By Erik Kangas, PhD, President
Posts Tagged ‘privacy’
Published: Friday, July 1st, 2011
It is often thought that viruses and malware are the biggest threats to your personal information, but there is an even greater threat that often goes undetected. Social Engineering is a technique used by people to gather your personal or secure information without you even thinking twice about giving it away. Social Engineering is most often performed over the phone, but could just as easily be done via email, text messaging, or any other form of communication; you can be Social Engineered by anyone.
In the most basic form, Social Engineering is when someone poses as someone else (i.e. a trusted friend or colleague) to trick you into divulging sensitive information. “Hey, this is PayPal, please follow this link and re-enter all your banking details — it’s ok, really!”
Tags: email, filtering, phishing, privacy, security, social engineering, spear phishing Posted in LuxSci Library: Security and Privacy
Published: Wednesday, May 18th, 2011
There are several great iPhone Security Apps and a handful of good and simple configuration changes that you can make to your iPhone to greatly enhance your iPhone security and protect your sensitive information and identity. We have seen security vulnerabilities in the iPhone, including flaws in pass code access (since fixed), so it makes sense to take proactive measures — especially as attacks on mobile devices are growing rapidly.
Easy Configuration Changes for Security and Privacy
There are several iPhone configuration settings that you should change to start protecting your iPhone. The first thing to do is “Don’t Jailbreak Your iPhone”. Jailbreaking removes much of the security inherent in the iPhone and makes it much easier for malicious software or users to gain access. Furthermore, Apps that you can install on a Jailbroken phone may not have gone through any kind of screening process — you have to “trust” that they are OK.
Tags: app, big brother, eavesdropping, fonehome, iphone, iTunes, jailbreak, notes secure, privacy, remote wipe, securewipe, security Posted in LuxSci Library: Security and Privacy
Published: Saturday, May 7th, 2011
Facebook use is ubiquitous–you can even “Like” this post on Facebook right from our blog. As most people know, the default account settings in Facebook are very weak in terms of security and extremely permissive in terms of privacy (Facebook doesn’t really believe in privacy).
For an in-depth guide to Facebook’s settings and their security and privacy impact, we recommend reviewing Facebook Security Best Practices by Sophos.
Here, we provide a set of very important and simple changes you can make to your Facebook account to significantly improve security and privacy. You can think of these suggestions as the “low hanging fruit”.
Tags: account profile, facebook, personalization, privacy, secruity Posted in LuxSci Library: Security and Privacy
Published: Tuesday, July 13th, 2010
We are often approached by customers wanting to use their Blackberry mobile devices to send and receive email that may contain electronic Protected Health Information (ePHI). Such customers, when they must abide by the HIPAA and HITECH laws governing medical privacy, must comply with a long set of regulations that covers, among other things, how ePHI may be transmitted over the Internet.
This article deals with the security of sending and receiving email on a Blackberry configured for Internet email services (i.e. it does not apply to those connecting to a Blackberry Enterprise Server and Exchange).
Tags: baa, blackberry, business associate agreement, ePHI, hipaa, hitech, privacy, security, ssl Posted in LuxSci Library: HIPAA, LuxSci Library: The Technical Side of Email
Published: Wednesday, March 10th, 2010
LuxSci has updated its privacy policy with the help of TRUSTe to ensure that LuxSci abides by the EU Safe Harbor Framework as outlined by the U.S. Department of Commerce and the European Union. Read LuxSci’s privacy policy.
Lux Scientiae is a licensee of the TRUSTe Privacy Program. TRUSTe is an independent organization whose mission is to build users’ trust and confidence in the Internet by promoting the use of fair information practices. This privacy statement covers the Web site www.luxsci.com. Because this Web site wants to demonstrate its commitment to your privacy, it has agreed to disclose its information practices and have its privacy practices reviewed for compliance by TRUSTe.
If you have questions or concerns regarding this statement, you should first contact the Lux Scientiae Privacy Officer. If you do not receive acknowledgment of your inquiry or your inquiry has not been satisfactorily addressed, you should contact TRUSTe at TRUSTe. TRUSTe will then serve as a liaison with us to resolve your concerns.
Lux Scientiae complies with the EU Safe Harbor framework as set forth by the Department of Commerce regarding the collection, use, and retention of data from the European Union.
Tags: privacy Posted in LuxSci Insider
Published: Saturday, January 30th, 2010
Changes to HIPAA as a result of HITECH provisions in the American Recovery and Reinvestment Act are going into effect on February 17, 2010. These changes seriously impact the requirements on Business Associates and impose significant liability penalties on HIPAA violations. For a discussion of these and how they relate to email and web services, see: HITECH 2010: HITECH Impact on Email and Web Outsourcing.
In response to these changes and to ensure that both LuxSci and its HIPAA customers are HIPAA-compliant:
- Old BAA Void: All Business Associate Agreements (BAA), formerly known as Medical Privacy Agreements, that current LuxSci customers have by virtue of the old BAA being incorporated automatically in LuxSci’s Master Services Agreement are VOID as of February 17th, 2010.
- New BAA Required: Any LuxSci Customer who is using or plans to use LuxSci for ePHI (electronic protected health information) of any kind (i.e. email, web sites, WebAides, databases, etc) must explicitly sign our new BAA and ARA (Account Restrictions Agreement) before LuxSci will consider itself a Business Associate and the customer’s LuxSci account HIPAA compliant.
LuxSci will be contacting customers that it believes might need to sign a BAA and ARA during the month of February. However, as LuxSci does not know which customers are using their account(s) for storage or transmission of ePHI, it is up to our customers to contact LuxSci to establish a BAA.
See:
Tags: baa, business associate agreement, ePHI, hipaa, hitech, privacy Posted in LuxSci Insider
Published: Saturday, January 30th, 2010
LuxSci has made some changes to its Privacy Policy. These changes expand the types of things that LuxSci considers to be confidential and strengthen LuxSci’s confidentiality statement. The Privacy Policy is posted here – Lux Scientiae Privacy Policy.
Tags: confidentiality, non-disclosure, privacy, privacy policy Posted in LuxSci Insider
Published: Wednesday, January 20th, 2010
Surprise! HIPAA has changed, gotten bigger, and grown teeth.
The American Recovery and Reinvestment Act (ARRA, or The Obama Stimulus Bill), signed into law in February 2009, includes new, more comprehensive provisions for HIPAA. These provisions are in a section of the bill known as the Health Information Technology for Economic and Clinical Health Act (HITECH).
For organizations that are already required to abide by HIPAA (i.e. the “Covered Entities” of HIPAA), HITECH adds the following requirements:
Tags: 2010, arra, business associate, covered entity, email security, hipaa, hitech, obama stimulus, phi, privacy Posted in AAA Featured Articles, LuxSci Library: HIPAA, LuxSci Library: Security and Privacy
Published: Thursday, April 9th, 2009
People have asked us if sending an email to someone via BCC (Blind Carbon Copy) is HIPAA-compliant. For example, a doctor’s office might send a newsletter to its patients via BCC. The presumption is that, because a recipient’s email address is not visible in a message sent via BCC, there is no way to identify the individual(s) to whom the message was sent, and thus the messages do not contain any “personally identifiable health information” that is protected by HIPAA.
The short answer is “BCC is not good enough”. For the long answer, read on.
Tags: bcc, blind carbon copy, hipaa, newsletter, phi, privacy Posted in Business Solutions, LuxSci Library: HIPAA
Published: Monday, March 16th, 2009

Performing daily business transactions through electronic technologies is an accepted, reliable and necessary tool across the nation’s healthcare sectors. Therefore, electronic communications have become a standard in the healthcare industry as a way to conduct business activities that commonly include:
- Interacting with web-savvy patients;
- Real time authorizations for medical services;
- Transcribing, accessing and storing health records;
- Appointment scheduling; and
- Submitting claims to health plan payers for payment of the services provided.
Tags: access control, addressable, audit controls, authentication, covered entities, email security, email security rule, encryption, ePHI, Health Insurance Portability and Accountability Act, heathhealthcare, hipaa, integrity, phi, privacy, protected health information Posted in AAA Featured Articles, LuxSci Library: HIPAA, TechNotes