secure email Archives - LuxSci

Posts Tagged ‘secure email’

Zero Trust Email

Tuesday, July 20th, 2021

Our third article on Zero Trust Architecture covers zero trust email and the systems it requires. In May, the Biden Administration announced a new approach to cybersecurity that included a push toward Zero Trust Architecture. We have already covered Zero Trust Architecture as a whole, and also talked about how dedicated servers are important parts of the zero trust model. Now, it’s time to talk about zero trust email.


Zero Trust Email and Encryption

As we discussed in our previous articles, Zero Trust Architecture begins with the presumption that an organization’s network may not be secure. Because attackers may already be inside the network, NIST stipulates that:

“…communication should be done in the most secure manner available… This entails actions such as authenticating all connections and encrypting all traffic.”

This means that emails always need encryption. While many organizations recognize external threats and encrypt their sensitive external communications, it’s still common for workplaces to use unencrypted communication methods within the company network. This is generally done under the outdated assumption that the internal network is secure.

Zero Trust Architecture understands that any attacker within the network could easily read these communications. This is why zero trust email needs to be encrypted, even when it’s within an organization’s private network. One step in this direction is to force TLS for email encryption for all entities.

The zero trust model also requires encryption at rest, so emails also need to be protected in storage, not just in transmission.

Authentication and Zero Trust Email

NIST’s publication on Zero Trust Architecture also stipulates that:

“Access to individual enterprise resources is granted on a per-session basis. Trust in the requester is evaluated before the access is granted. Access should also be granted with the least privileges needed to complete the task.”

When it comes to zero trust email, this means that sensitive messages require authentication and authorization to be read. TLS encryption alone is not sufficient, because it doesn’t have the full capability for this type of verification. While it does allow authentication and authorization on the recipient’s email account, it cannot do so on the raw message data.

LuxSci supports:

  • Sender Policy Framework (SPF) – This is a system for email authentication that can detect forged sender addresses. Due to its limitations, it is best to complement it with other email authentication measures.
  • DomainKeys Identified Mail (DKIM) – This authentication method can detect email spam and phishing by looking for forged sender addresses.
  • Domain-based Message Authentication Reporting and Conformance (DMARC) – This email authentication protocol complements SPF, allowing it to detect email spoofing. It helps to protect organizations from phishing, business email compromise attacks, and other threats that are initiated via email.

Each of these email authentication measures is useful for verifying sender identities. LuxSci also offers premium email filtering, and together these techniques limit the trust that is applied to inbound messages.

Together, these techniques identify legitimate email messages while filtering out those that are unwanted or malicious. While it isn’t directly stated in the NIST guidelines, SPF, DKIM and DMARC can all be integral parts of the zero trust framework.
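As an added illustration of how SPF, DKIM and DMARC complement each other (this is example code written for this page, not LuxSci's filtering logic), the following Python evaluates a published DMARC policy over constructed SPF and DKIM results. The sample record, the example.com domains and the two-label shortcut for the organizational domain are assumptions; real verifiers consult the Public Suffix List and apply pct= sampling.

```python
"""Toy DMARC evaluation: how SPF and DKIM results combine under a published policy.
Simplified relative to RFC 7489 (no pct= sampling, no Public Suffix List lookup)."""
from dataclasses import dataclass

def parse_dmarc_record(txt: str) -> dict:
    """Split a record such as "v=DMARC1; p=reject; rua=mailto:..." into tag/value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain approximated as the last two labels (assumption; real
    verifiers use the Public Suffix List so that e.g. example.co.uk is handled)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(identifier: str, header_from: str, mode: str) -> bool:
    """Strict ("s") alignment needs an exact match; relaxed ("r") accepts the same org domain."""
    if mode == "s":
        return identifier.lower() == header_from.lower()
    return org_domain(identifier) == org_domain(header_from)

@dataclass
class AuthResults:
    header_from: str   # domain in the visible From: header, the one recipients see
    spf_domain: str    # envelope MAIL FROM domain that SPF was evaluated against
    spf_pass: bool
    dkim_domain: str   # d= tag of a signature that verified, or "" if none did
    dkim_pass: bool

def dmarc_disposition(res: AuthResults, record: str) -> str:
    """Return "pass", or the policy action ("none", "quarantine", "reject") on failure."""
    tags = parse_dmarc_record(record)
    spf_ok = res.spf_pass and aligned(res.spf_domain, res.header_from, tags.get("aspf", "r"))
    dkim_ok = res.dkim_pass and aligned(res.dkim_domain, res.header_from, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    policy = tags.get("p", "none")
    return policy if policy in ("none", "quarantine", "reject") else "none"

# Constructed sample record for a domain that asks receivers to reject failures.
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"
```

A message whose SPF check passes for an unrelated envelope domain is still rejected, because DMARC requires the passing identifier to align with the visible From: domain; that alignment is what a bare SPF pass lacks.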

Access Control and Zero Trust Email

In addition to measures for encrypting messages and verifying inbound emails, zero trust email requires granular access controls to keep out intruders. LuxSci’s Secure Email Services include a wide range of access controls that limit unauthorized access while still making the necessary resources available. These include:

  • Two-factor authentication
  • Application-specific passwords
  • Time-based logins
  • IP-based access controls
  • APIs that can be restricted to the minimum needed functionality

These configuration options help reduce the likelihood that a malicious actor can access your systems. They also limit the sensitive email data that an attacker may have access to if they do manage to compromise an organization’s network.

LuxSci’s Zero Trust Email

As a specialist provider in secure and compliant services, LuxSci’s offerings are well-positioned as zero trust email solutions. Our Secure Email aligns with Zero Trust Architecture for every industry vertical, not just HIPAA. Contact our team to find out how LuxSci can help secure your organization with a zero trust approach.

17 Questions To Ask Before Sending A HIPAA-Compliant Marketing Email

Tuesday, April 20th, 2021

You’ve just been told that your email marketing program is putting your company at risk of violating HIPAA. What now? If you want to continue using email to communicate with patients, you must implement HIPAA-compliant email marketing.

Start by breaking down that goal into two components: becoming HIPAA-compliant and achieving your marketing objectives. Setting up HIPAA-compliant systems and procedures will ensure your patient data is protected. However, you don’t have to let your marketing objectives suffer for the sake of security. Implementing a HIPAA-compliant marketing program can actually help you achieve better marketing results.

Ask yourself these 17 questions to ensure your email marketing plan aligns with your business goals and HIPAA.


Time-Based Access Control

Tuesday, March 16th, 2021

A new security feature is available for LuxSci WebMail customers. Account administrators now have the option to implement time-based access controls for their users. Administrators can restrict what times of day and what days of the week individual users are permitted to use the LuxSci web interface (for WebMail, administration, or other tasks) to increase security on the platform.

This prevents unauthorized off-hours access by employees and also by potential attackers. In a compliance context, LuxSci customers are able to apply time-of-day access controls on a user-level to further limit the attack surface and keep essential information protected.

How to Enable Time-Based Access

You must be an account administrator to enable time-based access. To edit this setting, go to the user’s account and click on “Settings.” Under “Security,” go to the “General” page and do the following steps:

  • Enable the overall setting “Enable time-based access restrictions to this web interface.”
  • Select the time zone to use for these times.
  • For each day the user will be allowed to login to the Web Interface, enter one or two time ranges in the 24-hour time format “HH:MM-HH:MM.”
    • For example, if the user can use the system between 9am and 5pm, you would enter “09:00-17:00.” Use two time ranges if there are two distinct periods of time during the day that are acceptable.
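To show how a schedule in this format is evaluated, here is an added Python example (not LuxSci's code): it parses the per-day “HH:MM-HH:MM” ranges, converts the login time into the selected time zone and decides whether the login falls inside an allowed window. The sample schedule, the fixed -04:00 offset used in place of a named zone, and the start-inclusive/end-exclusive convention are assumptions.

```python
"""Evaluate a per-day login schedule written as "HH:MM-HH:MM" ranges."""
from datetime import datetime, time, timedelta, timezone, tzinfo

def parse_ranges(spec: str) -> list:
    """Parse up to two comma-separated "HH:MM-HH:MM" ranges into (start, end) pairs.
    Assumption: start is inclusive, end is exclusive, ranges never cross midnight."""
    ranges = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        start_s, end_s = item.split("-")
        start, end = time.fromisoformat(start_s), time.fromisoformat(end_s)
        if end <= start:
            raise ValueError(f"invalid range (must not cross midnight): {item}")
        ranges.append((start, end))
    if len(ranges) > 2:
        raise ValueError("at most two ranges are allowed per day")
    return ranges

def login_allowed(schedule: dict, zone: tzinfo, when: datetime) -> bool:
    """schedule maps "Mon".."Sun" to a range spec; a missing or empty day means no
    access. `when` is an aware datetime and is converted into the schedule's zone."""
    local = when.astimezone(zone)
    now = local.time().replace(second=0, microsecond=0)
    windows = parse_ranges(schedule.get(local.strftime("%a"), ""))
    return any(start <= now < end for start, end in windows)

# Constructed sample policy: office hours on weekdays, two windows on Saturday,
# nothing on Sunday. A fixed -04:00 offset stands in for US Eastern time in late March 2021.
SCHEDULE = {day: "09:00-17:00" for day in ("Mon", "Tue", "Wed", "Thu", "Fri")}
SCHEDULE["Sat"] = "08:00-12:00,14:00-16:00"
EDT = timezone(timedelta(hours=-4))

def allowed_at(iso_timestamp: str, schedule=SCHEDULE, zone=EDT) -> bool:
    """Convenience wrapper: ISO-8601 timestamp with UTC offset -> decision."""
    return login_allowed(schedule, zone, datetime.fromisoformat(iso_timestamp))

if __name__ == "__main__":
    from zoneinfo import ZoneInfo  # real zone: handles DST, needs system tzdata
    ny = ZoneInfo("America/New_York")
    for ts in ("2021-03-22T12:30:00+00:00", "2021-03-22T16:30:00+00:00"):
        print(ts, "->", login_allowed(SCHEDULE, ny, datetime.fromisoformat(ts)))
```

Because the check converts the timestamp into the administrator's chosen zone first, a login at 12:30 UTC on a Monday is refused (08:30 Eastern) while 16:30 UTC is accepted (12:30 Eastern).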


Additional Security Features

In addition to this feature, we also recommend that LuxSci customers take advantage of our other security controls such as:

What Are Your Goals for Sending HIPAA-Compliant Emails?

Wednesday, October 7th, 2020

…And How Do They Influence Which Provider You Choose?

So, you’ve heard that you need to send HIPAA-compliant emails. Maybe your company is only just starting to send ePHI in its messages. Perhaps it just wants to be extra careful, and limit the potential repercussions if ePHI is accidentally sent in an email. It could have even been skirting HIPAA regulations all along, and has suddenly realized the error of its ways.

Whatever led you up to this point, you are doing the right thing by looking for a HIPAA-compliant email provider. But the regulations and the services that have been developed to abide by them can be complex, so it’s important to do your research and carefully think through your decision.


Secure email sending

On top of making sure that a potential service meets your compliance and security needs, you also need to consider the goals of your HIPAA-compliant email sending. Obviously, we can’t tell you what your goals are, but we can give you some suggestions that will help you refine them.

Are You Intending to Send ePHI, or Do You Just Want a HIPAA-Compliant Service to Be Careful?

Some organizations may want to directly email ePHI to their patients, so they need to focus on how they can do this effectively, while keeping both their patients and their businesses safe. For example, a doctor’s clinic may want to offer to send out test results via email.

Due to the high risk of exposing this information, it will probably want to opt-out encryption, rather than opt-in. Measures like this can significantly reduce the chances of accidentally sending out unprotected ePHI.

In contrast, other companies may only want to send ePHI on rare occasions, so they may find opt-in encryption more convenient. The point is that every organization has its own set of requirements, and they need to find a suitable email service for their individual circumstances.

Some will want a service that is tightly locked down to limit their risks, while others may have a high risk tolerance.

Do You Plan on Using It as Your Everyday Email Service, or for High Volume Messaging?

If you just want a HIPAA-compliant email service for everyday use, something like LuxSci’s Secure Email is a great option. Alternatively, if your main goal is to send out emails in bulk, you will need something like our Secure High Volume Sending.

Do You Want to Send Transactional Messages, Marketing Emails, or Both?

As obvious as it seems, marketing emails are messages that are mainly sent out for marketing purposes. These include newsletters and product updates. On the other hand, transactional emails are those that are essential for customer interactions with the company. Many different things qualify as transactional emails, from onboarding messages, to password resets, to receipts, and much more.

Savvy companies don’t just see transactional emails as a bland part of conducting business. Instead, they use them as opportunities to add in a little marketing for their products, services, or simply overall brand awareness.

Before you make your decision on an email platform, you should consider how you want to use the service, and which solutions cater best to those needs.

Do You Have an In-House Graphic Designer, or Do You Need Intuitive & Professional-Looking Templates?

If your company has its own graphic designer, or the budget to outsource it, then it may not need beautiful email templates. Not every organization has those resources on hand, and many just want something that looks good without having to put in a lot of effort. Your company’s current setup and goals will influence whether you look for a HIPAA-compliant email provider that offers these ready-made templates.

Do You Need Analytics that Help You Measure the Effectiveness of Your Campaigns?

If your goal is to have the most effective campaign possible, then you need to measure everything. Of course, this is only possible with a marketing service that has a comprehensive analytics platform. LuxSci’s Secure Marketing solution offers A/B testing, which allows you to compare two different approaches to see which is best.

It also features a range of reports that tell you who opened emails, what they clicked on, the bounce rate, whether messages were marked as spam, and much more. If you need this type of in-depth knowledge in your email campaigns, it will be an important factor in which email service you ultimately end up choosing.

LuxSci’s HIPAA-compliant email services aim to combine the functional features you need for high performance, alongside the security mechanisms required to stay within the regulations. Together, these provide adaptable services for those in the healthcare sector and for other businesses that deal with ePHI.

HIPAA-compliant Email Host or SMTP Connector?

Tuesday, July 28th, 2020

choosing hipaa compliant email

You may have heard that you need to use HIPAA-compliant email to protect your organization’s ePHI, but many people aren’t sure where to go from there. Don’t worry if you fall into this camp, because this article will explain your options in depth.

The most straightforward solution is to simply sign up for a HIPAA-compliant email host. These are providers who specifically design their email services to be compliant with HIPAA regulations. A good example is LuxSci’s Secure Email.

If you currently use tools like Google Workspace or Microsoft Office 365 for your email, you might be looking for ways that you can adapt them for HIPAA compliance. The good news is that this is possible with an outbound encryption tool like our HIPAA-compliant SMTP connector.

Some organizations may pursue this option because they need certain features that these programs offer, while others may be hesitant to introduce new software and have to train their employees to use it.

Why Do You Need a HIPAA-compliant SMTP Connector for Google Workspace, Microsoft Office & Other Services?

These services aren’t designed to be HIPAA-compliant. Tools like Google Workspace, Microsoft Office 365, and Microsoft Exchange are designed for the mass market, so HIPAA compliance and security were not significant factors during their development.

This means that they are unsuitable for protecting ePHI straight out of the box. In the case of Google Workspace, it lacks a HIPAA-compliant email encryption solution. Microsoft does have one, but it is difficult to configure. A solution like LuxSci’s Secure SMTP Connector hooks up to your existing email service, bridging the gap to make your outbound email secure and HIPAA-compliant.

LuxSci Secure Connector


HIPAA-compliant SMTP connectors can also help you send emails if your internet service provider prevents or limits your outbound mail server from sending messages. On top of this, they can also add SMTP authentication to your outbound email system, as well as offer encryption and archival mechanisms. SMTP servers can also assist you in adapting your existing mail service in a variety of other ways.

Should You Use a HIPAA-compliant Email Host or an SMTP Connector?

Every organization will come to its own conclusion, based on the factors that matter most in its unique situation. If your main concern is making your company’s HIPAA compliance as easy as possible, then a HIPAA-compliant email host is probably your best option.

These are developed with the regulations in mind, and are designed to make compliance simple, with configuration options that suit a range of scenarios. With a HIPAA-compliant email host, you are less likely to misconfigure it and accidentally expose ePHI.

LuxSci’s HIPAA-compliant email is designed to offer you a high level of performance and functionality, without having to constantly worry about regulatory headaches.

In contrast, some organizations aren’t in a position where they are ready to switch to a new email host. If they rely on certain software features in Google Workspace or Microsoft Office 365, it’s best for them to deploy LuxSci’s secure connector so that they can protect their outbound email sending.

Setting up and maintaining HIPAA compliance may be more complicated if they pursue this option, but it’s still a better choice than completely disregarding their regulatory obligations.
