
Which is more secure: fax or email?

I work part-time for a mental health center in the IT department. Yesterday,
I attended a mandatory HIPAA training meeting. In the training, I was told fax
is the approved secure method and email was not. I’m really confused about this
issue. I researched it on the net, but I haven’t come up with a really solid
reason why email is less secure than fax if it truly is. While I recognize the
limitations of email, transferring via the net could be accessed at any point,
yet I feel fax is even less secure. For one, the fax physically lies around
until somebody picks it up and you have no assurance that it’s the right
person. Two, while I understand that a landline would be more secure than the
net, if the fax goes directly from point A to point B, in reality, phone calls
are transmitted via microwave towers as well and since fax is unencrypted, they
could be accessed as easily as email. My feeling is that if we used PGP that
email would be more secure than fax. My boss and I both respect your opinion.
Can you clear up which is more secure?

In this excerpt from Answercast #63, I look at the safety and security behind fax and email systems.


Fax vs. email

So, the bottom line is that my opinion runs along the same lines as yours. I
don’t really consider fax to be any more or less secure than plain text email.
I understand why email would not be allowed: because it is plain text, the
(potentially sensitive) information you send from one person to another can
essentially be read by anybody who has access to the network or the computers
in between those two points.

The most common scenario, for example, might be on a service like Gmail or
Hotmail. That email is sitting on a third-party server. It’s not your server.
It’s not the recipient’s server. It’s some third party (like Google or
Microsoft), and theoretically the email could be viewed by someone else. That
of course is a violation of HIPAA regulations.

Fax is a little bit more difficult to argue along those lines, but I believe
that the same thing is true. When you send a fax via phone, first of all
realize that a fax is an audio transmission. It is (as you said) unencrypted,
which means that when you send a fax from point A to point B, anybody who can
listen in on that phone line can receive the fax as well. Anybody with any kind
of eavesdropping equipment, anybody who even happens to pick up the same line
that particular fax is being sent on, can in fact receive the fax and, as a
result, see it.

I actually take this one step further. A fax really is nothing more than an
image of a document, which means that it’s also very, very easy to forge. In
fact, in many cases, fax signatures are considered legal. In other words, they
are considered as binding as a physical signature on a piece of paper. Given
how easy faxes are to forge, that just really boggles my mind.

Follow the laws

Now, the real problem here is not so much the technology involved but the
laws. Again, I’m not a lawyer, and I don’t want to imply in any way that I am.
But I definitely would strongly recommend that, whatever you do, you do what
the HIPAA regulations require you to do, whether they make sense or not.
Because even when you do something that makes total technological sense, if it
happens to run afoul of the regulations, you could still get in trouble, which
is kind of frustrating, I understand. But it is what it is.

Encryption

In reality, I’m with you also that PGP (or any kind of encrypted email) is much
more secure than any of the above.

What it really means is that the email is encrypted before it is sent. So
anywhere between sending and reception, it is unintelligible to anybody who
might happen to get a copy of it, as long as they don’t have the appropriate
decryption key.

PGP, being a public key system, means that you can say that “this message” can
be decrypted only by “this” specific recipient: the one who holds the private
key that matches the public key it was encrypted with.

So, yeah, absolutely! Encryption of almost any sort (although it needs to be
strong enough) is going to be more secure than either fax (over voice lines) or
plain text email over the internet.

So, ultimately, like I said, I won’t really say that either email or fax is
more (or less) secure than the other. I believe them both to be fairly
insecure.
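As an added illustration of the model just described (this is not Leo’s code and not PGP itself), here is a Go program, standard library only, that does what encrypted email does: the message body is sealed under a fresh AES-256-GCM key, and that key is wrapped with RSA-OAEP to the recipient’s public key, the same hybrid construction OpenPGP uses. Everything that travels, or sits on a relay server, is the envelope. The Demo function shows that a relay finds no plaintext in it, that a second, unrelated key pair cannot open it, and that the intended recipient can. The key sizes, the sample message and the names Seal, Open and Demo are this example’s own choices.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is everything that leaves the sender, and therefore what every
// mail server, line tap or mistaken recipient along the way gets a copy of.
type Envelope struct {
	WrappedKey []byte // per-message AES key, encrypted with RSA-OAEP to the recipient's public key
	Nonce      []byte // AES-GCM nonce, fresh for every message
	Ciphertext []byte // message body plus the GCM authentication tag
}

// newGCM builds an AES-256-GCM cipher from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the message before it is sent: a fresh symmetric key protects
// the body, and that key is wrapped so only the recipient's private key can
// unwrap it (the hybrid scheme PGP uses).
func Seal(recipient *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open is the recipient's side. With any other private key the OAEP unwrap fails,
// and a modified body fails the GCM tag check, so a copy is worthless to anyone else.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: not the intended recipient")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Demo runs one exchange and reports what each party ends up with: the text
// the intended recipient recovers, whether a relay that stores the envelope
// can see the plaintext in it, and whether a different key pair can open it.
func Demo(message string) (recovered string, relaySeesPlaintext, strangerCanRead bool, err error) {
	recipient, err := rsa.GenerateKey(rand.Reader, 2048) // the provider's key pair
	if err != nil {
		return "", false, false, err
	}
	stranger, err := rsa.GenerateKey(rand.Reader, 2048) // anyone else who gets a copy
	if err != nil {
		return "", false, false, err
	}
	env, err := Seal(&recipient.PublicKey, []byte(message))
	if err != nil {
		return "", false, false, err
	}
	relaySeesPlaintext = bytes.Contains(env.Ciphertext, []byte(message)) || bytes.Contains(env.WrappedKey, []byte(message))
	_, strangerErr := Open(stranger, env)
	strangerCanRead = strangerErr == nil
	plain, err := Open(recipient, env)
	if err != nil {
		return "", relaySeesPlaintext, strangerCanRead, err
	}
	return string(plain), relaySeesPlaintext, strangerCanRead, nil
}

func main() {
	// Constructed sample message; nothing here comes from a real record.
	got, relay, stranger, err := Demo("Appointment confirmed for Tuesday at 10:00")
	fmt.Printf("recipient reads %q; relay sees plaintext: %v; stranger can read: %v; err: %v\n", got, relay, stranger, err)
}
```

Run it with `go run`. The part this demo skips is the hard one in practice: the sender still has to obtain and verify the recipient’s public key, which is the key-management problem the “Security is difficult” section below describes. Here both key pairs are simply generated in one process.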

Security is difficult

If I were writing the HIPAA regulations, for example, I would insist that
all of that kind of communication be encrypted. The problem with encryption
(and I’ve written about this before) is that encryption, as it turns out, is
“hard.”

Not hard technologically. That’s been solved. It’s hard to
implement in a public way – in a way that is consistent across multiple
computers:

  • Installing PGP? That’s really hard to do in common email programs
    (Thunderbird happens to have a great plug-in that just does it).

  • Having people manage their own public and private keys? That’s really
    difficult for the average consumer.

  • Same thing for other encryption schemes, other certificate schemes, other
    public and private key schemes, and so forth.

It’s all a level of complexity that A) hasn’t been standardized across email
systems or email programs and B) is fairly confusing to the average consumer.
And it usually is the average consumer who’s at the receiving end of some of
this protected communication.

So, I can’t really give you an answer about what to do to make HIPAA-covered
communication more secure. You’ve just got to follow the rules of HIPAA. But, in
terms of the technologies involved, I would prefer to see encrypted email.

In fact, one of the things that you will find if you’ve got a good health
care provider is that they will not send you email. They will instead direct
you to a web-based interface to their system on which you can read that
message. The message may then be encrypted on their server. It’s encrypted in
transit because it’s an https connection to their server. And thus, the only
place it’s visible to the user (to anybody) is when it’s being displayed to the
authorized and logged-in consumer, or when it’s being accessed by the
authorized and logged-in provider at the other end.
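The portal model just described, as an added example that is neither this page’s code nor any provider’s: a small Go program, standard library only, that stores a message encrypted at rest with AES-256-GCM, serves it over TLS from an httptest server with a self-signed certificate, and decrypts it only for a session whose user owns that message. The bearer tokens, user ids and message text are constructed for the demo, and the in-memory session map stands in for a real login system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Portal keeps messages encrypted at rest and releases a plaintext only to its owner's logged-in session.
type Portal struct {
	gcm      cipher.AEAD
	messages map[string][]byte // message id -> nonce || ciphertext (the at-rest copy)
	owner    map[string]string // message id -> user id entitled to read it
	sessions map[string]string // session token -> user id (constructed in-memory store)
}

// randomBytes draws n bytes from the OS CSPRNG; a failure there is not recoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// NewPortal generates the at-rest key (a real deployment keeps it in a KMS or HSM).
func NewPortal() *Portal {
	block, _ := aes.NewCipher(randomBytes(32)) // 32-byte key: NewCipher cannot fail
	gcm, _ := cipher.NewGCM(block)
	return &Portal{gcm, map[string][]byte{}, map[string]string{}, map[string]string{}}
}

// Store encrypts the body before it is written; the id is bound in as associated data.
func (p *Portal) Store(id, userID, body string) {
	nonce := randomBytes(p.gcm.NonceSize())
	p.messages[id] = p.gcm.Seal(nonce, nonce, []byte(body), []byte(id))
	p.owner[id] = userID
}

// ServeHTTP handles GET /message?id=... with "Authorization: Bearer <token>";
// decryption happens only after the session check and the ownership check pass.
func (p *Portal) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	token := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	user, loggedIn := p.sessions[token]
	if token == "" || !loggedIn {
		http.Error(w, "login required", http.StatusUnauthorized)
		return
	}
	id := r.URL.Query().Get("id")
	blob, exists := p.messages[id]
	if !exists || p.owner[id] != user {
		http.Error(w, "not found", http.StatusNotFound) // same reply whether missing or someone else's
		return
	}
	plain, err := p.gcm.Open(nil, blob[:p.gcm.NonceSize()], blob[p.gcm.NonceSize():], []byte(id))
	if err != nil {
		http.Error(w, "stored message failed its integrity check", http.StatusInternalServerError)
		return
	}
	w.Header().Set("Cache-Control", "no-store") // keep the plaintext out of browser and proxy caches
	w.Write(plain)
}

// Fetch plays the patient's browser: one request over TLS. Transport errors surface as status 0.
func Fetch(client *http.Client, baseURL, token, id string) (int, string) {
	req, _ := http.NewRequest(http.MethodGet, baseURL+"/message?id="+id, nil)
	req.Header.Set("Authorization", "Bearer "+token) // empty token -> no valid session
	resp, err := client.Do(req)
	if err != nil {
		return 0, err.Error()
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return resp.StatusCode, strings.TrimSpace(string(body))
}

// Demo runs the portal behind a TLS test server and queries it as the owner, an anonymous visitor and another user.
func Demo() (atRestPlaintext bool, owner, anon, other int, ownerBody string) {
	p := NewPortal()
	p.sessions["tok-alice"], p.sessions["tok-bob"] = "alice", "bob"       // constructed tokens
	const body = "Your lab results are ready; please book a follow-up." // constructed message
	p.Store("msg-1", "alice", body)
	atRestPlaintext = strings.Contains(string(p.messages["msg-1"]), body)
	srv := httptest.NewTLSServer(p) // HTTPS with a self-signed certificate that srv.Client() trusts
	defer srv.Close()
	owner, ownerBody = Fetch(srv.Client(), srv.URL, "tok-alice", "msg-1")
	anon, _ = Fetch(srv.Client(), srv.URL, "", "msg-1")
	other, _ = Fetch(srv.Client(), srv.URL, "tok-bob", "msg-1")
	return
}

func main() {
	fmt.Println(Demo())
}
```

Demo returns the HTTP status each requester got: the owner reads the message (200), an anonymous visitor is told to log in (401), and a different logged-in user is told nothing exists (404), while the stored copy never contains the plaintext. The `Cache-Control: no-store` header keeps the decrypted page out of browser and proxy caches, because the authorized user’s screen is the one place this model deliberately produces a plaintext copy.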


6 comments on “Which is more secure: fax or email?”

  1. I agree with you. I have a phone number that is similar to the local Hydro Utility’s Fax #. My number is also not that far off from a local medical facility’s fax. Worse, my phone number is similar to a government office’s fax.

    You would be surprised at the stuff that lawyers fax me! They think they are faxing client data to the utility. Hook-ups, disconnections, moves, property purchases, billing disputes… WHEW! If I were “the type”… what trouble could I cause! And when I tell them that they did… they get mad at ME! (Their error, my fault?)

    As for the medical clinic…. I once got an emergency fax of a patient’s entire history! He was close to death, and I spent an anguished hour finding the person who faxed it, so they could re-fax it to the “right place”.

    The government office, once sent me enough data to completely steal a person’s identity. Oh horrors! I called them, set them straight, and shredded it. I do admit: It felt cool to have the power over a civil servant’s job in my hands for a few minutes, though… I can’t be that evil! I did the right thing!

    I like my phone number, and am unlikely to change it, but when I get fax call after fax call, well, just to stop the calls, I hit receive print on the fax.

    It seems they are simply keying in the phone numbers wrong. I guess the phone directory software on their machines is too complicated to use. How else?

    As for emails, I do get the odd spam and the odd junk mail. But, I have actually gotten few emails from women dying to meet Leo, and emailing me by accident. I do know such things happen though. An employee sending a bad joke to the boss instead of a co-worker.

    The whole issue is not so much people wanting to intercept your stuff, I think….. but people who send stuff to the wrong people, either through error, ignorance, or carelessness.

    And that is the big danger: Not eavesdropping, but sending a fax or email to the wrong place.

  2. Hi Leo,
    I’ve never understood how this is even a problem.
    Couldn’t I type up a note, encrypt it with safe-house or whatever, and email the file as an attachment to ask-leoatask-leodotcom. Then call you on the phone and tell you the password? Safehouse is really easy to use, and I know you like truecrypt. Just so we were using the same program.
    Wouldn’t this work?

    Absolutely, there are many encryption approaches that would work. There’s no *standard* one, though, meaning that you and your recipient have to agree on what encryption would be used, and both need to have access to the tools and so forth. The real problem this article addresses is that FAX, like almost all email, is *not* encrypted, and thus interceptable by others.

    Leo
    26-Oct-2012

  3. Errors in transmitting sensitive data are a big problem. In my experience, fewer errors are made with fax, and more errors are made with email. (Almost no errors are made with snail mail.) Here are three real world considerations.

    Generally, fax transmissions are point to point. There is one sender and one receiver. Even broadcast faxes are sent one at a time by the sending fax device. The one-click send capability of email may be convenient, but I receive several emails a week either never intended for me, or just sent to a convenient email list/group, even if I was not an intended recipient.

    Worse, emails can be deliberately or accidentally forwarded with a few clicks. Most fax users must print and reload a machine to forward a fax. (Caveat, yes there are paperless fax systems that facilitate thoughtless forwarding – but see the next/last point)

    Third, all of the data, sensitive or not, is incorporated into the fax document for the recipient to see directly. However, a harmless looking email may have sensitive health information in an enclosure, where it is not so obvious to a recipient or their admin assistant. This leads to unknowing forwarding of sensitive information to a non-authorized party.

    I use email for almost everything, but I try to send sensitive information by US mail. When time is critical, I’ll use fax if I can. If I have to use email for sensitive information, I put ‘CONFIDENTIAL’ in the email subject line and also ‘DO NOT FORWARD’ in the text.

  4. Excellent article. Many Healthcare Providers (including myself) wrestle with this. I still have two questions: 1) If Gmail settings are set to force gmail to stay in HTTPS, does this affect the security? My understanding was that only the intended recipient could read the email. 2) Is there a low cost and easy-to-understand way to encrypt individual emails? I use Truecrypt for my data on my hard drive, but that would only help for attached files and isn’t easy to understand for the technologically challenged. Thank you for your article.

    1) NO – https only encrypts the connection between your computer and gmail. Period. It does NOT encrypt the mail itself, and the mail could be visible on other legs of its journey.

    2) I’m a big fan of GPG encryption, and it meets the low-cost criteria by being free, but I know of no truly simple solution for the general consumer. This is where a lack of standard (or several competing standards) is working against the consumer. Generally I recommend transferring sensitive information as an encrypted attachment, using something like 7-ZIP, or Axcrypt to encrypt/decrypt the file, and sharing the encryption password via some other channel.

    Leo
    26-Oct-2012

  5. There are encryption boxes you can put in line with the fax machine. If you turn on the encryption box, the fax gets sent encrypted. Should anyone try to “listen in” they would only receive garbage.

    However, like encrypted email, it requires both sender and receiver to have the same system. Hopefully, if your employer has not implemented encrypted email that they’ve implemented encrypted faxes.

  6. Another problem with faxes is the fax machine is going away. Our fax at work runs through the computer network. If our system gets hacked, then the faxes are available as well.

