
Anti-virus scanning for files uploaded through your Web forms with SecureForm

Published: April 22nd, 2016

If you have a web form that allows end users to upload files, then you may be placing yourself at risk.  End users can upload virus-laden files or malware through these forms.  Opening such files can place your computer at risk — especially if your computer does not itself have real-time anti-virus scanning enabled, that scanning software is old or not well designed, or it is not updating itself frequently.

LuxSci SecureForm form data processing now automatically scans all uploaded files for viruses in real time.  If a virus or malware is detected, the form submission will be automatically blocked.  Current SecureForm users are automatically protected by this service.

Defense in depth is an important security measure.  Multiple barriers, multiple scans, and multiple checks all help to protect your systems.  If you are accepting arbitrary files over the Internet, have them scanned immediately on upload.  Have them scanned again when you access them using your own computer’s anti-virus system.  We are in the days where viruses do not just slow down your computer; they encrypt and lock away all of your data and/or put your identity up for sale.  You need to take as many precautions as possible to minimize your possible exposure to threats and the risk to your business.

How do I fix the reputation of my IP address?

Published: April 19th, 2016

It happens — you’re sending email messages without issue, and then suddenly they’re not being delivered, or they’re being tagged as spam.  A little digging reveals that the problem is that your “IP reputation” is now poor, and you need to fix it somehow.

This is our latest “Ask Erik” question, from Angelo Correa of Living Legacy, Inc.

How do I fix the reputation of my IP address?

What is IP Reputation?

Email service providers (e.g. AOL, Gmail, LuxSci) and email filtering systems (e.g. Barracuda, McAfee, Proofpoint, SenderScore) collaborate on and track the sending of unwanted email in order to reduce the blight of email spam that continues to plague the Internet.  Some of the significant factors that they track include:

  1. Quantity of email sent from your IP address
  2. The spam-like characteristics of these messages (based on spam filter analysis)
  3. The number of spam complaints by recipients of these messages
  4. The number of messages sent to invalid recipients or honey pots. Honey pots are email addresses that do not belong to real people and only exist as traps for senders who have acquired these email addresses via web site scraping or some other illegitimate manner.

Put together, these factors end up determining the reputation of that IP address with respect to the sending of email messages.  If the reputation becomes poor, then spam filters will start to quarantine or reject your messages, resulting in poor deliverability.

Read the rest of this post »

Infographic: Texting in healthcare – a not-so-simple exchange

Published: April 18th, 2016

Sending text messages between health care providers and patients is incredibly common, but it is also generally a violation of HIPAA.  See: To Text or Not To Text.  Texting and healthcare.  This infographic covers when texting occurs and where the risk arises.


Read the rest of this post »

Are you encouraging insecurity via your Web site contact and intake forms?

Published: April 15th, 2016

Many Web sites have “contact us” pages and other Web forms for receiving requests from existing or potential customers.  This includes “new patient intake” forms on the Web sites of healthcare providers.

The garden variety Web form suffers from several serious problems:

  • Spam – Getting unwanted form submissions from Web robots.
  • Privacy – Often, sensitive data is submitted insecurely through these forms.
  • Archival – You may need an archived record and backup of all submissions.
  • Notices – You may need to be alerted of form submissions, even if you are not online.

Proactive privacy vs. neglect of privacy

When your Web forms transmit data insecurely, store or send data insecurely, or otherwise do not treat the submitted data with the level of protection that it deserves, you are putting the users of your forms at risk.

The typical argument is that “it is up to the user of the forms to decide if they want to submit sensitive information.” In fact, many insecure forms even have disclaimers requesting people to not submit sensitive information if they have concerns … and then the forms go on to ask lots of sensitive questions.   Especially without a disclaimer, but even with one, the form is actively soliciting people to submit their information insecurely and requesting them to take risks with their private data.   This is not good.

In areas such as healthcare, where these forms are often collecting sensitive health data (protected health information – PHI), the fact that an organization solicits the submission of PHI through insecure, non-HIPAA-compliant means is far from a “best practice”.  Why?

Read the rest of this post »

What is the least expensive way I can get my company HIPAA Certified?

Published: April 14th, 2016

A common question posed to Ask Erik involves how small organizations can get “HIPAA certified” quickly and with minimal expense.  These questions stem from desperation (people know that they are not compliant), fear (people know that non-compliance is extremely risky in terms of potential fines and bad publicity, not to mention risk to their customers/patients), lack of an understanding of HIPAA (they do not really know what getting “HIPAA certified” means), and lack of resources (time and money are both scarce).  Organizations in this situation know that they need to take steps for compliance ASAP, but they may not know what those steps are and really want to allocate the minimum possible time or money towards them.

What does getting “HIPAA Certified” mean?

The first hurdle is that there is no official, government-sanctioned HIPAA certification program.  So, there is no way to be officially “HIPAA certified” and thus be “all set.”  What you really must do is strive to be HIPAA-compliant in all aspects of your business that deal with Protected Health Information (PHI) and strive to keep up with your changing organization and the changing compliance landscape over time.

So how can I be HIPAA-compliant?

This is an ongoing process, but here are some steps to get started:

Read the rest of this post »

Is Skype HIPAA Compliant? If not, what is?

Published: April 6th, 2016

Revision 2016:  Since the article was published, Microsoft has started offering a Business Associate Agreement (BAA) for Office 365 Online of which Skype is a part.  While online documentation is very unclear, Microsoft has indicated that Skype is covered under this BAA and thus use of Skype can be “HIPAA compliant” as long as you have “Skype for Business” and the signed BAA with Microsoft.

However, Skype lacks many controls and features that are actually required for an organization to be compliant, such as access auditing, backups, and breach reporting.  This makes it unclear what the usefulness of its being “covered” under Microsoft’s BAA really is.  Microsoft is really just leaving it up to the Skype user to determine if the use of Skype is appropriate without taking any steps to ensure that use of Skype really could be compliant.  Additionally, even though Skype is covered under Microsoft’s BAA, the regular, free Skype used by most people is not covered.  So, for example, a therapist should under no circumstances have a session with a patient, where that patient is using the regular free Skype program.

Original Article Content:

In conjunction with their use of LuxSci HIPAA-compliant email and web hosting services, many small health care practices often ask us about use of Skype and other video conferencing software for communicating with patients over the Internet.

Is it possible to be HIPAA compliant while using Skype for sending PHI via chat, voice, and/or video?  Why?  Everyone else is doing it … shouldn’t I thus be able to as well?

The short answer is “no – don’t use Skype” and “there are other options available that offer this capability and allow you to be HIPAA compliant in the process.”  For the long answer, read on.

Read the rest of this post »

Press Release: How To Text and Remain HIPAA-compliant

Published: March 15th, 2016

WESTWOOD, MA, March 15, 2016 — LuxSci® announces the recent launch of SecureText, a unique solution to concerns about HIPAA-compliant text messaging, and an important step to safeguard and secure electronic patient health information (ePHI).

Communicating through text message is a convenience to which we have grown rapidly accustomed. However, sending unsecured texts places healthcare providers and patients at risk in several ways: (1) ePHI-laden messages are not always encrypted during transmission or storage; (2) anyone with access to a recipient’s phone or stored messages can view ePHI-laden messages; and (3) some ePHI-laden text messages travel through organizations which lack required HIPAA Business Associate Agreements. Additionally, since healthcare providers are required to obtain and maintain consent from patients for texting, providers must ensure that patients are adequately educated on the risks associated with sending ePHI via text and presented with secure alternatives to insecure texting.

Read the rest of this post »

Embedding SecureForms into WordPress using an iframe

Published: March 14th, 2016

WordPress is an incredibly popular Web site management and blogging platform.  Customers inquire of LuxSci frequently about the best way to add forms to their WordPress pages and posts.  Not just any forms — complex forms that can be HIPAA-compliant and which can submit data securely through SecureForm.

There are numerous options here.  The two most popular are GravityForms and embedding forms with an iframe.  GravityForms is popular and very cool, but not free.  Also, as GravityForms is complex and really wants to manage all of your form data itself (insecurely), integration with SecureForm is limited:

  • Multiple forms on the same page can be tricky
  • Ink Signatures cannot be captured
  • File uploads cannot be captured

Another alternative, which is free as it is included with your SecureForm service, is to:

  1. Build your form with SecureForm FormBuilder
  2. Embed this form into your WordPress page or post using an iframe

What is an “iframe”?  It is a tool that allows you to embed one Web page within another Web page.  When you build a form with FormBuilder, that form is automatically saved and hosted securely for you, and you are provided with the Web site address (URL) for that form.  All you need to do is to “insert” that hosted form into your WordPress page/post and you are all set.  All FormBuilder features are then also supported: Ink Signatures, file uploads, geolocation, etc.

Read the rest of this post »

How do you access multiple LuxSci accounts from one browser?

Published: March 8th, 2016

Our first “Ask Erik” question comes from Peter Douglas of GFIA, Singapore:

“I’ve been a LuxSci customer for >15 years and it’s been great… to the extent that almost all the organizations I’m involved with, I’ve set up with LuxSci email and sometimes Web hosting.

On an email client I can switch between LuxSci accounts seamlessly.  But on WebMail, if I try to open my various accounts in different tabs, I keep getting logged out each time I move between accounts.

In the past your technical support has suggested using a different make of browser for each account.  This works, but it seems a bit of a duct-tape-and-WD40 approach for the 21st century.  Is there a more elegant solution to switching between multiple LuxSci accounts?”

Thank you for the great question, Peter.  Below, I shall explain what is happening and why, and then present a few good solutions for accessing or managing multiple LuxSci accounts.

Read the rest of this post »

Ask Erik!

Published: March 7th, 2016

Erik invites you to submit questions directly to him.

Erik Kangas, PhD, is the CEO of LuxSci and the editor of the LuxSci Blog.

Selected questions will be answered publicly in the LuxSci Blog and some questions will be answered via a direct response.

Good question topics include:

  1. LuxSci and desired features and services
  2. Email and email security
  3. HIPAA compliance
  4. Secure web sites and web forms
  5. Email marketing
  6. Internet security and privacy
  7. Related topics in the news or of concern to your organization

While Erik will review all questions, there is no guarantee that any particular question will be answered or that the question will be answered quickly. If you have technical support, billing, or sales needs, please contact LuxSci through the normal channels.
