email Archives - Page 3 of 9 - LuxSci

Posts Tagged ‘email’

Securing your iPhone’s Email – Best Practices

Wednesday, November 4th, 2020

Apple offers an array of configuration options for securing your iPhone email. However, there are a number of steps that you will have to take before your device and its emails are actually protected.

Securing your iPhone email: Protect the iPhone itself first

The best place to start securing your iPhone email is by making sure the phone itself is protected. If the phone isn’t secure, then not only could someone access your email, but they could get your documents, pictures, contacts, and everything else you have on it. They could even take over your accounts.

This first step is pretty basic, and it applies to everyone, regardless of whether you have an iPhone or an Android device. Set up a passcode or password, and Touch ID or Face ID if you prefer these methods for unlocking your device.

A strong password will be harder to crack than a shorter passcode, at the cost of convenience. Your choice will depend on how sensitive the data on your phone is. At the lower end, a 6-digit passcode should be fine as long as it isn’t too easy to guess. Why? Because after several failed attempts, Apple begins to lock the phone for longer periods before a user can make further guesses. There’s even an option that users can set so that the iPhone will erase its data after 10 failed attempts (enable that if the data on your phone is very, very sensitive).

Apple encrypts iPhone data by default, so as long as you have a sufficiently strong locking mechanism in place, attackers cannot access any of your data through the device, including your email.

In addition to these measures, you may also want to:

  • Set your screen to lock after 30 seconds or so.
  • Change your notification settings so that no email details appear on your lock screen, visible to anyone looking at your phone.
  • Make sure you still have USB Restricted Mode on. After iOS 11.4, iPhones needed to be unlocked before they could connect to a USB accessory. While this is a great feature for preventing attackers from connecting to your device when you are away from it, some users may have turned it off without realizing its significance. USB accessories are notorious for being able to exploit security issues to gain unauthorized access to phones, laptops, and other devices.

Update your iPhone and its Apps

This is another general security tip that everyone needs to take heed of. Software is never perfect, and over time, security vulnerabilities are discovered. When good developers find them, they then rush out a patch to fix the vulnerability in the next update.  Although some updates can certainly be frustrating, it’s important to install them as soon as possible to prevent your device from being wide open to these old attacks. This applies to iOS, and all of the apps that you run on the device.

It’s an important step for securing your iPhone email, because otherwise attackers can use the old vulnerabilities to install malware, which can then send them all of your sensitive data.

A good example of this is the Apple Mail bug discovered in 2020, which allowed remote code execution. ZecOps, the firm that discovered it, suspected that it had been used to target Fortune 500 companies, journalists, executives and others.

Other vulnerabilities have allowed attackers to break into phones simply by sending carefully crafted text messages — even if you never explicitly opened the message!

Remove unneeded Apps 

Old Apps can have security issues, as just discussed.  However, even updated Apps can (a) contain unpatched security issues, and (b) contain malware that was purposefully placed there by the app designers.  It is a best practice to:

  1. Delete any Apps from your iPhone that you do not need or that you never use. You can always re-download them later if you change your mind.
  2. Carefully consider what Apps you do install. Is the manufacturer reputable? Is it the one you really wanted, or one that just “looks really similar”? App designers often name their Apps and create their logos to create confusion, hoping that you will download their App instead of the one you actually want. Just search for “Zoom” in the App store. Confusing.

Securing your iPhone Email Backups

Things go wrong. iPhones break and get stolen, so it’s important to have backups of your data, including your emails. A good rule of thumb is to have three copies of everything important. One on your iPhone, one in the cloud, and another physical backup, ideally stored in a separate location to your phone (i.e., your laptop).

If you need to save all of your sent and received email messages in Apple Mail, you can archive them automatically by creating Rules. Otherwise, you can just select the important emails to archive manually.

Part of securing your iPhone email involves securing all of the backups. Presuming you use iCloud, you will need a strong password for your Apple account, and to set up two-factor authentication.

While this may be enough to protect your email backups in many circumstances, according to Apple and the iCloud Security overview:

All traffic between your devices and iCloud Mail is encrypted with TLS 1.2. Consistent with standard industry practice, iCloud does not encrypt data stored on IMAP mail servers. All Apple email clients support optional S/MIME encryption.

This means that  by default, Apple is capable of accessing your iCloud Mail. As Reuters reported in January 2020, Apple routinely hands this and other data over to US Government agencies, while only offering end-to-end encryption that it can’t touch for certain types of sensitive data.

Fully securing your iPhone email backups on iCloud Mail will require S/MIME encryption for your messages, which is not reasonable.

An easy way to set up physical backups is to save your Mailbox on your Mac, or set up iCloud on Windows and save your Mailbox data. Whether you choose to keep the data on the computer or an external hard drive, the device will need to be encrypted with a strong password to secure your iPhone email backups.

Securing the Apple Mail App

Apple may have a better privacy reputation than the other tech companies, but it’s not unscathed. Unencrypted emails are also inherently insecure. While individual Apple Mail messages can be encrypted with S/MIME as mentioned above, many users may prefer to send and store their email through a service that offers a greater range of configuration and compliance options.

One solution is to use a third-party secure email provider, like LuxSci, so that:

  1. Your email messages are stored outside of Apple’s ecosystem
  2. You can have a greater range of security, archival, and backup options
  3. You can still send and receive email through your iPhone Mail App (or other third party Apps).

If you do not like or trust the Apple Mail App, iOS 14 allows you to change the default email App on your iPhone. After all, even Apple’s Mail App has had its share of security vulnerabilities. A Google search will show you a lot of email application alternatives.

HIPAA Compliance and Apple

If you are using your iPhone for work and your job requires HIPAA compliance,  you should be aware that Apple’s iCloud email is not HIPAA compliant.  Your organization will need to use a third-party email solution that does provide appropriate HIPAA compliant email, security, and a HIPAA Business Associate Agreement.  And it goes without saying that you should not be texting or sending ePHI through Apple iMessage, either.

LuxSci offers a variety of options that are great for meeting your security and compliance needs.

Talk with our team to see how our solutions can help your organization keep its data safe and navigate the regulatory minefield.

What Are Your Goals for Sending HIPAA-Compliant Emails?

Wednesday, October 7th, 2020

…and How Do They Influence Which Provider You Choose?

So, you’ve heard that you need to send HIPAA-compliant emails. Maybe your company is only just starting to send ePHI in its messages. Perhaps it just wants to be extra careful, and limit the potential repercussions if ePHI is accidentally sent in an email. It could have even been skirting HIPAA regulations all along, and has suddenly realized the error of its ways.

Whatever led you up to this point, you are doing the right thing by looking for a HIPAA-compliant email provider. But the regulations and the services that have been developed to abide by them can be complex, so it’s important to do your research and carefully think through your decision.

On top of making sure that a potential service meets your compliance and security needs, you also need to consider the goals of your HIPAA-compliant email sending. Obviously, we can’t tell you what your goals are, but we can give you some suggestions that will help you refine them.

Are You Intending to Send ePHI, or Do You Just Want a HIPAA-Compliant Service to Be Careful?

Some organizations may want to directly email ePHI to their patients, so they need to focus on how they can do this effectively, while keeping both their patients and their businesses safe. For example, a doctor’s clinic may want to offer to send out test results via email.

Due to the high risk of exposing this information, it will probably want opt-out encryption, rather than opt-in. Measures like this can significantly reduce the chances of accidentally sending out unprotected ePHI.

In contrast, other companies may only want to send ePHI on rare occasions, so they may find opt-in encryption more convenient. The point is that every organization has its own set of requirements, and they need to find a suitable email service for their individual circumstances.

Some will want a service that is tightly locked down to limit their risks, while others may have a high risk tolerance.

Do You Plan on Using It as Your Everyday Email Service, or for High Volume Messaging?

If you just want a HIPAA-compliant email service for everyday use, something like LuxSci’s Secure Email is a great option. Alternatively, if your main goal is to send out emails in bulk, you will need something like our Secure High Volume Sending.

Do You Want to Send Transactional Messages, Marketing Emails, or Both?

As obvious as it seems, marketing emails are messages that are mainly sent out for marketing purposes. These include newsletters and product updates. On the other hand, transactional emails are those that are essential for customer interactions with the company. Many different things qualify as transactional emails, from onboarding messages, to password resets, to receipts, and much more.

Savvy companies don’t just see transactional emails as a bland part of conducting business. Instead, they use them as opportunities to add in a little marketing for their products, services, or simply overall brand awareness.

Before you make your decision on an email platform, you should consider how you want to use the service, and which solutions cater best to those needs.

Do You Have an In-House Graphic Designer, or Do You Need Intuitive & Professional-Looking Templates?

If your company has its own graphic designer, or the budget to outsource it, then it may not need beautiful email templates. Not every organization has those resources on hand, and many just want something that looks good without having to put in a lot of effort. Your company’s current setup and goals will influence whether you look for a HIPAA-compliant email provider that offers these ready-made templates.

Do You Need Analytics that Help You Measure the Effectiveness of Your Campaigns?

If your goal is to have the most effective campaign possible, then you need to measure everything. Of course, this is only possible with a marketing service that has a comprehensive analytics platform. LuxSci’s Secure Marketing solution offers A/B testing, which allows you to compare two different approaches to see which is best.

It also features a range of reports that tell you who opened emails, what they clicked on, the bounce rate, whether messages were marked as spam, and much more. If you need this type of in-depth knowledge in your email campaigns, it will be an important factor in which email service you ultimately end up choosing.

LuxSci’s HIPAA-compliant email services aim to combine the functional features you need for high performance, alongside the security mechanisms required to stay within the regulations. Together, these provide adaptable services for those in the healthcare sector and for other businesses that deal with ePHI.

Is Amazon Simple Email Service (SES) HIPAA Compliant?

Thursday, March 19th, 2020

Because Amazon Web Services (AWS) is very inexpensive, very well known, and offers “HIPAA-compliant” solutions to some degree, we are often asked if, and to what degree, Amazon Simple Email Service (SES) is HIPAA compliant. AWS is a big player offering countless services on which companies can build and/or host applications and infrastructures. One of the myriad of services provided by Amazon is their “Simple Email Service” (AWS SES for short).  Organizations are very interested in determining if the services offered are appropriate for their use cases and if use of specific Amazon services will leave them non-compliant or at risk.  Indeed, the larger the organization, the more concern we encounter.



Enterprise-Grade High Volume Secure Email Sending API

Tuesday, February 4th, 2020

LuxSci has released an enhancement to its REST API targeted at fast, reliable, large-scale email sending. While LuxSci’s API has had features for secure email sending for many years, the new API call is specifically designed with the needs of enterprise email sending in mind.

The new “Send Email” High Volume API call enables:

  1. Pipelining: Send up to 1,000 email messages per request
  2. Send to up to 1,000 email recipients per request
  3. Works for sending HIPAA-compliant secure email or regular email
  4. Load Balancing: Distributes your outbound email messages across your multiple dedicated outbound email servers.
  5. Fail Over: If you have multiple outbound email servers and one is down for some reason, the API will automatically re-try sending through other servers.
  6. Queuing: If you are depositing email into the API faster than your email servers can send, or if your email servers are down for some reason (e.g., maintenance), the messages will be accepted, queued, and delivered automatically as soon as possible.
  7. Tracking: Email delivery, bounce, click, feedback loop, and open tracking works just like it does for messages sent via SMTP.
  8. Encryption and all other email sending features currently supported by direct SMTP sending (e.g., tag lines, encryption “Opt-Out”, etc.) are supported by the API.
  9. SMTP Limits. Your overall API-based email sending is limited only by the number of recipients or messages to whom you are normally allowed to send via SMTP.


Email Data Breaches Are the Most Common Incident Location According to OCR Data

Monday, November 4th, 2019

Email data breaches were the most common incident location listed in breach notification data from the Office of Civil Rights, a subbranch of the Department of Health and Human Services. From the first of June, 2019 until the time of writing, 178 different breaches had been reported to the authorities.

Of these breaches, 69 involved email as their “Location of Breached Information”. In total, these email-related breaches affected almost 850,000 individuals – that’s almost a million people who had their data exposed or stolen due to either hacking or improper use. All in just six months.

Email data breaches were the clear frontrunner, with network servers following a reasonable distance behind them as the second most common location of breached information. Network servers were involved in 54 of the cases.

So what do these figures tell us?

Email Is Still the Weakest Link in Security & Data Breaches

If the OCR data reveals that email is the most common location of data breaches in recent times, then it suggests that we have major issues in our approach to using email.

The data doesn’t necessarily mean that email technology is inherently less secure than network servers or the other incident locations – the results may be caused by how ubiquitous email is for communication, how easy it is for hackers to trick us over email, or how cavalier our attitudes are towards it.

However, the data does indicate that email is still a major source of problems, and we need to take the necessary steps to minimize its role in the cavalcade of data breaches we seem to experience.

Preventing Email Data Breaches

Data breaches are a concern for all businesses, because they can result in business disruption, damage a brand’s reputation, and result in huge compensation costs as well as fines.

This is especially true for organizations in the health sector and their business associates who deal with ePHI. Not only is the data they possess valuable and attractive to hackers, but they are also governed by strict HIPAA laws and the harsh penalties that come alongside them.

This makes email data breach prevention incredibly important for those both inside and outside of the health sector. The good news is that there are several things businesses can do to reduce the risks they face.

One of the first steps should be to adopt a secure email service like LuxSci’s HIPAA-compliant email hosting. Our solution offers a high degree of security configuration options that help organizations protect their data according to their own unique needs. These include support for PGP, S/MIME, portal pickup and TLS, providing protection for email both in transit and in storage.

LuxSci’s premium email filtering also helps to stop attackers from ever making their way into employee inboxes, preventing them from gaining footholds that they can use to cause email data breaches.

Although the OCR’s notification data doesn’t go into depth, it’s likely that many of the affected businesses either weren’t using secure email software, or were using it inappropriately. Our HIPAA-compliant service can help to cut down on the risks that organizations face, reducing the likelihood of them ending up on the OCR’s list in the future.

While the majority of email data breach incidents in the OCR figures were due to hacking, some were the result of unauthorized access or disclosure. These acts are often overlooked, but they still contribute to costly and disruptive breaches.

LuxSci’s email hosting can help to cut down on accidental email data breaches because we offer features like opt-out encryption. When our clients enable it, it means that their employees have to actively opt-out when they don’t want encryption to protect a message.

This almost completely eliminates incidents where employees simply forget to encrypt sensitive data. They would have to go out of their way to do so, which makes opt-out encryption a simple way for organizations to reduce the risks they face.

Email data breaches are one of the huge risks that businesses face in our internet age. Thankfully, there are straightforward steps that organizations can take to minimize them, which helps to save money in the long run. LuxSci’s email service is just one of them. We also offer a wide range of other secure services such as hosting and forms.