secure text Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more

Posts Tagged ‘secure text’

Secure Texting: Communication’s Unicorn

Tuesday, March 5th, 2019

Does secure texting exist, or is it as elusive as a clear photo of bigfoot? To answer that question, we have to take a look at the main SMS (short message service) protocols.

The majority of the world’s texting is done using either the Global System for Mobile Communications (GSM), High Speed Packet Access (HSPA) or Long Term Evolution (LTE) standards. Under these systems, text messages are transmitted from devices to a short message service center. This center stores the messages and attempts to send them on to the recipients. If it cannot reach them, the messages are queued to be tried again later.


The Issues with SMS

The main problems with SMS messaging are that it is both unreliable and insecure.

The Reliability of SMS

Unfortunately, SMS messages are inherently unreliable. The sender does not know whether their message has been delivered, nor whether it has arrived on time. On top of this, some messages can be completely lost, while others may only be received long after they were needed.

SMS Security Problems

SMS messages have issues with confidentiality and authentication, as well as a number of widely known security vulnerabilities.

Messages sent with GSM are only optionally encrypted between the mobile station and the base transceiver station. If they are encrypted, they use the A5/1 cipher, which is known to be vulnerable. This makes it possible for anyone with enough motivation to read the messages.

If that isn’t bad enough, the authentication process is also flawed. Users are authenticated by the network, but the user does not authenticate the network in return. This makes the user vulnerable to man-in-the-middle attacks.

You may think that you are safer if you use LTE, but renegotiation attacks can be used to force your phone to use GSM instead.

On top of this, there are also the dangers of SMS spoofing, SIM swapping, and a variety of other security vulnerabilities. Since we can’t trust the encryption or authentication processes in SMS, it’s best to assume that any SMS you send can be intercepted and accessed.

As you can see, secure SMS is like a unicorn. It doesn’t exist, and you should never use the medium to transmit any sensitive or valuable information. Because of this, SMS messages should either be avoided or strictly controlled, particularly in tightly regulated fields like healthcare. All it takes is one message that accidentally contains ePHI, and your organization could be feeling the heavy hand of HIPAA penalties.

But I hear the term secure texting all the time…

That’s true, lots of providers refer to their offerings as secure texting. But the majority of these services aren’t using SMS. If they are, then they certainly aren’t secure and you should steer clear of anything to do with the company.

How Can Messages Be Sent Securely?

Although the standards used for SMS are lost causes, that doesn’t mean that you can’t securely exchange short written messages.

The answer? LuxSci’s SecureText.

LuxSci’s solution doesn’t send sensitive information over the standard protocols used for SMS, so you don’t have to worry about any of the security issues that surround SMS messaging.

SecureText transmits its data with TLS protection, stores its information with 256-bit AES, and data is never kept on the recipient’s device. Recipients use password-based authentication to access the information and messages are securely stored in LuxSci’s databases. Every step is safe and completely HIPAA compliant.

The best part? No one has to download yet another app to send or receive secure messages.

How Does SecureText Work?

The sender uses LuxSci’s SecureLine encryption service:

  1. They write their message in either LuxSci’s WebMail or their preferred email program.
  2. In the address field, the sender enters a special email address that is based on the recipient’s phone number. For example, an address of 2114367789@secure.text would send the message to a US recipient whose number is 211-436-7789. Once the sender is finished, they hit the send button.
  3. The recipient will receive a normal SMS that tells them a secure message is waiting for them. The message contains a link, which opens up their phone’s web browser:
  • If they have recently viewed another SecureText message, the new message will immediately be displayed.
  • If the recipient has used SecureText to view messages at an earlier date, they will need to enter their password before they can view the message.
  • If this is the recipient’s first SecureText message, they will need to set up a password before they can view the message.
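As an added example (not LuxSci’s own code), the addressing step above in Python: common US number formats are normalized to the 10-digit form the post shows and the secure.text domain is appended. The domain comes from the post; the acceptance rules (country-code stripping, the 0/1 leading-digit check) are this example’s own assumptions.

```python
import re

# Hypothetical constants for this example: the domain is the one the post
# shows; nothing here is taken from LuxSci's implementation.
SECURETEXT_DOMAIN = "secure.text"
US_DIGITS = 10


def normalize_us_number(raw: str) -> str:
    """Reduce a US phone number in common notation to its 10 digits.

    Accepts forms such as '211-436-7789', '(211) 436-7789',
    '+1 211 436 7789' and '12114367789'. Raises ValueError for anything
    that does not reduce to a 10-digit US number, so a malformed address
    is rejected before the message leaves the sender's outbox.
    """
    digits = re.sub(r"\D", "", raw)          # drop spaces, dashes, parens, '+'
    if len(digits) == US_DIGITS + 1 and digits.startswith("1"):
        digits = digits[1:]                   # strip the US country code
    if len(digits) != US_DIGITS:
        raise ValueError(f"not a 10-digit US number: {raw!r}")
    if digits[0] in "01" or digits[3] in "01":
        # NANP area codes and exchange codes never begin with 0 or 1
        raise ValueError(f"invalid area or exchange code: {raw!r}")
    return digits


def securetext_address(raw: str) -> str:
    """Build the SecureText recipient address for a US phone number."""
    return f"{normalize_us_number(raw)}@{SECURETEXT_DOMAIN}"


def is_securetext_address(addr: str) -> bool:
    """True only for an exact '<10 digits>@secure.text' address."""
    local, sep, domain = addr.partition("@")
    return (sep == "@" and domain == SECURETEXT_DOMAIN
            and local.isdigit() and len(local) == US_DIGITS)


if __name__ == "__main__":
    for number in ("211-436-7789", "+1 (211) 436-7789", "436-7789"):
        try:
            print(number, "->", securetext_address(number))
        except ValueError as err:
            print(number, "-> rejected:", err)
```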

The protected and HIPAA-compliant design of LuxSci’s SecureText makes it useful for sending ePHI in a range of different situations. It’s a great option for messaging without email.

It can be used to send appointment reminders, for general communication with patients, and to send real-time alerts that include sensitive information. All with none of the risk that comes from SMS messaging.

Want to discuss how LuxSci’s HIPAA-Compliant Texting Solutions can help your organization?  Contact Us

Email, Calls, Messaging Apps & More: How Can You Secure It All?

Tuesday, February 26th, 2019

In a forgotten time, if an organization wanted to secure their communications, all that they had to worry about was their conversations, postage and landlines. If a business was on the cutting edge of technology, it might use a fax machine as well.

In 2019, things are a lot more complicated. To start with, we now have email, mobile calls, and text messages. Then there are the countless messaging apps like WhatsApp, Facebook Messenger, Telegram, Signal, and Viber.

On top of this, there are online calls like Google Voice, Skype, and others. We can’t forget video calling either, or the fact that many of these services offer several different communication channels.

Landlines and postage haven’t gone away either, so they still have to be secured as well. Some businesses even persist in using fax machines.

The point is that in the modern world, we have a lot more to worry about. With so many different channels, how can an organization possibly secure them all?

While the task may seem like an unending battle against emerging and deprecating technology, the goal of securing all of your business’s communications is not unattainable. All it takes is planning, policy, and enforcement.


Analyzing the needs of your organization

Sure, all of these new communication methods have definitely complicated security, but you also have to look at the other side as well. They allow us to do things that we have never been able to do before – we can get results in seconds that may have taken months in earlier days.

There are tremendous advantages to many of these technologies, so there is no point in being a Luddite and staying away from technological developments. As long as potential security risks are addressed, these solutions can be more than worthwhile.

Your organization should be leveraging these technologies to simplify its work processes as much as it can. But it needs to be doing so with a security-first mindset.

Take stock of your organization’s current communication methods

The first step is to look at the channels that are currently being used. Email is a given, and most businesses probably use cell phones and landlines as well. Does your business use messaging apps on top of this? How about VoIP or video call services? Is there a workplace Slack, Facebook or Telegram group?

What does your organization really need?

Once you have accounted for each of the channels that are being used, and what they are being used for, you can consider whether or not they are necessary. Does your business really need to use landlines, cell phones and VoIP, or can these be consolidated? Are texting apps important for getting work done quickly, or can you restrict messaging to email in order to simplify your systems?

If you can reduce the number of different communication channels that are used in your workplace without impacting productivity, it will make it much easier to administer them securely.

Does it need to be secured?

Let’s be honest, a lot of information doesn’t need to be secured. While SMS may be insecure, it probably doesn’t matter if all you are using it for is to send certain offers and promotions to your customers (although there may be certain healthcare situations where even something this simple can violate HIPAA).

If you can ensure that a given communication channel won’t be used to transmit sensitive or valuable information, then you may not need to find a secure alternative. Take the human factor into account when you consider this, because mistakes and laziness can end up being incredibly costly for businesses.

Look for Secure & Compliant Alternatives

There are a number of different solutions that allow you to message, call or video-call in a secure and compliant manner:

  • Calls – Neither landlines nor cell phones offer a safe way to voice call. Any calls that require security should be done over encrypted VoIP connections.
  • SMS – SMS is an insecure protocol, so secure email or messaging apps should be used whenever you are sending sensitive or valuable information. Despite this, a service like SecureText can be used to send SMS messages that alert recipients that there is a secure message waiting for them.
  • Email – Standard email is inherently insecure, but services that use portal pickup, PGP or S/MIME can be safe. Secure Email is a HIPAA-compliant option that offers a wide range of security configurations.
  • Messaging apps – SecureChat is HIPAA-compliant and secure. While options like Signal and WhatsApp also offer encryption, they do not offer HIPAA compliance.
  • VoIP – Signal and WhatsApp both encrypt their voice calls from end to end, but they do not offer HIPAA-compliance.
  • Video calls – Secure Video allows its users to deliver telemedicine or run conference calls with up to 100 people, all in a secure and HIPAA-compliant manner.


Establish a Policy

Once you have determined your business’s communication needs, analyzed the risks and come up with secure alternatives, it’s time to establish a workplace-wide policy that ensures these secure communication channels are used every time that sensitive and valuable information is transmitted.


Design the Policy to Handle Worst-case Scenarios

It’s best to be overly cautious in the policy and account for mistakes – remember, simple errors are often the cause of massively expensive HIPAA penalties.

Sure, a workplace Facebook group can be a great way to facilitate communications. You could even have a strict policy that sensitive and valuable information should not be exchanged in the group. It might even be effective for a long time.

But what happens when Robert from accounting has just woken up from his 2pm nap, and in a brief, bleary-eyed moment he forgets about the rules and posts something he shouldn’t? Even if it was a simple accident and Robert from accounting didn’t mean to do it, his actions could still lead to a HIPAA violation or the information being stolen by a hacker or publicly exposed.

This is why it’s best to be overly cautious. Sure, you could have a workplace Facebook group, but why run the risk when you can use secure alternatives instead?


Training & Awareness

Once a policy has been established, you need to make your employees aware of it so that the new regulations are followed. Compliance can often be improved by explaining the reasons why the policy is in place and discussing the risks during training sessions.


Monitor & Enforce the Policy

Once your new policy has been set up, you will need to monitor whether or not it is being followed. In the transition period, you may notice violations, but if you address these carefully at the start and strictly maintain the policy, you will soon break the old employee habits.


Over time, there may need to be some reinforcement, otherwise the old habits can end up slipping back. This can be achieved through periodic training, continuing to provide awareness about the policy and the reasons behind it, as well as taking extra time to address those employees who have violated the policy.


Adjust the Policy as Necessary

Over time, new solutions will become available, while your current services may also become less secure. If you want your business to maximize its security and productivity, there is no reason for the policy to be set in stone. Instead, it should be adaptable, taking advantage of services that may improve performance, while leaving behind those that may pose a threat.  Policies should be reviewed and updated at least yearly.


Workplace-wide Secure Communications

Protecting all of your critical communication channels may sound like a challenging process, but luckily there is already a wide range of security-focused applications that are easy to implement.

At LuxSci, we offer a variety of secure and HIPAA-compliant alternatives in-house:

Arranging to take care of all of your secure communication services through one provider will result in systems that are more interoperable, save on overhead, simplify implementation and make management far less of a headache.

With the right approach and an expert technology partner, securing all of your organization’s communications is an easy way to drastically reduce the risks that it faces.

Does HIPAA really permit reminding patients to pick up their prescriptions?

Thursday, December 8th, 2016

We get calls and text messages from pharmacies like CVS, reminding us that it is time to pick up and/or renew our prescriptions for drugs or other medical items. When you think about HIPAA, this is confusing. In many cases, these reminders constitute Protected Health Information (PHI) … so is this really allowed?

The default answer of “it must be OK if CVS is doing it” is naive as it loses all of the context about what is and is not permitted and does not shed any insight into when and how other organizations may similarly inform or remind patients of things such as prescriptions and appointments.

Is it really PHI?


SMS is Broken and Hackers can Read Text Messages. Never use Regular Texting for ePHI.

Thursday, June 23rd, 2016

Security firm Positive Technologies has published a report (see their overview of attack on one time passwords and PDF of the SS7 security problems) that explains how attackers can easily attack the protocols underlying the mobile text messaging networks (i.e. the Signaling System 7 or “SS7” protocol).  In their report, they indicate how this makes it easy to attack the two-factor login methods and password recovery schemes where a one-time security code is sent via an insecure text message.

Devices and applications send SMS messages via the SS7 network to verify identity, and an attacker can easily intercept these and assume identity of the legitimate user.


To Text or Not To Text: Texting under HIPAA

Monday, February 29th, 2016


Sometimes, technology just sneaks up on you. Patients want to speak with you – stat – about lab results or to schedule, be reminded of, and confirm an appointment without an interminable wait in the phone queue. Patients want text messaging — which has quickly become the new normal for everyday communication — to be used routinely for their healthcare needs, as well. You hesitate, concerned not only about the appropriateness of text messaging, but the legal ramifications. These are legitimate concerns.

HIPAA unambiguously states that sending health information in a text message is a straight up violation, unless it is to a patient and a proper consent form has been signed (as discussed below). This provision applies to messages as simple as appointment reminders. If you engage in such a practice and do not document context, consideration, and patient consent, you will be in willful neglect and quite possibly assessed up to $50,000 for each text message.

Why is text messaging such a hot-button issue to HIPAA enforcers? Under what conditions can health information be sent by way of regular text messages? The good news is that you can secure text messages rather simply and not jeopardize your patients’ privacy or your healthcare practice. Please read on.
