New Feature Announcements Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more
LUXSCI

Archive for the ‘New Feature Announcements’ Category

Custom Email Header Tracking and Reporting

Thursday, August 15th, 2019

Does your outbound email sending system add custom email headers to each message, i.e. headers that track potentially important per-message information such as:

  • Email Campaign ID
  • Customer Segment ID
  • Unique message ID
  • Auto-responder code
  • etc.?

Many systems include such information; however, the email headers that these and other types of tracking information are recorded in are named different things by different programs and even by different users of the same program.
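
As an added example (not code from the original post or from LuxSci), the following normalizes the differently named tracking headers described above into one set of canonical keys, so that per-campaign or per-segment reporting does not depend on which program, or which user, named the header. The sample message and the alias table are constructed for illustration.

```python
import email
from email import policy

# Constructed sample message for this example; it is not taken from the post.
SAMPLE_MESSAGE = """\
From: reminders@example.com
To: patient@example.net
Subject: Appointment reminder
Message-ID: <abc123@example.com>
X-Campaign-ID: summer-2019-reminders
X-Segment: cardiology
X-Autoresponder: AR-7

Your appointment is next week.
"""

# Each tracking concept mapped to the header names that different sending
# systems (or different users of one system) use for it. These aliases are
# assumptions chosen for illustration, not a standard or LuxSci's configuration.
TRACKING_HEADER_ALIASES = {
    "campaign_id": ("X-Campaign-ID", "X-Campaign", "X-Mailer-Campaign"),
    "segment_id": ("X-Segment", "X-Customer-Segment", "X-Segment-ID"),
    "message_id": ("Message-ID", "X-Message-ID"),
    "autoresponder": ("X-Autoresponder", "X-Auto-Response-Code"),
}

def extract_tracking_headers(raw_message, aliases=TRACKING_HEADER_ALIASES):
    """Map one raw RFC 5322 message's tracking headers to canonical keys.
    Header names match case-insensitively (as RFC 5322 requires) and the first
    alias present wins; an absent concept maps to None so gaps stay visible.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = {}
    for concept, names in aliases.items():
        found[concept] = None
        for name in names:
            if name in msg:
                found[concept] = str(msg[name]).strip()
                break
    return found

def count_by_concept(raw_messages, concept, aliases=TRACKING_HEADER_ALIASES):
    """Count messages per value of one concept (e.g. per campaign); messages
    without that header are counted under None rather than silently dropped."""
    counts = {}
    for raw in raw_messages:
        value = extract_tracking_headers(raw, aliases)[concept]
        counts[value] = counts.get(value, 0) + 1
    return counts
```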


How to Evaluate any New Software or Service for HIPAA Compliance

Friday, August 9th, 2019

If your organization operates in the health sector or processes data for clients that are, then it will need to deal with all ePHI in a HIPAA-compliant manner. This means that HIPAA-compliant software and services are required whenever and wherever protected health information is dealt with.

HIPAA regulations limit the range of services that a company can use. Due to the complexity of the laws, it’s important to evaluate any potential service in a thorough manner to ensure that it is in fact HIPAA compliant. To make the process a little less daunting, we’ve collected a list of steps that make it easier to discern whether a provider can protect your organization’s data appropriately:

Does the Provider Say That the Service Is HIPAA Compliant?

This is the easiest and perhaps most obvious step. Organizations that provide HIPAA-compliant services generally advertise it quite prominently. If they are putting in the extra work to keep their clients secure and within the regulations, then the odds are that they are going to tell potential customers about it.

If you visit the company’s website (or talk to a sales rep) and don’t come across any information about HIPAA compliance, then it’s pretty safe to assume that the software or service is not HIPAA Compliant. If you want to make sure that you didn’t overlook anything, you can do a site search of the company’s website, looking for “HIPAA Compliant” and related keywords.

If you don’t find any results, it’s probably best to move on to other providers. If a company was actually HIPAA Compliant but didn’t make the information clear, it raises some serious questions about the company’s practices and strategies. Given the importance of HIPAA Compliance, it’s probably best to move on to another provider.

Let’s not get ahead of ourselves and assume that we can trust a company just because it says it’s HIPAA Compliant. This is simply the first step of the evaluation process and it helps to rule out a large number of providers. Once your organization has narrowed down the list, it still needs to analyze other aspects of the service and the company behind it.

Is the Service Provider Willing to Sign a Business Associate Agreement?

The next step is to determine whether the provider is willing to sign a business associate agreement (BAA) with your organization. If the service provider will be processing your company’s ePHI, but won’t sign a BAA with it, then any data sharing will not be HIPAA Compliant.

According to HIPAA, a BAA is required for any third party that may process your organization’s ePHI. This agreement stipulates how the data will be protected and processed, as well as where the responsibilities are delineated.

Let’s say a hypothetical organization did actually secure the data in a HIPAA-compliant manner without having signed the agreement – this would still violate the regulations, because there is no written agreement that ensures the protection of the patient data.

Look at the Company’s Reputation and Reviews

Trust is critical when it comes to HIPAA compliance. While you can’t look into the future and see how your organization’s experience with a service will play out, you can get a rough idea by looking at the company’s reputation, as well as any public reviews that may have been posted.

If a service provider has been in the industry for a long time, it’s generally a good sign. But be wary if the organization is branching out into a new service. A company could be industry-renowned for its HIPAA-compliant email, but if it has just launched a new chat service, it may not necessarily be up to the same standards. While new services aren’t necessarily bad by default, it’s probably best to do additional research before signing up to be a guinea pig.

Another key indicator is the service provider’s reviews. Do you know anyone personally or that you trust who has used the service? What did they say? Did their experience show that the company was committed to security and HIPAA compliance?

You can also look to online reviews and industry forums to find more information and stories about service providers. It’s important not to put all of your trust in what someone says on the internet, but if you come across negative experience after negative experience, it may be a decent warning sign to steer clear. Watch out for digital marketing though – some companies are especially cunning and post ads that look like honest forum posts or reviews.

Investigate the Details

The steps listed above are a good way to narrow things down, but they are no substitute for a thorough evaluation. It’s your organization’s responsibility to make sure that a potential service has every technical, administrative, and operational measure that it needs to stay within the lines of HIPAA.

While a service provider will be responsible for compliance in a number of areas (if a BAA is in place), your organization is not at all free of obligations. It needs to make sure that it is encrypting data where necessary, that it implements effective access control, and has a host of other measures in place. It also needs an overarching policy that brings all of the elements together in a comprehensive plan.

Any HIPAA-compliant provider should be more than happy to share the technical, privacy, and legal details with a potential client. If not, your organization should be extremely suspicious of its services. If your organization lacks the expertise to thoroughly evaluate a provider, then it may be best to engage an outside consultant who can handle it for you.

HIPAA compliance is serious and complex. It’s important to get it right from the start, through careful examination and planning. If your organization doesn’t tread carefully from the beginning, it could very well find itself on the wrong side of the regulations, facing significant legal penalties.

API Updates: Retrieve Dedicated Server Status on Demand

Monday, July 29th, 2019

LuxSci’s secure REST API enables LuxSci’s customers to automate account management activities, send secure email messages and secure texts, download custom reports, integrate their web sites with LuxSci WebMail using single sign on, and more.

As frequently happens at LuxSci, we have added more features to our API at the request of current customers. These are two new API calls related to dedicated servers. With these calls, you can take inventory of all of the dedicated servers that you have with LuxSci (be that one, 20 or more) and then request the current status of each one. Additionally, we have updated our API documentation guides.

API Updates

New Functions

The API has two new functions for accessing information about dedicated servers. In order to use these functions, you will need to ensure that the configuration that you are using has the “Dedicated Servers – Servers Report” access control permission enabled.   LuxSci’s API is designed with security in mind – existing configurations do not have permission to use significantly new/different features that are added over time until you explicitly grant such access.

Reports:  All Servers

The first new command returns a current list of all dedicated servers assigned to your account. For each server this includes information such as the server name, unique ID, amount of RAM, number of CPU cores, etc. This is all static information, i.e. information not directly related to the current health and uptime of your server.

Report: Server Status

For any particular server in your account, you can request the server status.  In addition to the static information about your server that you get from the all servers report, the server status report also includes the current values of:

  • If the server is up and responding.
  • How long since the server was last rebooted.
  • The 1-minute, 5-minute, and 15-minute server load averages (divided by the number of CPU cores the server has).
  • How much RAM and SWAP space is available and used.
  • How much network bandwidth has been used in the last 15 minutes, inbound and outbound.
  • Information about all mounted disks: How much space they have, how much is free, and what the current percentage I/O load is.
  • How many email messages are in your outbound email queues.
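
As an added example (not LuxSci's code, and not its API response schema, which is defined in the API documentation), here is a health check over a status report of the kind described above. The report dict, its field names and the thresholds are all assumptions constructed for illustration; a real integration would populate the dict from the server status API call.

```python
# Constructed sample status report for this example. The field names are
# assumptions for illustration; LuxSci's real response schema is in its API
# documentation and may differ.
SAMPLE_STATUS = {
    "name": "mail1.example.com",
    "up": True,
    "seconds_since_reboot": 420,
    "load_per_core": {"1m": 0.8, "5m": 1.4, "15m": 1.6},
    "swap_mb": {"total": 4096, "used": 2500},
    "disks": [
        {"mount": "/", "total_gb": 100, "free_gb": 30, "io_load_pct": 20},
        {"mount": "/var/spool", "total_gb": 200, "free_gb": 8, "io_load_pct": 95},
    ],
    "outbound_queue": 12000,
}

# Alert thresholds; tune them to each server's normal baseline.
THRESHOLDS = {
    "recent_reboot_s": 600,     # a reboot you did not schedule deserves a look
    "load_per_core_15m": 1.0,   # the report already divides load by core count
    "swap_used_fraction": 0.5,
    "disk_free_fraction": 0.10,
    "disk_io_pct": 90,
    "outbound_queue": 5000,     # a sudden backlog can mean an abused account or a delivery problem
}

def evaluate_status(report, thresholds=THRESHOLDS):
    """Return human-readable findings for one server status report; an empty
    list means the server is up and every metric is within threshold."""
    if not report.get("up"):
        return [f"{report.get('name', '?')}: DOWN or not responding"]
    findings = []
    if report["seconds_since_reboot"] < thresholds["recent_reboot_s"]:
        findings.append(f"rebooted {report['seconds_since_reboot']}s ago")
    load15 = report["load_per_core"]["15m"]
    if load15 > thresholds["load_per_core_15m"]:
        findings.append(f"15-minute load {load15:.2f} per core")
    swap = report["swap_mb"]
    if swap["total"] and swap["used"] / swap["total"] > thresholds["swap_used_fraction"]:
        findings.append(f"swap {swap['used'] / swap['total']:.0%} used")
    for disk in report["disks"]:
        free = disk["free_gb"] / disk["total_gb"]
        if free < thresholds["disk_free_fraction"]:
            findings.append(f"{disk['mount']} only {free:.0%} free")
        if disk["io_load_pct"] > thresholds["disk_io_pct"]:
            findings.append(f"{disk['mount']} I/O load {disk['io_load_pct']}%")
    if report["outbound_queue"] > thresholds["outbound_queue"]:
        findings.append(f"{report['outbound_queue']} messages queued outbound")
    return findings
```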

Accessing the Application Programming Interface

To start using the API, customers should first review the API documentation.  Then, proceed to the API section of your LuxSci account administration pages and create a configuration and assign what types of functions your API configuration should be permitted to perform.

If you have questions, please contact LuxSci support.

Remote Work & Its Cybersecurity Implications

Tuesday, June 4th, 2019

Remote work has become a hot topic in recent years, with the rise of digital nomads as well as those who just want to sleep in, skip traffic and avoid their bosses. The increased flexibility can be great for workers, while organizations can save on office costs and even boost employee morale.

Despite the potential benefits, remote work can complicate an organization’s cybersecurity. Instead of having everything centrally controlled in the office, businesses with remote workers also have to account for people accessing their resources in other locations over potentially insecure connections and equipment.

It’s not an insurmountable problem, and all it requires is some basic analysis, planning and policy, as well as a few simple security tools.


What Kind of Data Does the Employee Need to Access?

Before you dive into the technology requirements and write up a detailed policy framework, it’s important to perform an analysis to see what kind of access remote employees will need in the course of their work, and to determine whether they process any data that needs to be protected.

Some employees may not require any access to company systems and don’t need to deal with sensitive data. Others may need to log in to company tools and databases, while certain remote workers may need to deal with sensitive business data or ePHI. Each of these situations will require a different approach to maintain an appropriate security level within your organization.

Low-risk Employees

If it’s just a graphic designer updating your flyers or a similar type of low-risk work, you probably don’t need to worry too much. The graphic designer could directly email the drafts to hackers and it wouldn’t have any serious ramifications for your company (unless the hackers have some kind of absurd hatred for spam and target your business in an over-the-top revenge plot).

For employees that don’t access company systems or its data, you really don’t need to take any major security precautions. If the employees only deal with information that you could post on a billboard without repercussions, there’s no real point in developing special systems.

The only policy that you would need in place is to ensure that the rest of your employees keep their communications on a strict need-to-know basis with remote employees. While these remote workers don’t need any sensitive information in the course of their work, it’s important to prevent any gossipers from divulging company secrets.  It’s also important to segregate their computer systems from those of sensitive employees if and when they happen to be in the same location, so as to avoid the spread of malware.

If your organization already has secure systems in place, it may be worthwhile to use them with remote employees that fall into this category. It could prevent such rare slip ups at a low cost, since the infrastructure is already available.

Employees that Access Company Resources, Sensitive Data or ePHI

If remote workers need to access company systems, sensitive data or ePHI in the course of their work, then your organization will need to take a number of precautions to secure itself and the data.

Again, you first need to analyze what the employees actually need and come up with policies and technologies that allow them to safely use it, without opening up any doors to unauthorized parties.

This policy should include rudimentary security processes like enforcing strong passwords and requiring two-factor authentication.

Access Control

Follow the principle of least privilege and only allow employees to access what they strictly need in order to accomplish their tasks. Opening up all of your company’s systems and its data to employees only adds unnecessary risk.

Over time, an employee’s access needs may change. If this occurs, simply adjust their privileges as necessary, whether this involves increasing or decreasing them.

Secure Employee Devices

Ideally, companies should be supplying the devices that their employees use so that they have strict control over them. These devices should have full-disk encryption with remote wipe capabilities, firewalls and antivirus software at a minimum. Your organization should also have strict rules about what employees can and cannot use company devices for.

VPN Access

VPNs offer one of the best ways to safely allow remote access to company resources. They fully encrypt the pathway between an employee’s device and the company server, preventing outside access.

Monitor Your Remote Workers

As part of your organization’s overall security policy, it should be monitoring and taking logs whenever employees access company resources. Not only does this deter employees from acting inappropriately, but it also makes it much easier to find the culprit if the company has been breached.

Obviously, this policy should be extended to remote workers who access company systems and data, as well as internal employees.

Encrypt Everything

Sensitive data needs to be encrypted whenever it is being collected, processed, transmitted or stored. LuxSci offers a range of services that can help your organization keep this data safe, from our secure forms and hosting, to our HIPAA-compliant email.

Encrypting all of your organization’s sensitive data is a crucial part of keeping it safe when dealing with remote employees. Between this and the steps mentioned above, you can offer your employees the freedom of working from anywhere without putting your organization at risk.

Updated Service Level Agreement

Friday, May 31st, 2019

LuxSci has updated its Service Level Agreement (SLA) for all shared and dedicated customers. This change supersedes the previous SLA for all existing LuxSci customers that do not have a custom SLA agreement with LuxSci.

Download the Complete SLA Document

The new SLA is an improvement over the old SLA in many ways. Some of these include:

  • A new explicit guarantee on the Availability of Services running on dedicated servers
  • The addition of explicit SLAs for services provided by LuxSci’s vendors (such as Proofpoint).
  • An explicit description of how LuxSci performs regular and emergency maintenance on servers and services.
  • A new paid SLA Track called Premium SLA that changes how maintenance is performed with respect to Premium SLA Customer’s dedicated servers.

The Premium SLA Track provides:

  1. Higher degree of insulation from the potential impacts of software updates and changes.
  2. Preferred scheduled maintenance window selection.
  3. Higher-touch notices and coordination of updates.
  4. Longer notice for emergency maintenance.

Premium SLA Tracks are generally only available to Customers with an Enterprise Custom plan. If that is you and you are interested in adding Premium SLA to your LuxSci account, please contact sales.
