" secure web portal Archives - LuxSci

Posts Tagged ‘secure web portal’

How to Tell If Someone Read Your Email: Read Receipts and Web Bugs

Tuesday, January 30th, 2024

We’ve all been in this scenario: you send an important email to your boss or a client, and then you wait, stressed out and anxious to know if they received it and their response. Typically, you can request a read receipt when sending the message to confirm the email was received. Another method, HTML web bug tracking, can also be used to see if an email message was read. However, spammers often use this method to identify active email addresses. Both methods are unreliable ways to tell if the recipient read an email.

The only way to have complete confidence that a message was read is by using a secure web portal solution like LuxSci’s SecureLine Escrow. It also allows for message retraction, which can be helpful when handling sensitive information.

This article explains how read receipts and web bugs work and how you to tell if someone read your email.

email read receipt

What Are Read Receipts?

Read receipts are requests attached to an email message by the sender. Most email programs, like Outlook, Thunderbird, and LuxSci WebMail, allow read receipts to be added to email messages and allow senders to choose if receipts are sent “never,” “on-demand,” or “always.”

Sending: Read receipts are implemented by adding a special “Header” to the headers area of the outbound email message. For example, if somebody@luxsci.net sent an email message and wanted a Read Receipt, the following “Disposition-Notification-To” header would be added:

Disposition-Notification-To: somebody@luxsci.net

Receipt: When the recipient opens the message, the recipient’s email program may see this header and send a special “Delivery Notification” email back to somebody@luxsci.net. When somebody@luxsci.net gets this notification, they know the message has been read.

Read Receipts are Not Reliable

Read receipts are not a reliable way to know if a message has been read. Why?

  • No Support: The recipient’s email program might not support responding to read receipt requests. In this case, receipts would never be sent.
  • Refusal: Even if the email program supports read receipts, the programs generally allow recipients to choose whether to respond. Recipients could choose to respond “never,” “always,” or “decide each time.” The default usually prompts the recipient and allows them to decide yes or no for each receipt.

So, if you use a read receipt to confirm delivery, you will only get a receipt if the recipient wants you to. Sending read receipt requests is unreliable for confirming the read status of a message in general, especially if the recipient denies that the message was even received!

What are Web Bugs?

So, we’ve established that read receipts aren’t 100% reliable because users can choose not to respond to them. Web bugs try to get around this problem by not letting the recipient know you are checking to see if they read the message. To explain how web bugs work, first, we must take a step back to explain how images are transmitted within email.

When an HTML-formatted email message is opened, any referenced external objects, such as images, are downloaded from the internet and displayed. For example, if someone sends you an email message with a link to display a picture that is not attached to the message but hosted elsewhere, your email program will download that image and display it.

Web bugs are contained within image files. To send a web bug, the sender includes some unique tracking code in the link to a picture in the email. When the email is received, the picture is downloaded, and the web server where it was stored records that download, complete with the date, time, tracking code, and the computer’s IP address. By looking at those web server log files, the sender can confirm if you have downloaded the image and, thus, if you have read the message.

Typically, the tracking code is attached to some small, innocuous image. These small tracking images are collectively known as web bugs because they are invisible to the recipient and are meant to secretly transmit data back to the sender, like a phone bug in a spy movie.

Why Web Bugs Are Not Reliable

Unfortunately, spammers often use web bugs to detect active email addresses. As a result, many email providers have taken steps to reduce their impact. That means that web bugs are also not a reliable way to know if a message has been read. Why?

  • No HTML: No images or other objects will be downloaded if the recipient opens the message in an email program with HTML support turned off. For example, LuxSci WebMail shows recipients a plain text preview of their messages. There is no way to track opening the plain text preview of a message using a web bug.
  • Images Off: If the recipient has turned the display of external images off in their email program, the web bugs will never be downloaded. This is an optional feature in some programs like Thunderbird and LuxSci WebMail.
  • Web Bug Extraction: Some email filters will auto-detect images that look like web bugs (i.e., images that look like tracking codes) and automatically remove them by replacing them with transparent images. The web bugs would not be downloaded in this case, but other images would appear as expected. LuxSci’s Premium Email Filtering can do this.

Spammers don’t care that this is not 100% reliable. It is “good enough” to identify many valid recipients and thus allows them to narrow down their lists and send these people more spam.

How to Tell if Someone Read Your Email

So, as we’ve learned, read receipts and web bugs do not always work and cannot be relied on to indicate if a message was read. What options do we have left?

The only way to tell if your email message was read is if you can control the recipient’s ability to access the message. A common way to do this is to:

  • Save the message on a website over which you have control.
  • Send the recipient a notice that a message is waiting for them on that website and provide them with the means to access it.
  • Record when the recipient successfully connects and uses their access credentials to open the message.

By controlling the message location, you can know if and when the message was retrieved. You also know how many times it was accessed and from what IP address(es), and you could remove access to it (i.e., retract it) at any time.

Other email systems may also provide reliable ways of read access tracking. In every case, it depends on if:

  • The system is configured to support it, and
  • Having complete control over the system that the recipient uses to access the message.

If you cannot control your recipient’s email system, consider using a secure web portal system with tracking included, such as LuxSci’s SecureLine Escrow.

Opportunistic TLS vs Forced TLS for SMTP

Tuesday, January 23rd, 2024

Email sometimes seems like magic because of how quickly messages are transmitted across the internet. While the rapid delivery speeds justify this presumption, a lot must happen for an email to reach you. Email sending relies on a protocol called the Simple Mail Transfer Protocol (SMTP) to make its way across the internet to your recipient’s server. From there, the recipient uses another protocol, such as ActiveSync, POP3, MAPI, IMAP, or a Web-based interface, to pick it up and read it.

 

Unfortunately, these protocols aren’t always secure by default. Under its original design, emails are sent as plain text. Anyone along the email’s journey can see (and even change) their contents. This can include those in charge of the servers, the government, and even hackers that intercept the data.

 

Thankfully, engineers are aware of this glaring security hole, and they have introduced several mechanisms that can be leveraged to protect email. This article reviews how SMTP TLS works and the differences between opportunistic TLS and forced TLS.

 

secure email sending on laptop

Read the rest of this post »

Are Replies to Encrypted Emails also Secure?

Tuesday, December 26th, 2023

Sending HIPAA-compliant emails is easy when you use an encryption solution like LuxSci. But what happens when someone replies to an encrypted message? Are the replies also secure? This is primarily a concern when using SMTP TLS as a secure means of email delivery. 

This article will explain how messages are sent securely, how replies behave, and whether they are secure and compliant. At the end, we provide some recommendations for how to balance security and usability. 

Read the rest of this post »

Send Secure Emails: Alternatives to Web Portals

Tuesday, December 5th, 2023

Digital technologies have entirely shifted how individuals want to interact with their healthcare providers. As consumers have become used to emailing or texting with their hairstylists, mechanics, and other providers to schedule appointments, they want to have the same level of interaction with their healthcare providers.

However, many healthcare organizations find it challenging to deliver the same experience because of their compliance requirements under HIPAA. They must balance usability and access with security and patient privacy. To send secure emails, they often resort to secure web portals. 

Problems with Secure Web Portals

One of the most common ways that healthcare organizations communicate securely with patients is by using the secure web portal method of email encryption. In this scenario, messages are sent to a secure web server, and a notification is sent to the recipient, who then logs into the portal to retrieve the message.

While highly secure, this method is not popular with recipients because of the friction it creates.

To maintain a high level of security, users must log in to a separate account to retrieve the message. This extra step creates a barrier, especially for individuals who are not tech-savvy. In addition to creating a new account, they must remember a different username and password to access their secure messages. If the recipient doesn’t have this information readily available, they will likely delete the message and move on with their day. Many users will never bother logging in because of the inconvenience. This creates issues for organizations that want to use email for standard business communications and patient engagement efforts. 

While this method may be appropriate for sending highly sensitive information like medical records, financial documents, and other valuable information, many emails that must meet compliance requirements only infer sensitive information and do not require such a high level of security. Flu shot reminder emails are not as sensitive or potentially devastating as sending the wrong medical file to someone. Healthcare organizations need to use secure email solutions that are flexible enough to send only the most sensitive emails to the portal and less sensitive emails using other methods.

How to Meet Compliance Requirements for Sending Secure Email

So, what other options do you have for sending secure emails? The answer will depend on what specific requirements you need to meet. Healthcare organizations that must abide by HIPAA regulations will find a lot of flexibility regarding the technologies they can use to protect ePHI in transit.

In addition to a secure web portal, three other types of encryption are suitable for email sending: TLS, PGP, and S/MIME. PGP and S/MIME are more secure than a web portal. They also require advanced technological skills and coordination with the end-user to implement, which makes them impractical for most business email sending.

That leaves us with TLS, which is suitable to meet most compliance standards (including HIPAA) and delivers an email experience much like that of a “regular” email.

Send Secure Emails with TLS Encryption

TLS encryption is an excellent option for secure email sending that provides a seamless experience for the recipient. Emails sent securely with TLS appear like regular, unencrypted emails in the recipient’s inbox.

TLS encrypts the message contents as they travel between mail servers to prevent interception and eavesdropping. Once the message reaches the inbox, it is unencrypted and can be read by anyone with access to the email account. For this reason, it is less secure than a portal but secure enough to meet compliance requirements like HIPAA.

If you’re wondering why this is, HIPAA only requires covered entities and business associates to protect PHI when it is stored on their systems or as it is transmitted elsewhere. After the message reaches the recipient, it is up to the recipient to decide what they want to do to secure the information. HIPAA does not apply to individuals. Each person is entitled to share and store their health information however they see fit.

Conclusion

Balancing security and usability is a significant challenge for healthcare organizations. If the message is too secure, it may be difficult for the recipient to open and engage with it. If it’s not secure enough, it is too easy for cybercriminals and other bad actors to intercept private information as it is sent across the internet. 

Choosing an email provider like LuxSci, which offers flexible email encryption options, allows users to choose the right level of encryption for each message to maximize engagement and improve health outcomes. Contact our team today to learn more about how we can support your efforts.