Frequently we are approached by customers who have automated systems that need to send out secured emails on demand and without any manual interaction.  These could be web site response systems for sensitive information, health care labs emailing results which need to meet HIPAA compliance, or other situations where the email messages must all be secured.

LuxSci’s SecureLine service provides a means for encrypting some or all outbound email messages using any combination of 4 different email encryption techologies: SMTP TLS, PGP, S/MIME, and SecureLine Escrow (secure message pickup).

Read the rest of this post »

Many of our customers require that electronic digital signatures be added to outbound email messages.  Here we discuss what these are, what they do for you, and how to add them using LuxSci SecureLine email encryption.

What are Digital Signatures?

In short, adding a digital signature to an email message allows:

Read the rest of this post »

SecureForm is LuxSci’s service that makes it quick and easy to collect data, including files, from web and PDF form posts and have that data emailed to one or more recipients and/or archived in a LuxSci WebAides document storage area.  The “Secure” in SecureForm refers in part to the fact that the emailed form data can be secured using PGP or S/MIME.  This, combined with enforced use of SSL, ensures that the form data is secured from end-to-end … from submission by the end user to the receipt by the web site administrator.  This ensures HIPAA compliance and strong security for that data.

Now, SecureForm supports the option of secure delivery of form data emails to recipients using TLS instead of PGP or S/MIME.  While use of TLS only is less secure than PGP or S/MIME, it is more user friendly — there is no need for certificates or extra steps to decrypt the messages once they arrive.  TLS does provide transport encryption from LuxSci’s servers to the recipients servers and thus still provides HIPAA compliant form data delivery. 

Read the rest of this post »

Creating a web site that has “secure” components requires more than slapping together some web pages and adding an SSL Certificate.  All a certificate really does is create a thin veneer of security — one that does not go very far to protect whatever sensitive data necessitated security in the first place.  In fact, naive attempts at security can ultimately make the data less secure and more likely to be compromised by creating an appetizing target for the unscrupulous.

So, beyond paying big bucks to hire a developer with significant security expertise, what do you do? Start with this article — its purpose is to shed light on many of the most significant factors in secure web site programming/design and what you can do to address them.  At a minimum, reading this article will help you to intelligently discuss your web site security with the developers that you ultimately hire.

Read the rest of this post »

LuxSci offers many options for email security. Whether it is PGP, S/MIME, LuxSci’s SecureLine end-to-end email encryption, or forced secure logins over SSL, LuxSci can guide you in making the best choices for secure and safe email.

End-to-end email encryption is one way to ensure that your email can only be read by the intended recipients. SSL and TLS connections are secure, but only to a point. While you can ensure that your users connect securely to LuxSci’s servers, who is to say that your recipient’s connection is secure? With LuxSci SecureLine, even if the recipient’s connection isn’t secure, you can be assured that your message is sent securely and can only be read by whom you intended.

Read the rest of this post »

We at LuxSci are always being asked questions about various email programs and their usage.  With HIPAA compliance becoming more and more important, we get a lot of inquiries regarding secure email. One of the most frequently asked questions is how to install S/MIME security certificates in various email programs that our servers support. Sometimes finding instructions on installing security certificates in various email clients is difficult, even with the help of search engines. To make your search easier, we have complied instructions for several of the the major email clients:

• S/MIME for Outlook 2003
• S/MIME for Outlook 2007
• S/MIME for Mail.app
• S/MIME for Entourage
• S/MIME for Thunderbird
• PGP for Thunderbird via the Enigmail Add-on.

Read the rest of this post »

The situation: your organization needs to collect information from clients through from(s) on your web site, but that information is sensitive. So, you need to be absolutely sure that the information is transferred from the users of your web site to you in as secure a fashion as possible. This means that

1. no one but you (or optionally your authorized staff) can intercept or read the information,
2. the information is never stored insecurely anywhere
3. the information cannot be modified without your knowledge

Why would this high level of security and privacy be necessary? There are many cases where they are essential; some of these include:

Read the rest of this post »

Section 1: Introduction to Email Security

You may already know that email is insecure; however, it may surprise you to learn just how insecure it really is. For example, did you know that messages which you thought were deleted years ago may be sitting on servers half-way around the world? Or that your messages can be read and modified in transit, even before they reach their destination? Or even that the username and password that you use to login to your email servers can be stolen and used by hackers?

This article is designed to teach you about how email really works, what the real security issues are, what solutions exist, and how you can avoid security risks.

Information Security and integrity are becoming more important as we use email for personal communication and business. While you are reading this article imagine how security problems can affect your business or personal life…. if they have not already.

Read the rest of this post »

We recently discussed email security for accountants and mentioned that the use of password-protected files is not usually a very good solution for meeting data privacy needs.  After writing this and getting some feed back, we thought that the issue of password-protected files really deserves some further discussion.  Many people are under the assumption that if they use the “password protection” features of whatever software they are using, that their data is safe and secure.  However, this is not necessarily the case.  Why?

Using password-protected files to secure data is fast and easy and built into many applications.  Why not use it?  Certainly, password protecting files is much better than not doing so.  However, there are several things that determine how secure these “protected” files really are.

Read the rest of this post »

Doctors and medical professionals are feeling a growing pressure to get their business online (i.e. even use of electronic prescriptions is being pushed).  This includes making available protected health information to patients via a web site and collecting similar private information from patients or would-be patients. If doctors can show that they are using digital systems with their health care practices in a meaningful way by 2011, they may be eligible for some serious money (part of the proposed stimulus package — the Health Information Technology for Economic and Clinical Health Act (HITECH)).

However, where the health information of an identifiable individual is involved, the Health Insurance Portability and Accountability Act (HIPAA) is the official compliance document.  So, what do these requirements mean and how can HIPAA be followed in the context of a website?

Read the rest of this post »