" email security Archives - LuxSci

Posts Tagged ‘email security’

Time-Based Access Control

Tuesday, March 16th, 2021

A new security feature is available for LuxSci WebMail customers. Account administrators now have the option to implement time-based access controls for their users. Administrators can restrict what times of day and what days of the week individual users are permitted to use the LuxSci web interface (for WebMail, administration, or other tasks) to increase security on the platform.

This prevents unauthorized off-hours access by employees and by potential attackers holding stolen credentials. In a compliance context, LuxSci customers can apply time-of-day access controls at the user level to further limit the attack surface and keep essential information protected.

How to Enable Time-Based Access

You must be an account administrator to enable time-based access. To edit this setting, go to the user’s account and click on “Settings.” Under “Security,” go to the “General” page and complete the following steps:

  • Enable the overall setting “Enable time-based access restrictions to this web interface.”
  • Select the time zone to use for these times.
  • For each day the user will be allowed to log in to the Web Interface, enter one or two time ranges in the 24-hour time format “HH:MM-HH:MM.”
    • For example, if the user can use the system between 9am and 5pm, you would enter “09:00-17:00.” Use two time ranges if there are two distinct periods of time during the day that are acceptable.
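To show how a schedule in this format is evaluated, here is an added example in Go (not LuxSci’s code; the Schedule type, the function names and the sample office-hours schedule are this example’s own assumptions). It parses the per-day “HH:MM-HH:MM” ranges, converts a login timestamp into the administrator’s selected time zone and decides whether the login falls inside an allowed range:

```go
package main

import (
	"fmt"
	"strings"
	"time"
	_ "time/tzdata" // embedded zone database, so LoadLocation works without system tzdata
)

// Schedule holds, per weekday, the "HH:MM-HH:MM" ranges during which the user may log
// in, as entered on the settings page; a weekday with no entry means no login that day.
type Schedule map[time.Weekday][]string

// parseRange turns "HH:MM-HH:MM" into minutes-since-midnight bounds and rejects
// malformed or reversed ranges, as the settings form would.
func parseRange(r string) (int, int, error) {
	var bounds [2]int
	parts := strings.Split(r, "-")
	if len(parts) != 2 {
		return 0, 0, fmt.Errorf("range %q is not HH:MM-HH:MM", r)
	}
	for i, p := range parts {
		t, err := time.Parse("15:04", strings.TrimSpace(p))
		if err != nil {
			return 0, 0, fmt.Errorf("bad time in range %q: %w", r, err)
		}
		bounds[i] = t.Hour()*60 + t.Minute()
	}
	if bounds[0] >= bounds[1] {
		return 0, 0, fmt.Errorf("range %q must start before it ends", r)
	}
	return bounds[0], bounds[1], nil
}

// Allowed reports whether a login at instant t is permitted. t is converted into the
// selected zone first, so a UTC timestamp from a log line is judged on the local clock,
// daylight-saving shifts included. Range ends are exclusive: 16:59 is in, 17:00 is out.
func Allowed(s Schedule, zone string, t time.Time) (bool, error) {
	loc, err := time.LoadLocation(zone)
	if err != nil {
		return false, err
	}
	local := t.In(loc)
	minute := local.Hour()*60 + local.Minute()
	for _, r := range s[local.Weekday()] {
		start, end, err := parseRange(r)
		if err != nil {
			return false, err
		}
		if minute >= start && minute < end {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed schedule: Monday to Friday, 09:00-12:00 and 13:00-17:00, nothing at weekends.
	office := Schedule{}
	for d := time.Monday; d <= time.Friday; d++ {
		office[d] = []string{"09:00-12:00", "13:00-17:00"}
	}
	// 14:30 UTC on Tuesday 2021-03-16 is 10:30 EDT in New York, so this login is allowed.
	fmt.Println(Allowed(office, "America/New_York", time.Date(2021, 3, 16, 14, 30, 0, 0, time.UTC)))
}
```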


Additional Security Features

In addition to this feature, we also recommend that LuxSci customers take advantage of our other security controls such as:

Dedicated Servers: How They Improve Security And Reliability

Tuesday, December 8th, 2020

What’s best for your organization, shared or dedicated servers? If your company is looking for website hosting, an email provider, or hosting for other online services, this question may not be high up on its list of priorities. The differences between shared and dedicated servers may not seem particularly obvious or important at first, but your choice could have significant security and reliability ramifications down the line.

Many providers will steer you toward shared servers, or only provide a “shared cloud,” even though these may not be in your company’s best interest.


Why?

It’s more efficient and cost-effective for providers to lump a bunch of their customers onto the same server. This makes it easier to manage and reduces the provider’s overhead expenses. Your provider’s cost savings and ease of administration probably aren’t your organization’s greatest concerns. Instead, you should be more worried about the additional risks and complications that shared servers can bring to your business.

While dedicated servers can be a more expensive option, particularly for companies with limited needs, they provide security and reliability benefits that can make it worthwhile.

Security of Shared vs Dedicated Servers

Let’s say your website is hosted on a shared server, along with a bunch of other websites. For the sake of this example, let’s also presume that you are exceptionally diligent. All of your software and plugins are always updated as soon as possible, you have strong passwords, two-factor authentication, and suitable access control policies. You have regular security audits, and any issues that pop up are immediately rectified. Your site is essentially Fort Knox.

But what about the sites that you share your server with?

You have no control over them, and can’t make sure that they take all of the same security precautions that your organization does.

Well, that’s their problem, right?

It is, but it could very easily become your problem as well. There are a number of situations in which things could go badly for your organization as well.

Security Risks on Shared Servers

  • One or more of the other websites may be highly vulnerable. Whether through neglecting their updates or other poor security practices, they may be easy to infiltrate. If hackers can compromise one site on the server, it can give them a window into the others. This means that sharing a server significantly increases your own risk of data breaches. Cybercriminals may even target your site deliberately by looking up others that share the same IP address.
  • Malicious actors may set up their own sites on your shared server, with the sole intention of using this access to penetrate the other sites. This can also result in your organization’s website and database being breached.
  • You may share the server with a high-value target, such as a political activist or journalist. If they raise the ire of others, they could fall victim to a DDoS attack. Not only could this prevent legitimate visitors from accessing their website, but it could use up the shared resources, preventing anyone from being able to visit your site as well.

These examples around web hosting also apply to other services such as email hosting, video conferencing, payment processing, online chat, etc. It is always a better and more secure choice to isolate your services and data from others to the maximum degree possible.

While shared servers can be the more economical option, particularly for those with limited needs, you also need to weigh these savings against the potential threats that come from any of these attacks. Is the possibility of suffering an attack, along with its costs, the damage to your organization’s reputation and the stress involved, worth the slight reduction in price?

If you use a shared server, it takes control out of your organization’s hands. The configuration is handled by the provider, which means that you cannot set it up according to your company’s needs and risk tolerance.

Reliability of Shared vs Dedicated Servers

If your organization uses a shared service, it means it’s sharing the resources with many other organizations provisioned on to the same shared server(s). The disk space, disk throughput, memory, network capacity, and processing power are all split or shared between the various parties.

This isn’t necessarily a problem—unless one of the other customers starts consuming all of the resources. If you share a server with one of these bad neighbors, the strain can cause your services to slow down, or even become unavailable. In practical terms, this could result in your website being down, your email being inaccessible, your employees being unable to send messages, or your video teleconferencing system malfunctioning.

If one of these bad neighbors is sending out email spam, that activity can also get the whole shared server or shared IP space blacklisted. This can result in your company’s emails going straight to the spam folder, even when it has done nothing wrong. When you use shared resources, the reliability of your email sending and the successful inbox delivery of your messages depend on others.

LuxSci’s Dedicated Server Options

You can avoid facing these security and reliability issues through segmentation and isolation. LuxSci provides a range of options to suit a variety of different needs. These include giving clients:

  • Their own dedicated server(s) that are firewalled off from other customers.
  • Their own network segment with dedicated physical or network firewalls. These can be customized according to an organization’s needs.
  • Their own dedicated physical hardware, which means that even virtualization hypervisors aren’t shared between customers.

These options give our clients the flexibility they need to meet their organization’s unique requirements. Pursuing one of the above options will mean that your organization won’t have to worry about the threats or reliability problems that sharing a server can bring.

Contact our team for more information on how our dedicated servers can help your organization reduce its risks and circumvent reliability issues.

HIPAA-compliant Email Host or SMTP Connector?

Tuesday, July 28th, 2020


You may have heard that you need to use HIPAA-compliant email to protect your organization’s ePHI, but many people aren’t sure where to go from there. Don’t worry if you fall into this camp, because this article will explain your options in depth.

The most straightforward solution is to simply sign up for a HIPAA-compliant email host. These are providers who specifically design their email services to be compliant with HIPAA regulations. A good example is LuxSci’s Secure Email.

If you currently use tools like Google Workspace or Microsoft Office 365 for your email, you might be looking for ways that you can adapt them for HIPAA compliance. The good news is that this is possible with an outbound encryption tool like our HIPAA-compliant SMTP connector.

Some organizations may pursue this option because they need certain features that these programs offer, while others may be hesitant to introduce new software and have to train their employees to use it.

Why Do You Need a HIPAA-compliant SMTP Connector for Google Workspace, Microsoft Office & Other Services?

These services aren’t designed to be HIPAA-compliant. Tools like Google Workspace, Microsoft Office 365, and Microsoft Exchange are designed for the mass market, so HIPAA compliance and security were not significant factors during their development.

This means that they are unsuitable for protecting ePHI straight out of the box. In the case of Google Workspace, it lacks a HIPAA-compliant email encryption solution. Microsoft does have one, but it is difficult to configure. A solution like LuxSci’s Secure SMTP Connector hooks up to your existing email service, bridging the gap to make your outbound email secure and HIPAA-compliant.


HIPAA-compliant SMTP connectors can also help you send emails if your internet service provider prevents or limits your outbound mail server from sending messages. On top of this, they can add SMTP authentication to your outbound email system, as well as offer encryption and archival mechanisms. SMTP connectors can also assist you in adapting your existing mail service in a variety of other ways.

Should You Use a HIPAA-compliant Email Host or an SMTP Connector?

Every organization will come to its own conclusion, based on the factors that matter most in its unique situation. If your main concern is making your company’s HIPAA compliance as easy as possible, then a HIPAA-compliant email host is probably your best option.

These are developed with the regulations in mind, and are designed to make compliance simple, with configuration options that suit a range of scenarios. With a HIPAA-compliant email host, you are less likely to misconfigure it and accidentally expose ePHI. 

LuxSci’s HIPAA-compliant email is designed to offer you a high level of performance and functionality, without having to constantly worry about regulatory headaches.

In contrast, some organizations aren’t in a position where they are ready to switch to a new email host. If they rely on certain software features in Google Workspace or Microsoft Office 365, it’s best for them to deploy LuxSci’s secure connector so that they can protect their outbound email sending.

Setting up and maintaining HIPAA compliance may be more complicated if they pursue this option, but it’s still a better choice than completely disregarding their regulatory obligations.

Do Healthcare Marketing Emails Have to Be HIPAA-Compliant?

Friday, July 26th, 2019

Healthcare is a competitive business! A well thought out marketing strategy can help you outshine your competition, but providers need to keep compliance in mind when considering email marketing for healthcare.

Many organizations have substantial email lists of their clients and wonder how they can utilize them to increase patient engagement. Marketing professionals may strongly suggest email communications, but it is important to understand the HIPAA restrictions around email marketing for healthcare before starting a campaign.

So, do healthcare marketing emails have to be HIPAA-compliant? It’s an important question to ask, and one that’s not exactly clear-cut, because the answer is dependent on the context.

Does the Marketing Email Contain Protected Health Information?

Email marketing for healthcare is subject to HIPAA regulations if the emails contain “protected health information” that is “individually identifiable.” The term “protected health information” refers to any data that relates to a person’s health, treatment, or payment information, whether it is in the past, present, or future.

Under this definition, some examples of PHI may include:

  • Test results
  • Prescription refill notifications
  • Appointment reminders
  • A receipt or bill for healthcare services

Is the Information Individually Identifiable?

If information is individually identifiable, it can somehow be linked back to the individual. There is a long list of identifiers, which includes:

  • Names
  • Addresses
  • Birthdays
  • Contact details (like email addresses)
  • Insurance details
  • Biometrics

The final entry in the official list of possible identifiers is “Any other characteristic that could uniquely identify the individual,” so the concept is really all-encompassing.

Do Your Marketing Emails Need to Comply?

If both conditions are met, then the email needs to be sent in a HIPAA-compliant manner. If they are not, your organization may be safe. Even so, before you rush to start an email campaign, you need to be careful: the edges of HIPAA can be blurry and it is best to proceed with caution.

Let’s take this example. A clinic comes across a study that recommends new dietary supplementation for expectant mothers. It decides that it can use this information not just to help mothers-to-be, but to also bring in new business. The clinic then sends out an email to all of its expectant mothers with details from the new study, asking them to make an appointment if they have any further questions.

Everything should be above board, right? Well, maybe not. Because the email was only sent to expectant mothers, it implies that everyone in the group is an expectant mother, which means that it could be considered protected health information. Each email address is also considered individually identifiable information.

With both of these characteristics in place, it’s easy to see how this kind of email could violate HIPAA regulations. If the email had been sent to every member of the clinic, then it might not be viewed as violating HIPAA. This approach wouldn’t single out the women who were pregnant (though it might single you out as a former patient of that clinic and could also imply things about your past/present/future medical treatments). It might seem unlikely, but these situations occur all the time. 

Even if most of your organization’s emails don’t include PHI, sending them in a HIPAA-compliant manner is wise. It is very easy to make a mistake and accidentally include ePHI in a marketing email. When you consider the high penalties of these violations, making sure that all of your emails are sent securely ends up being a worthwhile investment.

How Can You Make Email Marketing for Healthcare HIPAA-Compliant?

If your healthcare organization sends out marketing emails, then it is important to make sure that they are sent in a HIPAA-compliant manner. The best approach is to use an email marketing platform designed specifically for health care, such as LuxSci’s HIPAA-Compliant Secure Marketing platform.

Your organization will need to sign a HIPAA Business Associate Agreement with any service provider you work with. It is also important to use the appropriate encryption, access controls, and other security mechanisms that are required to protect ePHI. Be sure to vet your email provider thoroughly and remember that signing a BAA is not enough to ensure compliance. 

Secure Email for Healthcare: How To Ensure You’re Not At Risk

Tuesday, December 11th, 2018

Email is one of the most convenient ways of communicating with patients. HIPAA permits email communications, but expects covered entities to take the necessary precautions to protect the integrity and security of patient health information shared via email. Ensure you are not at risk by implementing secure email in your organization.

Secure Email and HIPAA

HIPAA email rules require covered entities to implement controls and security to restrict access to PHI, ensure the integrity of PHI at rest, safeguard PHI against unauthorized access during transit and ensure message accountability. The language of the HIPAA Security Rule is important, as some standards are ‘required’ and some ‘addressable.’ Required specifications must be implemented; an addressable specification may be left unimplemented only if a thorough risk analysis concludes that implementing it is not reasonable. An implementation specification deemed unreasonable can be replaced by an equivalent alternative.

Any decision you take regarding addressable specifications needs to be documented in writing. That means you cannot simply “opt out” of addressable specifications.

Sending PHI by email? Consider these risks

When transmitted via email, PHI is exposed to many risks, such as:

    • the message could be mistakenly sent to an unintended recipient;
    • the email could be captured en route to the recipient;
    • the message could be inappropriately accessed while in storage.

Imagine a scenario where a state Medicaid agency’s online form service provider emails information on forms to designated employees within the agency when the forms are submitted. If the email is not transmitted in a secure manner, then the PHI in the forms can be exposed. The compromised data can include names, addresses, birth dates, email addresses, admission and enrollment dates, Social Security numbers, Medicaid identification numbers, insurer name, medical condition, and more.

Although there is only a small risk of the data being intercepted during transmission, it cannot be waved away. Mitigating the potential misuse of PHI is challenging, and it is impossible to predict whether someone who does capture PHI en route will use it for personal gain, commercial advantage or malicious harm. Better safe than sorry.

Encryption is an addressable standard, but you should not ignore it

Encryption is an addressable standard for email and data at rest. Still, it is a critical element of HIPAA compliance, particularly if email is your chief mode of communication. HIPAA does not specify the method of encryption, so you can consider various measures to maintain high levels of email security. Two main types of encryption can counter the common security problems encountered in email communications: symmetric encryption and asymmetric encryption.

Symmetric encryption involves encrypting a message into ‘ciphertext’ using a key shared by you and your correspondents. Ciphertext appears as a random sequence of characters, which can be decrypted and interpreted only with the secret key. This form of encryption deters eavesdropping on email and modification of messages in transit.

Asymmetric encryption, also known as public key cryptography, is a relatively new method compared to symmetric encryption. It uses two keys: the public key is available to anyone who wants to send you a message, but the second, private key is known only to you. A message encrypted with a public key can be decrypted only with the matching private key, while a message encrypted with a private key can be decrypted with the corresponding public key, which is what makes digital signatures possible.

Besides sending secure messages, asymmetric encryption allows you to prove to someone that you sent a message: you sign the message to validate that it was you who sent it and to help the recipient determine whether the message was modified in transit. The most secure route is to add a signature to the message and then encrypt the message and signature together with the recipient’s public key. This addresses the risk of eavesdropping and offers proof of sender and message integrity.
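The sign-then-encrypt route described above, as an added Go example that is not LuxSci’s code. The Envelope format, the function names and the NewKey helper are this example’s own assumptions, and it goes one step beyond the text: because RSA can only encrypt a short block, the message and signature are encrypted under a fresh AES-256-GCM key and only that key is encrypted with the recipient’s public key (the hybrid construction deployed email encryption uses).

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is this example's own wire format (not S/MIME or PGP): the AES session key
// wrapped to the recipient's RSA public key, the GCM nonce, and AES-GCM(signature || message).
type Envelope struct {
	WrappedKey, Nonce, Ciphertext []byte
}

func NewKey() *rsa.PrivateKey { // demo 2048-bit key pair; real keys come from certificates
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // cannot fail: callers guarantee a 32-byte key
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// SealSigned signs msg with the sender's private key, then encrypts signature and message
// for the recipient under a fresh AES-256-GCM key that is itself RSA-OAEP encrypted.
func SealSigned(msg []byte, sender *rsa.PrivateKey, to *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	keyNonce := make([]byte, 32+12) // 256-bit AES key, then a 96-bit GCM nonce
	rand.Read(keyNonce)             // crypto/rand.Read cannot return an error since Go 1.24
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, to, keyNonce[:32], nil)
	if err != nil {
		return nil, err
	}
	sealed := gcmFor(keyNonce[:32]).Seal(nil, keyNonce[32:], append(sig, msg...), nil)
	return &Envelope{wrapped, keyNonce[32:], sealed}, nil
}

// OpenVerified unwraps the session key with the recipient's private key, decrypts (GCM also
// detects tampering), then checks the signature with the sender's public key.
func OpenVerified(env *Envelope, me *rsa.PrivateKey, from *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, me, env.WrappedKey, nil)
	if err != nil || len(key) != 32 {
		return nil, rsa.ErrDecryption // wrong recipient key or damaged wrapped key
	}
	payload, err := gcmFor(key).Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil || len(payload) < from.Size() { // a PSS signature is exactly the key size
		return nil, rsa.ErrDecryption // tampered, truncated or wrong nonce
	}
	sig, msg := payload[:from.Size()], payload[from.Size():]
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(from, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, err // rsa.ErrVerification: not signed by the claimed sender
	}
	return msg, nil // both confidentiality and sender/integrity checks passed
}

func main() {}
```

The recipient learns nothing about the message unless the unwrap, the GCM check and the signature check all succeed, which is the property the text calls proof of sender and message integrity.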

Encrypted email archiving

Email archiving is an important HIPAA-compliant email practice, enabling covered entities to retain and protect PHI-containing email messages, while also making archived email easy to retrieve, especially during emergencies, litigation discovery and compliance audits.

Email archiving providers are designated as Business Associates, and must comply with the HIPAA Security Rule just as covered entities do. Check out this article to learn about when and why a BAA is required.

Choosing a secure email provider

Another conversation you will have with regard to email security is the choice of email provider. Your email provider should be cognizant of the administrative, physical and technical safeguards stipulated under the HIPAA regulations as well as provide a reliable service. Some questions that you should ask a potential provider include:

  • Is the provider aware of their responsibilities under HITECH and Omnibus?
  • Are they willing to advise you on your security and privacy options?
  • Do they have controls in place to validate and audit each user’s access?
  • What types of email encryption are offered?
  • Do they dispose of data securely?
  • Can they ensure emergency access to your email?
  • Do they provide web-based access without requiring third-party software?
  • Will they sign a HIPAA Business Associate Agreement?

Want to discuss how LuxSci’s HIPAA-Compliant Email Solutions can help your organization? Contact us.
