escrow Archives - HIPAA News, Web & Email Security Tips & News - Plus More | LuxSci

Posts Tagged ‘escrow’

Next Generation Data Loss Prevention (DLP) with LuxSci Secure Email

Tuesday, September 29th, 2015

Data Loss Prevention (DLP) describes a plan for companies to control the sending of sensitive data. For example, this can include controls to stop the flow of sensitive data or to ensure that sensitive data is always well-encrypted (for compliance) when sent.

In the context of email, DLP is usually achieved through the following formula:

  1. Construct a list of words, phrases, or patterns that, if they are present in an email, signify an email message that may contain sensitive information.
  2. Have all outbound email scanned for these words, phrases, or patterns.
  3. For messages that match, take action:
    1. Block: Refuse to send the message, or
    2. Encrypt: Ensure that the message is encrypted
    3. Audit: (and maybe send a copy of the message to an “auditor”)

This classic DLP system is available through many email providers and has been available at LuxSci for many years as well. However, it does have a glaring limitation — no matter how complete and complex your DLP pattern list is, it is almost certain that some messages containing sensitive information will not quite match (or the information will be embedded in attachments that can’t be searched properly).  If they do not match, then they will escape in a way that may be considered a breach.


Toggling Between TLS-Only and More Secure Encryption Methods

Thursday, September 10th, 2015

There are many ways to send an email securely.  These range from the super-easy-to-use but less secure “TLS” method (see About SMTP TLS) to the universal “pick it up on a secure portal” method (that we call Escrow), to the very secure but harder to deal with PGP and S/MIME methods.

Many people like to use just TLS for email transmission security whenever possible, simply because it is so easy for everyone to use — you can encrypt everything, using TLS when possible and Escrow when TLS is not supported by your recipients.

However, if you have compliance needs or deal with sensitive information, there are many situations where you may like to “jack up” the level of encryption from just enforced TLS to TLS if possible plus one of the other methods … one that is more secure and which provides for encryption at rest.  (See: Is Email Encryption via Just TLS Good Enough for Compliance with Government Regulations?)

Disabling “Just TLS” on a per-message basis is quite easy with LuxSci.


SecureLine Message Center: Free, Secure Message Access Portal

Thursday, April 23rd, 2015

LuxSci customers send encrypted email messages to anyone using the SecureLine Escrow system — recipients receive a notification of their waiting secure message and click on a link to access it after either answering a security question or logging into their free SecureSend account to verify their identities.

The SecureLine Namespace and Message Center features enable your recipients to log in and see a history of all secure messages sent to them from your users and to easily open, read, reply to, and delete these historical messages any time … at least until they have expired.  The Message Center also keeps copies of sent messages, so it enables free WebMail-like behavior in the SecureSend secure messaging portal.


7 Steps to Make your Web Site HIPAA-Secure

Friday, February 13th, 2015

Doctors and medical professionals are feeling increasing pressure to get their business online (e.g. use of electronic prescriptions, web appointments, and remote medicine are both trendy and critical for building and sustaining revenue streams in the tightening medical market).  This push includes making available protected health information to patients via a web site and collecting similar private information from patients or would-be patients.

However, where the health information of an identifiable individual is involved, the Health Insurance Portability and Accountability Act (HIPAA) is the official compliance document.  And with the Omnibus rule in place, all web sites, old and new, must be properly designed or their owners face potential financial liability into the millions of dollars.

So, what do these requirements mean and how can HIPAA be followed in the context of a website?


SMTP TLS vs Secure Message Pick Up: Which is Better for HIPAA?

Wednesday, November 12th, 2014

There are many methods for sending an email message securely.  These generally vary in terms of the degree of security vs how easy they are to set up and use.  The two most common email encryption methods include:

  • SMTP TLS: Encrypting the message only while it is transmitted between the sender’s and the recipient’s servers.  See: SMTP TLS: All about secure email delivery over TLS.  Note that SMTP TLS is only supported by some email service providers.
  • Secure Message Pickup:  Sending the recipient an email notice with a link.  The recipient clicks on the link and goes to a secure web site to authenticate and access the message. (LuxSci calls this method “Escrow”).  Secure Message Pickup allows one to send a secure message to anyone.

Other methods, such as PGP and S/MIME, are also in wide use.  However, these require a lot more setup and collaboration between the sender and recipient.  The above two methods are most commonly used for sending messages to people that you have not otherwise communicated with.

So, which is better?  How does that answer change when HIPAA compliance is involved?


Email your Form Data Securely to Addresses Determined on the Fly

Wednesday, February 12th, 2014

Let’s say you have a web or PDF form and you would like to have the completed form emailed back to the user after it is submitted.  Or perhaps you have a complex form whose data should be sent to any one of a wide range of different email addresses based on its content.  Finally — what if those email messages needed to be secure to protect the form data?

It’s now quick and simple to accomplish this with LuxSci SecureForm.


Secure: Does LuxSci Hold the Keys to Unlock your Secure Email Data?

Wednesday, December 18th, 2013

For many different reasons, customers have asked us if we hold the keys to unlocking their email data. Why?

  1. Compliance / Emergencies: Customers with compliance needs, such as HIPAA, need to have emergency access to data … and that can mean appealing to LuxSci to access data to which the customer has otherwise lost access.  Having the keys, in this case, is very important.
  2. Privacy: On the other end of the spectrum, some customers want to do as much as possible to ensure that no one, not even LuxSci staff, can access their email data.

Both considerations are extremely valid in their own context.  The answer is that “it depends”.  For security and flexibility, LuxSci presents customers a variety of email encryption options that span the complete range from “completely unencrypted” to “LuxSci has no possible access”.  It is up to the customer to choose where in that spectrum they fall … often balancing ease of use with security needs.

In the following sections, we will consider to what degree LuxSci can assist customers in accessing email (and WebAides) data, based on what encryption options the customer has chosen.  We also discuss where and how your trust of LuxSci comes into play. Understanding if and when LuxSci can access encrypted data is different from understanding when messages are encrypted at rest.


Are Replies to my HIPAA-Compliant Secure Emails also Secure?

Friday, October 11th, 2013

Customers of LuxSci HIPAA-compliant email accounts can send secure email messages in a secure and compliant manner to anyone with an email address.   One common question is whether the replies back to these messages will also be HIPAA compliant.  This is especially a concern when customers choose to use TLS only as a secure means of email delivery.

In this article we will break down the various ways that messages are sent securely from LuxSci to recipients across the Internet, and how replies behave — and whether they are secure and compliant.  At the end, we provide some recommendations for best practices for maximizing data security.


SecureLine Message Center now Displays Sent Email

Friday, September 6th, 2013

LuxSci’s SecureLine email encryption service enables our customers to send secure email messages to anyone with an email address.  Through the included “SecureSend” portal, it also allows anyone with an email address to send secure messages to our SecureLine users, for free.

With Private Label Branding, LuxSci customers can customize this experience, making the web interfaces look like their company and also enabling a feature called “Message Center”.  Message Center allows the recipients of your SecureLine messages sent using the Escrow secure message pickup mechanism to view and reply to all messages sent to them in the SecureSend portal, akin to an online Inbox of received secure messages.

LuxSci has extended the Message Center so that it now includes copies of messages sent by these users as well:

  1. Messages sent as replies to SecureLine Escrow messages received by them
  2. New messages sent directly from the SecureSend portal’s secure email composer

Going forward, people interacting with LuxSci’s SecureLine users through the free SecureSend system can return to the portal and read items that they have previously sent using the system, just like they can log in and review emails that they have received.


How do you know if someone has read your email message?

Friday, July 26th, 2013

Has your recipient actually read that email that you sent to him or her?

Has anyone else been reading the email messages that you sent or which are saved in your online email folders?

We are often asked how customers can verify if an email that has been sent has actually been read or if they can detect if messages have been covertly read (e.g. by the NSA).  The quick answer is that:

  1. With respect to your recipients reading your emails, you generally cannot ever know unless you plan on it ahead of time or use a system that includes read tracking as a feature.
  2. With respect to your ISP or the government reading emails, you cannot ever know.  All you can do is implement encryption mechanisms to prevent them from reading the messages altogether.

In this article, we will discuss what measures you can take and how effective they are for determining if an email message has been read — the simplest and most generally available methods are the least reliable.
