirements for Meaningful Use Stage 2 certification, so what I want is pretty unimportant.  So, I'm still looking for a way to implement this much less standard email protocol.

                 

                Here in Massachusetts, there is a program currently being set up by the state government to create a state wide ACRONYM (HIE or NwHIN or whatever) that I may be able to use.  They've told me that they will support XDR and SMTP as methods to interact with their system.  I'm hoping that this will be able to satisfy the requirement for the certification test later this year, since I'm pretty sure the current tools in FileMaker will be adequate.

                 

                I do believe that if some smart IT company out there made getting a personal certificate and individual message authentication just about as easy as it is to get an anonymous/unsigned email account, then many ordinary email users would adopt it, simply to cut down on the spam they receive.  Maybe this is going to be the way mail is done in five years; the problem is I need it now.

                 

                -- Drew Tenenholz

                 

                >S/MIME is a mess actually and has limited ability to be generally used in most capacities. Each pair of communicators has to share the other's personal S/MIME certificate before secure communications can begin. Can you imagine requesting a patient's S/MIME certificate? Heck I an hear them replying "where is that on my insurance card?"