[mjevans]

The solution is: Do not FAX or use phone lines to transmit data.

Practically though there isn't a 'good enough' standard from an end user perspective. The very things that make FAX a poor security standard make it user friendly.

  * Fire and forget
  * 'Just works'
  * Short, simple destination identifier
  * No real crypto or other security.

A real solution would be for everyone to use (good) key-based SFTP transfers. This isn't that hard to setup (once you've done it once) but it IS difficult to have end users use such software.

The next best thing is FTPS, but that has account management issues (since if you were doing client certs, which are an option here as well, you'd just use SFTP).

What makes both of those harder are the lack of integration in to the existing infrastructure (clinics/hospitals don't have, E.G., WinSCP / FileZilla and/or another SFTP client already setup and in their whitelist of allowed software) and having end user accounts.

Ah also, SFTP has the benefit of transferring time-stamps correctly. FTP, even wrapped in a TLS connection, still doesn't have a standards approved way of transmitting file time-stamps.

[bankster]

Tons of great information on this thread. The idea that in the year 2017 we are transmitting sensitive data at modem speed technology is somewhat mind boggling. The fax server market is very mature and has evolved, however the transport has not. etherFAX has created the largest ecosystem when it comes to fax and healthcare (https://etherfax.net/solutions/etherfax-sen). etherFAX supports and serves every major fax server application and EMR. Having over 6 million connected endpoints in healthcare allows for end-to-end encrypted transmissions and guaranteed delivery, without traversing the PSTN. The Fax Federation (faxfederation.com) allows for other fax server providers (like Twilio) to join said ecosystem.