Frequently we are approached by customers who have automated systems that need to send out secured emails on demand and without any manual interaction.  These could be web site response systems for sensitive information, health care labs emailing results which need to meet HIPAA compliance, or other situations where the email messages must all be secured.

LuxSci’s SecureLine service provides a means for encrypting some or all outbound email messages using any combination of 4 different email encryption techologies: SMTP TLS, PGP, S/MIME, and SecureLine Escrow (secure message pickup).

Read the rest of this post »

SSL v3 and TLS v1 are subject to a serious exploit, according to a recently published attack mechanism (called BEAST).  This sounds foundation-shattering and kind of scary. When people see this, as when we did, the first panicky questions that arise are:

• What is really affected?
• How serious is it?
• What can I do to protect myself?
• How does the BEAST attack actually work?

After researching this issue, we have digested what we have found and produced this article to answer all of these questions for you.

Read the rest of this post »

When sending outbound email from an email program (like Outlook or Thunderbird) or from a mobile device (like iPhone or Blackberry) that is not using Premium MobileSync, your program or device connects to our outbound email servers using an Internet protocol called “SMTP” (The Simple Mail Transport Protocol).

An email server, however, does lots of different things in addition to sending outbound email.  It may allow checking of email via POP or IMAP, or checking your address book using LDAP, or other things. So, when your email program connects to the server it has to specify what it wants to do (i.e. send an email).  It does this by connecting to a numbered “port” on the server.  Port number “25″ is the Internet standard for “regular outbound email”.

However, because port 25 is standard for outbound email, many ISPs, wifi networks, hotels, airports, and other locations that provide Internet access will arbitrarily block any connections to servers (except perhaps their own) on port 25 in order to stop spammers from using their services for the sending of spam, viruses, or malware and to prevent their IP addresses from being black listed.

Read the rest of this post »

We have previously discussed how it may be OK according to HIPAA to send and receive FAXes with ePHI over standard analog phone lines.  See: Is a FAX document HIPAA-Secure?

However, we have observed that customers more and more wish to integrate FAXing with their computers, taking advantage of the “paper-free” office that is arriving most places.  Why should they have to print and manually fax things or receive FAXes on an old-fashioned FAX printer, when their computers have FAX capability?  Can that capability be used in a HIPAA-compliant way?

The answer is “Yes, you can”.  This article explains how and points out things to watch out for.

Read the rest of this post »

LuxSci has updated its per-domain administrative controls, adding features that were previously only present in the global, account-wide configuration area.

Now, the following security and privacy features can be configured on a per-domain basis, unless they are already set up globally:

Read the rest of this post »

LuxSci’s SecureLine end-to-end email security system enables allows customers to enable use of TLS for email delivery, without any further encryption, when TLS is supported by the recipient email servers and the customers’ needs only include transport encryption (i.e. for HIPAA).  This provides security with maximum usability, when available.

However, TLS is not as secure as SecureLine Escrow for email communications.  For cases where enhanced security is desired, even to a recipient whose email servers support TLS, LuxSci’s WebMail email composer now permits users to override the use of “TLS Only” so that “SecureLine Escrow” can be used instead — on a message-by-message basis.  I.e., users can now use Escrow “on demand” to provide enhanced security over TLS.

Additionally, users have a new preference (under “Email Composition > SecureLine” preferences), where they can alter the behavior of WebMail so that “TLS Only” delivery is NOT used for them unless requested — Escrow can be used by default if desired.

These new security settings only apply to SecureLine customers who have “TLS” enabled as a viable secure email delivery method in their account.

SecureForm is LuxSci’s service that makes it quick and easy to collect data, including files, from web and PDF form posts and have that data emailed to one or more recipients and/or archived in a LuxSci WebAides document storage area.  The “Secure” in SecureForm refers in part to the fact that the emailed form data can be secured using PGP or S/MIME.  This, combined with enforced use of SSL, ensures that the form data is secured from end-to-end … from submission by the end user to the receipt by the web site administrator.  This ensures HIPAA compliance and strong security for that data.

Now, SecureForm supports the option of secure delivery of form data emails to recipients using TLS instead of PGP or S/MIME.  While use of TLS only is less secure than PGP or S/MIME, it is more user friendly — there is no need for certificates or extra steps to decrypt the messages once they arrive.  TLS does provide transport encryption from LuxSci’s servers to the recipients servers and thus still provides HIPAA compliant form data delivery. 

Read the rest of this post »

TLS stands for “Transport Layer Security” and is closely related to “SSL” (Secure Socket Layer). TLS is one of the standard ways that computers transmit information over an encrypted channel. In general, when one computer connects to another computer and uses TLS, the following happens:

1. Computer A connects to Computer B (no security)
2. Computer B says “Hello” (no security)
3. Computer A says “Lets talk securely over TLS” (no security)
4. Computer A and B agree on how to do this (secure)
5. The rest of the conversation is encrypted (secure)

In particular:

• The meat of the conversation is encrypted
• Computer A can verify the identity of Computer B (by examining its SSL certificate, which is required for this dialog)
• The conversation cannot be eavesdropped upon (without Computer A knowing)
• The conversation cannot be modified by a third party
• Other information cannot be injected into the conversation by third parties.

TLS (and SSL) is used for many different reasons on the Internet and helps make the Internet a more secure place, when used. One of the popular uses of TLS is with SMTP.  See also:

• How Does Secure Socket Layer (SSL or TLS) Work?
• The Case for Email Security (Why normal email is insecure)

Read the rest of this post »

LuxSci’s SecureLine end-to-end email filtering solution has been augmented with a new, optional, outbound email encryption option: “TLS Only”.

SecureLine accounts that enable “TLS Only” can have their outbound email delivered over an SMTP TLS encrypted channel to recipients whose email services support it.  This mitigates the need for using PGP, S/MIME, or SecureLine Escrow message pickup service for many secure outbound email messages — if TLS message transport encryption is “good enough” for your organization (i.e. it is for HIPAA compliance and it is for most bank-to-bank communications).

SecureLine TLS-Only Outbound Encryption:

Read the rest of this post »

LuxSci has added two new features to help administrators manage the forwarding of email in their accounts so that they can meet HIPAA and other regulatory requirements and at the same time easily control the actions of their users:

• Globally restricting email forwarding to only recipients whose email servers support SMTP TLS for message transport encryption, and
• Globally restricting users from managing their own email forwarding settings.

Read the rest of this post »