" secure email Archives - Page 3 of 6 - LuxSci

Posts Tagged ‘secure email’

Are Prescription Notifications HIPAA-Compliant?

Tuesday, December 14th, 2021

It is common to receive calls and text messages from pharmacies reminding us that it is time to pick up or renew our prescriptions for drugs or other medical items. Have you ever wondered if these prescription notifications are HIPAA-compliant?

Just because every pharmacy seems to send them, it doesn’t mean they are aware of the compliance requirements. Let’s look into the context and learn how to remind patients of prescription refills and appointments securely.

prescription notifications hipaa compliant

Read the rest of this post »

5 Ways to Prevent Human Impacts on Your Cybersecurity Program

Tuesday, October 12th, 2021

There are multiple ways that humans impact cybersecurity and can put data at risk. From being tricked by phishing emails to choosing easily guessed passwords, insider fraud and mistakenly classifying the security level of emails and other content, the actions of your employees can make your data vulnerable.

While the impact of human errors can’t be eliminated entirely, there are steps that can be taken to minimize the effects humans can have on your cybersecurity. Five of these steps are detailed below.

prevent human effects on cybersecurity

1. Adopt an “Opt-out” approach to encryption

At LuxSci, our philosophy is to limit risk by taking basic security choices out of employee hands. Instead of relying on employees to encrypt emails with sensitive contents, we automatically encrypt every message by default. This makes it more difficult for an employee to carelessly send out sensitive emails without the proper safeguards.

Conversely, when taking an opt-in approach to cybersecurity, employees are responsible for remembering to encrypt each email before sending. Anytime an employee forgets to take this step, it represents a potential security breach with all the liability that entails. Adopting an opt-out approach to encryption reduces this risk significantly. While many companies use opt-in processes because of their convenience, they introduce a high degree of risk. LuxSci’s SecureLine encryption technology enables a new generation of email encryption that features both flexibility and security.

2. Implement strict email filtering and network firewalls

Are you familiar with the aphorism “an ounce of prevention is worth a pound of cure”? By taking steps to prevent malicious threats from reaching your systems and networks, your employees will not have to spend their time trying to figure out what is a threat.

Email filtering

Phishing is one of the greatest threats to cybersecurity. Rather than relying strictly on human judgement with regard to which emails to open, using a sender policy system that filters or flags suspicious incoming emails can appreciably improve cybersecurity. Don’t count on your busy employees to know when an email is suspicious. Instead, use email filtering to keep those emails from even entering their inboxes.

Network firewalls

Firewalls help prevent attackers from gaining easy access to your network. They prevent suspicious connections or messages from connecting to the network or reaching their intended destination. By serving as a first line of defense, a firewall plays a major part in shielding your network from cyberattacks. By preventing external threats from accessing your applications, you don’t need to count on your employees to recognize when something isn’t right.

3. Prevent human impacts on cybersecurity by training staff

Almost every modern workplace relies on internet-connected devices to get work done. However, just training staff to use your technology effectively is not enough. With cyberattacks growing in frequency, keeping your staff aware of the latest cybersecurity threats is essential to protect your business. With data breaches, denial-of-service (DoS), and ransomware attacks accounting for tremendous financial losses, failing to prepare your staff for the danger these attacks pose to your IT operations can be costly.

Your employees can prevent security breaches if they are properly trained in the latest cybersecurity best practices. Some complex security breaches can evade even the best automated security measures. If your staff knows what to look for, they can play a crucial role in augmenting your existing security measures.

In addition, hackers often target employees as their first access point for gaining entry to a network. As a result, restricting cybersecurity training to just the IT department can leave your employees vulnerable to social engineering, phishing emails, and other exploits used by hackers to dupe them.

A cybersecurity training program can help reduce risks by familiarizing employees with the tricks used by hackers to gain access to their accounts. As part of the training program, it’s important to test employees on core concepts to ensure the message is retained.

4. Enforce strong password and access control policies

To reduce the risk of security breaches, a robust password protection program is necessary. One of the key elements is enforcing password complexity. Simple passwords are vulnerable to brute force hacking, enabling hackers to easily access employee accounts.

Requiring staff to use unique, complex passwords makes it much harder for hackers to gain access to an account. A complex password can include multiple types of characters (numbers, letters, capitalization, special characters) and minimum character lengths. Learn more about creating secure passwords in our blog archives.

Multi-factor authentication (MFA) is another key element of a robust security policy. By requiring more than a single action to access an account, you can drastically cut down on security breaches due to lost or stolen passwords. Given that compromised passwords are a significant cause of security breaches, using MFA is a powerful tool for bolstering network security.

In addition, setting up time-based access controls for your sensitive systems can prevent bad actors from gaining unauthorized access. For example, if you have an employee who works a 9am-5pm shift, you can prevent her from accessing the system from 6pm-8am. That way if a bad actor did get her credentials, they would be unable to login when she was offline. This could prevent someone from taking over your systems overnight.

5. Adopt the Zero Trust security stance

What is Zero Trust Architecture? Essentially, it is a policy for guarding against cyberattacks by assuming that every aspect of a network is subject to attack. This includes potential insider threats from employees or attackers who have infiltrated your network. This contrasts with other security approaches that assume that traffic within a network’s security perimeter can automatically be trusted. Instead, Zero Trust Architecture minimizes the security perimeter as much as possible to reduce the chance of a security breach and evaluates the credentials and actions of users at all levels of access to identify any actors inside the network who may pose a threat.

By providing a more granular level of threat detection and limiting access within the network, a Zero Trust security approach is more rigorous than existing security models focused primarily on perimeter security.

ZTA improves security without imposing unduly burdensome requirements. It gives users access to just the minimum level of data and services needed to fulfill their role. This can help stop insider threats from employees. If a lower-level employee with little access to sensitive data has their credentials compromised, it is less threatening to the organization’s data security. The attacker will not be able to penetrate other parts of the network without additional identity verification.

Limiting human impacts on your cybersecurity to decrease risk

Humans can amplify cybersecurity risks in many ways. Between careless mistakes and intentional sabotage, there are a number of things that employees can do to expose your company to cybersecurity risks. The steps listed above comprise a comprehensive set of measures you can take to minimize negative human impacts on cybersecurity. In conjunction with a robust security solution, these measures can significantly enhance your cybersecurity defenses.

Secure your organization by contacting us to find out how to get onboard with LuxSci.

Online Reviews and HIPAA Compliance

Tuesday, September 28th, 2021

Online reviews are critical for success in our modern business world. Many of us turn to online reviews when searching for a new health provider, but HIPAA compliance issues complicate how providers can use online reviews.

Savvy health care marketers want to use online reviews to attract new patients. But how can they do so while also protecting sensitive data and complying with HIPAA?

online reviews HIPAA

Online Reviews and Medical Marketing

Online reviews are extremely popular and are often consulted by patients looking for new providers. Google, Yelp, and Facebook are just a few of the most common review websites that people visit. Skilled digital marketers in every industry recognize the power of a positive review and want to incorporate online reviews and testimonials into their marketing strategies. How many times have you been contacted and asked to leave a review after visiting a restaurant, supermarket, or retail store?

However, when it comes to the health care industry, it’s not as simple as sending off an automated email or survey. Health care marketers need to keep HIPAA compliance in mind when crafting their review campaigns.

The HIPAA Compliance Issues Involved In Asking For Online Reviews

A traditional email campaign to request a review is quite simple. The sender creates a message that says something like “Thanks for visiting Dr. Smith’s office today. We hope you had a positive experience and we would appreciate your feedback. Please click here to leave a review on Google.” You may not realize it, but this simple ask is more complicated than it seems from a HIPAA compliance perspective. Why? Because even the most seemingly mundane details constitute electronic protected health information (ePHI).

ePHI is defined as “individually identifiable health information” relating to:

  • An individual’s past, present or future physical or mental health or condition,
  • The provision of health care to the individual, or
  • The past, present, or future payment for the provision of health care to the individual.

A patient’s name and even their email address are considered individually identifiable information, while asking for a review of their appointment clearly relates to the “…provision of health care to the individual.”

Most messages that ask for an online review include ePHI and must be protected. If this information isn’t adequately secured, the message will be sent in violation of HIPAA. These violations can result in significant penalties for your organization.

How Can You Ask For Patient Reviews And Maintain HIPAA Compliance?

Is it possible for healthcare marketers to solicit patient reviews via email? Keeping the message content as generic as possible may help you avoid a violation. However, when it comes to HIPAA and patient security, we always recommend stepping up your game.

Sending normal emails or text messages is risky, but a HIPAA-compliant email solution allows you to circumvent this problem. Services like LuxSci’s Secure Marketing and Secure High Volume Email are designed with HIPAA compliance in mind. They have the appropriate protections (including message encryption) in place to keep ePHI secure.

Using these services allows you to ask patients for online reviews, all in a HIPAA-compliant manner. Not only will this help your company get more positive online reviews, but LuxSci’s solutions allow you to automate the whole process. You can set up the systems to automatically email patients after they have an appointment, making it simple for your company to boost its online reputation.

How To Respond To Online Reviews While Maintaining HIPAA Compliance

Most marketers know that it is a good practice to respond to patient reviews, whether they are positive or negative. However, public correspondence regarding patient appointments can be a nightmare when it comes to HIPAA compliance.

Even acknowledging that a patient had an appointment with your organization can be a HIPAA violation, because it combines details of their health care with individually identifiable information in a public forum.

This means that even if a patient publicly writes about their medical conditions or treatments, you can’t acknowledge them. This means messages like “Thanks so much! We’re glad Dr. Smith was able to stitch you up.” or “We’re sorry to hear you had a bad experience refilling your anti-depressant prescription. How can we fix the situation?” are off-limits.

It’s counter to how most marketers would like to reply, but for compliance reasons you cannot acknowledge their visit or the specifics. A HIPAA-compliant message could be something like* “We really appreciate your review.” It may seem impersonal, but the law is the law, and you face huge fines if you disobey it.

(*Please note that this is not intended as legal advice. You should consult a lawyer if you have questions about online reviews and compliance.)

Responding To Online Reviews In A HIPAA-Compliant Manner

There are many situations where you may want to give a more sincere reply than the example above, especially if a patient had a negative experience. If the review is not anonymous, we recommend having a staff member reach out privately.

It’s best to see these as opportunities to listen to your patients and try to rectify the situation. By taking the right approach, you can turn a negative review into a positive experience.

However, you can’t have a detailed discussion about the online review on the website while still maintaining your HIPAA compliance. This means that you need a way to reach out to your patients without violating the regulations. LuxSci’s Secure Email is perfect for these kinds of situations, because it is designed from the ground up to be HIPAA-compliant. You can email your patients to discuss the situation without worrying about exposing their ePHI and violating the law.

Contact LuxSci now to find out how you can use our services to reach out to your patients and collect reviews that drive new business.

LuxSci Joins the Oracle Cloud Marketplace

Friday, August 27th, 2021

LuxSci is pleased to announce that our Secure High Volume solution is now available on the Oracle Cloud Marketplace for deployment with Oracle Cloud Infrastructure (OCI). The Oracle Cloud Marketplace is a centralized repository of enterprise applications offered by Oracle and Oracle partners.

luxsci oracle marketplace

LuxSci’s Secure High Volume email service allows organizations to secure their outbound transactional and marketing emails with highly flexible and secure email encryption. Users can select the method of encryption (TLS, Secure Portal Pickup, PGP, S/MIME, etc.) to meet their campaign needs. Sending emails that contain sensitive information like protected health information (PHI) is easy and secure with LuxSci’s ultra-flexible encryption technology.

LuxSci’s services are highly configurable. Each customer has their own custom deployment to meet their sending and throughput needs. Customers can choose to implement high availability services to increase sending power and reduce downtime in the event of server failure. Secure High Volume sending integrates with your existing platforms via SMTP or API to streamline secure email sending.

In spring 2021, LuxSci announced the move to Oracle’s security-first cloud infrastructure. OCI’s highly flexible and secure server configuration options allow LuxSci to deliver larger quantities of HIPAA-compliant email messages. Compared to other servers, OCI is faster and more reliable. With OCI, LuxSci can also architect more custom deployments and can serve customers of all sizes. Learn more about why LuxSci chose to work with Oracle.

 

 

Zero Trust Email

Tuesday, July 20th, 2021

Our third article on Zero Trust Architecture covers zero trust email and the systems it requires. In May, the Biden Administration announced a new approach to cybersecurity that included a push toward Zero Trust Architecture. We have already covered Zero Trust Architecture as a whole, and also talked about how dedicated servers are important parts of the zero trust model. Now, it’s time to talk about zero trust email.

zero trust email

Zero Trust Email and Encryption

As we discussed in our previous articles, Zero Trust Architecture begins with the presumption that an organization’s network may not be secure. Because attackers may already be inside the network, NIST stipulates that:

“…communication should be done in the most secure manner available… This entails actions such as authenticating all connections and encrypting all traffic.”

This means that emails always need encryption. While many organizations recognize external threats and encrypt their sensitive external communications, it’s still common for workplaces to use unencrypted communication methods within the company network. This is generally done under the outdated assumption that the internal network is secure.

Zero Trust Architecture understands that any attacker within the network could easily read these communications. This is why zero trust email needs to be encrypted, even when it’s within an organization’s private network. One step in this direction is to force TLS for email encryption for all entities.

The zero trust model also requires encryption at rest, so emails also need to be protected in storage, not just in transmission.

Authentication and Zero Trust Email

NIST’s publication on Zero Trust Architecture also stipulates that:

“Access to individual enterprise resources is granted on a per-session basis. Trust in the requester is evaluated before the access is granted. Access should also be granted with the least privileges needed to complete the task.”

When it comes to zero trust email, this means that sensitive messages require authentication and authorization to be read. TLS encryption alone is not sufficient, because it doesn’t have the full capability for this type of verification. While it does allow authentication and authorization on the recipient’s email account, it cannot do so on the raw message data.

LuxSci supports:

  • Sender Policy Framework (SPF) – This is a system for email authentication that can detect forged sender addresses. Due to its limitations, it is best to complement it with other email authentication measures.
  • DomainKeys Identified Mail (DKIM) – This authentication method can detect email spam and phishing by looking for forged sender addresses.
  • Domain-based Message Authentication Reporting and Conformance (DMARC) – This email authentication protocol complements SPF, allowing it to detect email spoofing. It helps to protect organizations from phishing, business email compromise attacks, and other threats that are initiated via email.

Each of these email authentication measures are useful for verifying sender identities. LuxSci also offers premium email filtering, and together these techniques limit the trust that is applied to inbound messages.

Together, these techniques identify legitimate email messages while filtering out those that are unwanted or malicious. While it isn’t directly stated in the NIST guidelines, SPF, DKIM and DMARC can all be integral parts of the zero trust framework.

Access Control and Zero Trust Email

In addition to measures for encrypting messages and verifying inbound emails, zero trust email requires granular access controls to keep out intruders. LuxSci’s Secure Email Services include a wide range of access controls that limit unauthorized access while still making the necessary resources available. These include:

  • Two-factor authentication
  • Application-specific passwords
  • Time-based logins
  • IP-based access controls
  • APIs that can be restricted to the minimum needed functionality

These configuration options help reduce the likelihood that a malicious actor can access your systems. They also limit the sensitive email data that an attacker may have access to if they do manage to compromise an organization’s network.

LuxSci’s Zero Trust Email

As a specialist provider in secure and compliant services, LuxSci’s offerings are well-positioned as zero trust email solutions. Our Secure Email aligns with Zero Trust Architecture for every industry vertical, not just HIPAA. Contact our team to find out how LuxSci can help secure your organization with a zero trust approach.