" email encryption Archives - HIPAA News, Web & Email Security Tips & News - Plus More | LuxSci

Posts Tagged ‘email encryption’

Get Facebook Email Notifications Securely with LuxSci Email

Wednesday, September 23rd, 2015

Facebook has a great feature where you can have all Facebook notifications sent to you using PGP-encrypted email. This is great if you want to be sure that no one except you can read these messages.

LuxSci has supported sending and receiving PGP-encrypted email for the last 10 years, since the introduction of SecureLine email encryption services (10 years old this month).

In this article, we show you how users of LuxSci WebMail with SecureLine can set up Facebook so that all Facebook notices will be encrypted and delivered securely to their email Inboxes.

If you don’t have LuxSci email hosting yet, you can try it free.

If you are a LuxSci customer but don’t have SecureLine yet, you can upgrade.


Are you Minimizing your Risk by using the Next Generation of Opt In Email Encryption?

Friday, September 11th, 2015

We have long held that leaving it to each sender/employee to properly enable encryption for each sensitive message (a.k.a. “Opt In Encryption”) is too risky. Why? Any mistake or oversight immediately equals a breach and liability.

Instead, LuxSci has always promoted use of “Opt Out Encryption,” in which the account default is to encrypt everything unless the sender specifically indicates that the message is not sensitive.  The risk with Opt Out Encryption is very much smaller than with Opt In.  (See Opt-In Email Encryption is too Risky for HIPAA Compliance).

The problem is: many companies use Opt In Encryption because it is convenient when sending messages without sensitive information — you just send these messages “as usual,”  without forethought.  These companies are trading large risks in return for conveniences.

LuxSci has solved the “Opt In vs. Opt Out” conundrum with its SecureLine Email Encryption Service.  You could say that SecureLine enables the “Next Generation” of Opt In Email Encryption — combining both usability and security.


Is Email Encryption via Just TLS Good Enough for Compliance with Government Regulations?

Monday, August 24th, 2015

There are many ways to encrypt email, TLS being the simplest and most seamless.  With SMTP TLS (the use of TLS encryption to secure the “SMTP Protocol” used for the transmission of email between computers), messages are transported between the sender, recipient, and all servers securely.  TLS is a layer that fits seamlessly over “regular email” to ensure transport email encryption when supported by both the message sender and the recipient.  With SMTP TLS, sending a secure message works and feels the same as sending any other email message.

“It just works.” That is the ideal combination of security and usability.

SMTP TLS for Email Encryption

However, SMTP TLS only solves the problem of email encryption during transmission from sender to recipient.  It does not in any way secure an email message while it is at rest, whether while in the sender’s “sent email” folder, queued or backed up on the email servers of the sender or recipient, or saved and stored in the email recipient’s folders.  While SMTP TLS is really easy to use, it is important to consider if use of SMTP TLS alone is “good enough” for companies to comply with the many U.S. government laws which apply to email.

When it is “good enough,” organizations may opt for the seamless simplicity of TLS over the added complexity of other modes of secure email communication.

In this article, we shall examine the security afforded by SMTP TLS and compare that to other modes of email encryption such as PGP, S/MIME, and Escrow (i.e. picking up your message from a secure web portal). We shall then look at many of the most important laws (HIPAA, GLBA, Sarbanes-Oxley, SB1386, NASD 3010, FRCP, SEC 17a-4, FINRA, and PCI DSS) to see what is said or implied about using “Just TLS” vs. other, stronger forms of encryption. We won’t spend a lot of time explaining each law; if you are interested there are innumerable articles on the web for that. We focus only on what they say or imply about encryption for email transmission and storage.

The short answer is that many of these laws outline various requirements for email storage, archival, and retrieval for legal proceedings without specifically delineating requirements for the encryption of those messages.  So, use of TLS is just fine with respect to those.

For PCI compliance, avoid email if at all possible; however, if you must use email for sending credit card data, “Just TLS” is not sufficient.

For the rest, the burden ends up being on each individual organization to decide for itself the level of encryption appropriate to protect sensitive data.  Use of encryption methods that provide protection for data at rest can mitigate liability in the case of a breach, but they are not mandated.  There are also ways of protecting data at rest that do not involve more onerous methods of email encryption.

Indeed, your internal risk analysis may find that “Just TLS” is best in some cases and methods that provide explicit data-at-rest email encryption are warranted in others.


Google Apps HIPAA Compliance Gotchas: Email encryption not included and higher price

Wednesday, October 8th, 2014

There has been a lot of hype about Google offering a Business Associate Agreement to paid Google Apps customers who must abide by HIPAA regulations.  Those who are familiar with Google may be under the incorrect assumption that simply signing up for Google Apps will solve all their HIPAA compliance challenges.  This seems to be increasingly less likely as of October, 2014.

Myths and hidden costs pervade this equation. If a HIPAA-aspiring entity isn’t fully educated about the finer details of the compliance process, they could end up paying very large amounts of money for Google services and still be non-compliant. Here we discuss some misconceptions about Google services as they apply to HIPAA to help you avoid the pitfalls of non-compliance.


What is SecureLine Email Security? Watch the Video!

Tuesday, July 3rd, 2012

SecureLine is LuxSci’s end-to-end email encryption solution and is useful for any customer saddled with compliance needs or who just wants to be sure that the integrity of their email communication is ensured.

Find out how it works by watching our SecureLine Overview Video.

SecureLine End-to-End Email Encryption: Easier than Ever!

Friday, May 25th, 2012

LuxSci’s SecureLine Email Encryption service enables LuxSci users to send secure email messages to anyone with an email address. It supports a combination of different message encryption mechanisms to handle different types of recipients and sender encryption strength requirements:

  • SMTP TLS – for server-to-server transport encryption with recipients whose servers support TLS
  • PGP and S/MIME – for customers who require higher levels of message security through certificates
  • Escrow – where recipients can pick up their waiting message from our secure portal

We find that a majority of our customers’ SecureLine messages use the Escrow system of secure message pickup, because most customers don’t require the extra security and hassle of PGP or S/MIME. Another consideration is that either TLS is not supported for most recipients or many customers require some level of recipient identity verification — beyond the fact that they “have access to their email”.

LuxSci has augmented the Escrow service so that it can now send to any recipient without any setup or input by the sender.  Customers using SecureLine encryption can now just “start sending” and it will “just work”.


SecureLine End-to-End Email Encryption Service

Saturday, September 3rd, 2005

SecureLine is a new service provided by LuxSci that allows its users to easily send and receive secure email messages to and from anyone on the Internet who has an email address – no matter what kind of email software or service that correspondent has and no matter how insecure that correspondent’s current email services are!

SecureLine enables you to easily meet HIPAA (The Health Insurance Portability and Accountability Act) and other communication security regulations and policies and it enables account administrators to optionally require that all users employ SecureLine and thus participate only in secure communications.

In order to meet the combined goals of ease of use, maximum security, and communications with anyone, anywhere, SecureLine seamlessly integrates two distinct modes of secure email communications: SecureLine Escrow and SecureLine PKI.

SecureLine Escrow: For secure communications with anyone, anywhere, you can use “SecureLine Escrow”. When composing an email for escrow, the SecureLine-enabled sender will provide an authorization question and answer; something that is confidential and known only to the sender, recipient, and other authorized people. When sent, the secure email message is encrypted and stored in a special “escrow” database at LuxSci. The recipient receives an email notification with the password to the secure message. The recipient then follows a provided link to the “Escrow Portal” to pick up the secure message and to optionally securely reply back to the sender. In order to access the Escrowed message, the recipient needs both the password from the notification email and the answer to the sender-provided authorization question. Thus, SecureLine Escrow allows simple secure communication with anyone who has an email address.

SecureLine PKI: For secure communications with other users of SecureLine and with other people on the Internet who have compatible secure email services, LuxSci’s SecureLine also supports a Public Key Infrastructure (PKI) compatible with the S/MIME (Secure MIME) and PGP (Pretty Good Privacy) Public Key technologies. In a public key system, the encrypted message content is sent within the email message to the recipient, instead of being placed in escrow for later retrieval; the recipient can easily decrypt and read such secure messages from within his/her usual email program or WebMail. This mode of operation is more flexible and more like normal email usage than the “Escrow” system; however it requires that the recipient be another SecureLine user or someone who utilizes PGP or S/MIME email encryption technologies.

To read more about SecureLine, the features it provides, and exactly how easy it is to use, see the SecureLine description.