email security Archives - Page 2 of 4 - LuxSci

Posts Tagged ‘email security’

Secure Email for Healthcare: How To Ensure You’re Not At Risk

Tuesday, December 11th, 2018

Email is one of the most convenient ways of communicating with patients. HIPAA permits email communications, but expects covered entities to take the necessary precautions to protect the integrity and security of patient health information shared via email. Ensure you are not at risk by implementing secure email in your organization.

Secure Email and HIPAA

HIPAA email rules require covered entities to implement controls and security measures that restrict access to PHI, ensure the integrity of PHI at rest, safeguard PHI against unauthorized access in transit and ensure message accountability. The language of the HIPAA Security Rule matters, because some implementation specifications are ‘required’ and some are ‘addressable.’ Required specifications must be implemented. Addressable specifications may be left unimplemented only if a thorough risk analysis concludes that implementation is not reasonable, in which case the specification must be replaced by an equivalent alternative.

Any decision you take regarding addressable specifications needs to be documented in writing. That means you cannot simply “opt out” of addressable specifications.

Sending PHI by email? Consider these risks

When transmitted via email, PHI is exposed to many risks, such as:

    • the message could be mistakenly sent to an unintended recipient
    • the email could be captured en route to the recipient
    • the message could be inappropriately accessed while in storage

Imagine a scenario where a state Medicaid agency’s online form service provider emails information on forms to designated employees within the agency when the forms are submitted. If the email is not transmitted in a secure manner, then the PHI in the forms can be exposed. The compromised data can include names, addresses, birth dates, email addresses, admission and enrollment dates, Social Security numbers, Medicaid identification numbers, insurer name, medical condition, and more.

Although the risk of data being intercepted during transmission is small, it cannot be waved away. Mitigating the potential misuse of PHI is challenging, and it is impossible to predict whether someone who captures PHI en route will use it for personal gain, commercial advantage or malicious harm. Better safe than sorry.

Encryption is an addressable standard, but you should not ignore it

Encryption is an addressable standard for email and data at rest. Still, it is a critical element of HIPAA compliance, particularly if email is your chief mode of communication. HIPAA does not specify the method of encryption, so you can consider various measures to maintain high levels of email security. Two main types of encryption can counter the common security problems encountered in email communications: symmetric encryption and asymmetric encryption.

Symmetric encryption involves encrypting a message into ‘ciphertext’ using a key shared by you and your correspondents. Ciphertext appears as a random sequence of characters, which can be decrypted and interpreted only with the secret key. This form of encryption deters eavesdropping on email and modification of messages in transit.

Asymmetric encryption, also known as public key cryptography, is a relatively new method compared to symmetric encryption. It uses two keys to encrypt plain text: the public key is available to anyone who wants to send you a message, while the private key is known only to you. A message encrypted with the public key can be decrypted only with the corresponding private key, and a message encrypted with the private key can be decrypted with the public key.

Besides sending secure messages, asymmetric encryption lets you sign a message so that you can prove you sent it, the recipient can validate that it was you who sent it, and the recipient can determine whether the message was modified in transit. The most secure route combines both operations: add a signature to the message, then encrypt the message and signature with the recipient’s public key. This addresses the risk of eavesdropping and offers proof of sender and message integrity.
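The sign-then-encrypt route described above, worked through in code. This is an added example, not LuxSci’s code or any particular email product’s implementation: it uses the Go standard library only, with RSA-PSS for the signature, a one-time AES-256-GCM key for the message body, and RSA-OAEP to wrap that key for the recipient. The `Sealed` wire format and the demo key pairs are constructed for this example; a real deployment would carry the same pieces inside S/MIME or OpenPGP structures, and the public keys would come from certificates rather than being generated on the spot.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Sealed is a constructed wire format for this example: the AES key wrapped with
// the recipient's RSA public key, the GCM nonce, and the GCM ciphertext of
// (4-byte signature length || signature || body).
type Sealed struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// SignThenEncrypt signs the body with the sender's private key (RSA-PSS over
// SHA-256), then encrypts signature and body together under a one-time AES-GCM
// key that only the recipient can unwrap (RSA-OAEP).
func SignThenEncrypt(body []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*Sealed, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, 4, 4+len(sig)+len(body))
	binary.BigEndian.PutUint32(plain, uint32(len(sig)))
	plain = append(append(plain, sig...), body...)

	key := make([]byte, 32) // fresh AES-256 key for this message only
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Sealed{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil)}, nil
}

// DecryptThenVerify unwraps the key, opens the ciphertext (GCM rejects any
// modification), then checks the signature against the claimed sender's key.
func DecryptThenVerify(msg *Sealed, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, msg.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap message key: not the intended recipient")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, msg.Nonce, msg.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("message was modified in transit")
	}
	if len(plain) < 4 || 4+int(binary.BigEndian.Uint32(plain)) > len(plain) {
		return nil, errors.New("malformed payload")
	}
	n := int(binary.BigEndian.Uint32(plain))
	sig, body := plain[4:4+n], plain[4+n:]
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("signature does not match the claimed sender")
	}
	return body, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	sender, _ := rsa.GenerateKey(rand.Reader, 2048)    // demo key pair
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048) // demo key pair
	sealed, err := SignThenEncrypt([]byte("Appointment moved to 3pm"), sender, &recipient.PublicKey)
	if err != nil {
		panic(err)
	}
	body, err := DecryptThenVerify(sealed, recipient, &sender.PublicKey)
	fmt.Printf("body=%q err=%v\n", body, err)
}
```

Because the signature sits inside the encrypted envelope, an eavesdropper learns neither the content nor who signed it, and the recipient cannot strip the signature and re-encrypt the body for a third party while keeping the sender’s endorsement attached, which is the usual argument for signing first.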

Encrypted email archiving

Email archiving is an important HIPAA-compliant email practice, enabling covered entities to retain and protect PHI-containing email messages, while also making archived email easy to retrieve, especially during emergencies, litigation discovery and compliance audits.

Email archiving providers are designated as Business Associates and must comply with the HIPAA Security Rule just as covered entities must. Check out this article to learn about when and why a BAA is required.

Choosing a secure email provider

Another conversation you will have with regard to email security is the choice of email provider. Your email provider should be cognizant of the administrative, physical and technical safeguards stipulated under the HIPAA regulations as well as provide a reliable service. Some questions that you should ask a potential provider include:

  • Is the provider aware of their responsibilities under HITECH and Omnibus?
  • Are they willing to advise you on your security and privacy options?
  • Do they have controls in place to validate and audit each user’s access?
  • What types of email encryption are offered?
  • Do they dispose of data securely?
  • Can they ensure emergency access to your email?
  • Do they provide web-based access without requiring third-party software?
  • Will they sign a HIPAA Business Associate Agreement?

Want to discuss how LuxSci’s HIPAA-Compliant Email Solutions can help your organization?  Contact Us

Will Email Ever Be Truly Secure?

Tuesday, November 6th, 2018

Email gateways are a leading cause of security breaches. The optimistic view is that effective email security practices, firewalls, mobile device security, wireless security, endpoint security, web security, behavioral best practices, data loss prevention and network access control – among other solutions – can ensure foolproof security. The realistic view is that email – or anything for that matter – cannot be truly secure.

To err is human. Technology advancement is both a boon and a bane: cyber attacks are more sophisticated than before. You cannot trust any one security solution, place your full trust in end-to-end encryption (currently the most secure way to communicate securely and privately online), or predict when someone will break into your device and access your email.

The road to HIPAA compliance is paved with many risks, possibilities and outcomes. Well-researched and thoughtful implementations are essential but there are many decisions to make and loose ends to tie up. Your ePHI protection, privacy and confidentiality practices may be excellent, but your employees may still mistakenly dispose of a fax machine or hard drive that contains retrievable PHI. Or some of your staff may fail to observe the policy of what needs to be encrypted and what does not.


And if you thought that email encryption, cryptographic protocols and even your computer system and CPU were protecting your data at all times, think again…


HIPAA-Compliant Email Checklist – 8 Things You Need to Know

Tuesday, August 14th, 2018

The Health Insurance Portability and Accountability Act (HIPAA) applies to protected health information (PHI). When stored or transmitted electronically, the HIPAA Security and Privacy Rules require covered entities to safeguard the integrity and confidentiality of electronic protected health information (ePHI). The most common way in which ePHI is shared is via email. No wonder then that HIPAA-compliant email security is a critical concern for healthcare organizations, with a majority preferring to outsource this item to knowledgeable providers.

The HIPAA email security rule

The section of the HIPAA Security Rule that pertains to email explicitly requires adequate protection for all patient data and does not endorse or prohibit the use of any specific technologies to ensure robust protection. The rule lays down four standards:

  1. Organizational requirements stating the specific functions that a covered entity must perform, including the implementation of policies and procedures and obligations with respect to business associate contracts.
  2. Administrative requirements related to the training, professional development and employee management covering PHI.
  3. Physical safeguards encompassing the security of computer systems, servers and networks, access to the facility and workstations, data backup and storage, and the destruction of obsolete data.
  4. Technical safeguards that ensure the security of email data transmitted over an open electronic network as well as the storage of that data.

HIPAA-Compliant Email Checklist

While email encryption gets most of the spotlight during discussions on email security, email security covers a range of behaviors, controls, and services that work together to address eight key areas.

1. Access: How can you effectively safeguard access to your email account and email messages?

  • Use strong passwords that cannot be easily guessed or memorized
  • Create different passwords for different sites and/or applications
  • Use two-factor authentication
  • Secure connections to your email service provider using TLS and/or a VPN
  • Block unencrypted connections
  • Be prepared with software that remotely wipes sensitive email off your mobile device when it is stolen or misplaced
  • Log off from your system when it is not in use and you’re not at your desk
  • Emphasize opt-out email encryption to minimize breaches resulting from human error

2. Encryption: Email is inherently insecure and at risk of being read, stolen, eavesdropped on, modified and forged (repudiated). Covered entities should therefore go beyond the technical safeguards of the HIPAA Security Rule and adopt a ‘better safe than sorry’ approach to email security in message transmission, storage and security, and in ensuring that the business associates they engage are HIPAA compliant.

  • Your email system should be able to send secure messages to anyone with any address
  • You should be able to receive secure messages from anyone
  • Measures should be in place to prevent the insecure transmission of sensitive data via email
  • Explore the use of features to retract a sent email message if it is found to be wrongfully containing sensitive data or to have been sent to the wrong address
  • Avoid opt-in encryption in order to satisfy the HIPAA Omnibus Rule

3. Backups and archival: HIPAA sets forth rules on email backups and archival even for unencrypted email containing ePHI that was sent by mutual consent.

  • Are there backups of your email folders?
  • Are there at least two different backups at two different geographical locations? The processes updating these backups should be independent of each other as a measure against backup system failures.
  • Have you maintained separate, permanent and searchable archives? While the emails should be tamper-proof, with no way to delete or edit them, they should be easily retrievable to facilitate discovery, comply with audit requests and support business-critical scenarios.

4. Defense: Do you have controls in place to safeguard against malicious messages?

  • Use server-side inbound email malware and anti-virus scanning, including scans for phishing and malicious links
  • Show the sender’s email address
  • Use filtering software to detect fraudulent messages, and ensure it uses SPF, DKIM and DMARC information to classify messages
  • Scan outbound email
  • Scan workstations for malware and viruses
  • Use plain text previews of your messages

5. Authorization: Protect others against malicious email impersonating you by configuring your own domains with SPF and DKIM so that recipients’ email filters can identify forged email. Also ensure that email cannot be sent through your email servers without authentication and encryption.
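The filtering point in the Defense list (classify inbound mail using SPF, DKIM and DMARC) and the Authorization point above (publish SPF and a DMARC policy for your own domain so that recipients can identify forged mail) can be illustrated with a small evaluator. This is an added example, not LuxSci’s code or a complete implementation: it evaluates only the ip4, ip6 and all mechanisms of SPF, does not follow include or check DKIM signatures or identifier alignment, and the TXT records it consults are constructed sample data (documentation IP ranges and .example domains) standing in for DNS lookups.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed TXT records standing in for DNS lookups (sample data only).
var txtRecords = map[string]string{
	"clinic.example":         "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
	"_dmarc.clinic.example":  "v=DMARC1; p=reject; rua=mailto:dmarc-reports@clinic.example",
	"partner.example":        "v=spf1 ip4:198.51.100.10 ~all",
	"_dmarc.partner.example": "v=DMARC1; p=quarantine",
	"legacy.example":         "v=spf1 ip4:203.0.113.0/24 ?all", // no DMARC record published
}

func lookupTXT(name string) (string, bool) {
	rec, ok := txtRecords[name]
	return rec, ok
}

// matchIP reports whether ip falls inside an ip4:/ip6: mechanism argument,
// which may be a single address or a CIDR range.
func matchIP(spec string, ip net.IP) bool {
	if strings.Contains(spec, "/") {
		_, network, err := net.ParseCIDR(spec)
		return err == nil && network.Contains(ip)
	}
	other := net.ParseIP(spec)
	return other != nil && other.Equal(ip)
}

// CheckSPF evaluates the ip4, ip6 and all mechanisms of a domain's SPF record
// against the connecting IP. Simplification: include, a and mx are not followed.
func CheckSPF(domain string, ip net.IP) string {
	rec, ok := lookupTXT(domain)
	if !ok || !strings.HasPrefix(rec, "v=spf1") {
		return "none"
	}
	for _, term := range strings.Fields(rec)[1:] {
		qualifier := "+"
		if strings.ContainsAny(term[:1], "+-~?") {
			qualifier, term = term[:1], term[1:]
		}
		matched := false
		switch {
		case term == "all":
			matched = true
		case strings.HasPrefix(term, "ip4:"), strings.HasPrefix(term, "ip6:"):
			matched = matchIP(term[4:], ip)
		}
		if matched {
			return map[string]string{"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
		}
	}
	return "neutral"
}

// DMARCPolicy returns the p= tag of _dmarc.<domain>, or "" when no policy is published.
func DMARCPolicy(domain string) string {
	rec, ok := lookupTXT("_dmarc." + domain)
	if !ok || !strings.HasPrefix(rec, "v=DMARC1") {
		return ""
	}
	for _, tag := range strings.Split(rec, ";") {
		kv := strings.SplitN(strings.TrimSpace(tag), "=", 2)
		if len(kv) == 2 && kv[0] == "p" {
			return strings.ToLower(strings.TrimSpace(kv[1]))
		}
	}
	return "none"
}

// Classify turns the SPF result plus the sender domain's DMARC policy into a
// disposition. A full DMARC evaluation also consults DKIM results and identifier
// alignment; SPF alone is used here to keep the example self-contained.
func Classify(domain string, ip net.IP) string {
	spf := CheckSPF(domain, ip)
	if spf == "pass" {
		return "deliver"
	}
	switch DMARCPolicy(domain) {
	case "reject":
		return "reject"
	case "quarantine":
		return "quarantine"
	}
	if spf == "fail" { // no DMARC policy: fall back on SPF's own advice
		return "reject"
	}
	return "deliver"
}

func main() {
	for _, c := range []struct{ domain, ip string }{
		{"clinic.example", "192.0.2.55"}, {"clinic.example", "203.0.113.9"},
		{"partner.example", "203.0.113.9"}, {"legacy.example", "198.51.100.1"},
	} {
		fmt.Printf("%-16s from %-14s spf=%-8s -> %s\n", c.domain, c.ip, CheckSPF(c.domain, net.ParseIP(c.ip)), Classify(c.domain, net.ParseIP(c.ip)))
	}
}
```

The cases in `main` show why the Authorization point matters: mail claiming to be from clinic.example but arriving from an address outside its published ranges is rejected outright because the domain publishes `-all` and `p=reject`, whereas legacy.example, with `?all` and no DMARC record, gives a receiver nothing to act on and forged mail in its name is delivered.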

6. Reporting: Setting accountability standards for email security is an essential part of establishing and improving your HIPAA compliance posture.

  • Create login audit trails
  • Receive login failure and success alerts
  • Auto-block attackers
  • Maintain a log of all sent messages
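The first three Reporting items above (login audit trails, failure and success alerts, auto-blocking attackers) are one detection loop run over the authentication log. The following is an added example, not LuxSci’s code or the logging format of any particular mail server: the log lines are constructed sample data in a simple `time auth=… user=… ip=…` layout, and the thresholds (block after 5 failures within 10 minutes, alert on a success preceded by 3 or more recent failures) are assumptions chosen for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed sample of a mail server authentication log (not real data).
const sampleLog = `2018-08-14T09:00:01Z auth=fail user=nurse.k ip=203.0.113.7
2018-08-14T09:00:04Z auth=fail user=nurse.k ip=203.0.113.7
2018-08-14T09:00:09Z auth=fail user=dr.lee ip=203.0.113.7
2018-08-14T09:00:15Z auth=fail user=admin ip=203.0.113.7
2018-08-14T09:00:20Z auth=fail user=admin ip=203.0.113.7
2018-08-14T09:00:31Z auth=ok user=admin ip=203.0.113.7
2018-08-14T09:05:00Z auth=ok user=dr.lee ip=198.51.100.20
2018-08-14T09:40:00Z auth=fail user=dr.lee ip=198.51.100.20
2018-08-14T09:41:00Z auth=ok user=dr.lee ip=198.51.100.20`

type Event struct {
	At   time.Time
	OK   bool
	User string
	IP   string
}

// Report is the audit outcome: which source IPs were auto-blocked (and when),
// and the alerts an administrator should receive.
type Report struct {
	Blocked map[string]time.Time
	Alerts  []string
}

// ParseLine reads one "<RFC3339 time> auth=<ok|fail> user=<u> ip=<a>" record.
func ParseLine(line string) (Event, error) {
	var ev Event
	fields := strings.Fields(line)
	if len(fields) != 4 {
		return ev, fmt.Errorf("unexpected field count in %q", line)
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return ev, err
	}
	ev.At = at
	for _, kv := range fields[1:] {
		k, v, found := strings.Cut(kv, "=")
		if !found {
			return ev, fmt.Errorf("bad field %q", kv)
		}
		switch k {
		case "auth":
			ev.OK = v == "ok"
		case "user":
			ev.User = v
		case "ip":
			ev.IP = v
		}
	}
	return ev, nil
}

// Analyze replays the log in order and applies two rules per source IP:
// block after maxFailures failed logins inside window, and alert when a login
// succeeds from an IP that had at least alertAfter failures inside window.
func Analyze(lines []string, maxFailures, alertAfter int, window time.Duration) (Report, error) {
	rep := Report{Blocked: map[string]time.Time{}}
	recent := map[string][]time.Time{} // failure timestamps per IP, pruned to window
	for _, line := range lines {
		if strings.TrimSpace(line) == "" {
			continue
		}
		ev, err := ParseLine(line)
		if err != nil {
			return rep, err
		}
		kept := recent[ev.IP][:0] // drop failures that fell out of the window
		for _, ts := range recent[ev.IP] {
			if ev.At.Sub(ts) <= window {
				kept = append(kept, ts)
			}
		}
		recent[ev.IP] = kept
		if !ev.OK {
			recent[ev.IP] = append(recent[ev.IP], ev.At)
			if _, blocked := rep.Blocked[ev.IP]; !blocked && len(recent[ev.IP]) >= maxFailures {
				rep.Blocked[ev.IP] = ev.At
				rep.Alerts = append(rep.Alerts, fmt.Sprintf("%s blocked %s after %d failed logins", ev.At.Format(time.RFC3339), ev.IP, len(recent[ev.IP])))
			}
			continue
		}
		if n := len(recent[ev.IP]); n >= alertAfter {
			rep.Alerts = append(rep.Alerts, fmt.Sprintf("%s successful login for %s from %s after %d recent failures", ev.At.Format(time.RFC3339), ev.User, ev.IP, n))
		}
	}
	return rep, nil
}

func main() {
	rep, err := Analyze(strings.Split(sampleLog, "\n"), 5, 3, 10*time.Minute)
	if err != nil {
		panic(err)
	}
	fmt.Println("blocked:", rep.Blocked)
	for _, a := range rep.Alerts {
		fmt.Println("alert:", a)
	}
}
```

On the sample data the block rule fires on the fifth failure from 203.0.113.7, and the success rule flags the `admin` login that follows, which is the case a HIPAA reviewer most wants surfaced: a guessed or phished credential that was used from the same source that had just been failing. The isolated failure from 198.51.100.20 stays in the audit trail but raises no alert.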

7. Reviews and policies: Use best practices of email security that focus on plugging vulnerabilities and preventing human errors.

  • Invite independent third parties to review your email policies and user settings. Fresh unbiased eyes can weed out issues quickly.
  • Disallow the use of public Wi-Fi for devices that connect to your sensitive email
  • Your email policy should prohibit clicking on links or opening attachments that are not expected or requested

8. Repeat: What you cannot manage in-house, outsource to expert providers and vendors. Perform a yearly review of your email security and stay on top of emerging cybersecurity threats to take proactive action when necessary for sustained HIPAA compliance.

Want to discuss how LuxSci’s Business Email Solutions can help with HIPAA-Compliant Email? Contact Us

SSL versus TLS – What’s the difference?

Saturday, May 12th, 2018

SSL versus TLS

TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are protocols that provide data encryption and authentication between applications and servers in scenarios where that data is being sent across an insecure network, such as checking your email (How does the Secure Socket Layer work?). The terms SSL and TLS are often used interchangeably or in conjunction with each other (TLS/SSL), but one is in fact the predecessor of the other — SSL 3.0 served as the basis for TLS 1.0 which, as a result, is sometimes referred to as SSL 3.1. With this said though, is there actually a practical difference between the two?

SSL versus TLS: What is the difference?

See also our Infographic which summarizes these differences.


How can I prove an email was actually sent to me?

Wednesday, June 14th, 2017

Someone claims to have sent you an email message. You never got it, as far as you know. How can you prove an email was actually sent? How can you check?

