
Background

The other day a friend who works in healthcare asked me which method of communication was more secure, faxing or email. He qualified his question by saying that his office faxes patient records all day, every day, which should not surprise anyone.

I scratched my head and rattled off some considerations (private vs. hosted email service), but his question really got me thinking.

My Question

Is sending a fax more secure or less secure than sending an email when communicating sensitive data?

Consider the following simple variations:

  1. Self-hosted private email server vs fax.
  2. Hosted private email server (colocated server, for instance) vs fax.
  3. Hosted GMail (for instance, not picking on Google) service vs fax.

Qualifications

For the sake of this question imagine that in each email instance above, basic best practices are being followed.

I am wondering whether one method has a greater attack surface than the other. Is 'getting it right' on the security footprint easier in one instance vs the other, fax vs email?

Update

For the purposes of comparison consider the emails / faxes to be coming from patients to healthcare providers and from providers to other providers.

Example:

jane@me.com -> provider@provider.com 

or

provider@provider.com -> provider@otherProvider.com

So 'best practices' would cover what the healthcare providers should be doing to guarantee that they are running as secure a system as they can given this scenario.

datUser
  • What do you mean by *basic best practices*? Are you talking about encrypted email (if so, what encryption)? Something else. – Neil Smithline Sep 21 '15 at 18:13
  • @NeilSmithline Best practices in the sense that the folks who are guaranteeing the security of each method are competent and well informed. I guess I am not really considering encrypted email service. Most of the situations that my friend described are patients sending their info to the office. So we're probably just talking about TLS/SSL based emails vs a fax. – datUser Sep 21 '15 at 18:28
  • Can you update the question to reflect that? As two of the current answers assumed that best practices included end-to-end encrypted email, there seems to be some confusion. – Neil Smithline Sep 21 '15 at 18:31
  • @NeilSmithline I tried to clear up what I am considering best practices; I apologize that that was somewhat broad. Please see my latest edit. – datUser Sep 21 '15 at 18:37
  • Every facsimile machine needs to die in a fire. One big joyous fire, so that humanity can move on. – rook Sep 21 '15 at 19:33
  • @rook Oh, please do write an answer for this. I'd really love to see your spin on the topic. Aside from the obvious "kill all faxes" of course. – Iszi Sep 21 '15 at 19:52
  • @rook I bet you *love* printers. :D – datUser Sep 21 '15 at 20:20

6 Answers

7

If you're asking whether sensitive information is safer when sent over the phone vs. over the Internet, you're probably looking for protection at the wrong layer.

If "basic best practices" are being followed, then any sensitive information that you don't want to be disclosed to third-parties is going to be protected by end-to-end encryption during transmission. At that point, it really doesn't matter whether the data is transmitted via fax, Internet, or homing pigeon. The encryption is what you rely upon for protection - not the transmission medium or infrastructure.

To address concerns of malicious attachments via e-mail vs. fax, cryptography still comes into play. Only this time, you don't use encryption. You use digital signatures. Then you trust that the sending party won't sign a package that contains a malicious attachment. Arguably, e-mail can be differentiated from faxes here, in that even with cryptography one might still receive a malicious attachment - and it has much more impact on a computer than it does on paper.

In either case, you do need to make sure that parties on both ends have the appropriate cryptographic tools and keys available to them. Again, this goes regardless of the transmission format. You're probably more likely to be able to coordinate support for encrypted & digitally signed e-mails than you are faxes, and that is what gives e-mail a distinct leg up in this discussion.

But again, the point remains that your transmission medium should not be what you rely upon for protecting sensitive data. Protect it before it goes out of your system, and you don't have to worry about the weak link(s) - or any hawks - that may be in between.

And in the end, much of the difference can become moot anyway. What you put into your fax machine is just as likely (if not more likely) to land inside of someone's e-mail inbox these days as it is to actually get printed by another fax machine.

Iszi
  • OP has updated question to specifically state that end-to-end encryption is not being considered. – Neil Smithline Sep 21 '15 at 18:52
  • @NeilSmithline Strictly, the new verbiage does not preclude end-to-end encryption. The most it does is perhaps state some cases where arranging it may be more difficult (e.g.: patient -> provider). End-to-end encryption is still far from impossible in this case, though "Joe User" may have a difficult time implementing it properly. In which case the solution is to abandon fax/email entirely and give them a secure web portal for communications. – Iszi Sep 21 '15 at 19:11
  • And the OP's comment `I am not really considering encrypted email service` doesn't convince you either? – Neil Smithline Sep 21 '15 at 19:15
  • @NeilSmithline It still does not invalidate the premise of my answer here, (i.e.: "you're doing it wrong") and also see the new last paragraph where I state how the difference is practically moot anymore. – Iszi Sep 21 '15 at 19:16
7

Like most things in security, it depends on what you're trying to protect.

Faxes are less susceptible to remote attackers, but more vulnerable to local ones.

Many fax machines sit in a shared environment where anyone in the office might have access to the fax. Faxes aren't thought of as secure and generally aren't kept in secure areas. This makes them subject to someone simply hanging out near the fax machine and intercepting a fax.

Faxes are printed to paper which then needs to be disposed of. Disposal isn't always done in a secure way and could be subject to dumpster diving. In addition, some faxes still use a thermal transfer mechanism where getting ahold of ribbon from the fax makes it trivial to see what was transmitted in all the previous faxes.

Email, however, is more subject to remote attackers. Email is connected to the internet, so there's a far larger pool of attackers, and far greater avenues of attack. It's also MUCH easier to exfiltrate large amounts of data through email than fax.

Look no further than the massive email breach of Sony. It's not even possible for this volume of data to have spilled through fax.

Faxes offer little or no means of authentication, compared to email

Spoofing email isn't difficult, but there are several technologies that are designed to identify people trying to spoof an email address, like SPF and DomainKeys. There's no technology designed to verify that the person who claims to have sent the fax is actually the person who sent it.


Steve Sether
  • So faxes are overall low-concentration data (decentralised fax machines, situated close to similar paper records) and individually less secure, whereas email is highly concentrated data that is somewhat better protected. This is a very intriguing (and relevant) comparison. – Andrew Russell Sep 22 '15 at 01:40
  • Not to mention most fax machines having reprint functions... – Caleb Sep 22 '15 at 09:07
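As an added illustration of the SPF mechanism the answer above mentions (example code written for this page, not taken from any answer): a minimal SPF evaluator that checks a claimed envelope sender such as provider@provider.com against the domain's published policy. The records are constructed in-line for hypothetical domains instead of being fetched from DNS, and only the ip4/ip6/all mechanisms are handled.

```python
import ipaddress

# Constructed SPF records for hypothetical domains (not real DNS data).
# A real receiver would look up the TXT record of the MAIL FROM domain.
SPF_RECORDS = {
    "provider.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all",
    "otherprovider.com": "v=spf1 ip4:198.51.100.10 ~all",
    "nospf.example": None,  # domain that publishes no SPF policy
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, sender_ip, records=SPF_RECORDS):
    """Return the SPF result for a connection from sender_ip claiming MAIL FROM domain.

    Supports ip4/ip6 (with optional CIDR) and the 'all' mechanism only; include,
    a, mx and the other mechanisms are out of scope for this example.
    """
    record = records.get(domain)
    if record is None:
        return "none"  # nothing published, so nothing to check against
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "permerror"  # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"  # mechanisms default to 'pass' when unqualified
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all: decides unmatched senders
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed address in the policy
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match


def check_mail_from(mail_from, sender_ip, records=SPF_RECORDS):
    """Evaluate SPF for an envelope sender address like provider@provider.com."""
    domain = mail_from.rpartition("@")[2].lower()
    return evaluate_spf(domain, sender_ip, records)


if __name__ == "__main__":
    # A message claiming provider@provider.com from an address outside its policy
    print(check_mail_from("provider@provider.com", "192.0.2.7"))  # fail
```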
2

I'm not in total agreement with either current answer.

TL;DR: You should have both; ZIX is great; you'll have providers & 3rd parties that require fax.

FAX originally was a point-to-point direct line between 2 devices across a controlled network governed by the FCC.

Today, Faxing can be done across 2 main systems, Analog and Digital, or a combination of both.

The problem is control: if you use the internet you give away control to 3rd-party hosted systems. Some are certified for such use as medical records; these companies maintain massive T1 connections to terminate your eFax to PSTN, and vice versa. So in this instance, I send an email via SMTP (TLS/SSL) to their servers, and their servers convert it to a TIFF and fax it out of their system. When I receive an email from them, I either download the TIFF from an HTTPS site, or they configure a TLS partnership with my on-premises mail system.

With email it is much harder to control your path, so you would look into a solution that can do this for you. We use ZIX; ZIX maintains a list of controlled gateways that they communicate with via PGP-type encryption across the internet. For any destination that is not on this controlled network, they initiate contact with the end user, prompting them to create an account on this controlled network portal, aka ZIX Portal or ZIX Messaging Center.

It's all about access control.

Sources:

Good Luck.

P.S. MITM Attack for Fax...the fax prints out, and the UPS guy picks it up on his way out.

Jacob Evans
  • With fax, it's just as hard to control the path anymore. Numbers can be ported or forwarded to any destination, or they could even end up as e-mails anyway. – Iszi Sep 21 '15 at 19:09
  • Yes, absolutely; the actual security of fax has far diminished and there's no regulation or control. – Jacob Evans Sep 21 '15 at 19:10
0

The security of faxing should be questioned, especially if third-party fax servers are used. A fax may be sent to a server for multiple distribution or as storage for local display to terminals.

These local and remote fax servers may not be encrypted and may be subject to unauthorized use.

  • True but faxing can also be simply a point-to-point architecture. I guess in the days of IP based telephony the architecture you point out brings new risks. – datUser May 19 '16 at 20:51
-2

Fax-to-fax over traditional POTS telephone circuits is generally thought of as being much more difficult to attack than any messaging system over the internet. It's more difficult for an attacker to gain an eavesdropping or MITM position on the PSTN network than it is for him to do so on a WAN or LAN.

mti2935
  • Eavesdropping on a PSTN line is absurdly easy and fax loggers that can be replayed to retrieve data later are trivial. Such interceptions are also less likely to surface or be detected by IT departments and this might run undetected for longer. Additionally as one party in the link you don't even know if the other end is a POTS or some eFax system in which case you could unknowingly be getting the worst of both worlds. And there is very little you can do to improve this situation. – Caleb Sep 22 '15 at 09:07
-2

FAX machine to FAX machine communication is still more secure than e-mail. Further, to my knowledge the NSA does not record and store FAX transmissions. A good practice when using FAX transmission is to be in contact with the recipient prior to or during the transmission process. The process requires real-time synchronization between machines, and while nothing is 100% secure, including snail mail, the analog FAX is growing at 12% per year, in spite of the fact that the technology is nearly 100 years old.

  • This is incredibly wrong. 1. It's not more secure than email because you don't have a definition of "secure". 2. You don't know what the NSA records (and regardless of what they record, you should assume they or someone else does, because they simply can). 3. You provide no evidence that the fax medium is growing 12%, which even if it was, doesn't correlate with it being more secure. – Steve Oct 13 '17 at 18:34
  • It would help if you provided sources for your claims. You state that fax is 'more secure', but you do not explain how or why. Phone calls "require real-time synchronization between machines" and they can be recorded and intercepted. – schroeder Oct 13 '17 at 19:25