
Does Exchange 2007 with an SSL certificate (3rd party verification not self-generated) encrypt in order to use a fax server with Exchange that contains PHI?

We have a fax server that does not have IIS and is behind a firewall. Our Exchange server (which does have IIS and is also behind the firewall) is covered by our SSL certificate for OWA and ActiveSync. I want to have the fax server integrate with Exchange in order to help us work towards having a smaller paper footprint. Our faxes contain PHI from insurance companies and medical facilities. I know that Outlook 2007 and Exchange OWA "encrypt" email if directed through port 443, but is it safe for sending faxes through the system, or does it violate HIPAA?
Asked by Thom Gann

1 Solution
Dave Howe commented:
The fax server should be using SMTP (not OWA) to send the email. The encrypted form (called SMTPS or SMTP/TLS) is fully supported on 2007 and in fact can be enforced (rejecting non-TLS mail on that listener; you would probably want to set up such an enforcing listener specifically for this task).
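As an added example (not code from Dave Howe or from the thread), this is how the enforcing listener described above would be set up in the Exchange 2007 Management Shell: a dedicated Receive connector on a Hub Transport server that accepts connections only from the fax server's address and requires TLS before it will take mail. The server name, both IP addresses and the connector name are assumed placeholders.

```powershell
# Added example, not from the thread. Assumed placeholder values:
$server    = "HUB01"        # Hub Transport server that will host the connector
$listenIP  = "192.0.2.10"   # IP on that server the connector binds to
$faxServer = "192.0.2.20"   # the fax server's IP; nothing else may use this connector

# A certificate must already be enabled for SMTP on this server, or STARTTLS is
# never offered. Check with:
Get-ExchangeCertificate -Server $server | Format-Table Thumbprint, Services, Subject -AutoSize

# Create a connector scoped to the fax server only. A connector with a narrower
# RemoteIPRanges wins over the Default connector on the same port.
New-ReceiveConnector -Name "Fax Server (TLS required)" -Server $server -Usage Custom `
    -Bindings "$($listenIP):25" -RemoteIPRanges $faxServer

# Enforce TLS: sessions that try MAIL FROM without STARTTLS are rejected.
Set-ReceiveConnector -Identity "$server\Fax Server (TLS required)" -RequireTLS $true

# Verify the setting took effect.
Get-ReceiveConnector -Server $server | Format-Table Identity, RequireTLS, RemoteIPRanges -AutoSize
```

With RequireTLS set, the connector answers a MAIL FROM issued before STARTTLS with a 530 rejection, so a fax server that silently falls back to plaintext cannot deliver at all; that is the check to run from the fax server once its SMTP settings are changed. Note that this only covers the hop from the fax server to Exchange; how the message is protected when it is later read (OWA, ActiveSync, MAPI) is decided by those access methods, not by this connector.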
Thom Gann (IT Systems Manager, author) commented:
The fax server does use SMTP, but the HIPAA violation would come when someone opens their email on a PDA or OWA, because then the email with the fax attachment would be vulnerable. It is for this instance that I am trying to research to what degree the SSL encrypts the email. If it does not keep it contained in encrypted format no matter the access point, then I will not be able to move to a fax server solution with Exchange, but rather a folder delivery, which defeats the entire purpose. I do appreciate your feedback.
Dave Howe commented:
That is purely a config issue, but yes, you should not be serving either OWA or RPC-over-HTTP without it being HTTPS; that being the case, it should be heavily encrypted in both cases.

However, the normal mode of access on the LAN (MAPI) is not so heavily encrypted, and of course that is purely transport encryption: the data itself will be stored, unencrypted, in the email database (and probably in backups too).
Thom Gann (IT Systems Manager, author) commented:
Everything is now over HTTPS, and the backups are not an issue as they are completely in-house and not available outside of IT. Thank you for the help.