email encryption Archives - Page 2 of 6

Posts Tagged ‘email encryption’

Send Secure Emails: Alternatives to Web Portals

Tuesday, December 5th, 2023

Digital technologies have entirely shifted how individuals want to interact with their healthcare providers. As consumers have become used to emailing or texting with their hairstylists, mechanics, and other providers to schedule appointments, they want to have the same level of interaction with their healthcare providers.

However, many healthcare organizations find it challenging to deliver the same experience because of their compliance requirements under HIPAA. They must balance usability and access with security and patient privacy. To send secure emails, they often resort to secure web portals.

Problems with Secure Web Portals

One of the most common ways that healthcare organizations communicate securely with patients is by using the secure web portal method of email encryption. In this scenario, messages are sent to a secure web server, and a notification is sent to the recipient, who then logs into the portal to retrieve the message.

While highly secure, this method is not popular with recipients because of the friction it creates.

To maintain a high level of security, users must log in to a separate account to retrieve the message. This extra step creates a barrier, especially for individuals who are not tech-savvy. In addition to creating a new account, they must remember a different username and password to access their secure messages. If the recipient doesn’t have this information readily available, they will likely delete the message and move on with their day. Many users will never bother logging in because of the inconvenience. This creates issues for organizations that want to use email for standard business communications and patient engagement efforts.

While this method may be appropriate for sending highly sensitive information like medical records, financial documents, and other valuable information, many emails that must meet compliance requirements only infer sensitive information and do not require such a high level of security. Flu shot reminder emails are not as sensitive or potentially devastating as sending the wrong medical file to someone. Healthcare organizations need to use secure email solutions that are flexible enough to send only the most sensitive emails to the portal and less sensitive emails using other methods.

How to Meet Compliance Requirements for Sending Secure Email

So, what other options do you have for sending secure emails? The answer will depend on what specific requirements you need to meet. Healthcare organizations that must abide by HIPAA regulations will find a lot of flexibility regarding the technologies they can use to protect ePHI in transit.

In addition to a secure web portal, three other types of encryption are suitable for email sending: TLS, PGP, and S/MIME. PGP and S/MIME are more secure than a web portal. They also require advanced technological skills and coordination with the end-user to implement, which makes them impractical for most business email sending.

That leaves us with TLS, which is suitable to meet most compliance standards (including HIPAA) and delivers an email experience much like that of a “regular” email.

Send Secure Emails with TLS Encryption

TLS encryption is an excellent option for secure email sending that provides a seamless experience for the recipient. Emails sent securely with TLS appear like regular, unencrypted emails in the recipient’s inbox.

TLS encrypts the message contents as they travel between mail servers to prevent interception and eavesdropping. Once the message reaches the inbox, it is unencrypted and can be read by anyone with access to the email account. For this reason, it is less secure than a portal but secure enough to meet compliance requirements like HIPAA.

If you’re wondering why this is, HIPAA only requires covered entities and business associates to protect PHI when it is stored on their systems or as it is transmitted elsewhere. After the message reaches the recipient, it is up to the recipient to decide what they want to do to secure the information. HIPAA does not apply to individuals. Each person is entitled to share and store their health information however they see fit.

Conclusion

Balancing security and usability is a significant challenge for healthcare organizations. If the message is too secure, it may be difficult for the recipient to open and engage with it. If it’s not secure enough, it is too easy for cybercriminals and other bad actors to intercept private information as it is sent across the internet.

Choosing an email provider like LuxSci, which offers flexible email encryption options, allows users to choose the right level of encryption for each message to maximize engagement and improve health outcomes. Contact our team today to learn more about how we can support your efforts.

Tags: digital transformation, email, email encryption, email security, patient engagement, patient experience, secure web portal, tls, tls encryption
Posted in Email
Comments Off on Send Secure Emails: Alternatives to Web Portals

Understanding the HIPAA Requirements for Email Encryption

Tuesday, November 28th, 2023

If you are in the healthcare field, you may have wondered what HIPAA’s exact requirements are regarding email encryption. Understandably, not many people are willing to read the 115 pages of the simplified regulation text, so the question often goes unanswered.

The good news is that we have parsed them for you. We’ve trawled through the long and arduous document to identify the HIPAA regulations concerning email encryption. We also conducted some analysis to help you figure out just how your organization can comply with these requirements.

What Does HIPAA Say About Email Encryption?

There are a few different segments of the HIPAA Security Rule that apply to email encryption. The first one we will discuss is section 164.306 Security Standards.

Security Standards for HIPAA Email Encryption

The general requirements state that covered entities and business associates must do the following:

Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
Ensure compliance with this subpart by its workforce.

Let’s unpack some of these terms to understand how they apply to your obligations under HIPAA.

Covered entity – As a simplification, a covered entity is any healthcare-related organization dealing with protected health data.
Business associate – A business associate (BA) is a person or organization with which a covered entity shares electronic protected health information (ePHI). This relationship is governed by a business associates agreement (BAA).
Electronic protected health information (ePHI) – This is basically any digital information that is both “individually identifying” and contains “protected health information.” Individually identifying information includes names, contact details, social security numbers, and more. Protected health information relates to a patient’s health, treatments, or payments. Check out our article on ePHI for the specifics.

To summarize: Under the Security Rule, healthcare organizations and those dealing with their protected health information are obligated to protect that data. Encryption is just one way that data can be protected when stored or transmitted electronically, like through an email account.

HIPAA Technical Safeguards and Email Encryption

The next place to find information about email encryption is in section 164.312 Technical Safeguards. The rule states:

“Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.”

Notice how it says “addressable”? HIPAA has two different specifications regarding implementation, “required” and “addressable.” Required means that a particular mechanism must be in place for compliance.

On the other hand, addressable means that there is flexibility in the mechanisms that can be used. HIPAA is intentionally vague and technologically agnostic on purpose. This gives organizations the flexibility to develop the best security measures for their unique situation. It is not an excuse to be lax about security. Some addressable standards may not apply to an organization because of the structure or technologies used. Whether or not you need to meet the standard is a question for your legal and compliance teams.

Does HIPAA Require Encryption and Decryption?

At this stage, you may assume that since encryption is an addressable standard, it’s optional, and you do not have to utilize it. This assumption is almost correct– nowhere in the HIPAA documentation does it specify that encryption and decryption must be used.

But unfortunately, things aren’t that simple. Let’s return to the Security Standards of section 164.306, where it states that covered entities and business associates must:

“Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.”

This time, we’ve put different terms in bold. So, while HIPAA does not state that covered entities have to use encryption, it does say that they need to ensure the confidentiality of any ePHI that is created, received, maintained, or transmitted.

The big question is, “If you aren’t going to use encryption, what techniques will you use to guarantee confidentiality instead?” Will you put all electronic data on flash drives and lock them in metal boxes for storage and transit?

The text doesn’t say that you have to use encryption. Still, given the other requirements in the HIPAA documentation, encryption is the only reasonable solution if you want to communicate electronically about patients and their health conditions.

Is Email Encryption Required for HIPAA?

As stated above, HIPAA does not require the use of email encryption. However, if you plan to communicate PHI via email, you must take steps to secure that data. Without other suitable technologies, encryption is the easiest way to protect patient data in emails.

So what can you do? The HIPAA text doesn’t include specific encryption requirements, so the documentation isn’t particularly helpful for organizations looking for ways to be compliant and secure. Thankfully, the National Institute of Standards and Technology (NIST), another government agency, has released its own guidelines for email and how to keep it secure.

The guide is extensive, but some of the key takeaways are:

Appropriate authentication and access control measures need to be in place.
TLS should be used to connect to the email server.
Mechanisms such as PGP or S/MIME should be used to encrypt sensitive data (such as ePHI).

If you don’t feel like reading such an exhausting document, you can turn to a HIPAA compliance specialist like LuxSci instead. Our HIPAA-Compliant Email includes email encryption as well as other features to help your organization stay both secure and compliant.

Tags: email encryption, email security, HIPAA email encryption, hipaa email requirements, HIPAA requirements, how to secure email
Posted in LuxSci Library: HIPAA, Email
No comments »

What is a Secure Email Gateway?

Tuesday, October 24th, 2023

As threats to email security are increasing, organizations are looking for ways to enhance their security and reduce risk. One option is a secure email gateway. In this article, we review what secure email gateways are and how they can be used to secure sensitive data as it flows into and out of your accounts.

Protect Your Accounts With A Secure Email Gateway

Secure email gateways are an excellent way to strengthen the security of your email accounts without a costly switch to a new email provider. They layer on top of your existing email accounts to encrypt messages, scan for threats, and even capture messages for archival or backup purposes. They can also hide the sender’s IP address because messages are routed through another email infrastructure before delivery to the recipient. If you are concerned about increasing risks to sensitive data, secure email gateways offer a simple and effective way to enhance your email security.

How Do Secure Email Gateways Work?

When using a secure email gateway, your messages are routed to a separate server before being sent or received. When sending an outbound message with LuxSci’s Secure Connector, it is routed through our SecureLine encryption before being securely delivered to the recipient. A copy of the message may also be sent to an independent email archive to help meet compliance requirements for message retention.

For incoming messages, the gateway can employ email filtering technology to quarantine suspicious messages. These technologies can scan incoming messages and prevent spammers and scammers from reaching employee inboxes and wreaking havoc. Just like with outbound email sending, the gateway can also capture a copy of inbound messages and retain them in an independent message archive.

The exact features of a secure email gateway will vary from vendor to vendor, but these represent some of the core functions that these tools provide. Simply put, a secure email gateway protects both incoming and outgoing messages to ensure that sensitive data is guarded from threats.

Why Choose a Secure Gateway?

There are two main reasons to implement a secure email gateway: the security and compliance benefits and their ease of use. Let’s look at each.

Compliance and Security Benefits

Many companies, like healthcare organizations, must comply with regulations for protecting patient or customer data. Many organizations grapple with the best way to secure potentially sensitive communications without interfering with or slowing down critical business workflows. Because secure email gateways layer on top of existing email accounts, they offer a speedy way to bring your organization into compliance with data security and retention guidelines.

As email continues to be an important channel for essential business communications, all organizations can benefit from protecting their employee accounts and reducing their risk and liability.

Easy to Administer and Use

Another benefit of using a secure email gateway is that your organization does not need to switch your primary email provider to enhance its security. Changing to a more secure email provider can be extremely challenging, especially if you have a lot of users with a lot of data that needs to be migrated to a new system. Add on the training time, and some organizations will find that switching email providers is a significant burden on the organization.

Installing a secure email gateway is very easy for account administrators and often does not require additional training or implementation for email users. Employees can continue to use their regular Microsoft or Google email accounts and do not need to take additional steps to learn an entirely new email program. With 73% of breaches in the healthcare industry caused by human factors, implementing tools that don’t rely on employee decision-making is essential.

Learn More About LuxSci’s Secure Connector

LuxSci’s Secure Connector is unlike other secure email gateways in that it encrypts every email automatically to reduce the risk of breaches caused by human errors. LuxSci provides the flexibility to opt-in to more secure methods of encryption for highly sensitive messages. Email filtering and archival tools are also available to reduce risk and improve resilience in the case of a cyber incident. Contact our sales team to learn more about our email security tools.

Tags: email archival, email encryption, email filtering, email security, hipaa compliance, secure connector, secure email gateway
Posted in Email, LuxSci Library: Email Programs and Devices
Comments Off on What is a Secure Email Gateway?

Is TLS Email Encryption Suitable for Compliance?

Tuesday, September 19th, 2023

This article discusses what types of email encryption are sufficient to comply with government regulations. TLS email encryption is a good option for many organizations that manage sensitive data. However, it does not protect data at rest. Each organization must perform a risk assessment to determine which encryption methods suit their legal requirements.

Read the rest of this post »

Tags: California Senate Bill 1386, email encryption, encryption at rest, ePHI, Federal Rules for Civil Procedure, finra, frcp, glba, Gramm-Leach-Bliley Act, hipaa, nasd 3010, nist, pci dss, pgp, s/mime, Sarbanes-Oxley Act, sb 1386, sec 17a-4, smtp, tls, tls email encyption
Posted in LuxSci Library: HIPAA, LuxSci Library: Security and Privacy
No comments »

How to Secure SMTP Email Delivery with TLS

Tuesday, August 29th, 2023

Secure email sending is a priority for organizations that communicate sensitive data externally. One of the most common ways to send secure emails is with SMTP TLS. TLS stands for Transport Layer Security and is the successor of SSL (Secure Socket Layer). TLS is one of the standard ways that computers on the internet transmit information over an encrypted channel. In general, when one computer connects to another computer and uses TLS, the following happens:

Computer A connects to Computer B (no security)
Computer B says “Hello” (no security)
Computer A says, “Let’s talk securely over TLS” (no security)
Computers A and B agree on how to do this (secure)
The rest of the conversation is encrypted (secure)

In particular:

The conversation is encrypted
Computer A can verify the identity of Computer B (by examining its SSL certificate, which is required for this dialog)
The conversation cannot be eavesdropped upon (without Computer A knowing)
A third party cannot modify the conversation
Third parties cannot inject other information into the conversation.

TLS and SSL help make the internet a more secure place. One popular way to use TLS is to secure SMTP to protect the transmission of email messages between servers.