email encryption Archives - LuxSci

Posts Tagged ‘email encryption’

When Should You Use An Email Encryption Gateway?

Tuesday, September 14th, 2021

An email encryption gateway is a great way to protect sensitive emails for HIPAA compliance. You probably know just how important encryption is for sensitive data, as well as information that is protected by law, like ePHI. However, embracing these protections can sometimes be challenging. Gateways that rely on opt-in encryption put your company at risk, because employees may forget to encrypt protected health information.

Email encryption gateways like LuxSci’s Secure Connector automatically encrypt all outgoing emails, drastically reducing the risk of breaches caused by human errors.


What Is An Email Encryption Gateway?

By default, email is incredibly insecure. Protecting it requires additional effort, and it is easy for employees to make mistakes. The main purpose of an email encryption gateway is to encrypt outgoing emails. Some common ways to trigger encryption are:

  • by using keyword prompts
  • pushing a button or switch to enable encryption
  • using content scanners to encrypt emails according to administrator settings.

LuxSci’s Secure Connector automatically encrypts every email message using TLS encryption for a seamless delivery to recipient accounts. LuxSci’s solution allows you to choose the right type of encryption to suit your email use cases. For example, you may want to send highly sensitive messages like patient lab results using a more secure form of encryption like Portal Pickup to protect patient privacy. Not every gateway can provide that level of flexibility so it’s important to understand how you want to use the tool when shopping for a solution.

When Should You Use An Email Encryption Gateway?

There are several situations in which using an email encryption gateway is appropriate. These include:

Email Encryption Gateways For Microsoft 365 And Google Workspace

One of the most useful applications is for businesses that use Microsoft Office 365 or Google Workspace. These extremely popular email platforms do not come automatically configured for HIPAA compliance. To make Google Workspace HIPAA-compliant, you must use a third-party encryption tool to secure your emails. Microsoft Office 365 has an encryption add-on option, but it can be difficult to configure and cumbersome for your email recipients.

LuxSci’s own email encryption gateway Secure Connector works with both Google Workspace and Microsoft Office 365 and is simple to configure. All it requires are LuxSci smart hosting accounts for your Google or Microsoft users. For example, if you have 20 users for your company’s domain in Microsoft, you would simply need LuxSci accounts set up in the same domain for those 20 users.

Once the user accounts are configured and smart hosting is enabled in Google or Microsoft, the outbound email for all of these users will flow through LuxSci’s Secure Connector. Every outbound email will be automatically encrypted, without the user noticing or having to do anything. This setup can help your organization meet its HIPAA obligations without having to switch email hosting providers.

Email Encryption Gateways Can Solve A Wide Range Of Problems

While one of the most popular uses of LuxSci’s Secure Connector is for automatically encrypting outbound email for Google and Microsoft, this has much to do with the ubiquity of these services, rather than the limitations of email encryption gateways.

LuxSci’s Secure Connector can also solve the following problems:

  • An ISP does not allow your mail server to send outbound email, or limits the number of outbound emails to a set quantity. Secure Connector gives you a way to circumvent these limitations and send more emails.
  • If your Exchange Server can’t send email directly for your organization, Secure Connector provides another means to do so.
  • If an outbound email system does not support SMTP authentication, Secure Connector can perform the authentication instead. It supports username and password authentication, which can help to keep your organization secure.
  • Your IP address has a poor reputation and your outbound emails are filtered out as spam by the recipients. Secure Connector can help to stop this from happening.
  • You want to hide your mail server’s IP address. With Secure Connector, your mail server’s IP address can be hidden. This helps prevent mail from being blocked by recipients.
  • Archive your outbound emails.

Is LuxSci’s Secure Connector The Ideal Email Encryption Gateway for Your Organization?

If your company needs an email encryption gateway to automatically secure all of its outbound email, LuxSci’s Secure Connector is the only choice. Our opt-out approach to email encryption sets us apart from other companies. It is a HIPAA-compliant solution that supports multiple types of encryption to increase security for highly sensitive emails. Contact our team now to learn more about how Secure Connector can help solve your problems.

Zero Trust Email

Tuesday, July 20th, 2021

Our third article on Zero Trust Architecture covers zero trust email and the systems it requires. In May, the Biden Administration announced a new approach to cybersecurity that included a push toward Zero Trust Architecture. We have already covered Zero Trust Architecture as a whole, and also talked about how dedicated servers are important parts of the zero trust model. Now, it’s time to talk about zero trust email.


Zero Trust Email and Encryption

As we discussed in our previous articles, Zero Trust Architecture begins with the presumption that an organization’s network may not be secure. Because attackers may already be inside the network, NIST stipulates that:

“…communication should be done in the most secure manner available… This entails actions such as authenticating all connections and encrypting all traffic.”

This means that emails always need encryption. While many organizations recognize external threats and encrypt their sensitive external communications, it’s still common for workplaces to use unencrypted communication methods within the company network. This is generally done under the outdated assumption that the internal network is secure.

Zero Trust Architecture understands that any attacker within the network could easily read these communications. This is why zero trust email needs to be encrypted, even when it’s within an organization’s private network. One step in this direction is to force TLS for email encryption for all entities.

The zero trust model also requires encryption at rest, so emails also need to be protected in storage, not just in transmission.

Authentication and Zero Trust Email

NIST’s publication on Zero Trust Architecture also stipulates that:

“Access to individual enterprise resources is granted on a per-session basis. Trust in the requester is evaluated before the access is granted. Access should also be granted with the least privileges needed to complete the task.”

When it comes to zero trust email, this means that sensitive messages require authentication and authorization to be read. TLS encryption alone is not sufficient, because it doesn’t have the full capability for this type of verification. While it does allow authentication and authorization on the recipient’s email account, it cannot do so on the raw message data.

LuxSci supports:

  • Sender Policy Framework (SPF) – This is a system for email authentication that can detect forged sender addresses. Due to its limitations, it is best to complement it with other email authentication measures.
  • DomainKeys Identified Mail (DKIM) – This authentication method can detect email spam and phishing by looking for forged sender addresses.
  • Domain-based Message Authentication Reporting and Conformance (DMARC) – This email authentication protocol complements SPF, allowing it to detect email spoofing. It helps to protect organizations from phishing, business email compromise attacks, and other threats that are initiated via email.

Each of these email authentication measures is useful for verifying sender identities. LuxSci also offers premium email filtering, and together these techniques limit the trust that is applied to inbound messages.

Together, these techniques identify legitimate email messages while filtering out those that are unwanted or malicious. While it isn’t directly stated in the NIST guidelines, SPF, DKIM and DMARC can all be integral parts of the zero trust framework.
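To make the "complements SPF" point concrete, here is an added example in Go (not LuxSci code and not part of the original post) that parses a published DMARC record and applies the DMARC pass rule to the SPF and DKIM results a receiving server records: the message passes only if at least one of the two checks passed and its authenticated domain aligns with the From: header domain. The record, domains and results are constructed for the example, and the organizational-domain helper is a two-label simplification rather than a Public Suffix List lookup.

```go
package main

import (
	"fmt"
	"strings"
)

// AuthResult records the outcome of one SPF or DKIM check as the receiving
// server would report it: whether it passed and which domain it authenticated
// (the SPF MAIL FROM domain, or the DKIM d= tag).
type AuthResult struct {
	Pass   bool
	Domain string
}

// DMARCPolicy holds the tags of a published _dmarc TXT record that decide the
// verdict: p= (none/quarantine/reject) and the alignment modes adkim= and
// aspf= ("r" relaxed, "s" strict).
type DMARCPolicy struct {
	Disposition string
	ADKIM       string
	ASPF        string
}

// ParseDMARC parses a record such as "v=DMARC1; p=reject; adkim=s; aspf=r".
// Missing alignment tags default to relaxed, as RFC 7489 specifies.
func ParseDMARC(record string) (DMARCPolicy, error) {
	pol := DMARCPolicy{ADKIM: "r", ASPF: "r"}
	tags := map[string]string{}
	for _, part := range strings.Split(record, ";") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) == 2 {
			tags[strings.ToLower(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
		}
	}
	if tags["v"] != "DMARC1" {
		return pol, fmt.Errorf("not a DMARC record: %q", record)
	}
	p, ok := tags["p"]
	if !ok {
		return pol, fmt.Errorf("missing required p= tag")
	}
	pol.Disposition = strings.ToLower(p)
	if v, ok := tags["adkim"]; ok {
		pol.ADKIM = strings.ToLower(v)
	}
	if v, ok := tags["aspf"]; ok {
		pol.ASPF = strings.ToLower(v)
	}
	return pol, nil
}

// orgDomain approximates the organizational domain by keeping the last two
// labels. Production code consults the Public Suffix List; this shortcut is an
// assumption of the example and is wrong for suffixes such as co.uk.
func orgDomain(d string) string {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(d, ".")), ".")
	if len(labels) <= 2 {
		return strings.Join(labels, ".")
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// aligned reports whether an authenticated domain aligns with the From: domain
// under strict (exact match) or relaxed (same organizational domain) mode.
func aligned(authDomain, fromDomain, mode string) bool {
	a, f := strings.ToLower(authDomain), strings.ToLower(fromDomain)
	if mode == "s" {
		return a == f
	}
	return orgDomain(a) == orgDomain(f)
}

// EvaluateDMARC applies the DMARC rule: the message passes when at least one of
// SPF or DKIM both passed and aligns with the From: domain. On failure it
// returns the disposition the domain owner requested.
func EvaluateDMARC(pol DMARCPolicy, fromDomain string, spf, dkim AuthResult) (bool, string) {
	spfOK := spf.Pass && aligned(spf.Domain, fromDomain, pol.ASPF)
	dkimOK := dkim.Pass && aligned(dkim.Domain, fromDomain, pol.ADKIM)
	if spfOK || dkimOK {
		return true, "none"
	}
	return false, pol.Disposition
}

func main() {
	// Constructed sample: SPF passes for the bulk mailer's own domain, but that
	// domain does not align with the From: header, and there is no DKIM signature.
	pol, err := ParseDMARC("v=DMARC1; p=reject; adkim=r; aspf=r")
	if err != nil {
		panic(err)
	}
	spf := AuthResult{Pass: true, Domain: "bulkmailer.example.net"}
	dkim := AuthResult{Pass: false}
	passed, disposition := EvaluateDMARC(pol, "clinic.example.com", spf, dkim)
	fmt.Println(passed, disposition) // false reject
}
```

The sample shows why SPF on its own is weak evidence: the sending service's SPF record passes for its own domain, yet the message still fails DMARC because that domain has nothing to do with the From: address a recipient sees. A DKIM signature with d= set to the From: domain (or a subdomain, under relaxed alignment) is what lets a legitimate third-party mailer pass.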

Access Control and Zero Trust Email

In addition to measures for encrypting messages and verifying inbound emails, zero trust email requires granular access controls to keep out intruders. LuxSci’s Secure Email Services include a wide range of access controls that limit unauthorized access while still making the necessary resources available. These include:

  • Two-factor authentication
  • Application-specific passwords
  • Time-based logins
  • IP-based access controls
  • APIs that can be restricted to the minimum needed functionality

These configuration options help reduce the likelihood that a malicious actor can access your systems. They also limit the sensitive email data that an attacker may have access to if they do manage to compromise an organization’s network.

LuxSci’s Zero Trust Email

As a specialist provider in secure and compliant services, LuxSci’s offerings are well-positioned as zero trust email solutions. Our Secure Email aligns with Zero Trust Architecture for every industry vertical, not just HIPAA. Contact our team to find out how LuxSci can help secure your organization with a zero trust approach.

5 Questions to Find the Right HIPAA-Compliant Email Marketing Platform

Tuesday, June 15th, 2021

If you are subject to HIPAA regulations, think twice before sending off that marketing email blast to your customers. If your emails contain ePHI, stop and make sure you are using a HIPAA-compliant email marketing platform before sending.

Not all email marketing platforms were designed with HIPAA compliance in mind. In fact, it can be difficult to figure out which vendors will allow you to send HIPAA-compliant emails on their platforms. We created this list of five questions to help you screen potential vendors for compliance.


1. Is your email marketing platform HIPAA-compliant and HITRUST certified?

It’s a simple question, but if the vendor does not mention anything about HIPAA or HITRUST certification on their website, it’s a good indicator that they are not secure enough to be compliant. As you probably know, HIPAA regulations can be onerous, and many companies do not have the time, expertise, or desire to update their technology. On the other hand, if they have taken the time and spent the money to invest in the serious security steps needed for HIPAA compliance, you should be able to find something about it in their marketing.

2. Will the vendor sign a Business Associate Agreement?

If you are sharing ePHI with a vendor (including lists of patient names and email addresses), you must have a BAA in place that outlines their responsibilities to protect your ePHI. If a vendor will not sign a BAA with you, it is an obvious sign that you cannot use their platform for HIPAA-compliant email marketing.

However, even if a vendor will sign a BAA, it does not mean that you can use their platform and comply with HIPAA. Read the fine print! Some companies have very restrictive BAAs that severely limit the functionality of the platform and prevent you from sending emails. We call these vendors “quasi” compliant: they only comply with HIPAA if you abide by strict rules that prevent you from actually using their solution.

For example, take Constant Contact. They will sign a BAA. However, they explicitly state in their BAA that you:

“Should not use our systems for transmitting highly sensitive PHI (for example: mental health, substance abuse, or HIV information). Our application was not built for electronic medical records (EMR). If you have such information to send, please do not use Constant Contact.”

Constant Contact does not encrypt outbound emails, making it a poor choice for a HIPAA-compliant email marketing vendor. Depending on your email use cases, you could be unable to send any emails on their platform. Even worse, if you mistakenly send emails that contain ePHI you will be held liable for violating HIPAA, not Constant Contact, because you violated the terms of the BAA.

3. Does the email marketing platform protect data at rest and in transit?

Encryption is an addressable standard as part of the HIPAA Security Rule. Encryption is highly recommended to protect ePHI in all digital communications. Many email marketing platforms have adopted encryption methods that are secure enough to protect ePHI while it remains in their systems. However, that’s not enough to comply with HIPAA. You should specifically ask about their ability to encrypt outbound emails. Data in transit is extremely vulnerable to malicious actors, and therefore you need encryption to protect emails containing ePHI. If a vendor does not provide encryption for outbound marketing emails, then you should not consider using them.

4. How does the email marketing platform encrypt emails?

If a vendor says that they do encrypt outgoing messages, it’s important to consider these additional questions.

  • How are they encrypting those emails?
  • Do the encryption methods match your email use cases?

As a marketer, you want your emails to directly reach the recipient with as little friction as possible. If the recipient has to login to another platform to read the email, it’s unlikely to be read. A good HIPAA-compliant email marketing platform will use TLS encryption to send marketing messages directly to inboxes that support it. Emails sent with TLS encryption appear just like any other message directly in the recipient’s inbox.

However, there may be scenarios when you need to use more secure encryption methods. We recommend finding an email marketing vendor that is flexible and will let you select the right method of encryption for any type of message. For example, you may want to use a portal-based encryption method to send highly sensitive messages. Either way, make sure your vendor can support your needs with the right type of email encryption.

5. Does the platform allow you to send ePHI in the body of your emails?

Finally, the most important question to ask is: can I include highly sensitive patient information in an email? If you cannot, you can’t use the full power of the email marketing platform to create targeted, personalized and relevant messages. At best, you can only send generic office newsletters. If you want to create the types of marketing emails that will drive ROI and improve patient engagement, you need to be able to utilize your patient data for personalization and segmentation.

HIPAA-Compliant Email Marketing Platforms

LuxSci’s Secure Marketing platform was built from the ground up with HIPAA compliance in mind. If you would like to learn more about how to create compliant email marketing campaigns utilizing ePHI, please let us know.



What Are the HIPAA Requirements for Email Encryption?

Tuesday, April 9th, 2019

If you’re involved in the healthcare field, you may have wondered what HIPAA’s exact requirements are when it comes to email encryption. Understandably, not too many people are willing to read the 115 pages of the simplified regulation text, so the question tends to go unanswered.

The good news is that we’ve gotten someone to do it for you. They’ve trawled through the long and arduous document to pick out the exact HIPAA regulations concerning email encryption.

We’ve gone through and found out what the text actually says, as well as conducted some analysis to help you figure out just how your organization can comply with these requirements.

What Do the Regulations Actually Say?

There are a few different segments of the security rule which are pertinent to email encryption. The first one is section 164.306 Security standards: General rules:

(a) General requirements. Covered entities and business associates must do the following:

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.

(4) Ensure compliance with this subpart by its workforce.

Let’s unpack some of these terms a bit:

So let’s summarize things a little bit. Under the Security Rule, organizations in the healthcare field and those that deal with their sensitive data are obligated to protect it.

Let’s wade a little bit further into the text. It specifically talks about encryption in section 164.312 Technical safeguards:

(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.

Notice how it says “addressable”? HIPAA has two different specifications when it comes to implementation, “required” and “addressable”. “Required” means that a certain mechanism must be in place for compliance.

“Addressable” means that there is flexibility in the mechanisms that can be used. This isn’t particularly specific, but it’s important to be aware that HIPAA is intentionally vague and technologically agnostic. This gives organizations the flexibility they need to come up with the best security measures for their own unique situation. It is not an excuse to be lax about security.

Are Encryption & Decryption Required?

At this stage, you may be thinking that you have found a loophole and you don’t technically have to use encryption. This assumption is kind of correct–nowhere in the HIPAA documentation does it specify that encryption and decryption must be used.

But unfortunately, things aren’t that simple. Let’s return to section 164.306, where it states that covered entities and business associates must:

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.

This time, we’ve put different terms in bold. So, while HIPAA does not state that covered entities have to use encryption, it does say that they need to ensure the confidentiality of any ePHI that is created, received, maintained or transmitted.

The big question is, “If you aren’t going to use encryption, what techniques are you going to use to guarantee confidentiality instead?” Will you put all of the data on flash drives, then lock them in metal boxes for storage and transit?

Sure, the text says that you don’t have to use encryption, but given the other requirements stated in the HIPAA documentation, encryption is the only reasonable solution.

When it comes to encryption, the HIPAA legislators are kind of like a parent who takes their child to a store, promising them that they can eat anything that they want. The child’s eyes light up with excitement, imagining all of the candy that they will be gobbling down in just a few moments.

When they arrive, the child’s heart sinks – they are at the fruit store. Sure, they can have anything they want, but the only thing around them is fruit.

You don’t technically have to use encryption under HIPAA, but it’s pretty much the only thing on offer.

How Should You Use Encryption to Protect Email?

Since the HIPAA text doesn’t include any encryption requirements, the documentation isn’t particularly helpful for those organizations that want to be both compliant and secure. Thankfully, the National Institute of Standards and Technology (NIST), another government agency, has released its own documentation about email and how to keep it secure.

The guide is extensive, but some of the key takeaways are:

  • Appropriate authentication and access control measures need to be in place.
  • TLS should be used to connect to the email server.
  • Mechanisms such as PGP or S/MIME should be used to encrypt sensitive data (such as ePHI).

If you don’t feel like reading such an exhausting document, you can turn to a HIPAA compliance specialist like LuxSci instead. Our HIPAA-Compliant Email includes all of these features and much more, helping your organization stay both secure and compliant.

Secure Email for Healthcare: How To Ensure You’re Not At Risk

Tuesday, December 11th, 2018

Email is one of the most convenient ways of communicating with patients. HIPAA permits email communications, but expects covered entities to take the necessary precautions to protect the integrity and security of patient health information shared via email. Ensure you are not at risk by implementing secure email in your organization.

Secure Email and HIPAA

HIPAA email rules require covered entities to implement controls and security to restrict access to PHI, ensure the integrity of PHI at rest, safeguard PHI against unauthorized access during transit and ensure message accountability. The language of the HIPAA Security Rule is important, as some standards are ‘required’ and some ‘addressable.’ Required rules must be followed; an addressable rule may be left unimplemented only if a thorough risk analysis concludes that implementation is not reasonable. An implementation specification deemed unreasonable can be replaced by an equivalent alternative.

Any decision you take regarding addressable specifications needs to be documented in writing. That means you cannot simply “opt out” of addressable specifications.

Sending PHI by email? Consider these risks

When transmitted via email, PHI is exposed to many risks, such as:

  • the message could be mistakenly sent to an unintended recipient
  • the email could be captured en route to the recipient
  • the message could be inappropriately accessed while in storage

Imagine a scenario where a state Medicaid agency’s online form service provider emails information on forms to designated employees within the agency when the forms are submitted. If the email is not transmitted in a secure manner, then the PHI in the forms can be exposed. The compromised data can include names, addresses, birth dates, email addresses, admission and enrollment dates, Social Security numbers, Medicaid identification numbers, insurer name, medical condition, and more.

Although there is only a small risk of the data being intercepted during transmission, it cannot be waved away. Mitigating the potential misuse of PHI is challenging, and it is impossible to predict whether someone who does capture PHI en route will use it for personal gain, commercial advantage or malicious harm. Better safe than sorry.

Encryption is an addressable standard, but you should not ignore it

Encryption is an addressable standard for email and data at rest. Still, it is a critical element of HIPAA compliance, particularly if email is your chief mode of communication. HIPAA does not specify the method of encryption, so you can consider various measures to maintain high levels of email security. Two main types of encryption can counter the common security problems encountered in email communications: symmetric encryption and asymmetric encryption.

Symmetric encryption involves encrypting a message into ‘ciphertext’ using a key shared by you and your correspondents. Ciphertext appears as a random sequence of characters, which can be decrypted and interpreted only with the secret key. This form of encryption deters eavesdropping on email and modification of messages in transit.

Asymmetric encryption, also known as public key cryptography, is a relatively new method compared to symmetric encryption. It uses two keys: the public key is available to anyone who wants to send you a message, but the second, private key is known only to you. A message encrypted with the public key can be decrypted only with the corresponding private key, while a message encrypted with the private key can be decrypted with the public key.

Besides sending secure messages, asymmetric encryption lets you prove to someone that you sent a message: you sign the message to validate that it came from you and to help the recipient determine whether it was modified in transit. The most secure route is to add a signature to the message and then encrypt both the message and the signature with the recipient’s public key. This addresses the risk of eavesdropping and offers proof of sender and message integrity.
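The sign-then-encrypt route described above, as an added example in Go (not LuxSci’s code and not part of the original post), using the hybrid construction that S/MIME and PGP also use in practice: RSA-PSS for the signature, AES-256-GCM for the message body, and RSA-OAEP to wrap the one-time symmetric key for the recipient. The key pairs and the message are generated or constructed inside the program, so it runs offline.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what actually travels by email: the symmetric key wrapped for the
// recipient, the GCM nonce, and the ciphertext of message || signature.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// GenerateKeyPair makes a 2048-bit RSA key pair for one party in the exchange.
func GenerateKeyPair() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// newGCM builds an AES-GCM cipher from a raw key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SignThenEncrypt signs msg with the sender's private key, then encrypts the
// message and its signature under a fresh AES-256-GCM key that is itself
// encrypted (RSA-OAEP) to the recipient's public key.
func SignThenEncrypt(msg []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	// A PSS signature is exactly one modulus in length, so the recipient can
	// split it off the end of the decrypted payload without a length prefix.
	payload := append(append([]byte{}, msg...), sig...)
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, payload, nil)}, nil
}

// DecryptThenVerify reverses the process. Tampering with any part of the
// envelope fails GCM authentication; a message signed by anyone other than the
// claimed sender fails signature verification.
func DecryptThenVerify(env *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("key unwrap failed: not encrypted to this recipient")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	payload, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("envelope was modified in transit")
	}
	sigLen := sender.Size()
	if len(payload) < sigLen {
		return nil, errors.New("payload too short to contain a signature")
	}
	msg, sig := payload[:len(payload)-sigLen], payload[len(payload)-sigLen:]
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("signature does not verify against the claimed sender")
	}
	return msg, nil
}

func main() {
	alice, bob := GenerateKeyPair(), GenerateKeyPair()
	// Constructed sample: Alice signs and encrypts to Bob; Bob decrypts and verifies.
	env, err := SignThenEncrypt([]byte("Lab results attached (constructed sample)"), alice, &bob.PublicKey)
	if err != nil {
		panic(err)
	}
	msg, err := DecryptThenVerify(env, bob, &alice.PublicKey)
	fmt.Println(string(msg), err)
}
```

Signing before encrypting means the signature itself is hidden from an eavesdropper, and the recipient learns who wrote the message only after proving they hold the private key it was encrypted to. The GCM tag catches modification of the ciphertext, and the signature catches substitution of a message by someone who does not hold the sender’s private key; the two checks cover different risks, which is why both are applied.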

Encrypted email archiving

Email archiving is an important HIPAA-compliant email practice, enabling covered entities to retain and protect PHI-containing email messages, while also making archived email easy to retrieve, especially during emergencies, litigation discovery and compliance audits.

Email archiving providers are designated as Business Associates and must comply with the HIPAA Security Rule just as covered entities do. Check out this article to learn about when and why a BAA is required.

Choosing a secure email provider

Another conversation you will have with regard to email security is the choice of email provider. Your email provider should be cognizant of the administrative, physical and technical safeguards stipulated under the HIPAA regulations as well as provide a reliable service. Some questions that you should ask a potential provider include:

  • Is the provider aware of their responsibilities under HITECH and Omnibus?
  • Are they willing to advise you on your security and privacy options?
  • Do they have controls in place to validate and audit each user’s access?
  • What types of email encryption are offered?
  • Do they dispose of data securely?
  • Can they ensure emergency access to your email?
  • Do they provide web-based access without requiring third-party software?
  • Will they sign a HIPAA Business Associate Agreement?

Want to discuss how LuxSci’s HIPAA-Compliant Email Solutions can help your organization? Contact us.