" tls Archives - LuxSci

Posts Tagged ‘tls’

Infrastructure Requirements for HIPAA Compliance

Thursday, December 1st, 2022

If you are building a new environment that must comply with HIPAA, you may be surprised to find that the infrastructure requirements for HIPAA compliance do not require the use of any specific technology. This provides a lot of flexibility for developers and architects but can also introduce risk if you are unfamiliar with the requirements. This article outlines a few considerations to keep in mind as you build a HIPAA-compliant infrastructure or application.

infrastructure hipaa requirements

Dedicated Servers and Data Isolation

Reliability and data security are two of the most important considerations when building a healthcare application. Building an infrastructure in a dedicated server environment is the best way to achieve these aims. Let’s look at both.

Reliability

Hosting your application in a dedicated environment means you never have to share server resources with anyone else, and it can be configured to meet your needs exactly. This may also include high-availability configurations to ensure you never have to deal with unexpected downtime. For many healthcare applications, unexpected downtime can have serious consequences. 

Security

A dedicated environment isolates your data from others, providing an added security layer. Segmentation and isolation are crucial components of the Zero Trust security stance, and using a dedicated environment helps keep bad actors out. Hosting your application in a public cloud could put sensitive data at risk if another customer falls victim to a cyberattack or suffers a security incident.

HIPAA does not require the use of dedicated servers. Still, any host you choose must follow the HIPAA requirements associated with access controls, documentation, physical security, backups and archival, and encryption. Review our checklist for more details about HIPAA’s security requirements.

Encryption

It’s worth spending a minute discussing encryption because it’s an often misunderstood topic. Encryption is listed as an “Addressable” standard under HIPAA. Because it is not “Required,” this leads many to think that it is optional. The Rule states: “Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.” So, while HIPAA does not state that covered entities must use encryption, it does say that they need to ensure the confidentiality of any ePHI that is created, received, maintained, or transmitted.

The confusion arises because HIPAA is technology-neutral and does not specify how exactly to protect ePHI. Encryption is unnecessary if your organization can devise another way to protect sensitive data. However, practically speaking, there aren’t many alternatives other than not storing or transmitting the data at all. Encryption is the easiest and most secure way to protect electronic data in transmission and at rest.

At-Rest Encryption

HIPAA does not require at-rest encryption, though it is recommended to decrease risk and potential liability in some situations. Suppose your risk assessment determines that storage encryption is necessary. In that case, you must ensure that all collected and stored protected health information is encrypted and can only be accessed and decrypted by people with the appropriate keys. This makes backups secure, protects data from access by unauthorized people, and generally protects the data no matter what happens (unless the keys are stolen). Storage encryption is essential in any scenario where the data may be backed up or placed in locations out of your control. 

Transmission Encryption

If protected health information is transmitted outside of the database or application, encryption must also be used to protect the data in transmission. At a minimum, TLS encryption (with the appropriate ciphers) is secure enough to meet HIPAA guidelines. However, TLS alone may not be appropriate for your use cases.

  • Consider using a portal pickup method, PGP, or S/MIME encryption when transmitting highly sensitive information to end users.

Backup Infrastructure Requirements for HIPAA Compliance

Backups and archival are often an afterthought regarding HIPAA compliance, but they are essential. HIPAA requires that organizations “Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.” You must be sure that all ePHI stored or collected by your application is backed up and can be recovered in case of an emergency or accidental deletion. If your application sends information elsewhere (for example, via email), those messages must also be backed up or archived. HIPAA-compliant backups are robust, available, and accessible only by authorized people.

Under HIPAA Omnibus, organizations must keep electronic records of PHI disclosures for up to three years. Some states and company policies may require a longer record of disclosures; some states require up to ten years. When building a HIPAA-compliant infrastructure from scratch, it’s also essential to build backups.

Conclusion

If it is your first time dealing with infrastructure requirements for HIPAA compliance, be sure to ask the right questions and work only with vendors who thoroughly understand the risks involved. It can be overwhelming, but by selecting the right partners, you can achieve your goals without violating the law. 

New Feature: Secure Email Tagline

Thursday, June 23rd, 2022

LuxSci is introducing a new email tagline feature to inform recipients that email messages are secured. This helps build trust and increase confidence with less tech-savvy recipients who do not understand how email encryption works.

secure email tagline

TLS Encryption

TLS encryption is now widely supported by the most popular email providers. As a result, more organizations are choosing to send emails containing sensitive data with TLS encryption. There are a few reasons for this:

  1. TLS encryption is permitted under HIPAA and most compliance regulations.
  2. It’s easier to use and does not require recipients to log in to portals to access their messages.
  3. The open and response rates are higher on TLS encrypted messages.

However, using only TLS to encrypt emails can be confusing to the laypeople receiving them. While it’s easy to use and “invisible,” that can be concerning when transmitting sensitive information. If it looks like a regular email, recipients may be concerned that the organization does not care about the security of their personal information. This perception can negatively impact the business and dissuade people from using digital channels.

Introducing a New Email Tagline

For these reasons, all Email Hosting, Secure Connector, Secure High Volume Email, and Secure Marketing customers who send emails encrypted via SecureLine will have a small tagline at the bottom of the email that indicates the message is secure. It looks like this:

message secured by LuxSci tagline

This tagline builds trust and lets the recipient know that the company has taken steps to secure sensitive data. If you are an existing customer, visit your email settings or contact Customer Support to enable this feature. New customers will automatically have the tagline enabled when sending SecureLine encrypted emails.

Does TLS Email Encryption Meet Compliance Requirements?

Tuesday, February 22nd, 2022

In this article, we discuss what types of email encryption are sufficient to comply with government regulations. TLS encryption is a good option for many organizations dealing with sensitive data and legal requirements. However, TLS does not protect data at rest. Each organization must undertake their own risk assessment to determine which encryption methods are suitable to fulfill legal requirements.

Read the rest of this post »

Email Encryption for HIPAA Compliance: SMTP TLS vs Portal Pick Up

Tuesday, February 15th, 2022

Email encryption is an addressable standard for HIPAA compliance, but that doesn’t mean it’s optional. When sending sensitive data via email, it should be protected with encryption. However, there are many ways to send a secure email message and HIPAA does not require the use of a specific method.

The two most common email encryption methods include SMTP TLS and Secure Portal Pick Up. This article will discuss the differences between them and provide guidance for what to use in a HIPAA compliance context.

email encryption for hipaa

Read the rest of this post »

Are Replies to my HIPAA-Compliant Secure Emails also Secure?

Friday, June 18th, 2021

Sending HIPAA-compliant secure emails is easy- LuxSci’s services allow you to send secure emails to anyone with an active email address. One common question is whether the replies back to these messages will also be HIPAA compliant. This is especially a concern when customers choose to use TLS only a a secure means of email delivery.

In this article we will break down the various ways that messages are sent securely from LuxSci to recipients across the Internet, and how replies behave — and whether they are secure and compliant. At the end, we provide some recommendations for best practices for maximizing data security.

Read the rest of this post »