email Archives - LuxSci

Posts Tagged ‘email’

What is the Difference Between Asynchronous and Synchronous Communications?

Tuesday, June 7th, 2022

Synchronous and asynchronous are terms used to describe when and how individuals communicate. The critical difference between asynchronous and synchronous communication is that synchronous communications are scheduled, real-time interactions. Asynchronous communications happen independently and don’t need scheduling.

This article explores the differences between each and how they can be utilized in a healthcare context.

Synchronous Communications

Synchronous communications happen in real-time between two or more people. Examples of synchronous communications include in-person meetings, videoconferencing, phone calls, or other types of interactions where an immediate response is expected.

In a health care context, this face-to-face time is precious and can be hard to schedule. Unless seeking acute care at an emergency department or urgent care facility, it is not easy to have same-day synchronous communications with a care provider. Telehealth live video appointments are also considered synchronous.

Asynchronous Communications

Alternatively, asynchronous communications are interactions without real-time conversation. The replies to asynchronous messages are delayed and happen on the participants’ schedules. Email, texting, patient portal messaging, video libraries, or other online wikis are considered asynchronous communications.

Asynchronous communications are becoming more popular among patients and healthcare providers. The advent of patient portals with secure messaging capabilities allows for non-urgent communications to be sent securely and answered on time.

Which is better for healthcare communications?

It depends on the context. Synchronous communications are always better for urgent scenarios. If a sick child exhibits flu-like symptoms, it makes sense to use synchronous communication channels to contact their pediatrician.

However, asynchronous communications are an excellent option for most administrative healthcare interactions. Questions about billing, appointment scheduling, referrals, prescription refills, etc., are not urgent and most often do not require a face-to-face interaction.

Some non-urgent medical questions can also be addressed through asynchronous communications. For example, if a patient has a rash or insect bite, they can upload an image of the rash to a patient portal where a clinician can diagnose and recommend a treatment remotely. Of course, the question may not be answered immediately, but it could be a good option for diagnosing and treating minor skin conditions and irritations.

Improving the Patient and Clinician Experience

In fact, cutting down the number of synchronous communications can help improve both the clinician and patient experience. On the clinician’s side, constant interruptions by phone calls or live video chats can be detrimental to productivity and increase stress. By encouraging asynchronous communications for non-critical issues, clinicians can block off time to respond to messages. They can also take time to deliver thorough responses instead of rushing or being unprepared for conversations.

From the patient’s perspective, asynchronous communication can often offer a better experience. Almost everyone has called their doctor’s office and been put on hold for extended periods. It is frustrating, can take a lot of time out of a workday, and often doesn’t deliver an adequate response. Instead, patients can send a message and be confident that it will be addressed by the right staff member promptly. Asynchronous communications also tend to be more transparent. Patients can reference messages later because they are logged in chat portals or email chains.

Conclusion

Organizations should look at ways to incorporate more asynchronous communications into their workflows. Relieving the administrative burden on staff and freeing up phone lines helps improve employee satisfaction and allows them to focus on what matters: providing a high quality of patient care.

Is Email Archival Required by HIPAA?

Tuesday, April 5th, 2022

Customers often inquire if email archival is required by HIPAA regulations.

There is a great deal of confusion and uncertainty here because:

  1. HIPAA lists many requirements, but does not provide specific instructions on how to implement them. It’s ambiguous, but provides a great deal of flexibility for organizations.
  2. Email archival adds a fixed cost to any email solution – and everyone prefers to avoid unnecessary costs.
  3. Many organizations want to do the minimum needed for compliance due to time and budgetary constraints.

In our opinion, email archival is an implicit requirement of HIPAA for all organizations that send ePHI via email. In the next section, we’ll review why.

Read the rest of this post »

HIPAA-Compliant Email Hosting or Outbound Email Encryption?

Tuesday, January 25th, 2022

There are many ways to protect ePHI in email. HIPAA is technology-neutral and doesn’t make specific recommendations for how to protect email communications. This article explains the difference between a HIPAA-compliant email host and an email encryption gateway. These are just two of the options for securing email accounts.

Read the rest of this post »

Zero Trust Email

Tuesday, July 20th, 2021

Our third article on Zero Trust Architecture covers zero trust email and the systems it requires. In May, the Biden Administration announced a new approach to cybersecurity that included a push toward Zero Trust Architecture. We have already covered Zero Trust Architecture as a whole, and also talked about how dedicated servers are important parts of the zero trust model. Now, it’s time to talk about zero trust email.

Zero Trust Email and Encryption

As we discussed in our previous articles, Zero Trust Architecture begins with the presumption that an organization’s network may not be secure. Because attackers may already be inside the network, NIST stipulates that:

“…communication should be done in the most secure manner available… This entails actions such as authenticating all connections and encrypting all traffic.”

This means that emails always need encryption. While many organizations recognize external threats and encrypt their sensitive external communications, it’s still common for workplaces to use unencrypted communication methods within the company network. This is generally done under the outdated assumption that the internal network is secure.

Zero Trust Architecture understands that any attacker within the network could easily read these communications. This is why zero trust email needs to be encrypted, even when it’s within an organization’s private network. One step in this direction is to force TLS for email encryption for all entities.

The zero trust model also requires encryption at rest, so emails also need to be protected in storage, not just in transmission.

Authentication and Zero Trust Email

NIST’s publication on Zero Trust Architecture also stipulates that:

“Access to individual enterprise resources is granted on a per-session basis. Trust in the requester is evaluated before the access is granted. Access should also be granted with the least privileges needed to complete the task.”

When it comes to zero trust email, this means that sensitive messages require authentication and authorization to be read. TLS encryption alone is not sufficient, because it doesn’t have the full capability for this type of verification. While it does allow authentication and authorization on the recipient’s email account, it cannot do so on the raw message data.

LuxSci supports:

  • Sender Policy Framework (SPF) – This is a system for email authentication that can detect forged sender addresses. Due to its limitations, it is best to complement it with other email authentication measures.
  • DomainKeys Identified Mail (DKIM) – This authentication method can detect email spam and phishing by looking for forged sender addresses.
  • Domain-based Message Authentication Reporting and Conformance (DMARC) – This email authentication protocol complements SPF, allowing it to detect email spoofing. It helps to protect organizations from phishing, business email compromise attacks, and other threats that are initiated via email.

Each of these email authentication measures is useful for verifying sender identities. LuxSci also offers premium email filtering, and together these techniques limit the trust that is applied to inbound messages.

Together, these techniques identify legitimate email messages while filtering out those that are unwanted or malicious. While it isn’t directly stated in the NIST guidelines, SPF, DKIM and DMARC can all be integral parts of the zero trust framework.
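The following is an added example, not LuxSci code, showing why SPF needs to be complemented: it reads the SPF and DKIM results a receiving server records in the `Authentication-Results` header and applies DMARC-style alignment against the visible From domain. The authserv-id `mx.hospital.example`, the sample domains and the four messages are constructed for illustration, and the two-label organizational-domain rule is a simplification.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.hospital.example"  # assumed authserv-id of our own receiving MTA

def org_domain(domain):
    # Simplification: last two labels. Real code needs the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(value):
    """Yield (method, result, props) from one Authentication-Results header."""
    value = re.sub(r"\([^)]*\)", "", value)  # strip comments
    authserv, _, rest = value.partition(";")
    if authserv.strip().lower() != TRUSTED_AUTHSERV:
        return  # not stamped by our MTA, so the sender could have forged it
    for clause in rest.split(";"):
        pairs = re.findall(r"([\w.-]+)=([^\s;]+)", clause)
        if pairs:
            (method, result), props = pairs[0], dict(pairs[1:])
            yield method.lower(), result.lower(), props

def dmarc_alignment(raw_message):
    """Return (verdict, aligned_methods) for the header From domain."""
    msg = message_from_string(raw_message)
    from_org = org_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    aligned = []
    for header in msg.get_all("Authentication-Results", []):
        for method, result, props in parse_auth_results(header):
            if result != "pass":
                continue
            if method == "spf":     # SPF authenticates the envelope sender
                ident = props.get("smtp.mailfrom", "").rpartition("@")[2]
            elif method == "dkim":  # DKIM authenticates the signing domain
                ident = props.get("header.d", "")
            else:
                continue
            if ident and org_domain(ident) == from_org:
                aligned.append(method)
    return ("pass" if aligned else "fail"), aligned

def build(auth, server=TRUSTED_AUTHSERV):  # constructed sample messages
    return (f"Authentication-Results: {server}; {auth}\n"
            "From: Billing <billing@clinic.example>\nSubject: Invoice\n\nbody\n")

LEGIT = build("spf=pass smtp.mailfrom=bounce@clinic.example; dkim=pass header.d=clinic.example")
SPOOFED = build("spf=pass smtp.mailfrom=news@bulk-sender.test; dkim=none")
FORWARDED = build("spf=fail smtp.mailfrom=bounce@clinic.example; dkim=pass header.d=mail.clinic.example")
FORGED_HEADER = build("spf=pass smtp.mailfrom=clinic.example; dkim=pass header.d=clinic.example", "mx.elsewhere.test")
```

`SPOOFED` passes SPF for an unrelated envelope domain yet fails alignment, and `FORWARDED` survives an SPF failure because its DKIM signature aligns. The check covers alignment only and does not look up the From domain's published DMARC policy.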

Access Control and Zero Trust Email

In addition to measures for encrypting messages and verifying inbound emails, zero trust email requires granular access controls to keep out intruders. LuxSci’s Secure Email Services include a wide range of access controls that limit unauthorized access while still making the necessary resources available. These include:

  • Two-factor authentication
  • Application-specific passwords
  • Time-based logins
  • IP-based access controls
  • APIs that can be restricted to the minimum needed functionality

These configuration options help reduce the likelihood that a malicious actor can access your systems. They also limit the sensitive email data that an attacker may have access to if they do manage to compromise an organization’s network.

LuxSci’s Zero Trust Email

As a specialist provider in secure and compliant services, LuxSci’s offerings are well-positioned as zero trust email solutions. Our Secure Email aligns with Zero Trust Architecture for every industry vertical, not just HIPAA. Contact our team to find out how LuxSci can help secure your organization with a zero trust approach.

How to Create Email Suppression Lists

Tuesday, June 29th, 2021

LuxSci customers are now able to create email suppression lists. In this article, we will walk you through how to create an email suppression list in your own account.

What is an Email Suppression List?

First, it may be helpful to clarify exactly what a suppression list is. It’s simply a list of email addresses to which all email sending should be blocked (or suppressed). There are many reasons why you might want to use a suppression list. One example is to track people who have opted out of receiving marketing emails. When someone decides to unsubscribe from a mailing list, their email address can be placed on a suppression list that prevents them from receiving future emails.

Suppression lists are used to manage:

  • requests for removal from mailing lists,
  • requests to never be emailed, and
  • lists of people who have complained about emails sent from your account (i.e., by marking it as Spam).

LuxSci & Email Suppression

LuxSci Secure Marketing customers already have access to suppression tools for email marketing. The new suppression features apply to all email sent via:

  1. WebMail
  2. SMTP
  3. Secure Connector/smart hosting
  4. API
  5. Secure Marketing (Secure Marketing has additional suppression list functionality which is applied first).

Suppressions do not apply to email sent:

  1. via SecureForms
  2. from web hosting (that does not send through an authenticated SMTP connection or API call).

To view these features in your own account, log in to the WebMail portal and navigate to the Settings page. From there, go to “Outbound Email” and select “Email Suppression.” There, you will be able to add up to 500 new email addresses to be suppressed.

Email suppressions can be applied at the account, domain, and user level. Account-level suppressions apply to everyone in the account: no users in your account will be able to send emails to the addresses on the list. Domain-level suppressions apply to everyone whose login email address uses that specific domain name. For example, if your email username is joe@company.com, the suppressions you apply will also be applied to jen@company.com and julie@company.com. However, they will not be applied to john@business.com. User-level suppressions apply only to the specific user who created them. For example, the email suppressions that joe@company.com creates will only apply to his account if the suppression is applied at the user level.

Email Suppression Expirations

When an email suppression list is added to your account, the default setting is that it never expires. However, there may be times when it makes sense to add an expiration date to your suppressions. When uploading a list, select the length of time you want these email addresses to remain on the suppression list from the drop-down menu. You can choose to keep email addresses suppressed for up to one year.

Deleting Suppressions

To delete an email from the suppression list, click the red “X” icon to the right of any entry. If the “X” is not present, then the suppression is defined at a higher level in your account and cannot be removed from the current page. This means that you cannot delete an account-wide suppression from the page where you manage user-specific suppressions.

How to Manage Email Suppression Lists via API

Finally, suppressions can also be managed by the API. The API allows managing user-level and account-level suppression lists and enables:

  • Listing/searching suppressions
  • Deleting suppressions
  • Adding suppressions individually or in bulk

If you have additional questions about the suppression features LuxSci offers, please reach out to our Support team. Current customers can find more information in our help documentation.