qsl Mmmm, you are comparing sectors whose answer to security problems is to claim identity theft
Nope, I am talking about security/data breaches by industry sector. Asking Google is a good way to get a first high-level insight into the general trends before eventually diving into the studies to get reliable sources.
qsl Note the time difference between these statements.
During this very quick search, I saw statistics going back to 2009 and 2013 showing that the healthcare sector was always in the top-ranked industries. So this was obviously already the case before the "recently changed with standards" you are mentioning.
So you just demonstrated that the fax is intrinsically insecure, which by the way was my point, and to mitigate this you need to couple it with phone calls in a process that is quite inconvenient since both parties must be available at the same time.
By the way, about your process:
qsl 2. I check your credentials
You didn't mention any credentials previously sent. So let's assume that in point 1. I tell you on the call "Doctor, my secret word is ******" (there might be people around me listening, there can be people around the doctor, you could be on loudspeaker, a 3rd party can listen to the call since PSTN lines are not secured, and by the way the T.30 fax protocol has no encryption). This supposes that both parties physically met before, otherwise the doctor cannot have it on his whitelist. Also, it doesn't tell anything about how this whitelist is secured. Also, what proves to me that it is actually you who answers the phone in 1.? It is a one-way trust: the patient has no means to be sure he's actually talking to the doctor or an accredited collaborator.
qsl 3. I contact you again using your whitelisted information, have you verify what data you want, and your fax number.
Except that I can call from any location and I can send the fax from anywhere, and if I send a fax from my company I usually do it via Outlook/Microsoft Exchange connected to a fax gateway service, and the number that will be displayed (unless it is masked) might be the phone number of the gateway. It seems you are making a lot of assumptions. Phone numbers can easily be diverted, so at best binding the patient to given numbers is an additional safety but surely not a security.
qsl 4. Once I have collected the information, I call again, verify your credentials, and that I am sending the fax NOW.
I lost you here. I don't get why you call the patient 2 times in a row (at 3. and 4.) and why you ask for his credentials again. Also, what's the need of sending a fax if the patient already provided all the info on the phone?
qsl 5. Fax is sent, the fax machine verifies the number
I have never seen a fax machine that verifies the phone number, but okay... As said already, the person could dial from another location (e.g. I am ill on holiday or at my secondary house, ...).
qsl Try doing that with an encrypted network, running any modern OS and app, with cloud storage. 🙂
A few points here:
- You already give the solution in your statement: asymmetric encryption (key pairs) is the widely used way to mitigate this problem. Another way is the blockchain (proof of work).
- You mix secured data transfer and secured data storage (+ as you said in point 5. of your demonstration, "securing the information is now your problem").
- If the transferred data are intercepted by a 3rd party, if it's a fax, it's game over since it's unencrypted by design. Otherwise, the 3rd party will still have to find a way to decrypt the data.
- If the fax machine is connected to a network, a hacker can send it a corrupted image to access its buffer and download anything left in the buffer.
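As an added illustration of the key-pair point above (example code written for this page, not posted by anyone in the thread): a document transfer where each side keeps the other's public keys on file instead of a phone number. The sender encrypts to the recipient's X25519 key and signs with its Ed25519 key, so the recipient authenticates the sender (closing the one-way-trust gap discussed above), an intercepted envelope is unreadable without the recipient's private key, and any modification is rejected. It covers the transfer only; once decrypted, storage is still the recipient's problem, as the thread notes. Everything here is Go standard library; the names Party, Envelope, Seal and Open, the derivation label and the sample document are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // key generation or AES setup failing is fatal for this demo
	}
	return v
}

// Party is one side of the exchange (patient or doctor): a long-term Ed25519 pair for
// signing and an X25519 pair for key agreement. The public halves are kept on file.
type Party struct {
	Name     string
	SignPub  ed25519.PublicKey
	signPriv ed25519.PrivateKey
	dhPriv   *ecdh.PrivateKey
}

func NewParty(name string) *Party {
	signPub, signPriv, err := ed25519.GenerateKey(rand.Reader)
	must(0, err)
	return &Party{name, signPub, signPriv, must(ecdh.X25519().GenerateKey(rand.Reader))}
}
func (p *Party) DHPub() *ecdh.PublicKey { return p.dhPriv.PublicKey() }

// Envelope is the only thing that crosses the untrusted channel.
type Envelope struct {
	EphemeralPub []byte // sender's one-time X25519 public key
	Nonce        []byte // AES-GCM nonce
	Ciphertext   []byte // AES-256-GCM output, authentication tag appended
	Signature    []byte // Ed25519 over EphemeralPub || Nonce || Ciphertext
}

func (e *Envelope) signedBytes() []byte {
	return bytes.Join([][]byte{e.EphemeralPub, e.Nonce, e.Ciphertext}, nil)
}

// aeadFor derives AES-256-GCM from the X25519 shared secret. A plain SHA-256 over the
// secret and both public keys is used for brevity; production code would use HKDF.
func aeadFor(shared, ephPub, recipPub []byte) cipher.AEAD {
	h := sha256.New()
	for _, b := range [][]byte{[]byte("demo-document-transfer-v1"), shared, ephPub, recipPub} {
		h.Write(b)
	}
	return must(cipher.NewGCM(must(aes.NewCipher(h.Sum(nil)))))
}

// Seal encrypts plaintext to the recipient's X25519 public key (taken from the sender's
// own records, hence trusted) and signs the result with the sender's Ed25519 key.
func Seal(sender *Party, recipDH *ecdh.PublicKey, plaintext []byte) *Envelope {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	ephPub := eph.PublicKey().Bytes()
	gcm := aeadFor(must(eph.ECDH(recipDH)), ephPub, recipDH.Bytes())
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	env := &Envelope{EphemeralPub: ephPub, Nonce: nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, ephPub)} // ephPub bound as AAD
	env.Signature = ed25519.Sign(sender.signPriv, env.signedBytes())
	return env
}

// Open checks the signature against the key on file for the claimed sender, then
// decrypts. A modified, forged, or misaddressed envelope is rejected.
func Open(recipient *Party, senderSignPub ed25519.PublicKey, env *Envelope) ([]byte, error) {
	if !ed25519.Verify(senderSignPub, env.signedBytes(), env.Signature) {
		return nil, fmt.Errorf("signature invalid: not from the sender on file, or tampered")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := recipient.dhPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	pt, err := aeadFor(shared, env.EphemeralPub, recipient.DHPub().Bytes()).Open(nil, env.Nonce, env.Ciphertext, env.EphemeralPub)
	if err != nil {
		return nil, fmt.Errorf("decryption failed: wrong recipient key or modified ciphertext")
	}
	return pt, nil
}

func main() {
	patient, doctor := NewParty("patient"), NewParty("doctor")
	env := Seal(patient, doctor.DHPub(), []byte("constructed sample: result all clear"))
	pt, err := Open(doctor, patient.SignPub, env)
	fmt.Printf("%s reads %q, err=%v\n", doctor.Name, pt, err)
}
```

The same envelope handed to a third party with its own keys passes the signature check but fails decryption, and an envelope sealed by that third party fails the doctor's signature check against the patient's key on file, which is the contrast with a plaintext fax where interception alone is enough.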