Fewer clicks and faster access to your email … isn’t that what we all want? LuxSci’s latest WebMail enhancements keep us on track toward faster and easier.

Among minor changes and bug fixes, our latest enhancements include:

Automatic Loading of New Email

When new email messages arrive, you no longer have to click on “Get Email” to see what they are — they are automatically loaded and displayed to you in the user interface.  No need to click and wait a second.

Auto-loading of new email occurs when:

1. You are not sorting or are sorting by date, read status, or thread
2. You are not in the middle of a search
3. You are viewing the “page” of messages that includes the newest messages in your sorted list
4. You are using “WebMail Acceleration” (which is on by default for everyone).

Don’t worry, if these criteria are not met, you will still be informed of new messages in the usual way and you can click on “Get Email” to load them when you are ready.

Read the rest of this post »

We have recently looked at how hackers and spammers can send forged email and then seen how these forged messages can be almost identical to legitimate messages from the purported senders.  In fact, we learned that generally all you can trust in an inbound email message is the internet IP address of the server talking to your inbound email server — as this cannot realistically be forged in any way that would still enable you to receive the message.

In our last post in this series, we examined how SPF can be used to help weed out forged email messages based on validating if a message was sent by an approved server by looking at the IP address delivering the email message to you.  We found that while SPF can work, it has many significant limitations that cause it to fall far short of being a panacea.

So — besides looking at the sending server IP address — what else can we do to determine of a message was forged?

It turns out that there is another way — through the use of encryption techniques and digital signatures — to have the sender’s servers transparently “sign” a message in a way that you can verify upon receipt.  This is called DKIM.

DKIM – Domain Keys Identified Mail: A Simple Explanation

DKIM stands for “Domain Keys Identified Mail” … or, re-writing this more verbosely, “Domain-wide validation Mail Identity through use of cryptographic Keys”.  To understand DKIM, we need to back up for a second and look at what we mean by “cryptographic keys” and how that can be used.

Read the rest of this post »

Mason Rothert is the CEO of Mediprocity, the company that we have partnered with and worked closely with to provide LuxSci SecureChat.

Mason Rothert & Nicholas Magers conceived Mediprocity while working together in the healthcare field calling on physician offices and healthcare provider centers. At the time, Mason Rothert was working as V.P. of Sales and Technology for a management company overseeing long-term care facilities and a full range therapy company. Nicholas Magers was finishing up his MBA at USC and working for a pulmonary company as a sales director. They decided to combine forces in order to solve the fragmentation of communication amongst covered entities and business associates in healthcare. They would focus on the new technologies available as well as the growing need to encrypt patient health information in order to prevent data breaches.

Mediprocity begin in 2009 as a social network for healthcare.  The Company culture has always been to be physician-centric and to help improve communications.  As smartphone and text messaging popularity grew rapidly, it was clear in 2010 that Mediprocity needed to become a simple secure solution for HIPAA-compliant communication.  They set out to combine the best elements of instant messaging, SMS text, and Email.

LuxSci has integrated the Mediprocity secure communications product into its offering and is continuing to work closely with them to integrate the SecureChat service more and more tightly with LuxSci’s SecureLine secure emailing offerings.

Mason has agreed to this interview so that we can answer many common SecureChat-related questions for you.

Read the rest of this post »

Fred is a busy small business CEO.  He hired a cheap developer online to setup his secure medical web site for him.  The developer got an SSL certificate and setup pages where patients can make appointments and the doctor can receive patient requests and notices, “securely”.  However, the developer didn’t have any real training in security and none in HIPAA and as a result, PHI was being sent in the clear, there were no audit trails or logs, SSL security was not enforced, and may other serious issues plagued the site.  No one knew.

Luckily, Fred was made aware of the situation before a serious security breach happened (that he knew of); however, he had to re-do the site from scratch, more than doubling his time and money costs.

Creating a web site that has “secure” components requires more than slapping together some web pages and adding an SSL Certificate.  All a certificate really does is create a thin veneer of security — one that does not go very far to protect whatever sensitive data necessitated security in the first place.  In fact, naive attempts at security can ultimately make the data less secure and more likely to be compromised by creating an appetizing target for the unscrupulous.

So, beyond paying big bucks to hire a developer with significant security expertise, what do you do? Start with this article — its purpose is to shed light on many of the most significant factors in secure web site programming/design and what you can do to address them.  At a minimum, reading this article will help you to intelligently discuss your web site security with the developers that you ultimately hire.

Read the rest of this post »

Web site forms are ubiquitous.  Every site needs them to engage their visitors, collect information, makes sales, etc.  They are easy to add to your site, but not necessarily easy to do right.

Make a quick web form using some generic web site authoring software and put it up on your site and it may work, but you also may have serious issues:

• Incomplete Forms. Users submitting incomplete forms — e.g. not filling out all of the important fields
• Invalid Input. Users not entering the “right” information — e.g. not actually putting an email address in the email address field
• Form Spam Bots. Automated programs may fill out and submit your forms … sending you junk in the form of gibberish or web site URLs they hope you will visit and buy stuff from.
• Form Insecurity. If your from collects any kind of sensitive information … from passwords to medical data … it could easily be setup incorrectly and allow phishing attacks or data leakage.
• Stale Forms. You updated your form … but someone just somehow submitted the old version which is not even on the Internet anymore!
• Connectivity/Server Issues. You don’t want your users to give up because their network is down or your site is down for a few seconds.

All of these problems impact the success of your site — causing everything from annoyance to the inability to contact your sales leads to breaches of privacy.  Fortunately, it is not really hard to plug these gaps and have a solid, productive, and secure web form.

Read the rest of this post »

We have recently looked at how hackers and spammers can send forged email and then seen how these forged messages can be almost identical to legitimate messages from the purported senders.  In fact, we learned that generally all you can trust in an inbound email message is the internet IP address of the server talking to your inbound email server — as this cannot realistically be forged in any way that would still enable you to receive the message.

We know who the message says it is from and the address of the server that delivered it to us.  How can we reliably prevent fraud by checking if the message was forged or not?  Seems hard.

It turns out that there are a number (yes, more than one!) of techniques that can be used to do this.  The first and simplest is SPF – Sender Policy Framework.  Below, we shall look at what this does, how it works, how to set it up, and what some of its deficiencies are.  In future articles, we will look at the other techniques.

SPF – Sender Policy Framework: A Super Simple Explanation

Simply put, SPF is a way for the owner of a domain, such as bankofamerica.com, to publish information indicating what servers (Internet addresses) are authorized to send email from that domain.  Recipients (e.g. your spam filtering software) can check the Internet address that is trying to send you an email from bankofamerica.com against this authorization list — if it is on it, the message is probably legitimate; if not, it’s probably forged.

Read the rest of this post »

LuxSci is pleased to announce the availability of SecureChat, a secure, HIPAA-compliant chat and texting service that works through any modern web browser and though native Apps for iOS and Android devices.

SecureChat enables real-time texting and communications of files in a way that is secure and compliant, unlike regular text messaging and use of apps like Skype.

“Delays in communication no longer represent a delay in care. Our facility did a pilot study and it showed that the average response time from doctors using secure chat is 1-2 minutes, compared to 28 minutes when they used pagers and phones. I oversee a multidisciplinary team of health care professionals. With so many people involved, having fast, secure text messaging is critical to how we relay doctor’s orders and changes in patient status, and get nursing updates and therapy reports.”

— Aaron Salyapongse, MD; Director of Hip and Knee Surgery at Valley Care Hospital

Notably, SecureChat includes:

1. Messages and files always encrypted — in transit and at rest
2. Archives of all messages and files sent
   • Administrative access to archived messages for compliance
3. Compatibility with iOS, Android, and any modern web browser
4. Read receipts on messages sent
5. Users can connect using multiple devices, simultaneously
6. File attachments up to 100MB in size
7. Real-time, synchronized messaging and conversations
8. Distribution lists
9. Unlimited conversations, messages, and archival storage

SecureChat is integrated with LuxSci and provides a fast, clean, and simple interface to communicating on-the-go (and in your seat) with other SecureChat users.

SecureChat licenses are $6/user/month (with discounts for 100+ licenses).  New customers can add SecureChat to their orders using our Order Wizard; existing customers can add SecureChat to their existing accounts using the “Account – Upgrade” tool.

One SecureChat license is needed per individual using the SecureChat system; however, your licenses do not have  correspond to the users in your LuxSci email hosting account.  They could include a subset of these people, as well as licenses for arbitrary external users that you also wish to include.

Please contact Sales if you have questions about SecureChat, or if you would like to try it out for Free.

Doctors and medical professionals are feeling increasing pressure to get their business online (e.g. use of electronic prescriptions, web appointments, and remote medicine are both trendy and critical for building and sustaining revenue streams in the tightening medical market).  This push includes making available protected health information to patients via a web site and collecting similar private information from patients or would-be patients.

However, where the health information of an identifiable individual is involved, the Health Insurance Portability and Accountability Act (HIPAA) is the official compliance document.  And with the Omnibus rule in place, all web sites, old and new, must be properly designed or their owners face potential financial liability into the millions of dollars.

So, what do these requirements mean and how can HIPAA be followed in the context of a website?

Read the rest of this post »

In conjunction with their use of LuxSci HIPAA-compliant email and web hosting services, many small health care practices often ask us about use of Skype and other video conferencing software for communicating with patients over the Internet.

Is it possible to be HIPAA compliant while using Skype for sending PHI via chat, voice, and/or video?  Why?  Everyone else is doing it … shouldn’t I thus be able to as well?

The short answer is “no – don’t use Skype” and “there are other options available that offer this capability and allow you to be HIPAA compliant in the process.”  For the long answer, read on.

Read the rest of this post »

In our previous posting, we looked at exactly how Spammers and hackers can send forged email — how its is possible and how it is done.  Therein, we gave an example how one could send an email forged to be from Bank of America.

In this post, we will look at that forged Bank of America email to see technically what it looks like and how it differs from legitimate email from Bank of America.

What can we learn that allows us to detect forged email in the future?

The Forgery: Received.

The forged email from Bank of America was based on a legitimate email message, so that the forgery could look as close as possible to actual email from them.

In truth, the majority of forged email simply changes the “From” address and does not bother with anything else.  These forged messages are used for Spam and hope the forgery fools enough people to be worth it, through numbers.  What we are looking at here is a more carefully crafted message designed to fool filters and a careful eye.  These kinds of fakes might be used in spear phishing attacks on an individual or in more sophisticated Spam campaigns.

The the forged Bank of America email that arrived in the recipient’s mail box looked like this (the raw headers):

Read the rest of this post »