This article discusses what types of email encryption are sufficient to comply with government regulations. TLS email encryption is a good option for many organizations that manage sensitive data. However, it does not protect data at rest. Each organization must perform a risk assessment to determine which encryption methods suit their legal requirements.
Read the rest of this post »
Creating secure web forms starts with creating a secure website. This process is more complex than creating web pages and adding an SSL Certificate. A certificate is a solid first step, but it only goes so far as to protect whatever sensitive data necessitates security in the first place.
Naive attempts at security can ultimately make the data less secure and more likely to be compromised by creating an appetizing target for the unscrupulous.
So, what do you do beyond hiring a developer with significant security expertise? Start with this article. Its purpose is to shed light on many of the most significant factors in creating secure web forms and how to address them. At a minimum, reading this article will help you intelligently discuss website security with the developers you hire.
Read the rest of this post »
If your business transmits sensitive information via email, encryption is often required to meet compliance standards. However, if encryption is difficult to use, employees and recipients alike may avoid secure channels and communicate sensitive information insecurely. Email encryption technology must be intuitive for employees to use and easy for recipients to decrypt to encourage adoption. In this article, we explore some of the main issues with email encryption and how to address them to improve the user experience.
If it’s challenging for recipients to decrypt messages, they go unread or deleted. Most users will not install new software or create new accounts to read an email message. They will delete the message and move on with their day. Encryption technologies like PGP and S/MIME are highly secure, but with that security comes a lack of usability. It’s essential to evaluate the message contents and select a level of encryption corresponding to the message sensitivity.
If reading encrypted messages requires the user to visit other websites, log in to other accounts, and verify their identity multiple times, it creates a poor user experience that drives individuals outside of secure channels to communicate. This defeats the purpose of using encrypted email and leaves people unsatisfied.
How many times have you forgotten to include an attachment when sending an important email? For users who need to send encrypted emails, remembering to type a keyword or press a button to enable encryption introduces risk, interrupts business processes, and generally limits productivity.
To address some of these issues, let’s look at a few ways that you can improve the email encryption experience for both senders and recipients.
Instead of using a secure web portal or exchanging S/MIME and PGP keys, use TLS as often as possible to encrypt emails. TLS is sometimes called “invisible encryption” because it provides a barely noticeable encryption experience for recipients. Emails sent with TLS encryption appear just like regular emails in the recipient’s inbox and do not require any additional steps to decrypt. TLS encryption is sufficient for most compliance requirements, including HIPAA, which makes it an excellent choice for many email communications.
TLS is supported by over 80% of email clients, which means it’s appropriate in most situations. But what happens when TLS cannot be supported? For many encryption providers, that means they send the email without any encryption at all. For customers with compliance requirements, this is not an option. By choosing an email encryption provider like LuxSci, you can configure your encryption settings to automatically select a form of encryption that is compatible with the recipient’s email client. For example, if the recipient does not support TLS encryption, the email would be sent to a secure web portal to protect it. Users don’t have to run tests or make the right choice; LuxSci’s tool automatically chooses the right encryption option based on your configuration and the recipient’s settings.
Make encryption opt-out instead of opt-in. By encrypting all emails automatically with TLS, employees do not need to decide if an email needs to be secured. As discussed above, TLS provides a user experience just like regular email, so it does not make it more challenging for the recipient to engage with messages. Encrypting all emails as a matter of policy reduces risk and does not slow down workflows.
Administrators can allow users to opt out of encryption if they choose to. This added step requires employees to think carefully about the message contents and ensure they are not sensitive before sending.
Email encryption does not have to be difficult to use. It’s possible to securely exchange information via email without negatively impacting the user experience. To learn more about how LuxSci’s SecureLine email encryption can help you protect sensitive data at scale, contact us today.
It is not easy to create a HIPAA-compliant web site and webmasters often ask us for clarification on best practices when it comes to HIPAA compliance.
We have previously discussed what makes a web page secure and also what makes a web site HIPAA-compliant, but it seems that an explainer on what you should and should not do with web sites in shared and dedicated environments would be useful to many.
Read the rest of this post »
SSL and TLS play critical roles in securing data transmission over the internet, and AES-256 is integral in their most secure configurations. The original standard was known as Secure Sockets Layer (SSL). Although it was replaced by Transport Layer Security (TLS), many in the industry still refer to TLS by its predecessor’s acronym. While TLS can be relied on for securing information at a high level—such as US Government TOP SECRET data—improper or outdated implementations of the standard may not provide much security.
Variations in which cipher is used in TLS impact how secure TLS ultimately is. Some ciphers are fast but insecure, while others are slower, require a greater amount of computational resources, and can provide a higher degree of security. Weaker ciphers—such as the early export-grade ciphers—still exist, but they should no longer be used.
The Advanced Encryption Standard (AES) is an encryption specification that succeeded the Data Encryption Standard (DES). AES was standardized in 2001 after a five-year review and is currently one of the most popular algorithms used in symmetric-key cryptography. It is often seen as the gold standard symmetric-key encryption technique, with many security-conscious organizations requiring employees to use AES-256 for all communications. It is also used prominently in TLS.
Read the rest of this post »
