Anti-virus scanning for files uploaded through your Web forms with SecureForm

Published: April 22nd, 2016

If you have a web form that allows end users to upload files, then you may be placing yourself at risk.  End users can upload virus-laden files or malware through these forms.  Opening such files can place your computer at risk — especially if your computer does not itself have real-time anti-virus scanning enabled, that scanning software is old or not well designed, or it is not updating itself frequently.

LuxSci SecureForm form data processing now automatically scans all uploaded files for viruses in real time.  If a virus or malware is detected, the form submission will be automatically blocked.  Current SecureForm users are automatically protected by this service.

Defense in depth is an important security measure.  Multiple barriers, multiple scans, and multiple checks all help to protect your systems.  If you are accepting arbitrary files over the Internet, have them scanned immediately on upload.  Have them scanned again when you access them using your own computer’s anti-virus system.  We are in the days where viruses do not just slow down your computer, they encrypt and lock away all of your data and/or put your identity up for sale.  You need to take as many precautions as possible to minimize your possible exposure to threats and the risk to your business.

How do I fix the reputation of my IP address?

Published: April 19th, 2016

It happens — you’re sending email messages without issue, and then suddenly they’re not being delivered, or they’re being tagged as spam.  A little digging reveals that the problem is that your “IP reputation” is now poor, and you need to fix it somehow.

This is our latest “Ask Erik” question, from Angelo Correa or Living Legacy, Inc.

How do I fix the reputation of my IP address?

What is IP Reputation?

Email service providers (e.g. AOL, Gmail, LuxSci) and email filtering systems (e.g. Barracuda, McAfee, Proofpoint, SenderScore) collaborate on and track the sending of unwanted email in order to reduce the blight of email spam that continues to plague the Internet.  Some of the significant factors that they track include:

  1. Quantity of email sent from your IP address
  2. The spam-like characteristics of these messages (based on spam filter analysis)
  3. The number of spam complaints by recipients of these messages
  4. The number of messages sent to invalid recipients or honey pots. Honey pots are email addresses that do not belong to real people and only exist as traps for senders who have acquired these email addresses via web site scraping or some other illegitimate manner.

Put together, these factors end up determining the reputation of that IP address with respect to the sending of email messages.  If the reputation becomes poor, then spam filters will start to quarantine or reject your messages, resulting in poor deliverability.

Read the rest of this post »

Infographic: Texting in healthcare – a not-so-simple exchange

Published: April 18th, 2016

Sending text messages between health care providers and patients is incredibly common but it is also generally a violation of HIPAA.  See: To Text of Not To Text.  Texting and healthcare.  This infographic covers when texting occurs and where the risk arises.

Texting in healthcare – a not-so-simple exchange

Texting in healthcare - a not-so-simple exchange

Read the rest of this post »

Are you encouraging insecurity via your Web site contact and intake forms?

Published: April 15th, 2016

Many Web sites have “contact us” pages and other Web forms for receiving requests from existing or potential customers.  This includes “new patient intake” forms on the Web sites of healthcare providers.

 

The garden variety Web form suffers from several serious problems:

  • Spam – Getting unwanted form submissions from Web robots.
  • Privacy – Often, sensitive data is submitted insecurely through these forms.
  • Archival – You may need an archived record and backup of all submissions.
  • Notices – You may need to be alerted of form submissions, even if you are not online.

Proactive privacy vs. neglect of privacy

When your Web forms transmit data insecurely, store or send data insecurely, or otherwise to do not treat the data submitted with the level protection that it deserves, you are putting the users of your forms at risk.

The typical argument is that “it is up to the user of the forms to decide if they want to submit sensitive information.” In fact, many insecure forms even have disclaimers requesting people to not submit sensitive information if they have concerns … and then the forms go on to ask lots of sensitive questions.   Especially without a disclaimer, but even with one, the form is actively soliciting people to submit their information insecurely and requesting them to take risks with their private data.   This is not good.

In areas such as healthcare, where these forms are often collecting sensitive health data (protected health information – PHI), the fact that an organization solicits the submission of PHI through insecure, non-HIPAA-compliant means is far from a “best practice”.  Why?

Read the rest of this post »

What is the least expensive way I can get my company HIPAA Certified?

Published: April 14th, 2016

A common question posed to Ask Erik involves how small organizations can get “HIPAA certified” quickly and with minimal expense.  These questions stem from desperation (people know that they are not compliant), fear (people know that non-compliance is extremely risky in terms of potential fines and bad publicity, not to mention risk to their customers/patients), lack of an understanding of HIPAA (they do not really know what getting “HIPAA certified” means), and lack of resources (time and money are both scarce).  Organizations in this situation know that they need to take steps for compliance ASAP, but they may not know what those steps are and really want to allocate the minimum possible time or money towards them.

What does getting “HIPAA Certified” mean?

The first hurdle is that there is no official, government-sanctioned HIPAA certification program.  So, there is no way to be officially “HIPAA certified” and thus be “all set.”  What you really must do is strive to be HIPAA-compliant in all aspects of your business that deal with Protected Health Information (PHI) and strive to keep up with your changing organization and the changing compliance landscape over time.

So how can I be HIPAA-compliant?

This is an ongoing process, but here are some steps to get started:

Read the rest of this post »

Is Skype HIPAA Compliant? If not, what is?

Published: April 6th, 2016

Revision 2016:  Since the article was published, Microsoft has started offering a Business Associate Agreement (BAA) for Office 365 Online of which Skype is a part.  While online documentation is very unclear, Microsoft has indicated that Skype is covered under this BAA and thus use of Skype can be “HIPAA compliant” as long as you have “Skype for Business” and the signed BAA with Microsoft.

However, Skype lacks many controls and features that are actually required for an organization to be compliant, such as access auditing, backups, and breach reporting.  This makes it unclear what the usefulness of its being “covered” under Microsoft’s BAA really is.  Microsoft is really just leaving it up to the Skype user to determine if the use of Skype is appropriate without taking any steps to ensure that use of Skype really could be compliant.  Additionally, even though Skype is covered under Microsoft’s BAA, the regular, free Skype used by most people is not covered.  So, for example, a therapist should under no circumstances have a session with a patient, where that patient is using the regular free Skype program.

Original Article Content:

In conjunction with their use of LuxSci HIPAA-compliant email and web hosting services, many small health care practices often ask us about use of Skype and other video conferencing software for communicating with patients over the Internet.

Is it possible to be HIPAA compliant while using Skype for sending PHI via chat, voice, and/or video?  Why?  Everyone else is doing it … shouldn’t I thus be able to as well?

The short answer is “no – don’t use Skype” and “there are other options available that offer this capability and allow you to be HIPAA compliant in the process.”  For the long answer, read on.

Read the rest of this post »

Press Release: How To Text and Remain HIPAA-compliant

Published: March 15th, 2016

WESTWOOD, MA, March 15, 2016 — LuxSci® announces the recent launch of SecureText, a unique solution to concerns about HIPAA-compliant text messaging, and an important step to safeguard and secure electronic patient health information (ePHI).

Communicating through text message is a convenience to which we have grown rapidly accustomed. However, sending unsecured texts places healthcare providers and patients at risk in several ways: (1) ePHI-laden messages are not always encrypted during transmission or storage; (2) anyone with access to a recipient’s phone or stored messages can view ePHI-laden messages; (3) and some ePHI-laden text messages travel through organizations which lack required HIPAA Business Associate Agreements. Additionally, since healthcare providers are required to obtain and maintain consent from patients for texting – providers must ensure that patients are adequately educated on the risks associated with sending ePHI via text and presented with secure alternatives to insecure texting.

Read the rest of this post »

Embedding SecureForms into WordPress using an iframe

Published: March 14th, 2016

WordPress is an incredibly popular Web site management and blogging platform.  Customers inquire of LuxSci frequently about the best way to add forms to their WordPress pages and posts.  Not just any forms — complex forms that can be HIPAA-compliant and which can submit data securely through SecureForm.

There are numerous options here.  The two most popular are GravityForms and embedding forms with an iframe.  GravityForms is popular and very cool, but not free.  Also as GravityForms is complex and really wants to manage all of your form data itself (insecurely), integration with SecureForm is limited:

  • Multiple forms on the same page can be tricky
  • Ink Signatures can not be captured
  • File uploads can not be captured

Another alternative, which is free as it is included with your SecureForm service, is to:

  1. Build your form with SecureForm FormBuilder
  2. Embed this form into your WordPress page or post using an iframe

What is an “iframe?”  it is a tool that allows you embed one Web page within another Web page.  When you build a form with FormBuilder — that form is automatically saved and hosted securely for you and you are provided with the Web site address (URL) for that form.  All you need to do is to “insert” that hosted form into your WordPress page/post and you are all set.  All FormBuilder features are then also supported: Ink Signatures, file uploads, geolocation, etc.

Read the rest of this post »

How do you access multiple LuxSci accounts from one browser?

Published: March 8th, 2016

Our first “Ask Erik” question comes from Peter Douglas of GFIA, Singapore:

“I’ve been a LuxSci customer for >15 years and it’s been great… to the extent that almost all the organizations I’m involved with, I’ve set up with LuxSci email and sometimes Web hosting.

On an email client I can switch between LuxSci accounts seamlessly.  But on WebMail, if I try to open my various accounts in different tabs, I keep getting logged out each time I move between accounts.

In the past your technical support has suggested using a different make of browser for each account.  This works, but it seems a bit of a duct-tape-and-WD40 approach for the 21st century.  Is there a more elegant solution to switching between multiple LuxSci accounts?”

Thank you for the great question, Peter.  Below, I shall explain what is happening and why, and then present a few good solutions for accessing or managing multiple LuxSci accounts.

Read the rest of this post »

Ask Erik!

Published: March 7th, 2016

Erik invites you to submit questions directly to him.

Erik Kangas, PhD, is the CEO of LuxSci and the editor of the LuxSci Blog.

Selected questions will be answered publicly in the LuxSci Blog and some questions will be answered via a direct response.

Good question topics include:

  1. LuxSci and desired features and services
  2. Email and email security
  3. HIPAA compliance
  4. Secure web sites and web forms
  5. Email marketing
  6. Internet security and privacy
  7. Related topics in the news or of concern to your organization

While Erik will review all questions, there is no guarantee that any particular question will be answered or that the question will be answered quickly. If you have technical support, billing, or sales needs, please contact LuxSci through the normal channels.

Submit Your Question to Erik