" secureform Archives - HIPAA News, Web & Email Security Tips & News - Plus More | LuxSci
LuxSci

Posts Tagged ‘secureform’

Creating Secure Web Pages and Forms: What You Need to Know

Monday, September 25th, 2017

Fred is a busy small business CEO.  He hired a cheap developer online to setup his secure medical web site for him.  The developer got an SSL certificate and setup pages where patients can make appointments and the doctor can receive patient requests and notices, “securely”.  However, the developer didn’t have any real training in security, none in HIPAA, and as a result, PHI was being sent in the clear, there were no audit trails or logs, SSL security was not enforced, and may other serious issues plagued the site.  The worst part — No one knew.

Luckily, Fred was made aware of the situation before a serious security breach happened (that he knew of); however, he had to re-do the site from scratch, more than doubling his time and money costs.

Creating secure web pages and forms

Creating a web site that has “secure” components requires more than slapping together some web pages and adding an SSL Certificate.  All such a certificate really does is create a thin veneer of security — one that does not go very far to protect whatever sensitive data necessitated security in the first place.  In fact, naive attempts at security can ultimately make the data less secure and more likely to be compromised by creating an appetizing target for the unscrupulous.

So, beyond paying big bucks to hire a developer with significant security expertise, what do you do? Start with this article — its purpose is to shed light on many of the most significant factors in secure web site programming/design and what you can do to address them.  At a minimum, reading this article will help you to intelligently discuss your web site security with the developers that you ultimately hire.

Read the rest of this post »

Your Guide to a HIPAA-Compliant Website

Monday, July 25th, 2016

The digitally savvy Internet user knows to check and see whether a website is secure before passing along any personal information like credit card numbers. TLS (SSL) certificates and encryption help keep hackers at bay by adding an extra layer of security to the typical website, preventing prying eyes from seeing information transmitted to and from the website. The need for website security also applies to HIPAA compliance when it comes to healthcare websites. Many doctors’ offices and healthcare companies want to keep up with the digital trend—and for good reason. Having a place online where individuals can apply for prescriptions, schedule appointments, and even get consultations is invaluable for both the patient and doctor. It saves everyone time, and it’s easier and more convenient than making a trip to the doctor’s office. But if there’s a breach of HIPAA regulations, even an unexpected or unintentional one, the cost and penalties can add up fast.

HIPAA-compliant website

Whether you’re building a new website for your healthcare company or seeking to make an existing site fully compliant with HIPAA standards, there are plenty of straightforward ways to ensure you have your bases covered. Here’s a quick overview of what makes a website HIPAA-compliant today, what to watch out for, and what best practices to maintain.

Read the rest of this post »

Are you encouraging insecurity via your Web site contact and intake forms?

Friday, April 15th, 2016

Many Web sites have “contact us” pages and other Web forms for receiving requests from existing or potential customers.  This includes “new patient intake” forms on the Web sites of healthcare providers.

 

The garden variety Web form suffers from several serious problems:

  • Spam – Getting unwanted form submissions from Web robots.
  • Privacy – Often, sensitive data is submitted insecurely through these forms.
  • Archival – You may need an archived record and backup of all submissions.
  • Notices – You may need to be alerted of form submissions, even if you are not online.

Proactive privacy vs. neglect of privacy

When your Web forms transmit data insecurely, store or send data insecurely, or otherwise to do not treat the data submitted with the level protection that it deserves, you are putting the users of your forms at risk.

The typical argument is that “it is up to the user of the forms to decide if they want to submit sensitive information.” In fact, many insecure forms even have disclaimers requesting people to not submit sensitive information if they have concerns … and then the forms go on to ask lots of sensitive questions.   Especially without a disclaimer, but even with one, the form is actively soliciting people to submit their information insecurely and requesting them to take risks with their private data.   This is not good.

In areas such as healthcare, where these forms are often collecting sensitive health data (protected health information – PHI), the fact that an organization solicits the submission of PHI through insecure, non-HIPAA-compliant means is far from a “best practice”.  Why?

Read the rest of this post »

Embedding SecureForms into WordPress using an iframe

Monday, March 14th, 2016

WordPress is an incredibly popular Web site management and blogging platform.  Customers inquire of LuxSci frequently about the best way to add forms to their WordPress pages and posts.  Not just any forms — complex forms that can be HIPAA-compliant and which can submit data securely through SecureForm.

There are numerous options here.  The two most popular are GravityForms and embedding forms with an iframe.  GravityForms is popular and very cool, but not free.  Also as GravityForms is complex and really wants to manage all of your form data itself (insecurely), integration with SecureForm is limited:

  • Multiple forms on the same page can be tricky
  • Ink Signatures can not be captured
  • File uploads can not be captured

Another alternative, which is free as it is included with your SecureForm service, is to:

  1. Build your form with SecureForm FormBuilder
  2. Embed this form into your WordPress page or post using an iframe

What is an “iframe?”  it is a tool that allows you embed one Web page within another Web page.  When you build a form with FormBuilder — that form is automatically saved and hosted securely for you and you are provided with the Web site address (URL) for that form.  All you need to do is to “insert” that hosted form into your WordPress page/post and you are all set.  All FormBuilder features are then also supported: Ink Signatures, file uploads, geolocation, etc.

Read the rest of this post »

Capture where someone filled out your form: Geolocation for SecureForm Form Builder

Monday, February 22nd, 2016

A nurse from your company visits a patient at his/her home and, as part of the process, has to fill out and submit an electronic form describing the visit while there. Capturing the nurse’s exact location (without the need to trust the nurse) when she or he fills out that form is a critical check that the patient received proper care—at the right time and place. This not only protects against nurses lying about their whereabouts, but it also defends you against patients who claim the nurse was not there at a specific time.

Geolocation

Geolocation is the ability for phone, tablet, and some laptops to know exactly where you are in the world (for example, through GPS or other means). This feature is visible in modern Web browsers so that Web pages can query the user’s device to find out the device’s current latitude and longitude and that can translate it into the approximate street address (assuming the location is close to some street address).

Read the rest of this post »

Receive & Collaborate on Secure Form posts via Secure Chat

Tuesday, July 7th, 2015

LuxSci is proud to announce the integration of SecureForm and SecureChat.   SecureForm allows you to securely capture and process post from your web site and PDF forms.  SecureChat provides secure real-time communication and collaboration between people on mobile and desktop devices.  E.g. a secure replacement for texting that incorporates collaboration, archival, and compliance.

Now, SecureForm users can have their form post data sent securely to anyone’s SecureChat account (in addition to having the option of sending data to MySQL databases, secure email, secure FTP, and secure online file storage):

Read the rest of this post »

SecureForm: API and Auditing Updates for Database Storage

Tuesday, June 16th, 2015

Your web and/or PDF forms can securely delivery data to you in many ways using LuxSci SecureForm.  One of these ways, saving all of your form post data to a hosted database, is now even more useful:

  • Data can be downloaded and/or deleted using LuxSci’s API
  • Row-level Audit trails are now explicitly maintained for access to database-stored data

Form Database Access using the LuxSci API

LuxSci’s API enables SecureForm customers to manage form posts stored to hosted MySQL databases.  In particular, this makes audited access to stored (and encrypted) data simple, does not require any SQL knowledge, and permits you to determine if access is read only or read and delete.

Read the rest of this post »

Switch from Adobe Form Central and have Secure Forms with No Programming

Wednesday, June 3rd, 2015

LuxSci SecureForm and FormBuilder enabled you to create web forms and receive your form submissions in any way you like — email, sftp, online storage, mysql, etc.  No programming needed, no web site or hosting needed, we can take care of it all for you.

Why LuxSci SecureForm?

Read the rest of this post »

Adding HIPAA-Compliance to your Web Forms in 10 minutes

Tuesday, April 21st, 2015

Forms are pervasive on web sites; the number of forms associated with medical web sites is growing exponentially as everyone is scrambling towards the goal of a paperless office, seeking to optimize time spent processing applications and managing patient data, speeding up the process of making appointments and getting referrals, meeting meaningful use, etc.

Web forms used in the medical industry generally have to be HIPAA-compliant, however, as they almost always involve the input and transfer of ePHI in one way or another.  That presents a problem as the requirements for a HIPAA-compliant web site are complex and take knowledgeable and experienced developers to implement and take extra time and money to get right — and you really have to get things right where HIPAA is concerned.

So, this is where most people are:

  1. They have a web site, which itself is likely not HIPAA compliant yet
  2. The have some web forms already … or maybe have some forms that they want to put up
  3. These forms will collect ePHI
  4. They need to set this up and have it be HIPAA compliant and don’t want to spend a lot of money or time getting it going.

What they need is “HIPAA Form Processing“. 

Read the rest of this post »

Can your web and PDF forms save to an Encrypted Database?

Monday, April 20th, 2015

Many web form processing systems allow you to save the form posts in a database.  However, for security and compliance reasons, that is not really very secure.  Of course, if your form processing and the database are in a secure, compliant environment (e.g. a HIPAA-compliant dedicated server), then the situation is better and it may be OK to have your form data saved unencrypted in your database.

However, as the person doing your compliance risk analysis will tell you, it is always better to have data encrypted at rest if you have a choice.  That greatly reduces your risk of breach / compromise.  The problem is: these web form processing systems and plugins will not encrypt your data for you and it is not easy to get a database that is itself fully encrypted.

So — what can you do to lock down your data?

Read the rest of this post »