Does your outbound email sending system incorporate custom email headers in each message … headers that track potentially important per-message information such as:
Email Campaign ID
Customer Segment ID
Unique message ID
Many systems include such information; however, the email headers that these and other types of tracking information are recorded in are named different things by different programs and even by different users of the same program.
If your organization operates in the health sector or processes data for clients that are, then it will need to deal with all ePHI in a HIPAA-compliant manner. This means that HIPAA-compliant software and services are required whenever and wherever protected health information is dealt with.
HIPAA regulations limit the range of services that a company can use. Due to the complexity of the laws, it’s important to evaluate any potential service in a thorough manner to ensure that it is in fact HIPAA compliant. To make the process a little less daunting, we’ve collected a list of steps that make it easier to discern whether a provider can protect your organization’s data appropriately:
Does the Provider Say That the Service Is HIPAA Compliant?
This is the easiest and perhaps most obvious step. Organizations that provide HIPAA-compliant services generally advertise it quite prominently. If they are putting in the extra work to keep their clients secure and within the regulations, then the odds are that they are going to tell potential customers about it.
If you visit the company’s website (or talk to a sales rep) and don’t come across any information about HIPAA compliance, then it’s pretty safe to assume that the software or service is not HIPAA Compliant. If you want to make sure that you didn’t overlook anything, you can do a site search of the company’s website, looking for “HIPAA Compliant” and related keywords.
If you don’t find any results, it’s probably best to move on to other providers. If a company was actually HIPAA Compliant but didn’t make the information clear, it raises some serious questions about the company’s practices and strategies. Given the importance of HIPAA Compliance, it’s probably best to move on to another provider.
Let’s not get ahead of ourselves and assume that we can trust a company just because it says it’s HIPAA Compliant. This is simply the first step of the evaluation process and it helps to rule out a large number of providers. Once your organization has narrowed down the list, it still needs to analyze other aspects of the service and the company behind it.
Is the Service Provider Willing to Sign a Business Associate Agreement?
The next step is to determine whether the provider is willing to sign a business associate agreement (BAA) with your organization. If the service provider will be processing your company’s ePHI, but won’t sign a BAA with it, then any data sharing will not be HIPAA Compliant.
According to HIPAA, a BAA is required for any third party that may process your organization’s ePHI. This agreement stipulates how the data will be protected and processed, as well as where the responsibilities are delineated.
Let’s say a hypothetical organization did actually secure the data in a HIPAA-compliant manner without having signed the agreement – this would still violate the regulations, because there is no written agreement that ensures the protection of the patient data.
Look at the Company’s Reputation and Reviews
Trust is critical when it comes to HIPAA compliance. While you can’t look into the future and see how your organization’s experience with a service will play out, you can get a rough idea by looking at the company’s reputation, as well as any public reviews that may have been posted.
If a service provider has been in the industry for a long time, it’s generally a good sign. But be wary if the organization is branching out into a new service. A company could be industry-renowned for its HIPAA-compliant email, but if it have just launched a new chat service, it may not necessarily be up to the same standards. While new services aren’t necessarily bad by default, it’s probably best to do additional research before signing up to be a guinea pig.
Another key indicator is the service provider’s reviews. Do you know anyone personally or that you trust who has used the service? What did they say? Did their experience show that the company was committed to security and HIPAA compliance?
You can also look to online reviews and industry forums to find more information and stories from service providers. It’s important to not throw all of your trust into what someone says on the internet, but if you come across negative experience after negative experience, it may be a decent warning sign to steer clear. Watch out for digital marketing though – some companies are especially cunning and post ads that look like honest forum posts or reviews.
Investigate the Details
The steps listed above are a good way to narrow things down, but they are no substitute for a thorough evaluation. It’s your organization’s responsibility to make sure that a potential service has every technical, administrative, and operational measure that it needs to stay within the lines of HIPAA.
While a service provider will be responsible for compliance in a number of areas (if a BAA is in place), your organization is not at all free of obligations. It needs to make sure that it is encrypting data where necessary, that it implements effective access control, and has a host of other measures in place. It also needs an overarching policy that brings all of the elements together in a comprehensive plan.
Any HIPAA-compliant provider should be more than happy to share the technical, privacy, and legal details with a potential client. If not, your organization should be extremely suspicious of its services. If your organization lacks the expertise to thoroughly evaluate a provider, then it may be best to engage an outside consultant who can handle it for you.
HIPAA compliance is serious and complex. It’s important to get it right from the start, through careful examination and planning. If your organization doesn’t tread carefully from the beginning, it could very well find itself on the wrong side of the regulations, facing significant legal penalties.
LuxSci’s secure REST API enables LuxSci’s customers to automate account management activities, send secure email messages and secure texts, download custom reports, integrate their web sites with LuxSci WebMail using single sign on, and more.
As frequently happens, at LuxSci, we have added some more features to our API at the request of current customers. These are two new API calls related to dedicated servers. With these calls, you can take inventory of all of the dedicated servers that you gave with LuxSci (be that one or 20 or more) and then request the current status of each one. Additionally, we have updated our API documentation guides.
The API has two new functions for accessing information about dedicated servers. In order to use these functions, you will need to ensure that the configuration that you are using has the “Dedicated Servers – Servers Report” access control permission enabled. LuxSci’s API is designed with security in mind – existing configurations do not have permission to use significantly new/different features that are added over time until you explicitly grant such access.
Reports: All Servers
The first new command returns a current list of add dedicated servers assigned to your account. For each server this includes information such as the server name, unique Id, amount of RAM, number of CPU cores, etc. This is all static information; information not directly related to the current health and uptime of your server.
Report: Server Status
For any particular server in your account, you can request the server status. In addition to the static information about your server that you get from the all servers report, the server status report also includes the current values of:
If the server is up and responding.
How long since the server was last rebooted.
The 1-minute, 5-minute, and 15-minute server load averages (divided by the number of CPU cores the server has).
How much RAM and SWAP space is available and used.
How much network bandwidth has been used in the last 15 minutes, inbound and outbound.
Information about all mounted disks: How much space they have, how much is free, and what the current percentage I/O load is.
How many email messages are in your outbound email queues.
Accessing the Application Programming Interface
To start using the API, customers should first review the API documentation. Then, proceed to the API section of your LuxSci account administration pages and create a configuration and assign what types of functions your API configuration should be permitted to perform.
Remote work has become a hot topic in recent years, with the rise of digital nomads as well as those who just want to sleep in, skip traffic and avoid their bosses. The increased flexibility can be great for workers, while organizations can save on office costs and even boost employee morale.
Despite the potential benefits, remote work can complicate an organization’s cybersecurity. Instead of having everything centrally controlled in the office, businesses with remote workers also have to account for people accessing their resources in other locations over potentially insecure connections and equipment.
It’s not an insurmountable problem, and all it requires is some basic analysis, planning and policy, as well as a few simple security tools.
What Kind of Data Does the Employee Need to Access?
Before you dive into the technology requirements and write up a detailed policy framework, it’s important to perform an analysis to see what kind of access remote employees will need in the course of their work, and to determine whether they process any data that needs to be protected.
Some employees may not require any access to company systems and don’t need to deal with sensitive data. Others may need to log in to company tools and databases, while certain remote workers may need to deal with sensitive business data or ePHI. Each of these situations will require a different approach to maintain an appropriate security level within your organization.
If it’s just a graphic designer updating your flyers or a similar type of low-risk work, you probably don’t need to worry too much. The graphic designer could directly email the drafts to hackers and it wouldn’t have any serious ramifications for your company (unless the hackers have some kind of absurd hatred for spam and target your business in an over-the-top revenge plot).
For employees that don’t access company systems or its data, you really don’t need to take any major security precautions. If the employees only deal with information that you could post on a billboard without repercussions, there’s no real point in developing special systems.
The only policy that you would need in place is to ensure that the rest of your employees keep their communications on a strict need-to-know basis with remote employees. While these remote workers don’t need any sensitive information in the course of their work, it’s important to prevent any gossipers from divulging company secrets. It’s also important to segregate their computer systems from those of sensitive employees if and when they happen to be in the same location, so as to avoid the spread of malware.
If your organization already has secure systems in place, it may be worthwhile to use them with remote employees that fall into this category. It could prevent such rare slip ups at a low cost, since the infrastructure is already available.
Employees that Access Company Resources, Sensitive Data or ePHI
If remote workers need to access company systems, sensitive data or ePHI in the course of their work, then your organization will need to take a number of precautions to secure itself and the data.
Again, you first need to analyze what the employees actually need and come up with policies and technologies that allow them to safely use it, without opening up any doors to unauthorized parties.
This policy should include rudimentary security processes like enforcing strong passwords and requiring two-factor authentication.
Follow the principle of least privilege and only allow employees to access what they strictly need in order to accomplish their tasks. Opening up all of your company’s systems and its data to employees only adds unnecessary risk.
Over time, an employee’s access needs may change. If this occurs, simply adjust their privileges as necessary, whether this involves increasing or decreasing them.
Secure Employee Devices
Ideally, companies should be supplying the devices that their employees use so that they have strict control over them. These devices should have full-disk encryption with remote wipe capabilities, firewalls and antivirus software at a minimum. Your organization should also have strict rules about what employees can and cannot use company devices for.
VPNs offer one of the best ways to safely allow remote access to company resources. They fully encrypt the pathway between an employee’s device and the company server, preventing outside access.
Monitor Your Remote Workers
As part of your organization’s overall security policy, it should be monitoring and taking logs whenever employees access company resources. Not only does this deter employees from acting inappropriately, but it also makes it much easier to find the culprit if the company has been breached.
Obviously, this policy should be extended to remote workers who access company systems and data, as well as internal employees.
Sensitive data needs to be encrypted whenever it is being collected, processed, transmitted or stored. LuxSci offers a range of services that can help your organization keep this data safe, from our secure forms and hosting, to our HIPAA-compliant email.
Encrypting all of your organization’s sensitive data is a crucial part of keeping it safe when dealing with remote employees. Between this and the steps mentioned above, you can offer your employees the freedom of working from anywhere without putting your organization at risk.
LuxSci has updated its Service Level Agreement (SLA) for all shared and dedicated customers. This change supersedes the previous SLA for all existing LuxSci customers that do not have a custom SLA agreement with LuxSci.