hipaa-compliant email Archives - LuxSci

Posts Tagged ‘hipaa-compliant email’

Will Email Ever Be Truly Secure?

Tuesday, November 6th, 2018

Email is one of the leading entry points for security breaches. The optimistic view is that effective email security practices, firewalls, mobile device security, wireless security, endpoint security, web security, behavioral best practices, data loss prevention and network access control, among other solutions, can together make security foolproof. The realistic view is that email, like anything else, cannot be made truly secure.

To err is human, and technological advancement is both a boon and a bane: cyber attacks are more sophisticated than ever. You cannot rely on any single security solution, place all your trust in end-to-end encryption (currently the most secure way to communicate privately online), or predict when someone will break into your device and read your email.

The road to HIPAA compliance is paved with many risks, possibilities and outcomes. Well-researched and thoughtful implementations are essential, but there are many decisions to make and loose ends to tie up. Your ePHI protection, privacy and confidentiality practices may be excellent, but an employee may still dispose of a fax machine or hard drive that contains recoverable PHI. Or some of your staff may fail to follow the policy on what must be encrypted and what need not be.

And if you thought that email encryption, cryptographic protocols and even your computer system and CPU were protecting your data at all times, think again…


HIPAA-Compliant Email Checklist – 8 Things You Need to Know

Tuesday, August 14th, 2018

The Health Insurance Portability and Accountability Act (HIPAA) governs protected health information (PHI). When PHI is stored or transmitted electronically, the HIPAA Security Rule requires covered entities and their business associates to safeguard the confidentiality, integrity and availability of that electronic protected health information (ePHI). Email is one of the most common ways ePHI is shared, so HIPAA-compliant email security is a critical concern for healthcare organizations, many of which prefer to outsource it to knowledgeable providers.

The HIPAA email security rule

The HIPAA Security Rule is technology-neutral: it requires adequate protection for ePHI, including ePHI sent by email, but neither endorses nor prohibits any specific technology. Its requirements fall into four groups:

  1. Organizational requirements stating the specific functions a covered entity must perform, including documented policies and procedures and obligations with respect to business associate contracts.
  2. Administrative safeguards covering risk analysis, workforce training, sanctions and the management of employee access to PHI.
  3. Physical safeguards encompassing the security of computer systems, servers and networks, access to facilities and workstations, data backup and storage, and the disposal of obsolete media and data.
  4. Technical safeguards that ensure the security of email data transmitted over an open network, as well as access control, audit logging and integrity protection for that data in storage.

HIPAA-Compliant Email Checklist

While email encryption gets most of the spotlight in discussions of email security, HIPAA-compliant email security covers a range of behaviors, controls and services that work together to address eight key areas.

1. Access: How can you effectively safeguard access to your email account and email messages?

  • Use strong passwords that cannot be easily guessed or brute-forced
  • Use a different password for each site and/or application
  • Use two-factor authentication
  • Secure connections to your email service provider using TLS and/or a VPN
  • Block unencrypted connections
  • Have remote-wipe software in place so that sensitive email can be erased from a mobile device that is stolen or misplaced
  • Log off from your system when it is not in use and you are not at your desk
  • Encrypt by default (opt-out rather than opt-in encryption) so that a message a user forgets to mark as sensitive is not sent in the clear

2. Encryption: Email is inherently insecure: messages can be read, stolen, eavesdropped on, modified, forged or repudiated. Covered entities should therefore go beyond the minimum technical safeguards of the HIPAA Security Rule and adopt a ‘better safe than sorry’ approach to message transmission, storage and security, and ensure that the business associates they engage are HIPAA compliant.

  • Your email system should be able to send secure messages to anyone with any address
  • You should be able to receive secure messages from anyone
  • Measures should be in place to prevent the insecure transmission of sensitive data via email
  • Explore the use of features to retract a sent email message if it is found to be wrongfully containing sensitive data or to have been sent to the wrong address
  • Avoid opt-in encryption: under the HIPAA Omnibus Rule an impermissible disclosure of PHI is presumed to be a breach, so a message a user forgot to encrypt is a reportable incident

3. Backups and archival: HIPAA’s backup and retention requirements apply to all email containing ePHI, including unencrypted email sent under mutual consent.

  • Are there backups of your email folders?
  • Are there at least two different backups at two different geographical locations? The processes updating these backups should be independent of each other as a measure against backup system failures.
  • Have you maintained separate, permanent and searchable archives? While the emails should be tamper-proof, with no way to delete or edit them, they should be easily retrievable to facilitate discovery, comply with audit requests and support business-critical scenarios.

4. Defense: Do you have controls in place to safeguard against malicious messages?

  • Use server-side scanning of inbound email for malware and viruses, phishing and malicious links
  • Display the sender’s actual email address, not just the display name, so that a spoofed display name is visible
  • Use filtering software to detect fraudulent messages, and ensure it uses SPF, DKIM and DMARC results to classify messages
  • Scan outbound email
  • Scan workstations for malware and viruses
  • Use plain-text previews of your messages so that HTML, scripts and remote content are not rendered automatically

5. Authorization: Protect others against malicious email impersonating you by publishing SPF and DKIM records for your own domains, together with a DMARC policy that tells recipients what to do with mail that fails them, so that recipients’ email filters can identify forged email. Also ensure that your email servers are not open relays: nobody should be able to send mail through them without authenticating over an encrypted connection.
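The following is an added example, not LuxSci’s code, showing what a recipient’s filter does with the SPF, DKIM and DMARC information described in items 4 and 5 above: it parses the sending domain’s DMARC policy, checks whether the SPF or DKIM result is aligned with the visible From domain, and returns the disposition the policy asks for. The DNS records, the receiving MTA name (mx.hospital.example) and the four sample header blocks are constructed for the example, and the receiver’s own SPF and DKIM checks are assumed to have already been recorded in an Authentication-Results header, so nothing touches the network.

```python
"""DMARC alignment check for an inbound message (added example, not LuxSci's code).

Assumes the receiving MTA has already run SPF and DKIM and recorded the results
in an Authentication-Results header; DNS lookups are replaced by a constructed
table. No network access is needed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed DNS TXT records (assumption) that example.org would publish.
# The SPF record is shown for completeness; the receiver's SPF check is
# represented here by the Authentication-Results header, not re-run.
PUBLISHED_TXT = {
    "example.org": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_dmarc.example.org": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.org",
}


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s' into tags, with RFC 7489 defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    # Simplification (assumption): last two labels. Real implementations use
    # the Public Suffix List so that e.g. "nhs.uk" is handled correctly.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the
    same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(header: str) -> dict:
    """Extract the spf/dkim result and the domain each was evaluated against."""
    results = {}
    for clause in header.split(";")[1:]:  # clause 0 is the authserv-id
        clause = clause.strip()
        m = re.match(r"(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        dom = re.search(r"(?:smtp\.mailfrom|header\.d)=([\w.@-]+)", clause)
        # smtp.mailfrom may carry a full address; keep only the domain part.
        results[m.group(1)] = (m.group(2), dom.group(1).split("@")[-1] if dom else "")
    return results


def evaluate_dmarc(raw_headers: str) -> dict:
    """Return pass/fail and the disposition the From domain's policy asks for."""
    msg = message_from_string(raw_headers)
    from_domain = parseaddr(msg.get("From", ""))[1].split("@")[-1].lower()
    record = PUBLISHED_TXT.get(f"_dmarc.{from_domain}")
    if record is None:
        return {"from_domain": from_domain, "result": "none", "disposition": "accept",
                "reason": "no DMARC record published for From domain"}
    policy = parse_dmarc(record)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    spf_result, spf_domain = auth.get("spf", ("none", ""))
    dkim_result, dkim_domain = auth.get("dkim", ("none", ""))
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return {"from_domain": from_domain, "result": "pass", "disposition": "accept",
                "reason": f"aligned {'SPF' if spf_ok else 'DKIM'} pass"}
    disposition = policy["p"] if policy["p"] in ("quarantine", "reject") else "accept"
    return {"from_domain": from_domain, "result": "fail", "disposition": disposition,
            "reason": f"spf={spf_result}({spf_domain}) dkim={dkim_result}({dkim_domain}), "
                      f"neither aligned with From domain under p={policy['p']}"}


def sample(from_hdr: str, auth_results: str) -> str:
    """Constructed header block; mx.hospital.example is the receiving MTA (assumption)."""
    return (f"From: {from_hdr}\n"
            f"Authentication-Results: mx.hospital.example; {auth_results}\n"
            "Subject: test\n\n")


# Constructed cases (assumption). The visible From domain is example.org in all of them.
LEGIT = sample("Billing <billing@example.org>",
               "spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org")
SPOOFED_FROM = sample('"Dr. Smith" <billing@example.org>',
                      "spf=pass smtp.mailfrom=attacker.example; dkim=fail header.d=attacker.example")
RELAXED_SPF = sample("noreply@example.org",
                     "spf=pass smtp.mailfrom=bounces.example.org; dkim=none")
STRICT_DKIM_MISMATCH = sample("noreply@example.org",
                              "spf=fail smtp.mailfrom=example.org; dkim=pass header.d=mail.example.org")

if __name__ == "__main__":
    for name, hdrs in [("legit", LEGIT), ("spoofed From", SPOOFED_FROM),
                       ("relaxed SPF via subdomain", RELAXED_SPF),
                       ("strict DKIM, subdomain signer", STRICT_DKIM_MISMATCH)]:
        print(f"{name:32} -> {evaluate_dmarc(hdrs)}")
```

The spoofed case is the one item 5 is about: the attacker’s mail passes SPF for its own domain, but that domain is not aligned with the From domain the patient sees, so the p=reject policy published by example.org lets the recipient drop it. The last two cases show why the alignment mode matters: with aspf=r a bounce subdomain still passes, while with adkim=s a signature from mail.example.org does not count for example.org.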

6. Reporting: Setting accountability standards for email security is an essential part of establishing and improving your HIPAA compliance posture.

  • Create login audit trails
  • Receive login failure and success alerts
  • Automatically block sources of repeated login failures
  • Maintain a log of all sent messages
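As an added example of the first three bullets above (not LuxSci’s code, and not a description of how LuxSci implements them), the script below walks a login log once, keeps a sliding window of failures per source IP, blocks an IP that exceeds a threshold, and raises alerts both for that block and for a successful login that follows recent failures, which is the event a HIPAA reviewer most wants to see flagged. The log format, the sample lines, the five-failures-in-ten-minutes threshold and the IP addresses (RFC 5737 documentation ranges) are all constructed for the example.

```python
"""Login audit trail with failure alerting and auto-block (added example, not LuxSci's code).

The log format is constructed for the example (assumption):
    <ISO-8601 UTC timestamp> <service> auth-ok|auth-fail user=<u> ip=<ip>
The threshold and window are illustrative, not a LuxSci setting.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (\S+) auth-(ok|fail) user=(\S+) ip=(\S+)$")

# Constructed sample log (assumption). 198.51.100.7 cycles through four
# accounts and then logs in; 203.0.113.20 is a user who mistyped once.
SAMPLE_LOG = """\
2018-08-14T09:00:01Z imap auth-fail user=jdoe ip=198.51.100.7
2018-08-14T09:00:03Z imap auth-fail user=jdoe ip=198.51.100.7
2018-08-14T09:00:05Z imap auth-fail user=asmith ip=198.51.100.7
2018-08-14T09:00:07Z imap auth-fail user=bjones ip=198.51.100.7
2018-08-14T09:00:09Z imap auth-fail user=clee ip=198.51.100.7
2018-08-14T09:00:11Z imap auth-ok user=clee ip=198.51.100.7
2018-08-14T09:05:00Z webmail auth-ok user=jdoe ip=203.0.113.20
2018-08-14T09:30:00Z imap auth-fail user=jdoe ip=203.0.113.20
2018-08-14T09:31:00Z imap auth-ok user=jdoe ip=203.0.113.20
2018-08-14T10:00:00Z smtp auth-fail user=jdoe ip=192.0.2.5
this line is not an auth event and is skipped
""".splitlines()


def parse_line(line: str):
    """Return an event dict, or None for lines that are not auth events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, service, result, user, ip = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "service": service, "result": result, "user": user, "ip": ip}


def analyze(lines, threshold=5, window=timedelta(minutes=10)) -> dict:
    """Walk the log once, keeping a sliding window of failures per source IP.

    - threshold or more failures from one IP inside the window: block it
    - a success from an IP with recent failures: alert (possibly a guessed
      or stuffed credential; the account owner should be contacted)
    - a success from an IP that should already be blocked: alert (the block
      was not enforced at the service)
    """
    recent_fails = defaultdict(deque)
    blocked, alerts, trail = set(), [], []
    for ev in filter(None, map(parse_line, lines)):
        trail.append(ev)  # every parsed login event is kept as the audit trail
        q = recent_fails[ev["ip"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if ev["result"] == "fail":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in blocked:
                blocked.add(ev["ip"])
                # listing the usernames tried shows whether this is one account
                # being brute-forced or many accounts being sprayed
                targeted = sorted({e["user"] for e in trail
                                   if e["ip"] == ev["ip"] and e["result"] == "fail"})
                alerts.append({"kind": "block", "ip": ev["ip"], "at": ev["ts"],
                               "failures": len(q), "users": targeted})
        elif ev["ip"] in blocked:
            alerts.append({"kind": "success-from-blocked-ip", "ip": ev["ip"],
                           "user": ev["user"], "at": ev["ts"]})
        elif q:
            alerts.append({"kind": "success-after-failures", "ip": ev["ip"],
                           "user": ev["user"], "at": ev["ts"], "failures": len(q)})
    return {"blocked": blocked, "alerts": alerts, "audit_trail": trail}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for alert in report["alerts"]:
        print(alert)
    print("blocked:", sorted(report["blocked"]))
    print("audit trail entries:", len(report["audit_trail"]))
```

The two success alerts carry different weight: one failure followed by a success from the user’s usual address is almost always a typo, while a success from an address that was just blocked means the block is not being enforced at the service and needs to be investigated. In production the per-IP window should be complemented by a per-user window, since a spraying attacker can spread attempts across many addresses.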

7. Reviews and policies: Use best practices of email security that focus on plugging vulnerabilities and preventing human errors.

  • Invite independent third parties to review your email policies and user settings. Fresh unbiased eyes can weed out issues quickly.
  • Disallow the use of public Wi-Fi for devices that connect to your sensitive email
  • Your email policy should prohibit clicking on links or opening attachments that are not expected or requested

8. Repeat: What you cannot manage in-house, outsource to expert providers and vendors. Perform a yearly review of your email security and stay on top of emerging cybersecurity threats to take proactive action when necessary for sustained HIPAA compliance.


HIPAA Email: Does it Require Encryption?

Tuesday, July 31st, 2018

HIPAA’s encryption requirements fall into a grey area, mainly for two reasons:

  • the Security Rule requires a mechanism to encrypt ePHI ‘whenever deemed appropriate’, which means email encryption is not absolutely mandatory, and ‘mutual consent’ can be used in place of encryption for email to patients
  • the technical safeguards that concern ePHI encryption are ‘addressable’ rather than ‘required’ specifications

What exactly is mutual consent?

Mutual consent refers to a mutual understanding between doctor and patient that email containing ePHI can be sent to the patient’s email account without encryption. Patients should give their approval in writing after being informed of the security risks and understanding that a secure option is available. You must additionally retain all records of mutual consent.

Mutual consent does not waive other HIPAA requirements. You must still use HIPAA-compliant systems, log and audit each decision not to encrypt, and back up and archive all email sent insecurely.

Encryption at rest is ‘addressable’

‘Addressable’ means that you must either implement the safeguard or implement an equivalent alternative measure that achieves the same result. If you do neither, you must document and justify why no action has been taken with regard to that safeguard.


How Is HIPAA-Compliant Email Different from Secure Email?

Wednesday, June 21st, 2017

Protected health information (PHI) is heavily regulated under HIPAA, but the exact details can be confusing. The regulations are designed to keep everyone’s private information safe, but they also put a significant amount of responsibility on businesses.

HIPAA regulations apply to just about every aspect of a person’s medical information, including its transmission, storage and security. Because email is such an important and extensively used form of communication, HIPAA regulations apply to it as well.

HIPAA-compliant email vs secure email

Some may think that secure and encrypted email is all you need to keep PHI safe and emails compliant. The reality is that HIPAA email regulations go above and beyond standard secure email. To protect your business, you need to make sure that your email provider is HIPAA-compliant, not just secure.
