Axe the Fax – What’s Happening?
The Ministry of Health has pushed back the deadline for removing the use of analogue fax, at this stage indefinitely. The most recent indication was that a new date would be set in 12 – 18 months’ time. Regardless, it is still highly recommended that you start decommissioning fax at your organisation.
The original communications sent out by the Ministry of Health in 2019 can be found here.
Replacement Options – What Are They?
Patient Management System Tools
The preferred option is to replace all fax communication with a combination of PMS-provided tools (Manage My Health, MyIndici and other Connected Health Network tools/forms – especially for communications with patient identifiable information).
It is recommended that the above is combined with a business-grade email solution that meets the Ministry of Health’s requirements: that the email service, and any devices such as scanners, are TLS 1.2 compliant.
Practice Workflows – What do they look like?
The removal of fax can be disruptive to a practice’s normal workflow – where the fax is received and then either scanned into the PMS and attached to the patient or placed into a GP’s physical inbox to be checked and dealt with.
There are a couple of options we have discussed with the practices:
Shift to Monitoring Email: Trial having the admin or reception staff monitoring the designated inbox for any incoming communications and manually forwarding or printing them. This can be time consuming as staff will need to remember to check the inbox and action the received email.
Mimic Fax with an Email Inbox: A solution that monitors the designated email inbox and automatically prints any emails that arrive. Once an email has printed successfully, it is marked as read and moved to another folder for reference. This basically mimics the receiving end of the fax communication.
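A sketch of the "mimic fax" option above, added here as an illustration and not the product any provider ships. The `Printed` folder name, the `print_fn` callback and the `connect` helper are assumptions; the important property is that a message is only marked read and filed once printing has succeeded, and that the mailbox connection refuses anything below TLS 1.2.

```python
import imaplib
import ssl

def tls12_context():
    """Client context that refuses anything below TLS 1.2 (certificate checks stay on)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def connect(host, user, password):
    """Hypothetical helper: log in over TLS 1.2+ and select the inbox."""
    imap = imaplib.IMAP4_SSL(host, ssl_context=tls12_context())
    imap.login(user, password)
    imap.select("INBOX")
    return imap

def print_unread(imap, print_fn, done_folder="Printed"):
    """Print each unread message; file it away only if printing succeeded.

    imap: logged-in imaplib connection with the inbox selected.
    print_fn: callable taking the raw message bytes, returning True on success.
    Returns (printed_uids, failed_uids); failed ones stay unread in the inbox.
    """
    typ, data = imap.uid("SEARCH", None, "UNSEEN")
    if typ != "OK" or not data or not data[0]:
        return [], []
    printed, failed = [], []
    for uid in data[0].split():
        # BODY.PEEK fetches without setting \Seen, so a failed print stays unread.
        typ, parts = imap.uid("FETCH", uid, "(BODY.PEEK[])")
        raw = next((p[1] for p in parts if isinstance(p, tuple)), None)
        if raw is None or not print_fn(raw):
            failed.append(uid)
            continue
        imap.uid("STORE", uid, "+FLAGS", "(\\Seen)")
        # Delete from the inbox only after the copy to the reference folder worked.
        if imap.uid("COPY", uid, done_folder)[0] == "OK":
            imap.uid("STORE", uid, "+FLAGS", "(\\Deleted)")
        printed.append(uid)
    if printed:
        imap.expunge()  # removes every message flagged \Deleted in this mailbox
    return printed, failed
```

Anything returned in `failed_uids` is still unread in the inbox, so staff can see it and the next run retries it.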
For the sending of scanned documents, your IT provider can configure the practice’s copier or MFD to use the scan-to-email function if it supports this. This does require the practice to add all the destinations’ email addresses and manually update them when they change – just like you had to when initially setting up all of the fax numbers.
Your IT provider must ensure the correct security settings have been configured on the MFD so emails are sent securely. Please also note, some older legacy devices may not support the required security standards (TLS 1.2) and will need to be replaced.
Email Security – What do I need?
The Ministry of Health has deemed opportunistic TLS 1.2 a secure transport encryption standard, and all health organisations have been required to implement it as of January 2020. Patients First does a good job of explaining what this is here.
There are many business-grade email solutions out there; the preferred recommendation from Primary IT is to use Microsoft’s Office 365 platform for your email needs.
At a base level, Office 365 uses opportunistic Transport Layer Security (TLS) 1.2 to encrypt email transfers. However, as some 3rd party email providers and devices are not configured for TLS 1.2, Office 365 will negotiate with the other party’s email system to determine the most secure method both ends can use.
This could mean that if the sending/receiving end (i.e., not Office 365) is not configured to use TLS, or only supports a lower encryption method, the connection could negotiate all the way down to sending the email in plain text (i.e., visible to bad actors snooping traffic between the sender and receiver). There is an option to block emails which do not use TLS 1.2, but this would mean some emails would fail to be sent or received – this is called ‘forced TLS 1.2’ rather than opportunistic.
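To see what opportunistic negotiation actually produced for a given message, you can read the `Received` headers each mail server adds. The following is an added example, not code from Primary IT or Microsoft: it classifies each hop of a constructed sample message (reserved example hostnames) using the TLS annotations Exchange and Postfix commonly write. The function names and verdict labels are assumptions.

```python
import re
from email import message_from_string

# Constructed sample headers (not real traffic); the newest hop is listed first.
SAMPLE = """\
Received: from gw.partner.example (198.51.100.7) by mx.tenant.example
 (10.0.0.5) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1; Mon, 1 Mar 2021
 09:00:03 +1300
Received: from mail.clinic.example (203.0.113.10) by gw.partner.example
 with ESMTP id 77XYZ; Mon, 1 Mar 2021 09:00:02 +1300
Received: from mfd.clinic.example (mfd.clinic.example [192.0.2.25])
 (using TLSv1 with cipher AES256-SHA (256/256 bits))
 by mail.clinic.example (Postfix) with ESMTPS id 4A1B2C;
 Mon, 1 Mar 2021 09:00:01 +1300
Subject: Scanned referral

(body omitted)
"""

TLS_RE = re.compile(r"(?:version=TLS|TLSv)(\d)(?:[._](\d))?", re.I)
# RFC 3848 keywords: TLS was used, but the version is not recorded.
ESMTPS_RE = re.compile(r"\bwith\s+(?:ESMTPS|ESMTPSA|UTF8SMTPS)\b", re.I)
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)

def classify_hop(received):
    """Return 'ok' (TLS 1.2+), 'weak', 'tls-version-unknown' or 'no-tls-recorded'."""
    text = " ".join(received.split())  # unfold the header onto one line
    m = TLS_RE.search(text)
    if m:
        version = (int(m.group(1)), int(m.group(2) or 0))
        return "ok" if version >= (1, 2) else "weak"
    return "tls-version-unknown" if ESMTPS_RE.search(text) else "no-tls-recorded"

def audit_message(raw):
    """List (receiving host, verdict) for every hop, oldest hop first."""
    hops = message_from_string(raw).get_all("Received", [])
    report = []
    for received in reversed(hops):
        by = BY_RE.search(" ".join(received.split()))
        report.append((by.group(1) if by else "?", classify_hop(received)))
    return report
```

A `no-tls-recorded` verdict only means the receiving server wrote no TLS annotation; header formats vary by product, and headers added before the message reached your own servers are not trustworthy evidence.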
Extra Security Steps – Email Encryption
There are various ways to encrypt emails; the main two are Office 365 email encryption (OME) and Secure/Multipurpose Internet Mail Extensions (S/MIME).
What’s the difference to TLS 1.2?
TLS 1.2 is connection encryption (in-transit only, securing the traffic between two sites), whereas OME is message encryption (in-transit and at-rest, so it secures the message entirely).
Office 365 Email Encryption
Office 365 Email Encryption (OME) is built-in to Office 365 and is the easiest to use, though it usually requires an additional license if you only have a basic Exchange Online license.
This option allows for sending encrypted messages to external parties (email addresses that are not Office 365 users). These users will be redirected to a portal and prompted to log in with their Gmail account credentials, if it is a Gmail mailbox, or with a One-Time-Password (OTP), where a code is sent to the recipient’s email account, before being able to open and read the email.
Extra Security Steps – Advanced SPAM and Email Filtering
To further protect your email, users, and local network, it is strongly recommended to implement an advanced SPAM and email filtering service. This catches more spam and malicious emails than the default rules and settings built in to Office 365 and other email providers’ services.
Historically, we see this service mark about 5 – 15% of total email volume as spam, and it is used by many NZ government agencies. While it won’t keep out every spam email, it will reduce the number of malicious emails and keep the inboxes at your organisation cleaner and safer.
Often bad actors will take local, regional, or global events, such as COVID-19 and the subsequent release of the COVID vaccine, as an opportunity to target users and trick them into opening malicious emails. Spam has become more sophisticated and legitimate-looking over the years, which makes it harder to spot, and there are already reports of COVID vaccine spam emails circulating within NZ.