" access controls Archives - LuxSci

Posts Tagged ‘access controls’

Tips for Improving Account Security

Thursday, December 8th, 2022

Securing access to protected health information is a crucial tenant of HIPAA compliance. Your employees may have access to sensitive information, so ensuring their accounts are secure is essential to protecting this data. While you can’t stop users from making poor choices, there are administrative actions you can take to help improve account security. We’ve created a list to help assess your security stance.

account security

What are Access Controls?

First, let’s define what we mean by access controls. In the context of HIPAA compliance, access controls refer to the technical and physical safeguards required to maintain the integrity and confidentiality of protected health information. Physical access controls include protecting the physical security of PHI located on physical servers, files, and other hardware. This is easy to understand. File cabinets are locked, rooms require passkeys or access codes to enter, and there are often sign-in and out sheets for physical files or information.

Access controls are more complicated for digital storage. In today’s world, most electronic protected health information (ePHI) is digitally stored in EHRs, databases, or the cloud. This article discusses ways to improve account security to maintain the integrity and confidentiality of digitally stored ePHI.

Account Security Checklist

Below we’ve compiled some of our tips for improving account security. Note that HIPAA does not make specific technical recommendations for how to meet its requirements. There are many ways to meet HIPAA requirements that do not dictate the use of any specific technology. However, keep in mind that the goal is to secure the sensitive data entrusted to your organization, not just check off compliance requirements.

Unique Accounts

To track who is accessing protected health information, it’s essential that account logins are not shared among staff members. When users share login credentials, it is impossible to tell who accessed information when reviewing audit logs. This can create issues when dealing with a security incident. By clearly designating logins to individuals, it’s easy to determine who is accessing PHI and to detect unusual activity. Ensure your employees understand that sharing logins is not allowed and set policies to enforce this rule.

Secure Passwords

Many people understand the importance of having a secure password, but it’s still shocking how many people use insecure or easily guessed passwords. According to a report from LastPass, 95% of IT professionals said that passwords pose security risks to their organization. They reported that employees frequently mishandle passwords, sharing them too liberally and via insecure methods. A few steps you can take to improve password security include:

  • Using unique passwords for each account
  • Requiring the use of special characters, numbers, and capitalization
  • Randomly generating passwords
  • Using password managers to store account information securely

Administrators should create policies for passwords and enforce as many of these requirements as possible by default. Don’t rely on users making the right decisions.

Multifactor Authentication

If a user’s password is weak and gets compromised, multifactor authentication can help keep accounts secure. Multifactor authentication requires a second piece of information (usually a six-digit code) to complete the login process. The code is sent to or generated by a second device. Without access to this code, a hacker cannot log in to the account, even if they have the username and password.

We recommend using an application (like DuoSecurity or Google Authenticator) to generate the second factor because a competent hacker can intercept codes sent by text/SMS.

Time and Location-Based Settings

These settings are not required for HIPAA compliance but provide an additional layer of security. Administrators can stop logins that take place from outside of pre-set geographic regions. This is useful because many cybercrimes are launched from foreign countries. For example, logins coming from countries like Russia, China, or Iran could be forbidden by administrators. In addition, admins can lock users out when it is not their regular working hours. For example, keep users from logging in between 10pm-6am (or any time of your choosing.) Many malicious actions take place outside of regular operating hours to avoid notice. Be sure to have a way to override this in case of an emergency.

IP Restricted Logins

Restrict logins even further by requiring them to come from specific IP addresses. Administrators can use VPNs to secure traffic to their applications. The user will not be able to log in if the attempt does not come from the correct IP address.

Role-Based Permissions

Another factor to keep in mind is the principle of least access. Users should only have access to the systems required to perform their job duties. Not every user should have access to every system. Reducing the number of logins available decreases the attack surface and reduces risk. This is a key tenet of the Zero Trust security philosophy.

Automatic Log Out

Finally, prevent users from staying logged into sensitive systems indefinitely. Enforce automatic logouts after a point of idleness (this could be five minutes, 30 minutes, or an hour depending on your situation). This helps prevent unauthorized access to protected information after a user has legitimately logged in.

Conclusion

These tips represent just a few ways that administrators can improve the security of their users’ accounts and protect access to PHI.

LuxSci Tips and Tricks: WebAides Password Manager

Thursday, October 20th, 2022

We are starting a new blog series to help you understand some of the more advanced LuxSci features. First, did you know that LuxSci has a password manager tool? We designed this tool to make it easy to securely share passwords across your organization.

What is a Password Manager?

Password managers are software applications designed to store passwords securely. They require the use of one primary password to access an encrypted vault where passwords for other accounts are stored. There are many different password managers out there, with varying features and levels of security.

LuxSci’s WebAides Password Manager

WebAides Password Manager allows LuxSci users to create and securely store lists of passwords. It was designed to suit the needs of businesses and IT administrators.

With just a single primary password to remember, it’s easier to protect and store unique, complex passwords. This offers both security and convenience. WebAides Password Manager uses PGP encryption to safely store passwords for individual users or groups. This setup means that LuxSci employees cannot access the password data of our customers.

The tool is flexible, allowing administrators to control access to shared passwords. If someone is not a group member, they cannot decrypt the password. Administrators can easily add or remove users from groups to tightly control access to sensitive accounts.

Why Use WebAides Password Manager

The granular level of access control makes it extremely easy to share passwords among designated individuals from a central, secure location. Administrators can create multiple password folders to tightly control access to sensitive credentials. For example, when an employee is promoted, they may need to access different accounts. The administrator can add the employee as a member of a management password group and provide them with the primary password to access those account logins.

The tool also includes an export feature for business continuity and disaster recovery. Administrators can decrypt and backup the entire password web archive for offline storage. An offline backup of company passwords protects the organization in case of a catastrophe that brings standard systems down.

LuxSci’s WebAides Password Manager also includes a notes section for each entry. This is a great place to securely document account numbers, previously used passwords, and the security question and answers used to reset passwords or verify identity.

These features are useful for organizations with complex security and compliance needs.

How to Set Up WebAides Password Manager

Detailed instructions can be found in our Help documentation. To access your WebAides Password Manager, log in to your WebMail account and look under Apps -> Passwords. Before creating a new entry, you’ll need to generate a PGP certificate to encrypt the password. This can be done by going to the Account Settings –> Security -> Security Certificates settings.

Our support team is also available and ready to help. Contact us today to learn more.

Zero Trust Email

Tuesday, July 20th, 2021

Our third article on Zero Trust Architecture covers zero trust email and the systems it requires. In May, the Biden Administration announced a new approach to cybersecurity that included a push toward Zero Trust Architecture. We have already covered Zero Trust Architecture as a whole, and also talked about how dedicated servers are important parts of the zero trust model. Now, it’s time to talk about zero trust email.

zero trust email

Zero Trust Email and Encryption

As we discussed in our previous articles, Zero Trust Architecture begins with the presumption that an organization’s network may not be secure. Because attackers may already be inside the network, NIST stipulates that:

“…communication should be done in the most secure manner available… This entails actions such as authenticating all connections and encrypting all traffic.”

This means that emails always need encryption. While many organizations recognize external threats and encrypt their sensitive external communications, it’s still common for workplaces to use unencrypted communication methods within the company network. This is generally done under the outdated assumption that the internal network is secure.

Zero Trust Architecture understands that any attacker within the network could easily read these communications. This is why zero trust email needs to be encrypted, even when it’s within an organization’s private network. One step in this direction is to force TLS for email encryption for all entities.

The zero trust model also requires encryption at rest, so emails also need to be protected in storage, not just in transmission.

Authentication and Zero Trust Email

NIST’s publication on Zero Trust Architecture also stipulates that:

“Access to individual enterprise resources is granted on a per-session basis. Trust in the requester is evaluated before the access is granted. Access should also be granted with the least privileges needed to complete the task.”

When it comes to zero trust email, this means that sensitive messages require authentication and authorization to be read. TLS encryption alone is not sufficient, because it doesn’t have the full capability for this type of verification. While it does allow authentication and authorization on the recipient’s email account, it cannot do so on the raw message data.

LuxSci supports:

  • Sender Policy Framework (SPF) – This is a system for email authentication that can detect forged sender addresses. Due to its limitations, it is best to complement it with other email authentication measures.
  • DomainKeys Identified Mail (DKIM) – This authentication method can detect email spam and phishing by looking for forged sender addresses.
  • Domain-based Message Authentication Reporting and Conformance (DMARC) – This email authentication protocol complements SPF, allowing it to detect email spoofing. It helps to protect organizations from phishing, business email compromise attacks, and other threats that are initiated via email.

Each of these email authentication measures are useful for verifying sender identities. LuxSci also offers premium email filtering, and together these techniques limit the trust that is applied to inbound messages.

Together, these techniques identify legitimate email messages while filtering out those that are unwanted or malicious. While it isn’t directly stated in the NIST guidelines, SPF, DKIM and DMARC can all be integral parts of the zero trust framework.

Access Control and Zero Trust Email

In addition to measures for encrypting messages and verifying inbound emails, zero trust email requires granular access controls to keep out intruders. LuxSci’s Secure Email Services include a wide range of access controls that limit unauthorized access while still making the necessary resources available. These include:

  • Two-factor authentication
  • Application-specific passwords
  • Time-based logins
  • IP-based access controls
  • APIs that can be restricted to the minimum needed functionality

These configuration options help reduce the likelihood that a malicious actor can access your systems. They also limit the sensitive email data that an attacker may have access to if they do manage to compromise an organization’s network.

LuxSci’s Zero Trust Email

As a specialist provider in secure and compliant services, LuxSci’s offerings are well-positioned as zero trust email solutions. Our Secure Email aligns with Zero Trust Architecture for every industry vertical, not just HIPAA. Contact our team to find out how LuxSci can help secure your organization with a zero trust approach.