" covid-19 Archives - LuxSci

Posts Tagged ‘covid-19’

30th National HIPAA Summit Recap

Tuesday, March 30th, 2021

Last week, the LuxSci team attended the Virtual 30th National HIPAA Summit. The conference featured government and industry leaders who led sessions on updates to HIPAA rules, ongoing threats to cybersecurity, the impacts of remote work, and many other topics.

We can’t touch on every session that took place over the four days of the conference, but some of the most interesting updates came from the Office of Civil Rights (OCR) at the Department of Health and Human Services. OCR is responsible for enforcing HIPAA, so, as you would expect, their sessions were of high interest to anyone responsible for compliance.

OCR UPDATES

At the start of the pandemic, OCR adopted enforcement discretion to allow health care organizations to quickly transition to virtual health care and remote work without fear of penalties. In January, OCR announced that enforcement discretion would also apply to Covid-19 vaccine scheduling. OCR will not impose penalties on those acting in “good faith” to create online or web-based scheduling applications for Covid-19 vaccine appointments. Nevertheless, this does not mean that covered entities are off the hook when it comes to HIPAA. It is recommended that they implement “reasonable safeguards” to protect PHI.

The Office of Civil Rights has also continued to penalize organizations for right of access violations. When most people think of HIPAA, they think of protecting private information through strict security policies. However, HIPAA stands for the Health Insurance Portability and Accountability Act. Portability means that patients have a right to access and transmit their information to other insurance or health care providers as they see fit. In recent years, OCR has increasingly penalized organizations for failing to respond to patient information requests in a timely manner. It is important for health care organizations to have secure offsite back-ups of patient information to prevent enforcement actions. It is challenging to find the right balance of security and patient access, but it is so important!

CYBERSECURITY THREATS

Unsurprisingly, Covid-19 exposed organizations to new security risks as employees rapidly transitioned to remote work. Although the pandemic changed practically every aspect of our lives, phishing and ransomware remained two of the biggest security threats to health care providers. At the outset of the pandemic, many ransomware hackers voluntarily stopped targeting hospital systems in a show of solidarity. However, the respite was temporary. As the value of health care data on the black market has continued to rise, ransomware attacks have surged.

Phishing also remains a primary attack vector for intruders. OCR reported that in the first two months of 2021, hacking/IT accounted for 71% of large health care breaches. According to OCR, most large breaches have occurred via email (39%) or network servers (32%). Phishing attacks increased so much over the last year that one conference speaker noted his organization considered turning off external emails. Though it is true that the only way to completely avoid hackers is to disable your systems, it is an unrealistic option for most businesses. To combat phishing, organizations need to train staff and have technology controls in place to prevent human error. If you have the right email filtering in place, you can prevent phishing emails from even reaching your employees’ inboxes.

REMOTE WORK - LEARNING FROM THE PANDEMIC

Shifting to remote work in early 2020 left organizations scrambling to create security policies and protect patient information. Not only did providers need to worry about preventing telehealth conversations from being overheard by their families, but they also needed to be conscious of a wide array of security issues including:

  • Securing their physical workspace and devices
  • Preventing data loss
  • Protecting notes from patient conversations
  • Using secure network connections
  • Letting children or partners use work devices

The number of security risks that remote work introduced was almost immeasurable. Organizations needed to act quickly to create new policies to protect patient data, while maintaining excellent standards of patient care. Time and time again, health care organizations that lacked basic cyber hygiene like unique logins, complex passwords, and device usage policies were the most at risk of a cyberattack or breach.

One year later, organizations are continuing to adapt their policies as much of the workforce remains remote. Many presenters expect at least some of their workforce to remain remote once the pandemic ends. Some organizations were surprised to discover the benefits of having a remote workforce. Rural hospitals are better able to attract talent when remote work is an option. Patients also benefitted from increased access to health care when telehealth was an option.

The HIPAA Summit was a wonderful reminder that if you don’t have procedures and policies in place to protect your patient data and communications, it’s only a matter of time before a breach occurs. Did you attend the HIPAA Summit? We would love to learn more about your challenges with Covid-19 and secure patient communications.

Securely Sending COVID-19 and Other Test Results to Patients

Tuesday, February 9th, 2021

Securely Sending COVID-19 and Other Test Results via Email or Text

The COVID-19 pandemic has made it clear just how important it is to have secure, quick, and effective methods for sending test results to patients. A faster response may help to limit further exposures, because those with positive results may be even more likely to comply with isolation protocols. A quicker negative test result will also help people get back to their normal lives sooner.

Security is of the utmost importance, both for the privacy of patients, and also so that medical labs stay within the lines of HIPAA legislation. The need for fast, HIPAA-compliant and easy-to-access solutions may be more apparent during the current crisis,  but it will continue to be important in a post-pandemic world. Rapid results can help patients get the treatment they need in a more timely manner, and help to ease the stress that comes from longer waiting periods.

Securely Sending Test Results to Patients

While there are few providers that can meet these complex and disparate requirements, LuxSci offers solutions that are uniquely capable of securely sending large volumes of individual messages, either by email or text.


CEO Erik Kangas Featured on Total HIPAA Podcasts

Thursday, July 16th, 2020

Erik recently sat down with our friends at Total HIPAA to discuss a variety of HIPAA topics, including:

The first of the 2-part conversation can be heard here or on a mobile device via Apple Podcasts.

LuxSci is Offering Free Secure Email During COVID-19 Pandemic

Thursday, April 23rd, 2020

High Volume COVID-19 Test Results Communicated Quickly and Securely

The evolving COVID-19 pandemic continues to place extreme strain on healthcare services and diagnostic labs needing to communicate critical information, such as test results, quickly and efficiently.  These organizations are nevertheless still constrained by HIPAA regulations. LuxSci is extending its offer for free HIPAA-compliant emailing services through October 1st, 2020 to help them cope with these demands and to speed time-sensitive communications.  Interested organizations may apply at our website: LuxSci COVID-19.

LuxSci’s CEO, Erik Kangas, stressed the importance of secure email for medical test results:

“Email communication sounds mundane, but right now it can literally save lives and help us bootstrap our way back to normal more safely.  As the country starts to open up and we struggle to socially distance, knowing your results days or hours sooner may be the difference between attending an event or staying home. As I watch friends and family fall sick and fear for others, I realize that this is one unique way that we can make a small but important difference.  LuxSci is one of the few companies that has positioned itself to provide high volumes of truly HIPAA-compliant email.”

High volumes of testing and retesting will continue through the foreseeable future, thus leading to an urgent need to deliver test results to increasingly large numbers of people in a timely and secure manner.  Use of email for health care communications supports this. It’s instantaneous and ubiquitous. Even with the advent of “instant COVID-19 testing,” lab-based testing remains crucial as it provides the most accurate data about infection.

LuxSci is providing its HIPAA-compliant transactional email service free to any organization delivering COVID-19-related health or safety information. (Some restrictions may apply.) Services are available to testing labs as well as healthcare organizations of any size: those with modest needs (up to 25,000 messages/month) and high-capacity needs (millions of messages per month). Typical pricing for these services ranges from $100/month to well over $1000/month, depending on the volume.

Interested organizations may apply by visiting our website: LuxSci Covid-19.

(Previous content: March 13th, 2020 – See Press Release)

In response to the US declaration of a COVID-19 public health emergency, LuxSci is offering companies the ability to send High Volume HIPAA-compliant health/safety-related email securely, free of charge, until July 1st, 2020.

CEO Erik Kangas said,

“Communication during the COVID-19 emergency is essential, and LuxSci wants to help. That’s why, starting immediately, we are offering eligible companies the ability to share vital information with their employees and consumers free of charge. We hope the six-month window will be generous enough for this health emergency to resolve out of crisis mode and into maintenance mode.”

He added,

“We are providing accounts for sending up to 25,000 emails per month to smaller organizations with modest needs. For larger organizations, who may need to send into the millions of messages each month, we are providing free dedicated server sending solutions.” Both solutions are free through July 1st. “With coronavirus fears taking hold, the need for secure communication is in unprecedented demand. Our goal is to help protect personal information from predation during this crisis and to facilitate the fast, secure communication of critical information, such as medical testing results. If we can give companies and consumers one less thing to worry about, this is the right thing to do.”

LuxSci’s HIPAA-compliant email solutions enable companies to send PHI and other sensitive information during mission-critical or sensitive sending scenarios.

This promotion is available to all new eligible US clients; terms and conditions apply.  Existing customers who have a similar need can also apply.


Secure & Compliant Remote Work

Thursday, April 16th, 2020

As a result of the pandemic, many businesses have closed their offices and have employees working from home, which is an excellent compromise for keeping operations ongoing while keeping employees safe.

However, the shift to working from home is a big jump for many companies and their employees, particularly if an existing remote work policy isn’t in place. Organizations need to tread carefully because, with certain exceptions for the public health emergency, coronavirus doesn’t change their security and compliance obligations.

This is especially critical for organizations that process electronic protected health information (ePHI) and for employees that deal with valuable or sensitive data. If the appropriate precautions aren’t taken, companies could breach regulations like HIPAA or PCI DSS and face the significant penalties that come with violations. 

They may also have their sensitive data stolen by cybercriminals or leaked through negligence, which could lead to all kinds of problems, ranging from the theft of intellectual property to blackmail.

How Can Organizations Establish a Secure & Compliant Remote Work Policy?

Even in these difficult times, a secure and compliant remote work policy needs to be designed carefully. It needs to meet the requirements of the company and its employees, as well as any legal obligations and the needs of customers.

To address each of these needs, all of these stakeholders should be involved in the process. It’s critical to get legal advice and engage security experts to make sure that the policy and technical measures are adequate for your company’s unique circumstances.

A secure and compliant remote work policy should include:

  • Who is covered, when, and in which situations.
  • What are the organization’s responsibilities and obligations.
  • What are the employee’s responsibilities and obligations.
  • What hardware and software must be used, and in what configurations.
  • What security and privacy measures should be in place.
  • How reliability and availability will be ensured.

Companies may still have specific legal obligations for their remote workers, so a secure and compliant remote work policy needs to take these into account. For example, the company may still need to take measures to ensure that laws such as the Fair Labor Standards Act are followed and that employees are working in a safe environment. 

Once your company has developed its remote work policy, it should have each of its employees sign it so that they are aware of the expectations and committed to following them.

What Security Measures Do Companies Need as Part of Their Remote Work Policies?

The particular measures will vary from situation to situation, depending on a company’s setup, the regulations it is subject to, the data assets it has, as well as how it transmits and stores valuable or sensitive information.

Some measures for remote work, found in the HITRUST and other security guidelines, include:

  • All data should be encrypted when it is transmitted over public networks. FIPS-approved ciphers should be implemented in any of the security protocols used.
  • Wireless access points should be encrypted with WPA2 using AES as a minimum security standard.
  • Emails and other digital messages should be protected end-to-end, and sensitive information should never be sent without encryption.
  • Faxes should only be used for protected information if more secure alternatives are not possible.
  • Employees should use VPNs to connect to corporate systems, and all traffic should flow through the VPN. Any access should be remotely logged and monitored. Unauthorized connections should be monitored and reviewed quarterly at a minimum, and appropriate actions should be taken after the review process.
  • Effective authorization systems need to be in place for privileged connections and access to sensitive business information. Remote administration sessions should have heightened security measures in place.
  • The authentication process for remote devices should include additional measures on top of passwords, such as the verification of IP or MAC addresses.
  • Employee use of portable storage devices should be strictly controlled, and the information should be encrypted. 
  • Any data transfers outside of controlled areas require approval, and the details need to be recorded. Cryptographic measures need to be in place to protect the integrity and confidentiality of data when it is transferred.
  • Sensitive or valuable data should not be available to unauthorized individuals or left unattended. This includes leaving the information out on desks, on printers, or viewable by others on computer monitors.
  • External services (such as new SaaS vendors) should not be used to store or transmit information without prior approval.
  • Controls and training should be in place if personal devices are allowed to be used in the workplace.

Solutions for Secure & Compliant Remote Work

In the wake of the rapid spread of coronavirus and the significant changes it has brought, many companies are scrambling to provide secure and compliant remote work solutions to their employees.

This poses a significant challenge because when new systems are implemented abruptly, it can easily lead to mistakes. If these errors involve data leaks or compliance violations, they can have substantial long-term consequences for businesses.

To minimize risk, the best option is to use well-established and specialized solutions like LuxSci’s many offerings. All of our products are designed to be secure, to comply with various sets of regulations, and to optimize our users’ workflows.

These services include our secure and HIPAA-compliant email service, as well as tools like SecureText. The rise of coronavirus may have permanently changed work environments, but adopting LuxSci’s safe and carefully designed tools can help prevent further threats from harming your business in these difficult times.