Security and HIPAA Changes Coming Soon to LuxSci
On January 30th, 2010, LuxSci will be releasing a set of software updates that add new security features and enhance existing security features. Additionally, LuxSci is introducing a new Business Associate Agreement for HIPAA customers — one that complies with the new HITECH provisions of HIPAA. These changes will impact some existing and future customers, as described in this notice.
HIPAA Changes for HITECH
LuxSci is a vendor commonly used by customers who must abide by HIPAA; a Medical Business Associate Agreement has been part of our standard service contract for some time. LuxSci will be publishing a revised Agreement on January 30th which will reflect the changes required by the Health Information Technology for Economic and Clinical Health Act (HITECH), which goes into effect on February 17th.
The LuxSci HIPAA HITECH time line:
- January 30th, 2010
  - Software changes to be released to provide enhanced auditing and security to accounts.
  - All new HIPAA accounts will be required to physically sign an updated Business Associate Agreement and meet new guidelines for being designated as a “HIPAA Account.”
- First 2 weeks of February, 2010
  - LuxSci will be contacting existing customers who appear to be HIPAA-related, letting them know of these changes, asking them to sign the new Business Associate Agreement, and ensuring that their account(s) meet our security requirements for HIPAA.
- February 17th, 2010
  - LuxSci’s previous Business Associate Agreement expires and is considered void due to the requirements of HITECH.
  - Any existing customer who must abide by HIPAA needs to have a new BAA signed and their account reviewed before they will be designated as a “HIPAA Account” by LuxSci.
The new Business Associate Agreement is ready, so if you are an existing customer who must abide by HIPAA, please contact us to get the process started. Likewise, if you have not heard from us by the beginning of February 2010 and you know that you transmit or store PHI, you must contact LuxSci to initiate a new explicit Business Associate Agreement and to ensure that your account meets the security requirements of HIPAA.
We will publish the new security requirements for LuxSci’s HIPAA accounts in full detail on January 30th, 2010; however, the highlights are:
- All email hosting users must have SecureLine licenses for end-to-end email encryption.
- All logins to all services at LuxSci must be over SSL, TLS, or SFTP.
- All outbound email must be encrypted using SecureLine.
- All user passwords must be “strong”.
- All SecureForms must be configured securely.
- All WebAide feeds must be accessed over SSL and be password protected.
- Only Premium High Volume Outbound Email accounts can be HIPAA accounts.
LuxSci will review your account to be sure that potential PHI is protected, including:
- Sent email messages
- Received email messages that are encrypted or that originate from LuxSci servers
- The content stored in WebAides
- The content stored in non-third party Widgets
- The contents of any customer MySQL databases
- Files stored in the customer’s non-public web hosting/FTP file space.
If you have any concerns about how HIPAA applies to your email or web hosting, or questions about how LuxSci can help you meet your HIPAA requirements, please contact us.
Security Changes that Impact Existing Customers
The concept of “Enforced Secure Logins” is being extended to FTP access and remote MySQL access. This change is to protect user names and passwords from eavesdropping attacks when connecting to these services.
- Any user for whom “Secure Logins” is enforced at the global, domain, or personal level will no longer be permitted to connect to his/her FTP account insecurely. Affected users will have to connect with SFTP (file transfer over SSH) instead.
- Anyone in an account with “Secure Logins” enforced on a global (account-wide) level, will be forced to use SSL to connect to their MySQL databases, if connecting remotely. Connections from their LuxSci web server / web site do not have to use SSL.
Anyone who is affected by these two changes should take steps to ensure that they can connect securely before January 30th, when these services will start being locked down.
- Secure FTP: First, your account administrator should ensure that your user has permission to use “SCP/SFTP”. This is set in the User Configuration section of the User Administration area. Then, use an FTP program that supports SFTP, such as FileZilla, to connect to your FTP area.
- MySQL SSL: If you can configure your system to connect over SSL to port 5001 on your LuxSci database server, then you can access your database securely. One easy way to do this is to set up an stunnel client on your server that forwards a local port to our server’s port 5001, and point your MySQL client at that local port.
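The stunnel approach above, written out as a client configuration. This is an added example, not a configuration published by LuxSci: the database host name db.example.com and the CA bundle path are placeholders to be replaced with the values for your own account. The point it adds is certificate verification: a tunnel that does not verify the server certificate protects the password from passive eavesdropping but not from an active man-in-the-middle.

```ini
; stunnel client configuration (added example, not LuxSci's own config).
; Assumptions: db.example.com and the CAfile path are placeholders; substitute
; the database host name and CA bundle that apply to your LuxSci account.

client = yes

; Verify the server's certificate chain against the trusted CA bundle.
; Without this, stunnel relays to any endpoint that presents any certificate.
verify = 2
CAfile = /etc/ssl/certs/ca-certificates.crt

[mysql-luxsci]
; Listen only on loopback so that other hosts cannot ride the tunnel.
accept  = 127.0.0.1:3306
; LuxSci's SSL-wrapped MySQL port, as stated in the notice.
connect = db.example.com:5001
; Reject a certificate issued to a different host name (stunnel 5.06 or later).
checkHost = db.example.com
```

With stunnel running, connect the client to the local end of the tunnel, for example `mysql -h 127.0.0.1 -P 3306 -u dbuser -p`. Use the literal address 127.0.0.1 rather than `localhost`: on Unix the MySQL client treats `localhost` as a request for the local Unix socket and would bypass the tunnel.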
Other Changes Going into Effect
Along with these changes, the January 30th release will contain many other enhancements, some of which include:
- Exporting of account access audit trails as CSV files
- Expanded auditing of actions and changes to accounts.
- An option to ensure that all SecureForms are configured in a secure way.
- An option to ensure that all WebAide feeds are set up with password protection and an SSL requirement.
- A Security Audit feature that allows administrators to review all of the security settings of their accounts on a single page, identifying places where security could be improved.
A full list of changes will be posted in the Blog at the time of the software release.