Faxes, Security Theater, and Blaming HIPAA

Last post I wrote about seeing a new doctor and how her office made, um, creative use of PDF forms.

The other so-unfunny-it’s-almost-funny part of the story is how the sheer incompetence on the part of both my old and new doctors offices lead to me having to hand deliver my medical records.

Five weeks before the appointment I delivered a copy of the transfer request for my medical records to Hostile Medicine Ltd in person. I did this to avoid any ambiguity regarding whether or not they received the request, and also because one of their redeeming characteristics is they are open Saturdays.

Which is kinda revolutionary for a doctor. Being available for customers when they need you isn’t really the medical industry’s thing.

As recounted before, I was emailing with the new doctor’s office right up until the day before the appointment. I asked if they had my records during that email thread.

they still haven’t faxed us anything yet.



I snicker when I see fax numbers. I tend to see them in correspondence and ads for doctors, lawyers, and accountants. People who, for the most part, think the jury is out on this whole technology thing, while at the same time managing simple information with a distorted view of its complexity and security requirements. We can send emails from devices in our pockets. My freaking landscaper sends email invoices. But doctors still fax things to each other.

I can imagine what some of you are saying right now. “But faxes are more secure! HIPAA! HIPAA! ”

When you say that, is it because you think the phone network is secure and can’t be hacked?

Or because every fax machine in the world speaks a well-documented protocol that would be pretty easy for someone to eavesdrop on?

Or because you have no idea who is at the fax machine on the other end when your doctor sends that oh-so-private-bill to your insurance company but dials the number incorrectly?

The idea that faxes are any more secure than plain text email is unvarnished bullshit.

And the excuse that “HIPAA doesn’t allow that in email” is also bullshit. Here is explanation of the rules from HHS itself.

And beyond that, let’s try some critical thinking: why is it that you can release your records to be sent to another doctor or the insurance company, but you can’t get information emailed to you? Why are emails from your insurance company or doctor (if your lucky enough to have one that will use it) devoid of any useful information at all?

Probably because many of the people administering your medical information can’t handle critical thought. Or they are controlled by lawyers. (Is that redundant?)

Refusing to email records and redacting any emails you do send to the point of being little more than links is security theater. It’s making you take off your shoes and leaving your water bottle in the trash.

And lest we forget, email isn’t the only option doctors have to send information between each other and to you. Try a quick search for “secure file transfer”.

So, I called Hostile Med and after 1 disconnect and 30 minutes on hold was told that they mailed a disk three weeks earlier.

I called the new doctor’s office. I was told they don’t accept disks. Because they have “a very strict firewall.”

2608113Firewalls don’t keep you from copying files from disks. There are security apps that will do that, but they are not firewalls.

Am I being tough? I don’t think so. It’s 2015. You work in an office and your primary job is to communicate with the outside world. Learn how it works. This stuff is not new anymore.

Yes, it’s sad and lame that, in 2015, Hostile Med is mailing CDs with medical records. But a policy that won’t allow someone to insert a disk and read from it is the computing equivalent of making everyone take their shoes off at the airport. Enable Windows Defender and copy the damn files.

I asked why, when they had apparently received the disks weeks earlier, they didn’t tell me there was a problem. That email went unanswered. Maybe the firewall stopped it.

So I went to the Hostile Med, got copies of the relevant records, and brought them with me.

After my appointment the receptionist gave me the CDs they had been sent.

Yes. Disks. There were two.

She told me they were unusable. I couldn’t resist: “You mean because of your firewall?”

No, they couldn’t figure out what was on them. So either the story changed or my question about why they waited weeks before raising a flag (and only after being asked,) made them think that they should take a look at the disks.

I brought the disks home and inserted them in a drive to take a look.

First, they were identical. In identical envelopes with the same postmarked date. So, emailing let’s say – password-protected PDFs – is not secure, but mailing 2 identical disks to someone only expecting one is?

After a few minutes of playing around (and Googling) I figured out that the files on the disks were compressed with WinAce. (No. I never heard of it either, and it doesn’t give you any additional security features at all.) The disk(s) had no instructions whatsoever on them as to how to extract the files. They were effectively what we called “coasters” back in the days when we actually used disks.

The funny bit though is that the compressed data took up about 3.4 Megabytes. CDs hold around 670 Megabytes. Why bother compressing the files at all?

And the decompressed data? You guessed it! 3.4 Megabytes.

A failure on all fronts. And as long as throwing up security! and HIPAA! and computers are hard! are acceptable excuses, the failures will continue.

Leave a Reply