New Feature Announcements Archives - Page 7 of 18 - LuxSci

Archive for the ‘New Feature Announcements’ Category

Remote Work & Its Cybersecurity Implications

Tuesday, June 4th, 2019

Remote work has become a hot topic in recent years, with the rise of digital nomads as well as those who just want to sleep in, skip traffic and avoid their bosses. The increased flexibility can be great for workers, while organizations can save on office costs and even boost employee morale.

Despite the potential benefits, remote work can complicate an organization’s cybersecurity. Instead of having everything centrally controlled in the office, businesses with remote workers also have to account for people accessing their resources in other locations over potentially insecure connections and equipment.

It’s not an insurmountable problem, and all it requires is some basic analysis, planning and policy, as well as a few simple security tools.

What Kind of Data Does the Employee Need to Access?

Before you dive into the technology requirements and write up a detailed policy framework, it’s important to perform an analysis to see what kind of access remote employees will need in the course of their work, and to determine whether they process any data that needs to be protected.

Some employees may not require any access to company systems and don’t need to deal with sensitive data. Others may need to log in to company tools and databases, while certain remote workers may need to deal with sensitive business data or ePHI. Each of these situations will require a different approach to maintain an appropriate security level within your organization.

Low-risk Employees

If it’s just a graphic designer updating your flyers or a similar type of low-risk work, you probably don’t need to worry too much. The graphic designer could directly email the drafts to hackers and it wouldn’t have any serious ramifications for your company (unless the hackers have some kind of absurd hatred for spam and target your business in an over-the-top revenge plot).

For employees that don’t access company systems or its data, you really don’t need to take any major security precautions. If the employees only deal with information that you could post on a billboard without repercussions, there’s no real point in developing special systems.

The only policy that you would need in place is to ensure that the rest of your employees keep their communications on a strict need-to-know basis with remote employees. While these remote workers don’t need any sensitive information in the course of their work, it’s important to prevent any gossipers from divulging company secrets.  It’s also important to segregate their computer systems from those of sensitive employees if and when they happen to be in the same location, so as to avoid the spread of malware.

If your organization already has secure systems in place, it may be worthwhile to use them with remote employees that fall into this category. Doing so could prevent such rare slip-ups at a low cost, since the infrastructure is already available.

Employees that Access Company Resources, Sensitive Data or ePHI

If remote workers need to access company systems, sensitive data or ePHI in the course of their work, then your organization will need to take a number of precautions to secure itself and the data.

Again, you first need to analyze what the employees actually need and come up with policies and technologies that allow them to safely use it, without opening up any doors to unauthorized parties.

This policy should include rudimentary security processes like enforcing strong passwords and requiring two-factor authentication.

Access Control

Follow the principle of least privilege and only allow employees to access what they strictly need in order to accomplish their tasks. Opening up all of your company’s systems and its data to employees only adds unnecessary risk.

Over time, an employee’s access needs may change. If this occurs, simply adjust their privileges as necessary, whether this involves increasing or decreasing them.

Secure Employee Devices

Ideally, companies should be supplying the devices that their employees use so that they have strict control over them. These devices should have full-disk encryption with remote wipe capabilities, firewalls and antivirus software at a minimum. Your organization should also have strict rules about what employees can and cannot use company devices for.

VPN Access

VPNs offer one of the best ways to safely allow remote access to company resources. They fully encrypt the pathway between an employee’s device and the company server, preventing outside access.

Monitor Your Remote Workers

As part of your organization’s overall security policy, it should be monitoring and taking logs whenever employees access company resources. Not only does this deter employees from acting inappropriately, but it also makes it much easier to find the culprit if the company has been breached.

Obviously, this policy should be extended to remote workers who access company systems and data, as well as internal employees.

Encrypt Everything

Sensitive data needs to be encrypted whenever it is being collected, processed, transmitted or stored. LuxSci offers a range of services that can help your organization keep this data safe, from our secure forms and hosting, to our HIPAA-compliant email.

Encrypting all of your organization’s sensitive data is a crucial part of keeping it safe when dealing with remote employees. Between this and the steps mentioned above, you can offer your employees the freedom of working from anywhere without putting your organization at risk.

Telehealth & BYOD: Is It a Bad Idea?

Tuesday, May 21st, 2019

Telehealth leverages telecommunication technology to provide healthcare and related services. It can include treatment, education, prevention, reminders, communication and other measures that rely on devices and technology.

Over the past few years, it has become more common for companies to allow their employees to bring their smartphones into the workplace. This practice, known as bring your own device (BYOD), has been embraced by many businesses because it can help to reduce costs, boost productivity, and increase employee satisfaction.

Despite these benefits, BYOD policies come with a number of security complications. Since healthcare organizations deal with vast quantities of highly regulated and sensitive information, the security and privacy of data is even more critical than in other sectors.

Given the risks of breaching electronic protected health information (ePHI), or going through a costly and disruptive HIPAA violation, are BYOD policies appropriate for telehealth practices?

Devices in Healthcare

Devices such as smartphones and tablets are now seen as an essential part of the medical world. They can help to improve communication and give patients new options for treatment. They are also a core aspect of telehealth practices.

Given the necessity of these devices in the healthcare industry, organizations have two ways that they can facilitate their use. They can either provide devices for their employees, which allows employers to maintain strict controls over how they are used, or they can let their employees bring their own devices and use them as part of their work processes.

Employer Provided Devices

Providing devices for employees is the ideal option from a security perspective, particularly in a health scenario where there is so much sensitive data at stake. Since employers own the devices, they can regulate where and how they are used without too many major issues.

The most important aspect is to make sure that the rules are enforced to minimize any breach-related risks.

Another major challenge is keeping the personal devices of employees outside of the workplace. Since they have become a mainstay of modern life, it can be difficult to prevent employees from bringing smartphones in to work and using them. It requires strongly enforced policy and a high level of employee awareness to manage this risk.

BYOD Devices

If personal devices are going to be allowed in the workplace or as part of a healthcare worker’s job, a strict BYOD policy needs to be in place. The threat of exposing ePHI is simply too great for healthcare organizations to neglect having one.

These policies should define when, where, how and through which applications employees may use their devices, as well as what is strictly prohibited.

If employees are allowed to use personal devices in the course of their jobs, then the BYOD policy needs to be even more stringent. Businesses have two major ways that they can do this and still safeguard ePHI to a reasonable degree.

The first is to only allow access to ePHI through VPNs or web portals, never storing any sensitive patient data on the personal devices of employees. This can secure data without being too intrusive.

Alternatively, employers can require their workers to add security software and make sure that devices are configured properly to safeguard any ePHI. This includes things like encrypted folders and remote wipe capabilities.

Since this option involves mandating how employees use their own devices and can even affect their personal files, it’s not ideal. It can lead to privacy concerns and cause employee dissatisfaction.

Should Your Organization Allow BYOD?

Ideally, healthcare organizations should keep personal devices out of the workplace to minimize the risks of leaking ePHI and facing HIPAA violations. This may not be practical for all businesses, so those that choose to allow personal devices need to be aware of the risks and adopt a strict policy that minimizes them.

Telehealth: The Benefits & The Risks

Tuesday, April 30th, 2019

In recent years, telehealth has been touted as a solution to many of our society’s medical problems. It has the potential to make health services more efficient and improve patient access. Despite these benefits, telehealth isn’t without its risks and challenges.

What Is Telehealth?

Telehealth is the practice of leveraging information technologies to deliver patient care and other health-related services. The term can be used broadly to include providing healthcare from a distance, health-related education, monitoring, intervention, communication and more.

Telehealth is often used interchangeably with telemedicine or eHealth, although some may argue that telemedicine is more focused on providing healthcare from a distance, and eHealth is more focused on electronic communication and processing.

In comparison, two medical practitioners discussing a case over a video call could fall under the umbrella of telehealth, even though it may not relate directly to the treatment of a patient.


What Are the Benefits of Telehealth?

At its primary level, telehealth involves applying technology to enhance healthcare and its surrounding processes. Just as in most other sectors, our evolving technology can be used in numerous ways to improve treatment, outcomes, communication and efficiency.

One of the most obvious examples of the benefits of telehealth involves those who live in regional areas. In these cases, it may be either impossible or extremely costly for a patient to receive medical treatment from certain specialists.

Without telehealth, the only possibility would be for either the patient to travel to the medical practitioner, or for the healthcare specialist to go to them. Depending on how remote the patient is, this can be incredibly inefficient.

Advances in technology have completely changed the treatment prospects in these cases. As long as there is an adequate internet connection, healthcare specialists may be able to monitor their patient, give advice, diagnose them or even provide treatment without leaving their offices.

This increases healthcare access and makes the whole process much more efficient. If healthcare professionals don’t need to account for travel time between clients, they can see far more patients each day, easing the burden on the healthcare system and essentially making treatment cheaper.

On top of this, telehealth can help to promote healthcare education, disease prevention and more. It can also increase access and reduce costs in each of these aspects.

What Risks Are Involved in Telehealth?

While telehealth opens up a world of opportunities in medical care, it is not without its challenges and it should not be implemented without adequate planning. We will mainly discuss the technical, privacy and security challenges, although there can be other issues, such as reduced quality of care in certain situations.

One of the primary requirements for telehealth is a stable and reliable connection. If the network infrastructure is inadequate, it could limit the quality of care that a patient receives, or even endanger them. In cases where internet connections are poor, traditional medicine should be used instead.

On top of this, there is the issue of consent. Should the patient be required to give it before any telehealth practices begin? The technology-based nature of telehealth involves numerous complications that simply don’t exist in face-to-face healthcare. Since technology links the two parties together, there are a range of privacy and security issues which patients need to be aware of.

Telehealth & Privacy

Let’s look at an example of a potential privacy issue. Patients with certain conditions may have in-home monitoring technology to detect falls or other health-related incidents. The issue is that these technologies, whether they be cameras or sensors, will also detect information which the patient may not want exposed.

This could include when their home is unoccupied, or it could even reveal things about their intimate relationships, drug abuse or other private matters. This leads into our next issue, telehealth and its security.

Telehealth & Security

By its very nature, telehealth involves collecting, processing, transmitting and storing data which would normally not be a part of traditional medicine. As we mentioned above, this information can be problematic, even when it is only in the hands of authorized personnel such as healthcare professionals.

But what happens if this data falls into the hands of attackers?

Healthcare information is some of the most valuable of all, because it tends to be comprehensive and can also include sensitive details. For this reason, it is important for any applications of telehealth to use appropriate security measures. These include encryption both in transit and at rest, authentication and access control.

Telehealth Is Still in a Regulatory Gray Area

Since telehealth is yet to be widely used, our laws haven’t had a chance to catch up with it. The best guidance probably comes from HIPAA, although these laws are intentionally vague to allow organizations to implement security in a way that is most suitable for the situation. Because of this, businesses should err on the safe side whenever they use telehealth.

Should Your Organization Use Telehealth?

When deciding on whether your organization should use telehealth, the first step is to determine whether it will actually be beneficial. Will it improve patient outcomes or increase efficiency within your organization?

If you can foresee definite benefits, then you should take the time to examine how it would be applied and secured. Due to the risks involved in telehealth, it’s important to take the appropriate planning steps and make sure that adequate security measures are in place.

Rushing into telehealth without taking the time to examine its repercussions could lead to data breaches, HIPAA violations, or even lower health outcomes for your patients.

If you are interested in pursuing telehealth at your organization, contact LuxSci first. We have almost two decades of experience in healthcare security, so we can help your business get the most out of telehealth, without being trapped by its numerous pitfalls.

Email Open and Click Tracking for Everyone

Tuesday, April 2nd, 2019

Have you ever sent an email message and then wondered:

  • Did they open your email message?  
  • Did they click on any of the links that you included?  
  • Which links?  
  • Was the message forwarded on and opened by other people?  
  • When did they read it?

Typical email marketing platforms, like LuxSci’s Spotlight Mailer, include features that expose this information for the email marketing campaigns sent through them.   However, not all email marketing systems include email open and click analysis.  And, what about sending email via other means, e.g., through WebMail, Outlook, iPhone, API, basic SMTP relaying, etc.   Most outbound email systems that are not explicitly geared towards email marketing do not provide any means to learn the answers to these important questions.

With LuxSci’s new email open and click tracking options, LuxSci will add codes to your messages so that you can gather the answers to such business-critical questions for any messages sent through LuxSci:

  • WebMail
  • API
  • SMTP Relaying — i.e., Outlook, Mac Mail, iOS, Android, and all other programs that connect via SMTP

Open and click tracking is included as a standard feature with LuxSci email hosting, LuxSci high volume secure sending, and LuxSci smart hosting.

HOW DOES IT WORK?

When LuxSci email open tracking is enabled, LuxSci adds a small image to the end of the HTML part of every message sent to every recipient.  When the recipient opens this message, that image is requested from LuxSci’s servers and we record the “email open” event.   This includes the date/time it was opened, the recipient of that message, and the IP address / physical location where the message was opened.

When LuxSci email click tracking is enabled, LuxSci modifies the links in all HTML parts of every message sent to every recipient.  When the recipient clicks on any of these links, they are taken first to LuxSci.  We record the click event. This includes the URL clicked, date/time it was clicked, the recipient of that message, and the IP address / physical location where the link was clicked.  Then, LuxSci redirects your recipient to the actually intended web address.  This happens so fast that most people never notice the tracking.
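The rewriting step described above, as an added Python sketch; it is not LuxSci's code, and the tracking host, URL layout, key and sample HTML are constructed for illustration. The HMAC on each link is a design choice of this example, so that the redirector only forwards to destinations it rewrote itself.

```python
import hashlib
import hmac
import html
import json
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions of this sketch: tracking host, URL layout and key are made up.
TRACK_BASE = "https://track.example.com"
SECRET = b"constructed-demo-key"

HREF_RE = re.compile(r'(<a\b[^>]*?\bhref=")(https?://[^"]+)(")', re.IGNORECASE)
BODY_END_RE = re.compile(r"</body\s*>", re.IGNORECASE)

# Constructed sample HTML part.
SAMPLE_HTML = ('<html><body><p>See our <a href="https://example.org/pricing'
               '?plan=pro&amp;ref=mail">pricing</a>.</p></body></html>')


def sign(*parts: str) -> str:
    """HMAC over the tracked fields so the redirector can reject edited links."""
    return hmac.new(SECRET, json.dumps(parts).encode(), hashlib.sha256).hexdigest()


def add_tracking(html_part: str, message_id: str, recipient: str) -> str:
    """Route every http(s) link through the redirector and append an open pixel."""
    def rewrite(match: re.Match) -> str:
        dest = html.unescape(match.group(2))
        query = urlencode({"m": message_id, "r": recipient, "u": dest,
                           "sig": sign(message_id, recipient, dest)})
        return match.group(1) + html.escape(f"{TRACK_BASE}/c?{query}") + match.group(3)

    tracked = HREF_RE.sub(rewrite, html_part)
    query = urlencode({"m": message_id, "r": recipient,
                       "sig": sign(message_id, recipient, "open")})
    pixel_url = html.escape(f"{TRACK_BASE}/o?{query}")
    pixel = f'<img src="{pixel_url}" width="1" height="1" alt="">'
    # Place the pixel at the end of the HTML part, before </body> when present.
    tracked, found = BODY_END_RE.subn(lambda m: pixel + m.group(0), tracked, count=1)
    return tracked if found else tracked + pixel


def resolve_click(url: str):
    """Redirector side: return the click event, or None if the link was altered."""
    fields = parse_qs(urlsplit(url).query)
    try:
        m, r, u, sig = (fields[k][0] for k in ("m", "r", "u", "sig"))
    except KeyError:
        return None
    if not hmac.compare_digest(sig.encode(), sign(m, r, u).encode()):
        return None
    if urlsplit(u).scheme not in ("http", "https"):
        return None
    # A real service would also record the time and client IP, as the text says.
    return {"message": m, "recipient": r, "url": u}


if __name__ == "__main__":
    print(add_tracking(SAMPLE_HTML, "msg-001", "alice@example.net"))
```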

HOW DO I ENABLE OPEN AND CLICK TRACKING?

Open and/or click tracking can be enabled in LuxSci on an account-wide, domain-wide, or per-user basis; you can customize its usage to match your business needs.

To enable account-wide, for all messages sent by all users in your account, go to:

  • Account Settings > Email
  • Scroll down to “Open Tracking” and “URL Click Tracking”
  • Toggle the settings to “On” and press “Save Changes”

To enable domain-wide, for all messages sent by all users whose email addresses belong to a specific domain, go to:

  • Account Settings > Domains
  • Click on the domain in question (if you have multiple in your account).
  • Click on “Outbound Email Settings” on the left
  • Scroll down to “Open Tracking” and “URL Click Tracking”
  • Toggle the settings to “On” and press “Save Changes”

To enable for all messages sent by a specific user, go to:

  • Your user outbound email settings
  • Scroll down to “Open Tracking” and “URL Click Tracking”
  • Toggle the settings to “On” and press “Save Changes”

HOW DO I SEE MY OPEN AND CLICK TRACKING REPORTS?

Once you have enabled open or click tracking and have sent some messages, you can look and see what has happened. Did anyone open the messages? Who clicked on what links? When?

There are several ways to dig into this juicy data.

User-Level Reports

Log in to your LuxSci account and go to your Reports area. From there, open up the menu area on the left for “Sent Email – From WebMail” or “Sent Email – From SMTP Server,” depending on which messages you are interested in. Next, you can look at the “Message Opens” and “URL Clicks” reports to see what has been opened and clicked. Note that you can export data using the “Download CSV File” button on the upper right of the page. Open and Click details are also available in the “Delivery Status” reports via the “Advanced” reporting tab.

Account-Level Reports

As an account administrator, you can view reports covering sending across all users in your account. Go to your Account Reports area. Then, open the “Sent Email” menu on the left and you can find reports analogous to the user-level ones, described above, but inclusive of the sending from all users.

API Reports

If you would like to integrate email open, click, and other deliverability information into your own database or application, you can use LuxSci’s REST API. The API provides all of the functionality of the user and account user interface reports, but through programmable queries and filters.

WHAT ABOUT WHITE LABEL BRANDING?

When open or click tracking is enabled, images and/or links are added to your email messages that reference luxsci.com.  If you would like to customize this so that your own domain name is used for these images and links, LuxSci offers “Private Labeling.”  Customers with Private Labeling can customize many aspects of LuxSci, including the look of the WebMail interface and the domain name used for these links and images.  If you already have Private Labeling enabled, then your configured secure domain name will be automatically used with open and click tracking.

Want to learn more about HIPAA-compliant email marketing and reporting? Contact us.

How Secure Is Your Email Provider?

Tuesday, March 26th, 2019

Most people don’t put a lot of thought into the security of their email. As long as it sends and receives messages without overloading them with spam, it seems to be enough, right?

Well, that depends on what you use your email for.

If you only use it for reading chain letters from your aunt and skimming through the newsletters from your favorite organizations, then you might not have much to worry about.

But very few people use their email in such a limited manner. It’s often used as a second authentication factor for other accounts, many people get their bank statements sent to them via email, and others use it to talk about critical work details.

That’s not to mention the countless other pieces of sensitive and valuable information that people communicate over email each day.

If you use your email for any of the above, then you need to think twice about your email’s security.

Why?

Because email is inherently insecure.

Without additional protective measures, the plaintext of your emails can easily be intercepted by attackers.

That’s right. Someone could have seen your online banking passwords that time you emailed them to your husband. A hacker could have read that message you sent to a friend where you called your boss every bad name in the book, then used it to blackmail you. An attacker could even receive the link to reset your password and use it to hijack your account.

If that’s not bad enough, your messages can also be modified or deleted in transit. And this is just the tip of the iceberg when it comes to the security and privacy issues that surround email.

Let’s look at some of the particular problems associated with some of the world’s most popular email providers, Gmail and Outlook:

Gmail

Thankfully, in 2017, Google announced that it would no longer be automatically scanning emails for advertising purposes. It’s good news that they are no longer diving through their customers’ messages with their tools. However, third-party apps that are installed on people’s devices can still be configured to scan through emails instead.

So maybe Google isn’t going through your messages any more, but there is the potential that other companies are.

Messages are encrypted within Gmail’s systems and when traveling to some of the major email providers. However, this all depends on the recipient’s email provider, and some providers may not offer TLS encryption. This means that a message may travel part of the way as cleartext.
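One way to see where a delivered message travelled without TLS, as an added Python example that is not from the original post: it reads the message's Received headers and flags hops whose "with" keyword does not record TLS. It assumes the servers on the path use the RFC 3848 keywords (ESMTPS, ESMTPSA, LMTPS, LMTPSA); the sample message is constructed.

```python
import email
import re
from email import policy

# "with" keywords that record a TLS-protected hop (RFC 3848 registry).
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

COMMENT_RE = re.compile(r"\([^()]*\)")

# Constructed sample message; hosts, addresses and ids are made up.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
        by store.recipient.example with ESMTPS id c3;
        Tue, 26 Mar 2019 10:00:05 +0000
Received: from relay.sender.example (relay.sender.example [198.51.100.7])
        by mx.recipient.example with ESMTP id b2;
        Tue, 26 Mar 2019 10:00:03 +0000
Received: from laptop.sender.example (unknown [192.0.2.44])
        by relay.sender.example with ESMTPSA id a1;
        Tue, 26 Mar 2019 10:00:01 +0000
From: sender@sender.example
To: reader@recipient.example
Subject: constructed sample

Hello.
"""


def trace_hops(raw_message: str) -> list:
    """Return one dict per Received header, oldest hop first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    # Each receiving server prepends its header, so reverse to get path order.
    for header in reversed(msg.get_all("Received") or []):
        text = " ".join(str(header).split())
        # Drop parenthesised comments (possibly nested) before reading clauses.
        while COMMENT_RE.search(text):
            text = COMMENT_RE.sub(" ", text)
        clauses = text.rsplit(";", 1)[0]  # the date follows the last ';'

        def clause(name: str):
            found = re.search(rf"(?:^|\s){name}\s+([^\s;]+)", clauses, re.IGNORECASE)
            return found.group(1) if found else None

        proto = (clause("with") or "").upper()
        hops.append({"from": clause("from"), "by": clause("by"),
                     "with": proto or None,
                     "tls_recorded": proto in TLS_KEYWORDS})
    return hops


def unprotected_hops(raw_message: str) -> list:
    """Hops with no TLS keyword. Local hand-offs inside one host show up here
    too, and headers added before your own servers can be forged by a sender."""
    return [hop for hop in trace_hops(raw_message) if not hop["tls_recorded"]]


if __name__ == "__main__":
    for hop in unprotected_hops(SAMPLE):
        print(f'no TLS recorded: {hop["from"]} -> {hop["by"]} ({hop["with"]})')
```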

When you add in Google’s strong history of collecting as much user data as they can, it’s safe to assume that Gmail is not the best option for those who are privacy conscious.

Outlook

Outlook does offer configuration options to send completely encrypted email, but it is not set up by default and can easily be misused. It operates under a different funding model to Gmail, so one positive aspect is that it hasn’t been as rife with privacy issues as Google’s offering.

While it is possible to sign a Business Associate’s Agreement with Microsoft, Outlook isn’t really set up to be HIPAA-compliant, so using it for your HIPAA needs can be very dangerous.

Looking for a Provider that Takes Your Email Security Seriously?

None of the major providers make it easy to be HIPAA compliant, nor are they designed with your security needs in mind. These organizations are also huge targets for hackers and they have massive attack surfaces that they need to defend. All of them have had a number of serious data breaches over the years as well.

LuxSci is a security provider that specializes in HIPAA compliance, and keeping our customers safe is one of the foremost design objectives in all of our services. That’s why we’ve tailored our secure email service to offer completely encrypted email in a number of different ways, including TLS, portal-pickup, PGP and S/MIME.

We also offer a range of configuration options that make it easy to prevent user errors, such as opt-out encryption.

If you really care about your email’s security, then you should be choosing a provider who prioritizes it at the core of their service, rather than a mainstream competitor who has only tacked it on over the years after countless damning media reports. Keep your messages safe with LuxSci.

Want to discuss how LuxSci’s HIPAA-Compliant Email Solutions can help your organization?  Contact Us