Published: July 12th, 2017
Our latest “Ask Erik” question involves TLS delivery of email over SMTP.
Hello! I read the “How Can You Tell if an Email Was Transmitted Using TLS Encryption?” article, and found it very helpful and informative! I am currently looking into Mail Chimp’s encryption practices. On their website they advertise “SSL Encryption”. I’m not sure whether this actually means TLS yet, but I’m wondering: (1) is it possible to see if an email is SSL-encrypted (actually SSL, not TLS) other than by looking at the email headers? (2) if an email header does not contain “TLS” or “SSL”, like Hotmail’s “received” header from the article, does this necessarily mean it was sent unencrypted? Or is it possible (or likely) that hotmail would not record its encryption use?
Published: July 11th, 2017
A majority of companies and hospitals that offer email encryption for HIPAA compliance allow senders to “opt in” to encryption on a message-by-message basis. E.g., if the sender “does nothing special” then the email will be sent in the normal/insecure manner of email in general. If the sender explicitly checks a box or adds some special content to the body or subject of the message, then it will be encrypted and HIPAA compliant.
Opt-in encryption is desirable because it is “easy” … end users don’t want any extra work and don’t want encryption requirements to bog them down, especially if many of their messages do not contain PHI. It is “good for usability” and thus easy to sell.
However, opt-in encryption is a very bad idea with the inception of the HIPAA Omnibus rule. Opt-in encryption imposes a large amount of risk on an organization, which grows exponentially with the size of the organization. Organizations are responsible for the mistakes and lapses of their employees; providing an encryption system where inattention can lead to a breach is something to be very wary of.
Published: July 10th, 2017
In the last ten or so years, apps have swept through the world alongside the smartphone boom. Smartphones enabled us to carry miniature computers everywhere we went, so we quickly began to integrate them into our everyday lives.
We stopped asking for directions and used the GPS app instead, we checked out the Yelp app when we wanted to find somewhere good to eat, and we kept track of our friends on Facebook from our mobiles.
People have become accustomed to using apps these days, which has put pressure on many organizations to conduct their services through them. If they don’t offer an app, they may lose customers to their more tech-savvy competitors. The health industry is no different, so apps have become an essential offering for many organizations.
In some industries, developing apps may be relatively straightforward, but those that deal with PHI need to make sure that their app is HIPAA compliant. If your company’s app isn’t HIPAA compliant, it could result in heavy fines or a breach of patient data, which could seriously harm your business’s finances and its reputation.
To make a HIPAA-compliant app, privacy and security need to be considered at each step of development.
Published: June 30th, 2017
Technology sure has come a long way. The rise of computers and the internet has meant that we can conduct so much of our lives online. With Wi-Fi or mobile data, you can work on your laptop by the beach, do the weekly shopping on your phone and even find the life partner of your dreams through an app. One task that is notably absent is voting.
It seems like online voting would be a great idea. You could participate in democracy from the comfort of your couch, rather than having to march all the way down to the polling booth. Many believe that it would increase voter turnout as well, resulting in a more engaged democracy.
Some countries have dipped their toes in the waters of online voting and Estonia has cannonballed in, but why don’t we do it in the US? While it may seem like a relatively straightforward process, online voting presents a range of technological and security challenges that the US isn’t quite ready to deal with.
When you consider how important elections are, as well as how willing other nations are to influence elections, it is best to tread cautiously with online voting. After last year's attacks on our election, it has become evident just how vulnerable the voting process is. While online voting may certainly be viable in the future, there are several obstacles that we need to traverse beforehand.
Published: June 26th, 2017
With all the talk of Russia influencing the election through the DNC hacks and fake news, we are finally realizing just how open the political process is to manipulation. One aspect that had taken a backseat until recently was how the votes themselves can be tampered with.
Over the last month, we have uncovered more and more information about just how severe the hacks were. At this stage, it is confirmed that 39 states had their voter registration databases accessed, although officials assume that attempts were made to break into all 50.
There was at least one incident of voter data being altered; however, it was detected and rectified without any long-term damage. Almost 90,000 records were accessed and stolen from Illinois, 90% of which contained details such as driver's license numbers and the last four digits of an individual's Social Security number.
Officials are stating that these hacks didn't influence the results of the election, as no databases were permanently changed. Some have suggested that the only reason the damage wasn't worse is because US intelligence agencies caught on to the attacks and the Government issued Russia a stern warning.
Given that another country clearly had the chance to tamper with the voting process, it's time to reevaluate our election security. How can we bolster our defenses to prevent further attacks? First, we need to understand which parts of the system are vulnerable.
Published: June 21st, 2017
Protected health information (PHI) is heavily regulated under HIPAA, but the exact details can be confusing. The regulations are designed to keep everyone’s private information safe, but they also put a significant amount of responsibility on businesses.
HIPAA regulations apply to just about every aspect of a person's medical information, including its transmission, storage and security. Because email is such an important and extensively used form of communication, HIPAA regulations apply to it as well.
Some may think that secure and encrypted email is all you need to keep PHI safe and emails compliant. The reality is that HIPAA email regulations go above and beyond standard secure email. To protect your business, you need to make sure that your email provider is HIPAA-compliant, not just secure.
Published: June 19th, 2017
We all want to keep our data safe. Whether it’s personal or for business, we don’t want it to be stolen, altered or deleted. From the violation of individual privacy to breaches that cost companies millions to recover from, losing control of data can be damaging in numerous ways.
There are many techniques for keeping data safe and any good security policy must combine a range of them. One important piece of the data-security puzzle is full-disk encryption. This encrypts everything on the disk, apart from the master boot record.
Encryption allows you to make data unreadable unless someone has the key. With full-disk encryption, the key must be entered when you boot your device in order to access the disk or any of its files.
Published: June 14th, 2017
Someone claims to have sent you an email message. You never got it, as far as you know. How can you determine if the sender actually sent the message? How do you prove or disprove the claim?
This question is submitted by a reader via “Ask Erik” — a channel by which anyone can ask LuxSci a technical question.
Published: June 13th, 2017
It seems like major hacks are always in the news. Whether it is the vicious WannaCry ransomware that swept across the world or the constant stories about Russian hacks, we are being bombarded by increasingly devastating online threats. If you want to help prevent your organization from becoming the next in a long line of victims, you really need to start paying attention to your cyber security efforts.
A solid defense requires a comprehensive security policy that measures your assets against their risks and adapts as these things change. While an overall plan is important, there are several things you can do right now to bolster your security and help prevent the latest attacks.
Published: June 7th, 2017
When it comes to cyber security, nothing is 100%. No matter how advanced your defenses are, hackers can find a way around them if they have enough time, money and resources. Because breaches can affect any business, it is important that you are prepared for worst-case scenarios ahead of time. The right planning will help minimize damage to your business and help it get back on its feet sooner.