" secure Archives - LuxSci

Posts Tagged ‘secure’

How Can You Tell if an Email Was Transmitted Using TLS Encryption?

Tuesday, October 29th, 2019

Frequently, we are asked to verify whether an email that someone sent or received was encrypted with SMTP TLS while being transmitted over the internet. For example, banks, health care organizations under HIPAA, and other security-aware institutions often require that email be protected at least by TLS encryption from sender to recipient. Note that SMTP TLS protects each server-to-server connection (hop) rather than the message itself, so the question is really whether every hop along the path used TLS.

Email should always be transmitted with at least this basic level of encryption so that the message content cannot be read in transit. Checking whether a particular message was sent securely is fairly easy: look at the raw headers of the message in question. However, it requires some knowledge and experience, and it is actually easier to tell whether a recipient’s server supports TLS than whether a particular message was transmitted over it.

To see how to analyze a message for its transmission security, we will look at an example email message sent from Hotmail to LuxSci, and see that Hotmail did not use TLS when sending this message.  Hotmail is not a good provider to use when security or privacy are required.
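Below is an added example (not LuxSci’s code, and not the Hotmail message from the post) of the check the post describes: parse the raw headers, walk the Received: lines, and classify each hop from the “with” keyword (RFC 3848: ESMTPS means STARTTLS was used, ESMTP means cleartext) and from the TLS version and cipher annotations that Postfix, Sendmail, Exchange and Gmail add. The sample message, its hostnames and its IDs are constructed; it mirrors the post’s finding in that the hop across the internet between the two organizations used plain ESMTP. Hops recorded as HTTP or MAPI are client-to-server submission rather than SMTP relay and are reported as ‘other’.

```python
"""Classify every Received: hop of a raw email by its transport security.

Added example for this page, not LuxSci code. The sample message below is
constructed (made-up hosts and IDs). The parser recognizes the trace formats
commonly written by Postfix/Sendmail ("with ESMTPS ... using TLSv1.3 with
cipher ..."), Exchange/Outlook.com ("with Microsoft SMTP Server (version=TLS1_2,
cipher=...)"), Gmail and Exim.
"""
import email
import re

# RFC 3848 "with" keywords: a trailing S means the session used STARTTLS,
# A means the client authenticated; plain SMTP/ESMTP means cleartext.
SMTP_TLS_RE = re.compile(r'^(?:UTF8)?E?SMTPSA?$', re.I)
SMTP_PLAIN_RE = re.compile(r'^(?:UTF8)?E?SMTPA?$', re.I)
WITH_RE = re.compile(r'\bwith\s+([A-Za-z0-9]+)')
FROM_RE = re.compile(r'\bfrom\s+(\S+)')
BY_RE = re.compile(r'\bby\s+(\S+)')
# "TLSv1.3", "TLS1_2", "TLS1.2", "SSLv3", but not the "TLS_" of a cipher name.
VERSION_RE = re.compile(r'\b(TLSv?1(?:[._]\d)?|SSLv?[23])\b')
CIPHER_RE = re.compile(r'\bcipher[= ]+([A-Za-z0-9_-]+)')
VERIFY_RE = re.compile(r'\bverify=(\w+)')  # Sendmail/Postfix: OK, NO or FAIL


def _first(regex, text):
    m = regex.search(text)
    return m.group(1) if m else None


def classify_received(value):
    """Describe one Received: header; status is 'tls', 'cleartext' or 'other'."""
    text = ' '.join(value.split())  # unfold continuation lines
    # Postfix writes "(using TLSv1.3 with cipher ...)" before "with ESMTPS",
    # so the word "cipher" must be skipped when looking for the transport.
    transports = [w for w in WITH_RE.findall(text) if w.lower() != 'cipher']
    transport = transports[0] if transports else None
    version = _first(VERSION_RE, text)
    if version or (transport and SMTP_TLS_RE.match(transport)):
        status = 'tls'
    elif transport and SMTP_PLAIN_RE.match(transport):
        status = 'cleartext'
    else:
        # Not an SMTP hop (webmail over HTTP, MAPI, local delivery) or an
        # unrecognized format; it says nothing about transit over the internet.
        status = 'other'
    return {'from': _first(FROM_RE, text), 'by': _first(BY_RE, text),
            'transport': transport, 'tls_version': version,
            'cipher': _first(CIPHER_RE, text),
            'cert_verified': _first(VERIFY_RE, text),  # None if the MTA omits it
            'status': status}


def summarize(raw_message):
    """Return the hops of a raw RFC 5322 message in delivery order, earliest first."""
    msg = email.message_from_string(raw_message)
    received = msg.get_all('Received') or []
    # Each relay prepends its own Received: line, so the topmost is the last hop.
    return [classify_received(v) for v in reversed(received)]


def all_smtp_hops_encrypted(hops):
    """True only if every SMTP hop negotiated TLS; non-SMTP hops are ignored."""
    smtp_hops = [h for h in hops if h['status'] != 'other']
    return bool(smtp_hops) and all(h['status'] == 'tls' for h in smtp_hops)


# Constructed sample: webmail submission, an internal Exchange hop over TLS, a
# cleartext hop across the internet (the situation the post describes), then a
# TLS hop to the recipient's mailbox server.
SAMPLE_MESSAGE = """\
Received: from mx.example-recipient.net (mx.example-recipient.net [192.0.2.10])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
    by inbox.example-recipient.net (Postfix) with ESMTPS id 4Qz1x2
    for <alice@example-recipient.net>; Tue, 29 Oct 2019 10:15:02 -0400 (EDT)
Received: from outbound.example-sender.com (outbound.example-sender.com [198.51.100.7])
    by mx.example-recipient.net (Postfix) with ESMTP id 4Qz0ab
    for <alice@example-recipient.net>; Tue, 29 Oct 2019 10:15:01 -0400 (EDT)
Received: from WEBMAIL01.example-sender.com (192.168.4.20) by
 outbound.example-sender.com (192.168.4.2) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1;
 Tue, 29 Oct 2019 14:14:58 +0000
Received: from [10.0.0.5] by WEBMAIL01.example-sender.com with HTTP;
 Tue, 29 Oct 2019 14:14:57 +0000
From: bob@example-sender.com
To: alice@example-recipient.net
Subject: constructed test message

body
"""

if __name__ == '__main__':
    for h in summarize(SAMPLE_MESSAGE):
        print(h['status'], h['from'], '->', h['by'], h['tls_version'], h['cipher'])
```

The hop that answers the compliance question is the one from the sender’s outbound server to the recipient’s inbound server; a TLS annotation on an internal hop says nothing about the internet crossing. Also watch for `verify=NO`, which Sendmail and some Postfix configurations record: the session was encrypted, but the peer’s certificate was not validated.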


SMTP TLS: All About Secure Email Delivery over TLS

Monday, October 2nd, 2017

TLS stands for “Transport Layer Security” and is the successor of “SSL” (Secure Sockets Layer). TLS is one of the standard ways that computers on the internet transmit information over an encrypted channel. In general, when one computer connects to another and upgrades the connection to TLS (as SMTP does with the STARTTLS command), the following happens:

  1. Computer A connects to Computer B (no security)
  2. Computer B says “Hello” (no security)
  3. Computer A says, “Let’s talk securely over TLS” (no security)
  4. Computer A and B agree on how to do this (secure)
  5. The rest of the conversation is encrypted (secure)

In particular:

  • The meat of the conversation is encrypted
  • Computer A can verify the identity of Computer B by examining the certificate that B must present during the handshake. This only holds if A actually validates the certificate (trusted issuer, matching host name, not expired); many mail servers doing opportunistic TLS encrypt without validating, which defeats a passive eavesdropper but gives no proof of whom they are talking to
  • The conversation cannot be read by a passive eavesdropper, and an active interceptor is detected when Computer A validates B’s certificate
  • A third party cannot modify the conversation without the modification being detected
  • Third parties cannot inject other information into the conversation.

TLS and SSL are used for many different purposes on the internet and help make it a more secure place. One popular use of TLS is with SMTP, to encrypt email messages as they are transmitted between mail servers.
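The five steps above, as an added example that is not part of the original post: the client side of an SMTP STARTTLS negotiation, written against a scripted stand-in for the server so it runs offline. All hostnames and reply text are constructed. The stand-in can also play an on-path attacker that deletes the STARTTLS capability from the EHLO reply, which shows why the “no security” steps matter: a client doing opportunistic TLS falls back to cleartext without noticing, while one that requires TLS refuses to send.

```python
"""Client side of the SMTP STARTTLS upgrade, run against a scripted server.

Added example, not LuxSci code. ScriptedServer is a constructed stand-in: it
answers with canned replies so the exchange runs offline, and with
strip_starttls=True it acts like an on-path attacker that removes the
STARTTLS offer. A real client does the same exchange over a TCP socket.
"""


class ScriptedServer:
    def __init__(self, strip_starttls=False):
        self.strip = strip_starttls
        self.log = []  # commands the "server" received, for inspection

    def banner(self):
        # Step 2: the server's greeting, sent in the clear.
        return '220 mail.example.net ESMTP ready'

    def send(self, command):
        self.log.append(command)
        verb = command.split()[0].upper()
        if verb == 'EHLO':
            caps = ['250-mail.example.net', '250-SIZE 10240000',
                    '250-STARTTLS', '250 8BITMIME']
            # An attacker relaying the cleartext exchange simply drops this line.
            return [c for c in caps if 'STARTTLS' not in c] if self.strip else caps
        if verb == 'STARTTLS':
            if self.strip:
                return ['454 4.7.0 TLS not available']
            return ['220 2.0.0 Ready to start TLS']
        return ['500 5.5.1 command not recognized']


def negotiate(server, require_tls):
    """Run the cleartext preamble and decide whether the session goes to TLS.

    Returns 'tls', 'cleartext' or 'aborted'."""
    if not server.banner().startswith('220'):  # steps 1-2, no security yet
        return 'aborted'
    ehlo = server.send('EHLO client.example.org')  # still cleartext
    # EHLO reply lines are "250-KEYWORD ..." or, for the last one, "250 KEYWORD ...".
    capabilities = set()
    for line in ehlo:
        words = line[4:].split()
        if line.startswith('250') and words:
            capabilities.add(words[0].upper())
    if 'STARTTLS' in capabilities:
        reply = server.send('STARTTLS')  # step 3: "let's talk securely"
        if reply[0].startswith('220'):
            # Step 4 happens here in a real client:
            #   ctx = ssl.create_default_context()
            #   tls_sock = ctx.wrap_socket(sock, server_hostname='mail.example.net')
            # The default context validates the chain and host name, which is
            # what makes the identity guarantee in the list above real. The
            # client then sends EHLO again inside the tunnel (step 5 onward).
            return 'tls'
    # STARTTLS was not offered, or was refused. Opportunistic TLS silently
    # continues in cleartext; a mandatory-TLS policy refuses to send at all.
    return 'aborted' if require_tls else 'cleartext'
```

Mandatory TLS is what DANE for SMTP (RFC 7672) and MTA-STS (RFC 8461) let a sending server apply per destination domain; without such a policy, an on-path attacker can downgrade the session exactly as `strip_starttls=True` does here, and the only trace left is a Received: line that says ESMTP instead of ESMTPS.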


Is FAXing really HIPAA Compliant?

Tuesday, September 12th, 2017

Many organizations, especially in the healthcare industry, have an urgent need to send important and sensitive information, like protected health information (what constitutes PHI?), to organizations via FAX (facsimile).

Why?  Because this is how it has always been done, and everyone is “set up” to be able to handle FAXes quickly and efficiently.

Go back in time 10-15 years.  Every doctor’s office and small business had one or more FAX machines for sending documents and pictures back and forth.  It was essential technology that became ingrained into business processes through constant, repetitive use.  Everyone knows how to use a FAX machine, even the most technologically challenged staff member.

Fast forward to now:

  1. Fax machines have changed.  They are now all-in-one devices that scan, print, copy, send files to your computer, and more.  The FAX function is now just a minor extra feature.
  2. HIPAA has arrived and evolved.  It used to be that sending patient data (ePHI) via FAX was the norm.  Now it is perilous to send such private data over regular FAX lines, as it is easy for that process to break down and violate HIPAA.  For example, see the $2.5 million lawsuit that resulted from a single fax message.
  3. Everyone has a computer or tablet.  Most doctors and staff members have access to email and a HIPAA-secured computer or tablet, know how to use them, and have been trained on best practices through the HIPAA security training that everyone is now required to take.
  4. Paperless offices.  Workplaces have become, or are becoming, paperless, with everything stored electronically.  Regular FAXes are often disdained in favor of email; when they do arrive, they are usually scanned to electronic files and then destroyed.
  5. Low resolution.  Faxes are low-resolution, slow, and carry little detail.  They are poor for sending anything graphical.


Is email message transport over MAPI or HTTPS secure?

Tuesday, September 5th, 2017

Our latest “Ask Erik” question involves understanding what email headers say about secure message transport, especially when they list MAPI or HTTPS instead of TLS.


Do my online forms need to be HIPAA-Compliant if they don’t ask for medical information?

Monday, September 29th, 2014

For folks in the medical field, there is often a lot of uncertainty regarding which kinds of web forms need HIPAA compliance and which ones do not. We often have customers ask if their online forms need to be HIPAA-compliant.

The short answer is that you should probably make ALL of your forms secure, just as it is best to serve every page of your website over HTTPS, no matter what is on the page. This instills more trust in your web visitors and results in more business. It doesn’t take much work to secure your forms, so you might as well do it for all of them. Your users’ data will be protected, and they will know that you are looking to make the best choices for them, even in cases where it might not strictly be necessary. This is a good thing.

Back to the original question-

If you are a medical office, do your online forms need to be HIPAA-Compliant, depending on what is collected?

Note: the following is suggested advice from LuxSci based on our understanding of HIPAA; however, this should not be taken as legal advice. We advise you to consult your lawyer for accurate legal advice on your particular situation.

HIPAA requires that all electronic Protected Health Information (ePHI) be secured to protect the privacy of the individuals identified in the ePHI. So, as long as either (a) HIPAA does not apply to you or (b) your form does not collect ePHI, then you do not have to secure the web form.
Let’s look at each of the two criteria to tell if either one may apply to you or your form.

1. Does HIPAA Apply to You?

HIPAA applies to your web form if you are a “HIPAA Covered Entity” or if you are collecting data for someone that is a HIPAA Covered Entity (making you a “HIPAA Business Associate” of theirs).

HIPAA Covered Entities Include:

  1. Care: You provide “health care” as HIPAA defines it, meaning services or supplies related to an individual’s physical or mental health care. This includes: (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure concerning the physical or mental condition or functional status of an individual that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
  2. Provider: A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the ordinary course of business.
  3. Clearinghouse:  A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value-added” networks and switches that either process or facilitate the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or receive a standard transaction from another entity and process or facilitate the processing of health information into a nonstandard format or nonstandard data content for the receiving entity.
  4. Plan: With certain exceptions, an individual or group plan that provides or pays the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). The law specifically includes many organizations and government programs as health plans.

You are a HIPAA Business Associate if someone who is a HIPAA Covered Entity has contracted you to collect data for them through the form. (You also have to sign a Business Associate Agreement and abide by many other restrictions if you are a Business Associate). A good example of a Business Associate would be a web design company that handles the websites and forms for their customers, some of whom are “HIPAA Covered Entities.” If the website uses web forms to collect ePHI, the web design company must then be a Business Associate of that customer and abide by HIPAA regulations. Without a BAA, their customer is non-compliant and putting patient data at risk.

2. Does the online form collect ePHI?

So let’s say that HIPAA does apply to you, and you still want to know if a particular web form needs to be compliant. This is determined by whether the form collects ePHI or not.

What is ePHI?
ePHI is individually identifiable, protected health information sent or stored electronically. “Protected health information” can include information about an individual’s:

  1. Past, present, or future physical or mental health or conditions
  2. Past, present, or future provisioning of health care
  3. Past, present, or future payment-related information for the provisioning of health care

“Individually identifiable” information is any information that can be used to determine which specific individual is involved. HIPAA lists 18 types of identifiers (below); any one of them, combined with “protected health information” (e.g., an appointment with a particular doctor), constitutes ePHI.

  • Name
  • Address (all geographic subdivisions smaller than the state, including street address, city, county, zip code)
  • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
  • Telephone numbers
  • Fax number
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate/license number
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers or serial numbers
  • Web URL
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger and voice prints
  • Full-face photographs and any comparable images
  • Any other characteristic that could uniquely identify the individual

So, it is pretty easy for a web form to be collecting ePHI!

Web Forms and ePHI need to be HIPAA-Compliant

Here are some examples of web forms that would likely be collecting ePHI:

  1. Appointment Requests and Referral Requests: These will collect identifiable information about the person requesting the appointment. The request for the appointment should be considered information about “future provisioning of health care to an individual.” Furthermore, by context, requesting an appointment may also imply information about “an individual’s past, present, or future physical or mental health or condition.”
  2. Patient Intake Forms: These forms usually enable prospective patients to provide information about themselves for one purpose or another. This is both identifiable and information about “an individual’s past, present, or future physical or mental health or condition.”

Some examples that might not be considered collection of ePHI (depending on the exact context of the site), because while they are individually identifiable they do not include or imply health information about that individual:

  1. Contact Requests: The website visitor is merely asking for a call or email with no specified reason.
  2. Requests for Information: Where the website visitor requests a white paper, a pamphlet, or other information
  3. Purchases of products that do not require a prescription: Purchasing a product does not in and of itself imply who is going to use it, unless use of that product is restricted (e.g., by prescription). Of course, this may also depend on whether you collect health information as part of the purchase, e.g., for future marketing or upselling.

Get the picture? Anything that identifies the person and relates to that person’s health or healthcare should be considered ePHI and protected. In other cases, you could get away with not being secure. But why would you? People are worried about identity theft and information leakage on all sites, not just ones related to medical information. Anything a website can do to make its visitors more comfortable and “secure” improves trust and sales conversions.

What About Consent for Insecure Transmission?

As a follow-up question, we are often asked if there can be a checkbox on the form where patients can click to consent to the use of an insecure, non-compliant form. Presumably, if they do not click, they cannot submit the form at all, so you are forcing them to either go away or consent to insecure submission.

We strongly advise against this; it is almost certainly not HIPAA-compliant. If you were going to do it anyway, this is another case where you should consult a lawyer to make sure it is acceptable for your situation.

To understand why this is a bad idea, consider “Mutual Consent.”

Under HIPAA, Mutual Consent to transmit ePHI insecurely seems to be allowed if:

  1. You and the patient agree that insecure transmission is okay,
  2. The patient has been appropriately advised of the security risks involved,
  3. The patient agrees in writing that insecure transmission is okay, and
  4. A HIPAA-compliant transmission option remains available (this requirement is implied rather than stated outright).

The simplest thing to do is to use secure transmission and be done with it; then there is no need for consent to insecure delivery. An insecure form does not make things any easier for the person filling it out.

The only case where this could be considered possibly under the HIPAA radar (again, please consult your lawyer) is if:

  1. Your insecure form has a clear section where it advises the users of the risks of submitting their data via this form
  2. That warning is understandable to most laypeople without further explanation
  3. They have to check a box (or maybe sign their name) to consent to the submission of that form
  4. You may need to show that they understood and agreed to the risks and didn’t just click without reading.
  5. When you collect the form data, you save and archive all of these consent agreements in case of a breach, and you need to prove that insecure sending was allowed and the user was well informed of the risks.
  6. You have another option available to users who do not accept the risks, e.g., submitting the form securely, calling you via a phone number, or printing and mailing in a physical form.

You place a significant burden on the end user by adding warnings and consent to your form, and this will turn most people off. As always with the web, keep it as simple as possible for maximum results. In this case, that means no consent, no warning, just simple, secure submission.