S/MIME Conference Call 15 August 2002

*Attendees*
Jim Jokl, U. Virginia (Co-chair)
Eric Norman, Wisconsin
Tammy O’Brien, Wisconsin
Neal McBurnett, Internet2
Steve Olshansky, Internet2
Todd Picket, Michigan Tech
Jeanette Fielden, Internet2
Kelly Kwiatkowski, Wisconsin
Michelle Gildea, CREN

*Discussion*
Wisconsin S/MIME Project:
The study was started around HIPAA issues regarding the need for policies and technical solutions around e-mail involving patient data. From the policy perspective they want to balance usability for clinicians with the need for security. The idea was to test the feasibility of a plug-in solution for ease of use.

They started by implementing the iPlanet certificate management system and originally used a Eudora solution with the WorldCom plug-in to provide S/MIME capabilities. There were a lot of problems with standardization across different versions of Eudora; it was taking a lot of technical administration time to work with it. They are now working with Netscape Messenger to provide secure e-mail. The study involves 10 clinicians, physicians and nurse practitioners, who filled out bi-weekly e-mail surveys on users' perception of the usability of the system. It is the same survey each time, to measure satisfaction over time. They have received 48 surveys back.

Each participant has two e-mail accounts, one regular and one secure. When a user is sent a secure e-mail they receive a notice in their regular account; they then switch applications and enter the account with their regular mail password and their database password to open the secure e-mail.

Most clinicians receive ~20 e-mails a day and send 10-20 a day. This is the total number of e-mails, not just secure ones. A little less than 50% said they received e-mail that wasn't encrypted and should have been. Of particular interest is that participants said e-mail they send often didn't need to be secured but e-mail they receive should be. There is a marked difference in perception of what they compose vs. what they receive.

When asked to rate the burden of retrieving e-mail from 1 (no burden) to 5 (very burdensome), they rated it about 2.7. Sending e-mail was also rated 2.7. Overall, almost every survey said the secure e-mail is worth the burden. It is important to note that these are early adopters who volunteered for the survey.

One problem encountered was that the outbox and sent mail folder were unencrypted. The user perception was that if the e-mail was sent encrypted it should be stored encrypted, particularly on a shared machine.

Administering this in a diverse environment across many different machines is probably not scalable. It's too complex for a distributed environment. They may try a web-based or similar solution. The plug-in might work if everyone is on the same platform, using the same software, etc. Many of the clinicians are essentially contractors who practice at a number of sites, and this complicates standardization even more.

Results and analysis should be available in the late November time frame.

There is a potential opportunity for someone to work on an S/MIME plug-in for Eudora. Some issues are:
1) The certificate store should be the same one already on the machine.
2) Such a plug-in should make use of the operating system services if they exist.
3) Support for both dual key and single key, and the ability to sign and encrypt separately.
4) Coordinate with the local phone book if the book is extensible and compatible.
5) The ability to designate whether local sent mail is stored encrypted or unencrypted.
6) Ability to store other users' certificates in the main address book.

Issues:
1) Managing how people change encryption keys. That may be more of a user education issue about backing up the previous key before changing it.
2) How do you get information on a changed key to everyone who needs to have it?

Any additional suggestions are welcome.

Next call is August 29, 2002.