" email encryption Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more
LUXSCI

Posts Tagged ‘email encryption’

Secure Email for Healthcare: How To Ensure You’re Not At Risk

Tuesday, December 11th, 2018

Email is the most convenient way of communicating with patients. HIPAA permits email communications but expects covered entities to take the necessary precautions to protect the integrity and security of patient health information shared via email.

HIPAA email rules

HIPAA email rules require covered entities to implement controls and security to restrict access to PHI, ensure the integrity of PHI at rest, safeguard PHI against unauthorized access during transit and ensure message accountability. The language of the HIPAA Security Rule is important as some standards are ‘required’ and some ‘addressable’. Required rules must be mandatorily followed while you may or may not implement addressable rules if a thorough risk analysis concludes that implementation is not reasonable. An implementation specification deemed unreasonable can be replaced by an equivalent alternative.

Any decision you take regarding addressable specifications needs to be documented in writing. That means you cannot simply “opt out” of addressable specifications.

secure email

Sending PHI by email? Consider these risks

When transmitted via email, PHI is exposed to many risks, such as:

    • the message could be mistakenly sent to the unintended recipient
    • the email could be captured en route to the recipient.
    • the message could be inappropriately accesed when in storage.

Read the rest of this post »

Tags: do I need email archiving, email encryption, secure email for healthcare, secure email provider
Posted in Email Archival, LuxSci Library: HIPAA
No comments »

Get facebook Email Notifications Securely with LuxSci Email

Wednesday, September 23rd, 2015

facebook has a great feature where you can have all facebook notifications sent to you using PGP-encrypted email.  This is great if you want to be sure that noone except for you can read these messages.

LuxSci has supported sending and receiving PGP-encrypted email for the last 10 years, since the introduction of SecureLine email encryption services (10 years old this month).

In this article, we show you how users of LuxSci WebMail with SecureLine can setup facebook so that all facebook notices will be encrypted and delivered securely to their email Inboxes.

If you don’t have LuxSci email hosting yet, you can try it free.

If you are a LuxSci customer but don’t have SecureLine yet, you can upgrade.

Read the rest of this post »

Tags: email encryption, facebook, pgp, secureline
Posted in LuxSci Library: Insider Insight
No comments »

Are you Minimizing your Risk by using the Next Generation of Opt In Email Encryption?

Friday, September 11th, 2015

We have long held that leaving it to each sender/employee to properly enable encryption for each sensitive message (a.k.a “Opt In Encryption”) is too risky.  Why? Any mistake or oversight immediately equals a breach and liability.

Instead, LuxSci has always promoted use of “Opt Out Encryption,” in which the account default is to encrypt everything unless the sender specifically indicates that the message is not sensitive.  The risk with Opt Out Encryption is very much smaller than with Opt In.  (See Opt-In Email Encryption is too Risky for HIPAA Compliance).

The problem is: many companies use Opt In Encryption because it is convenient when sending messages without sensitive information — you just send these messages “as usual,”  without forethought.  These companies are trading large risks in return for conveniences.

LuxSci has solved the “Opt In vs. Opt Out” conundrum with its SecureLine Email Encryption Service.  You could say that SecureLine enables the “Next Generation” of Opt In Email Encryption — combining both usability and security.

Read the rest of this post »

Tags: breach, compliance, email encryption, glba, hipaa, opt in, opt out, pgp, s/mime, secureline, tls, TLS-Only
Posted in LuxSci Library: HIPAA, LuxSci Library: Security and Privacy
No comments »

Is Email Encryption via Just TLS Good Enough for Compliance with Government Regulations?

Monday, August 24th, 2015

There are many ways to encrypt email, TLS being the simplest and most seamless.  With SMTP TLS (the use of TLS encryption to secure the “SMTP Protocol” used for the transmission of email between computers), messages are transported between the sender, recipient, and all servers securely.  TLS is a layer that fits seamlessly over “regular email” to ensure transport email encryption when supported by both the message sender and the recipient.  With SMTP TLS, sending a secure message works and feels the same as sending any other email message.

“It just works.” That is the ideal combination of security and usability.

SMTP TLS for Email Encryption

However, SMTP TLS only solves the problem of email encryption during transmission from sender to recipient.  It does not in any way secure an email message while it is at rest, whether while in the sender’s “sent email” folder, queued or backed up on the email servers of the sender or recipient, or saved and stored in the email recipient’s folders.  While SMTP TLS is really easy to use, it is important to consider if use of SMTP TLS alone is “good enough” for companies to comply with the many U.S. government laws which apply to email.

When it  is “good enough,” organizations may opt for the seamless simplicity of TLS over the added complexity of other modes of secure email communication.

In this article, we shall examine the security afforded by SMTP TLS and compare that to other modes of email encryption such as PGP, S/MIME, and Escrow (i.e. picking up your message from a secure web portal).  We shall then look at many of the most important laws (HIPAA, GLBA, Sarbanes-Oxley, SB1386, NASD 3010, FRCP, SEX 17a-4, FINRA, and PCI DSS)  to see what is said or implied about using “Just TLS” vs. other, stronger forms of encryption.  We won’t spend a lot of time explaining each law; if you are interested there are innumerable articles on the web for that.  We  focus only on what they say or imply about encryption for email transmission and storage.

The short answer is that many of these laws outline various requirements for email storage, archival, and retrieval for legal proceedings without specifically delineating requirements for the encryption of those messages.  So, use of TLS is just fine with respect to those.

For PCI compliance, avoid email if at all possible; however, if you must use email for sending credit card data, “Just TLS” is not sufficient.

For the rest, the burden ends up being on each individual organization to decide for itself the level of encryption appropriate to protect sensitive data.  Use of encryption methods that provide protection for data at rest can mitigate liability in the case of a breach, but they are not mandated.  There are also ways of protecting data at rest that do not involve more onerous methods of email encryption.

Indeed, your internal risk analysis may find that “Just TLS” is best in some cases and methods that provide explicit data-at-rest email encryption are warranted in others.

Read the rest of this post »

Tags: California Senate Bill 1386, email encryption, encryption at rest, ePHI, Federal Rules for Civil Procedure, finra, frcp, glba, Gramm-Leach-Bliley Act, hipaa, nasd 3010, nist, pci dss, pgp, s/mime, Sarbanes-Oxley Act, sb 1386, sec 17a-4, smtp, tls
Posted in LuxSci Library: HIPAA, LuxSci Library: Security and Privacy
No comments »

Google Apps HIPAA Compliance Gotchas: Email encryption not included and higher price

Wednesday, October 8th, 2014

There has been a lot of hype about Google offering a Business Associate Agreement to paid Google Apps customers who must abide by HIPAA regulations.  Those who are familiar with Google may be under the incorrect assumption that simply signing up for Google Apps will solve all their HIPAA compliance challenges.  This seems to be increasingly less likely as of October, 2014.

Myths and hidden costs pervade this equation. If a HIPAA-aspiring entity isn’t fully educated about the finer details of the compliance process, they could end up paying very large amounts of money for Google services and still be non-compliant. Here we discuss some misconceptions about Google services as they apply to HIPAA to help you avoid the pitfalls of non-compliance.

Read the rest of this post »

Tags: baa, business associate agreement, email encryption, gmail, Google apps, hipaa, hipaa compliance, ombibus
Posted in LuxSci Library: HIPAA, New Feature Announcements
No comments »

« Older Entries
LUXSCI
www.LuxSci.com — 1-800-441-6612 — sales@luxsci.cm