LuxSci

Menu
Contact us
Login

LuxSci Receives Majority Investment from Main Capital Partners

luxsci and main capital logos

Main Capital Partners announces a majority investment in Lux Scientiae, Incorporated (‘LuxSci’), a leading provider of healthcare-focused secure communications and secure hosting solutions. The investment reflects Main’s commitment to the healthcare market and desire to build robust, international software groups.

Founded in 1999, LuxSci is a leading American provider of HIPAA-compliant secure communications and secure hosting solutions. LuxSci’s application and infrastructure software enables organizations to securely deliver personalized sensitive data at scale. Certified by HITRUST to support customers with HIPAA compliance requirements, LuxSci serves dozens of healthcare enterprises and hundreds of middle-market organizations. Customers include providers, healthcare IT firms, medical device manufacturers, and companies active in other highly regulated industries.

With the strategic support of Main, LuxSci will strengthen its market position and its capabilities to meet the complex needs of modern healthcare organizations. In addition to fostering organic growth in the North American market, LuxSci and Main will explore opportunities for strategic acquisitions to expand the product portfolio and accelerate internationalization.

Erik Kangas (PhD), Founder & CEO of LuxSci, expressed his enthusiasm for the partnership, stating: “Having led LuxSci through 23 profitable bootstrapped years, I am extremely excited to partner with Main. Their resources and expertise will enable us to expand our technology and deepen our market penetration at a time when the demand for high-security communications solutions has never been greater.”

Jeanne Fama (PhD, MBA), COO & CSO of LuxSci, adds: “We are excited about the partnership’s potential to increase the awareness and adoption of LuxSci’s communication solutions and potentiate their impact in healthcare organizations seeking to improve clinical and business outcomes and increase patient satisfaction and loyalty.”

Main has demonstrated strong performance in both the healthcare and security markets, evidenced by investments such as Enovation (connected care solutions with over 350 employees across Europe) and Pointsharp (security and identity access management software with over 200 employees in Northwestern Europe). Main will leverage its experience and network in these markets to support LuxSci in its continued growth.

Daan Visscher, Co-Head of Main Capital North America, concludes: “We are thrilled to partner with the LuxSci team in spearheading the company’s next phase of growth. We are impressed by LuxSci’s double-digit recurring revenue growth, the underlying product, the management team’s capabilities, and the unwavering commitment to customers. We see ample opportunities to drive value through honing operational excellence, accelerating organic growth, and executing select strategic acquisitions. The result will be a robust, international software group positioned to meet the evolving needs of healthcare organizations.”

Pagemill Partners, the tech investment banking division of Kroll, served as financial advisor to LuxSci and Cooley LLP acted as legal advisor to LuxSci. Morse, Barnes-Brown & Pendleton, PC acted as legal advisor to Main.

About LuxSci

LuxSci is a leading provider of highly scalable secure communications and secure hosting solutions. Certified by HITRUST, LuxSci helps organizations navigate complex HIPAA regulations and safeguard sensitive data. LuxSci serves nearly 2,000 customers across healthcare and other highly regulated industries.

About Main Capital Partners

Main Capital Partners is a leading software investor active in Northwestern Europe and North America. Main has over 20 years of experience in software investing and works closely alongside management teams to achieve sustainable growth. Main has 70 employees operating out of its offices in The Hague, Stockholm, Düsseldorf, Antwerp, and Boston. Main has over EUR 2.2 billion in assets under management and maintains an active portfolio of over 40 software groups. The underlying portfolio employs over 12,000 employees.

Picture of LuxSci

LuxSci

Get in touch

Find The Best Solution For Your Organization

Talk To An Expert & Get A Quote




A member of our staff will reach out to you

Follow us on LinkedIn

Search

Search

Category

Recent Posts

Get Your Free E-Book!

LuxSci High Email Deliverability Best Practices Paper

What you’ll learn:

  • How to opitmize email performance
  • Key strategies to increase email deliverability rates
  • How email deliverability impacts marketing ROI
Get Free Ebook

Related Posts

What Sets B2B Marketing In The Healthcare Industry Apart?

B2B marketing in the healthcare industry runs through a buying environment shaped by review, caution, and internal scrutiny. A vendor may catch interest quickly, yet a deal still has to survive procurement, legal input, operational questions, and, in some cases, clinical oversight. That changes the tone and structure of effective outreach. Buyers want clear information, credible framing, and content that holds up when shared across teams. Strong campaigns account for those conditions from the first touch, giving decision makers useful material at the right point in the conversation.

How B2B marketing in the healthcare industry differs from other sectors

Healthcare buying carries a heavier internal burden than many commercial categories. A decision can affect patient related workflows, staff time, data handling, vendor risk, and budget planning all at once. That wider impact shapes how people read. A finance lead may scan for commercial logic and resource use. An operations leader may think immediately about rollout pressure and process disruption. An IT contact may focus on access, integration, and control. Messaging has to stand up to each of those viewpoints. That is why strong healthcare outreach tends to move with more restraint, more clarity, and more attention to proof than campaigns built for faster sales environments.

Trust within B2B marketing in the healthcare industry

Trust grows through judgment on the page. Buyers notice inflated language very quickly, especially when it appears in sectors where risk and accountability are part of everyday work. A polished headline can attract attention, though the body copy still has to carry weight. Clear examples help. Plain explanations help. So does a tone that sounds measured enough for someone to forward internally without hesitation. A payer team may want to see how a service affects review speed or administrative flow. A provider group may care about intake, coordination, or staff workload. A supplier may look for signs that communication across partners will become smoother and easier to manage. Credibility builds when the writing shows a close read of the reader’s world.

Buying committees do not think alike

Most healthcare deals are shaped by several people with different pressures attached to their roles. Procurement may be looking for vendor reliability and a smoother approval process. Compliance may read for privacy exposure and documentation. Operations may focus on practical fit with current workflows. Finance may want a clearer commercial case before the conversation goes any further. Those concerns do not compete with one another so much as stack on top of one another, which is why broad messaging tends to flatten out. Better campaigns anticipate that mix. One sequence can speak to efficiency and team workload. Another can support legal and compliance review. A third can frame the economic rationale in language senior stakeholders will recognise immediately.

Content that helps a deal move

Healthcare content earns its place when it gives buyers something they can use, discuss, and circulate. A short article on referral bottlenecks can help an operations lead frame the problem more clearly. A concise guide to secure communication can help internal teams ask better questions during review. A comparison page on implementation models can help a buyer weigh practical tradeoffs before a call is even booked. Useful content creates momentum because it fits the way decisions are made. It enters the conversation early, gives people sharper language for internal discussion, and keeps the subject alive between meetings. That is where strong work starts to separate itself from content written simply to fill a calendar.

Measuring progress with better signals

Healthcare teams get a clearer picture when they look past surface numbers and pay attention to the signs attached to real interest. Repeat visits from the same account can matter more than a large burst of low value traffic. A reply from an operations contact may tell you more than a high open rate. Visits to implementation, privacy, or procurement pages can indicate that the discussion is moving into a more serious stage.

Patterns like these help commercial teams judge where attention is gathering and where timing is starting to matter. Good B2B marketing in the healthcare industry supports that process by creating sharper entry points for sales, stronger context for follow up, and a more informed path from early curiosity to active evaluation.

Read More

Why Does B2B Healthcare Email Marketing Matter To Healthcare Buyers?

B2B healthcare email marketing is the practice of using email to reach healthcare business audiences with timely, relevant communication that supports trust, evaluation, and purchase decisions. In healthcare, that means more than sending promotional copy. Buyers want proof that a vendor understands procurement realities, privacy expectations, clinical workflows, and the pace of internal review. When the message is well judged, email helps move a conversation forward without forcing it. It can introduce a problem, frame the business case, and give decision makers something useful to circulate inside the company while they weigh next steps.

What makes B2B healthcare email marketing work in real buying cycles?

The difference between ignored email and useful email is context. Healthcare deals rarely move on impulse, and very few readers want a sales pitch in their inbox after one click or one download. Good B2B healthcare email marketing takes its cues from where the buyer is in the process. A first touch might define a problem in plain terms. A later message may explain implementation questions, privacy considerations, or internal adoption issues. That sequencing matters because healthcare buyers read with caution. They are not just asking whether a product looks good. They are asking whether it can survive legal review, procurement review, and scrutiny from the teams who will live with it day after day.

How does compliance shape B2B healthcare email marketing?

Healthcare email lives under closer scrutiny than email in many other industries. If a campaign touches protected health information, HIPAA enters the conversation immediately, especially the Privacy Rule and Security Rule. Even when outreach is aimed at business contacts, teams still need a disciplined view of what data is stored, who can access it, and how consent, opt out, and message content are handled.

The CAN SPAM Act also matters because sender identity, subject line accuracy, and unsubscribe function are not small details. Strong B2B healthcare email marketing treats compliance as part of message design from the start. That leads to cleaner copy, better internal approval, and fewer edits after legal teams step in.

Which audiences respond best to B2B healthcare email marketing?

Healthcare buying groups are rarely made up of one decision maker. A payer executive may care about administrative efficiency and audit readiness. A provider operations leader may be focused on referral flow, patient intake, or staff time. A supplier may look at partner communication, order handling, or data movement between systems. B2B healthcare email marketing works better when each audience receives language that matches its concerns instead of one generic message sent to everyone. That does not require jargon. It requires precision in the everyday sense of the word. Readers need to feel that the sender understands the pressures attached to their role, not just the industry label attached to their company.

What kind of content earns trust instead of quick deletion?

Healthcare buyers respond well to emails that help them think clearly. A short note that explains why referral leakage happens will land better than a vague message about transformation. A concise example showing how a health plan cut review delays can do more than a page of inflated claims. This is where B2B healthcare email marketing becomes persuasive without sounding pushy. The best messages teach, but they also move. They give the reader one useful idea, one practical example, and one reason to keep the conversation alive. That balance matters because healthcare readers are trained to be skeptical, and skepticism is not a barrier when the content respects it.

How can teams judge whether the program is doing its job?

Open rate alone does not say much in a long healthcare sales cycle. A better read comes from the quality of replies, the number of relevant page visits after a send, the movement of target accounts through the pipeline, and the way contacts share content internally.

B2B healthcare email marketing earns its place when it helps sales teams enter conversations with better timing and better context. If email is drawing the right people back to security pages, implementation pages, or procurement material, that is a useful signal. The real win is steady progress with buyers who need time, evidence, and confidence before they move.

Read More
HIPAA Compliant Email

New HIPAA Security Rule Makes Email Encryption Mandatory—Act Now!

The 2026 Deadline Is Closer Than You Think

The upcoming HIPAA Security Rule overhaul is expected to finalize by mid-2026, and it’s shaping up to be one of the most significant updates in years. Healthcare organizations that fail to prepare, especially when it comes to email security, will face immediate compliance gaps the moment enforcement begins.

Mid-2026 may sound distant, but for healthcare IT and compliance leaders, it’s right around the corner. Regulatory change at this scale doesn’t happen overnight, it requires planning, vendor evaluation, implementation, and internal alignment.

This isn’t a gradual shift. It’s a hard requirement.

Encryption Is About to Become Mandatory

For years, HIPAA has treated encryption as “addressable,” giving organizations flexibility in how they protect sensitive data. That flexibility is disappearing.

Under the updated rule, encryption, particularly for email containing protected health information (PHI), is expected to become a required safeguard.

That means:

  • Encryption must be automatic and standard for email, not optional
  • Policies must be enforced consistently
  • Email security can’t depend on human behavior

If your current system relies on users to manually trigger encryption, it’s already out of step with where compliance is heading. If you’re not encrypting your emails at all, then now is the time to re-evaluate and rest your technology and policies.

Email Is the Weakest Link in Healthcare Security

Email remains the most widely used communication tool in healthcare—and the most common source of data exposure. Every day, sensitive information flows through inboxes, including patient records, lab results, billing details, plan renewals and appointment reminders. Yet many organizations still depend on:

  • Basic TLS encryption that only works under certain conditions
  • Manual processes that leave room for human error
  • Limited visibility into email activity and risk

It only takes one mistake, such as a missed encryption trigger or a misaddressed email, to create a reportable breach. Regulators are well aware of this. That’s why email is a primary focus of the upcoming HIPAA Security Rule changes.

The Cost of Waiting Is Higher Than You Think

Delaying action may feel easier in the short term, but it significantly increases risk. Once the new rule is finalized, organizations without compliant systems may face:

  • Immediate audit failures
  • Regulatory penalties
  • Expensive, rushed remediation efforts
  • Or worst of all, an email security breach

Beyond financial consequences, there’s also reputational harm. Patients expect their data to be protected. A single incident can immediately erode trust and damage your brand beyond repair.

Waiting until the end of 2026 also means that you’ll be competing with every other organization trying to fix the same problem at the same time, driving up costs and limiting vendor availability.

Most Email Solutions Won’t Meet the New Standard

Here’s the uncomfortable reality: many existing email platforms won’t be enough, especially those that are not HIPAA compliant. Common gaps include:

  • Encryption that isn’t automatic or policy-driven
  • Lack of Data Loss Prevention (DLP)
  • Insufficient audit logging for compliance reporting
  • Lack of Zero Trust security principles

On top of that, vendors without alignment to HITRUST certification and Zero-Trust architectures may struggle to demonstrate the level of assurance regulators will expect moving forward.

If your current solution wasn’t designed specifically for healthcare and HIPAA compliance, it’s likely not ready for what’s coming.

LuxSci Secure Email: Built for What’s Next

This is where a purpose-built solution makes all the difference. LuxSci HIPAA compliant email is designed specifically for healthcare organizations navigating the latest compliance requirements, not just today, but in the future regulatory landscape.

LuxSci delivers:

  • Automatic, policy-based encryption that removes user guesswork
  • Advanced DLP controls to prevent PHI exposure before it happens
  • Comprehensive audit logs to support audits and investigations
  • Zero Trust architecture that verifies every user and action

Additionally, LuxSci is HITRUST-certified, helping organizations demonstrate a mature and defensible security posture as regulations tighten. Email data protection isn’t about patching gaps, it’s about eliminating them.

Act Now or Pay Later

If there’s one takeaway, it’s this: the time to act is now. Start by asking a few direct questions:

  • Is our email encryption automatic and enforced?
  • Do we have full visibility into email activity and risk?
  • Is our vendor equipped for evolving HIPAA requirements?

If the answer to any of these is unclear, now’s the time to take action. Organizations that move early will have time to implement the right solution, train their teams, and validate compliance. Those that wait will be forced into reactive decisions under pressure.

Conclusion: The Time to Act is Now!

The HIPAA Security Rule overhaul is coming fast, and it’s raising expectations across the board. Encryption will no longer be addressable, but rather mandatory. As a result, email security can no longer be overlooked, and compliance will no longer tolerate gaps.

LuxSci HIPAA compliant email provides a clear, future-ready path for your organization, combining automated encryption, DLP, auditability, and Zero Trust security in one solution.

The real question isn’t whether change is coming. It’s whether your organization will be ready when it does.

Reach out today. We can look at your existing set up, help you identify the gaps, and show you how LuxSci can help!

FAQs

1. When will the updated HIPAA Security Rule take effect?
The changes to the HIPAA Security Rule are expected to be finalized and announced around mid-2026, with enforcement likely soon after, by the end of the year.

2. Will email encryption truly be mandatory?
Yes, current direction strongly indicates encryption will become a required safeguard, which could start later this year or in early 2027.

3. Is TLS encryption enough for compliance?
No. TLS alone does not provide sufficient, guaranteed protection for PHI.

4. Why is HITRUST important in this context?
HITRUST certification demonstrates a vendor’s strong alignment with healthcare security standards and will likely carry more weight with regulators.

5. How does LuxSci help organizations prepare?
HITRUST-certified LuxSci offers secure email with automated encryption, DLP, audit logs, and Zero Trust architecture, helping organizations meet evolving compliance demands.

Read More
LuxSci G2 2026

LuxSci Earns 19 G2 Spring 2026 Badges

LuxSci continues its strong performance in the G2 Spring 2026 Reports, earning 19 badges that reflect real customer satisfaction and consistent product excellence across multiple areas, including email encryption, HIPAA compliant messaging, email security and email gateways.

G2: A Highly Reputable Peer Review Platformn

In a crowded software landscape, it’s easy for bold claims to blur together. That’s where G2 stands apart. Its rankings are based entirely on verified user feedback, giving buyers a clearer picture of how solutions actually perform in day-to-day use, not just how they’re marketed.

For Spring 2026, LuxSci earned recognition across multiple categories, including Leader, Best Customer Support, and Best ROI. Together, these awards show that LuxSci delivers leading technology and a best-in-class customer experience.

What the Badges Represent

Each G2 badge reflects direct input from customers using LuxSci in real-world environments. These evaluations cover usability, onboarding, support responsiveness, and long-term value. LuxSci’s Spring 2026 badges span leadership, customer satisfaction, ROI, and ease of implementation, demonstrating consistent strength across the full customer lifecycle.

Leader Badge: Market Leadership Validated

The Leader badge is awarded to companies with high customer satisfaction and strong market presence. LuxSci’s placement reflects reliable performance, strong security, and continued trust from organizations operating in highly regulated environments like healthcare.

Best Customer Support: A Standout Strength

In secure healthcare communications, timely and accurate support is essential. Issues must be resolved quickly to avoid operational or compliance risks. Customers consistently highlight LuxSci’s fast response times, deep expertise, and a hands-on approach, showing that our technology and our people deliver meaningful, real-world solutions.

Best ROI: Proven Business Value

ROI includes reduced compliance risk, improved efficiency, and scalable operations, not just cost. Customers report measurable benefits from LuxSci’s reliability, built-in compliance, and streamlined workflows, leading to strong long-term value and a solution that keeps you ahead of security and compliance risks.

What This Means for LuxSci Customers

These awards show LuxSci’s ability to serve organizations of varying sizes, from mid-market to enterprise. All reviews are from verified users, ensuring authenticity and transparency. Customers consistently mention reliability, security, and responsive support, along with overall peace of mind. The recognitions validate LuxSci’s ability to deliver secure, dependable communication solutions backed by strong support, including HIPAA compliant email, marketing and forms.

LuxSci’s 10 G2 Spring 2026 badges—including Leader, Best Customer Support, and Best ROI—demonstrate consistent excellence across performance, usability, and customer satisfaction. These results reinforce its position as a trusted provider in secure communications.

Read More

You Might Also Like

LuxSci MFA

Traditional MFA No Longer Qualifies as “Reasonable” Security

For years, multi-factor authentication (MFA) was considered one of the most effective ways to protect sensitive systems. By requiring a second verification step, such as a text message code or push notification, organizations could significantly reduce the risk of compromised passwords.

But the threat landscape has changed.

Today, attackers routinely bypass traditional MFA using techniques such as MFA evasion, token replay attacks, and consent phishing. These methods are no longer rare or highly sophisticated. They are widely used, automated, and increasingly effective.

As a result, regulators, auditors, and security frameworks are raising expectations for authentication security. For healthcare organizations in particular, traditional MFA alone may no longer satisfy the HIPAA requirement to implement “reasonable and appropriate safeguards.”

In the near future, email systems that rely only on basic MFA, without conditional access or phishing-resistant authentication, may increasingly be viewed as security gaps during risk assessments.

Why Traditional MFA Is No Longer Enough

Traditional MFA still improves security compared to passwords alone. However, many common MFA methods were designed before today’s phishing techniques and cloud authentication attacks became widespread.

Common MFA methods include:

  • SMS verification codes
  • Email-based authentication codes
  • Push notifications to mobile apps

While these mechanisms add friction for attackers, they can still be intercepted or manipulated during sophisticated phishing attacks. Because modern attackers now target authentication workflows directly, organizations relying solely on traditional MFA may be more vulnerable than they realize.

How Attackers Bypass MFA Today

Cybercriminals increasingly rely on tools that capture credentials and authentication tokens during login sessions. Three attack techniques are now especially common.

  • MFA Evasion and Phishing Proxies – Attackers frequently deploy adversary-in-the-middle phishing kits that sit between the user and the real login service. When users enter their credentials and MFA code on a phishing page, the attacker forwards the information to the legitimate site and captures the authentication session. The user successfully logs in—but the attacker gains access as well. If attackers capture those tokens, they can reuse them to access the account directly.
  • Token Replay Attacks – After successful authentication, systems typically issue session tokens that allow users to remain logged in without repeated MFA prompts. This technique has been widely observed in attacks targeting cloud email platforms such as Microsoft 365, allowing attackers to access email data even when MFA is enabled.
  • Consent Phishing – Consent phishing bypasses MFA entirely. Instead of stealing passwords, attackers trick users into granting permissions to malicious applications that request access to their mailbox or files. If users approve the request, the attacker’s application receives persistent access to the account through APIs—often without triggering security alerts.

Why Email Authentication Matters Most in Healthcare

Email remains one of the most critical systems in healthcare organizations. It supports patient communication, internal collaboration, and the exchange of sensitive information. Unfortunately, it is also the most frequently targeted entry point for cyberattacks.

Once attackers gain access to an email account, they can:

  • Impersonate healthcare staff
  • Launch internal phishing attacks
  • Access sensitive patient communications
  • Extract protected health information (PHI)

Because of this, email authentication controls are becoming a major focus for security teams and compliance auditors alike.

Evolving Regulatory Expectations

HIPAA does not prescribe specific technologies, but it requires organizations to implement safeguards that are “reasonable and appropriate” based on risk. As new attack methods emerge, the definition of reasonable security evolves.

Today, many security frameworks and regulatory bodies are emphasizing stronger identity protections, including:

  • Phishing-resistant authentication
  • Conditional access policies
  • Monitoring for suspicious login behavior
  • Controls for third-party application permissions

Organizations that rely solely on basic MFA may increasingly struggle to demonstrate that their authentication protections are sufficient.

The Shift Toward Phishing-Resistant Authentication

To address the weaknesses of traditional MFA, many organizations are adopting phishing-resistant authentication technologies, which can be enabled with tools like Duo and Okta. These solutions rely on cryptographic authentication tied to trusted devices, which prevents attackers from capturing or replaying login credentials.

Examples include:

  • Hardware security keys
  • Passkeys
  • Certificate-based authentication

Because authentication is tied to both the device and the legitimate website domain, these technologies significantly reduce the success rate of phishing attacks.

Why Conditional Access Is Becoming Essential

Conditional access adds another layer of protection by evaluating context and risk before granting access. Instead of treating every login the same, conditional access policies analyze signals such as:

  • Device security status
  • Geographic location
  • Network reputation
  • User behavior patterns

If something appears unusual, such as a login from a new country, the system can require stronger authentication or block the attempt altogether. This risk-based approach to authentication helps prevent many account compromise scenarios.

The Future of HIPAA Risk Assessments

As authentication threats evolve, healthcare security assessments are increasingly focusing on identity protection maturity. Organizations may begin seeing findings related to:

  • Weak or outdated MFA methods
  • Lack of conditional access policies
  • Insufficient monitoring of login activity
  • Unrestricted third-party application permissions

In particular, email systems without advanced authentication protections may be flagged as high-risk vulnerabilities, especially when PHI is accessible.

LuxSci’s Modern Approach to MFA

Modern threats require more than a simple second login factor. LuxSci approaches authentication security with layered identity protection designed specifically for healthcare environments.

Instead of relying solely on basic MFA methods like SMS codes or email verification, LuxSci supports stronger authentication controls and policies that align with evolving security expectations. These protections can include:

  • Strong multi-factor authentication options
  • Monitoring for unusual login behavior
  • Enhanced identity verification mechanisms

By combining multiple security layers within its HIPAA-compliant secure communications email and marketing solutions, LuxSci helps healthcare organizations protect sensitive email communications while maintaining usability for providers, health plan administrators, payment providers, and patient engagement teams.

Conclusion

Multi-factor authentication remains an important security control—but not all MFA is created equal. Attack techniques such as phishing proxies, token replay, and consent phishing have demonstrated that traditional MFA methods can be bypassed. As a result, regulators and auditors are increasingly expecting stronger identity protections.

For healthcare organizations that rely heavily on email communications, the implications are significant. Weak authentication controls can expose sensitive patient data and may soon appear as high-risk findings during HIPAA risk assessments. The organizations best positioned for the future will be those that modernize authentication strategies now, moving toward phishing-resistant methods, conditional access policies, and layered identity protection.

Reach out to LuxSci today to learn how HIPAA compliant email can support both your organization’s engagement and cybersecurity needs.

FAQs

1. What is traditional MFA?

Traditional MFA refers to authentication methods that require a second verification step, typically SMS codes, email codes, or push notifications.

2. Why can attackers bypass MFA today?

Modern phishing tools can intercept authentication sessions or steal login tokens, allowing attackers to access accounts even when MFA is enabled.

3. What is phishing-resistant authentication?

Phishing-resistant authentication uses cryptographic methods tied to trusted devices, preventing attackers from capturing login credentials.

4. Why is email security especially important for healthcare organizations?

Email systems often contain patient communications and sensitive information, making them a common target for cyberattacks.

5. How can organizations improve authentication security?

Organizations can strengthen identity security by adopting phishing-resistant authentication methods, implementing conditional access policies, and monitoring login activity.

Read More
LuxSci Executive Appointments Sullebarger Du Lac

LuxSci Expands Executive Team to Scale Enterprise Growth and Operations

LuxSci, a leading provider of secure, HIPAA-compliant communications software, today announced new executive appointments as part of its strategy to drive future growth and further expansion into the enterprise market. Experienced B2B software executives Robert Sullebarger and Geneviève du Lac have joined the company as Head of Sales and Head of Finance, respectively – reporting to recently appointed CEO Mark Leonard. In addition, David Hillman has joined the company as Director of Engineering, reporting to Erik Kangas, Chief Technology Officer.

“LuxSci has proven its capabilities with some of the largest, most forward-looking companies in healthcare, including patient engagement platform, EHR systems, and payment providers, as well as healthcare retail and in-home care providers,” said Leonard. “Bob, Geneviève and David all bring deep leadership experience combined with a willingness to be hands-on in helping us optimize our operations and execute quickly for our customers and partners.”

Proven Sales Leader and Trusted Advisor

Bob’s career has focused on enterprise software sales and customer acquisition across both established and emerging technologies, including security & compliance, conversational AI and virtual assistant platforms, machine learning, and telecom & networking. Bob brings LuxSci more than two decades of experience in sales, marketing, and product management roles, serving as both a trusted business advisor and a technology expert for customers and partners. Most recently, he led the sales teams for AI solution providers ModuleQ and Interactions LLC, where he helped the company grow from $10 million to more than $100 million in annual revenue. He has also held leadership positions at contact center analytics provider CallMiner, and data security provider Vericept Corporation.

“LuxSci is the gold standard for HIPAA-compliant email and secure healthcare communications with a leadership position in the market,” said Sullebarger. “With healthcare portal adoption maxing out, we have a real opportunity to improve patient engagement and outcomes by opening up the email, SMS and marketing channels to bring more people into today’s healthcare conversation.” 

Experienced CFO and Finance Leader

Geneviève joins LuxSci with more than 15 years of experience in CFO and Finance leadership roles. This includes building world-class Finance teams and organizations in the cybersecurity, consumer, and services industries at companies including Cypress Security, Astro Gaming and Wine Country Connect. Throughout her career Geneviève has established a proven track record of success in Finance leadership for ‘scale-up’ businesses, with focus on SaaS companies. Geneviève also brings LuxSci deep experience in implementing systems & processes aimed at building operational scalability, which will be a key part of her responsibilities at the company.

“I’m excited to be joining LuxSci as we build it into a world-class organization,” said Du Lac. “The company has achieved tremendous success to date, and we’re positioned better than ever to keep growing – and to help transform the healthcare industry with secure communications.”

Full Stack Software Architect and Data Scientist

David joins LuxSci with more than 20 years of experience across the entire spectrum of application development, data analysis and automated systems. This includes architect, engineer, developer, and consultant roles at innovative companies, such as Kapital Trading, Gogo, Monster, Livetext, and AT&T Bell Labs. David specializes in designing and building data-intensive applications that analyze large datasets and extract intelligence, as well as developing tools to empower users to interact with those resources. At LuxSci, David will play a key role in the future development of LuxSci technology, helping guide the company’s product direction and roadmap moving forward.

“I’m looking forward to collaborating with the outstanding team already in place at LuxSci and continuing to enhance our products to make our customers’ healthcare communications and operations both smoother and safer,” said Hillman.

In other recent news, LuxSci continues to innovate in secure healthcare communications, recently rolling out new email reporting capabilities and achieving best-in-class performance for email security.

LuxSci has been at the forefront of HIPAA-compliant communications since its inception, offering a full suite of products for secure email, marketing, text and forms. Today, LuxSci is used by nearly 2,000 customers for HIPAA-compliant communications across the healthcare industry, including athenaHealth, 1800 Contacts, Delta Dental, Lucerna Health, Hinge Health, and Rotech Healthcare.

If you’d like to learn more about how LuxSci can help you with secure healthcare communications, reach out to us today for a meeting or demo!

Read More
HIPAA Compliant Email

Signing a BAA Does Not Automatically Make You HIPAA Compliant

For healthcare organizations, choosing the right product and service vendors is essential for achieving HIPAA compliance. One of the key prerequisites of a HIPAA-compliant vendor is the willingness to sign a Business Associate’s Agreement (BAA): a legal agreement that outlines both parties’ responsibilities and liabilities in securing protected health information (PHI). 

However, despite what some healthcare organizations have been led to believe, simply signing a BAA with a vendor doesn’t guarantee your use of their product or service will be HIPAA-compliant. In reality, a BAA is just the beginning, and there are several subsequent actions both healthcare organizations and their supply chain partners must take to ensure the compliant use of PHI, especially over communications channels like email. 

With this in mind, this post explores some of the reasons why signing a BAA on its own doesn’t ensure the security of PHI and protect your organization from HIPAA violations.

Business Associate Agreements (BAAs) Explained 

As touched upon above, a BAA is a legally-binding document established between a covered entity (CE), i.e., healthcare organizations, and a business associate (BA), i.e, any company that handles PHI in providing a CE with products or services. For a BA to handle patient or customer data on behalf of a CE, following HIPAA regulations, there must be a BAA in place. 

A BAA details:

  • Each party’s roles, responsibilities, and liabilities in securing PHI.
  • The permitted uses of PHI by the BA and, conversely, restrictions on any other use.
  • The BA’s responsibilities in implementing appropriate administrative, technical, and physical security measures to best protect PHI.
  • The BA’s obligations to report any unauthorized use, disclosure, or breach of PHI.
  • That the BA is required to assist with patient rights support, i.e., data access, amendments, and accounting of disclosures, when appropriate.
  • The BA’s obligations in making records available for audits or investigations.  
  • The CE’s right to terminate the contract if the BA fails to fulfil their obligations in safeguarding PHI.

Additionally, if a BA employs a third-party company, i.e., a subcontractor, that will have access to a CE’s PHI, they are required to establish a BAA with that company. This then makes the subcontractor a “downstream BA” of the CE, and subject to the same obligations and restrictions placed on the original BA. This ensures the security protections mandated by HIPAA flow down the entire chain of custody for sensitive patient and customer data.

Compliance Considerations After Signing a Business Associate Agreement (BAA)

Now that we’ve covered what a BAA is and the role it plays in ensuring data privacy, let’s move on to exploring some of the key things you have to do following the singing of a BAA to ensure HIPAA compliance.  

1. Both Parties Must Implement HIPAA-Required Data Risk Mitigation Measures 

    First and foremost, while a BAA details each party’s respective responsibilities in implementing measures to protect PHI, both still actually need to implement those required security features to achieve HIPAA compliance. 

    The measures required under HIPAA’s Security Rule, including encryption and access control, are designed to mitigate and minimize the impact of data breaches. So, if a company suffers a security breach and later audits show the required security policies and controls were not in place, they would be subject to the consequences of HIPAA violations, including fines and reputation damage.   

    Also, while a BAA stipulates that the BA is responsible for implementing the HIPAA-required safeguards for the PHI under their care, it doesn’t specify exactly which security measures they must implement. Subsequently, that’s left to the BA to interpret based on their understanding of HIPAA requirements, and how they conduct their required risk assessments.

    For example, if you have a BAA with your email services provider, that alone may not be enough to keep your company or organization HIPAA compliant. That’s because the provider may not have the security measures your organization needs, and instead have a carefully worded BAA that will leave you vulnerable.

    Let’s say your email marketing service provider is a “semi-HIPAA compliant” provider. In these cases, they may not offer email encryption, or the necessary access control measures your organization needs to send PHI and other sensitive information safely. The so-called HIPAA compliance may be limited only to data stored at rest on their servers only.

    In short, although a BAA outlines each party’s commitment to securing data, both parties still have to follow through on implementing risk mitigation measures. Additionally, though a healthcare company has its BA’s assurances that they’ll have the appropriate safeguards in place, CEs often only have limited visibility into its ongoing security posture. As a result, asking the right questions and working with a proven HIPAA compliant provider are critical steps healthcare organizations must take to ensure full compliance.

    2. CEs Must Stick to “In-Scope” Services

      While a BA may provide a CE with a range of services, many limit the coverage of their BAAs to particular “in-scope” services. As a result, if a healthcare organization were to use a service outside the coverage of the BAA, i.e., an “out-of-scope” service, they’d risk exposing patient data and incurring HIPAA violations.

      And, even when a service is in-scope, the BA is still required to configure it properly for it to be compliant. These configurations could include:

      • Enabling encryption
      • Establishing access control
      • Activating multi-factor authentication (MFA)
      • Turning on audit logging 

      With this in mind, it’s crucial to ensure that the “complete” service or tool – not just a part of it – is covered by a BAA before using it to process PHI. Similarly, check the terms of your BAA for configuration or security best practices that offer guidance on fully HIPAA compliant use, and make sure your responsibilities as a CE are 100% clear.

      3. Staff Must Be Trained to Securely Handle PHI 

        Another key reason that signing a BAA doesn’t automatically result in HIPAA compliance is the likely need for both parties to educate their staff on how to securely handle sensitive data, such as PHI.

        Firstly, as discussed above, only some of the services offered by a BA may be covered by its agreement. Subsequently, a healthcare organization’s employees need to be sufficiently trained on the use and disclosure of PHI, namely, the services in which they’re permitted to process PHI and which, in contrast, services are non-compliant.

        By the same token, as well as implementing the stipulated safeguards, BAs are responsible for training their workforce on how to use and, where appropriate, configure them. This will help ensure the limited, correct use and disclosure of PHI as allowed by the BAA. 

        4. Reporting Requirements

          A BAA stipulates that a BA must notify the CE in the event of improper or unauthorized use of PHI. More specifically, this includes: 

          • Reporting immediately any use or disclosure not permitted by the terms of the BAA.
          • Notifying the CE of security incidents resulting in the potential exposure of  PHI.

          However, the commitment to reporting in the BAA and the ability to deliver on that commitment are two different things entirely. Firstly, the BA must implement the policies and infrastructure that allow for timely incident reporting. This includes conducting risk analysis, implemeting continuous monitoring, and developing a robust incident response plan. 

          Additionally, a key aspect of prompt, comprehensive reporting includes the BA ensuring that their staff are sufficiently trained to detect and report security events. As part of their training on the secure handling of PHI, a BA’s employees must be able to recognize common security issues and threats, such as improper email configurations and phishing attempts, and how to report them.

          5. Subcontractor BAAs

            While CEs must sign BAAs with their BAs for the compliant use and disclosure of PHI, they don’t have to sign such agreements with any subcontractors the BA may employ. Instead, it’s the responsibility of the BA to enter into their own business associate agreements with their subcontractors. As a result, the original security obligations are passed all the way down the data’s chain of custody. 

            While a CE can take certain measures to enforce this, such as requesting proof of subcontractor BAAs – or even the ability to review subcontractors before beginning engagement – ultimately, they have little control over their security postures. Ultimately, this means that they have to trust that the original service BA does their due diligence in selecting security-minded subcontractors, with the right PHI safeguards in place.  

            HIPAA Compliance Beyond a BAA with LuxSci

            LuxSci’s secure healthcare communications solutions – including HIPAA compliant email, text, marketing and forms – are designed specifically with the stringent compliance requirements of the healthcare industry in mind. 

            LuxSci also provides onboarding, comprehensive documentation, and support to ensure your infrastructure configurations align with HIPAA requirements, so you can confidently include PHI in your healthcare engagement communications campaigns.

            Contact LuxSci today to discover more about achieving compliance beyond obtaining a BAA.

            Read More
            healthcare marketing trends

            What Makes a Platform HIPAA Compliant?

            A platform becomes HIPAA compliant through a combination of security features, privacy controls, and administrative processes that protect patient information according to HIPAA regulations. No platform is inherently compliant but, rather, compliance emerges from implementing required safeguards, obtaining a Business Associate Agreement, and configuring the platform HIPAA compliant settings to handle protected health information properly. Healthcare organizations must evaluate platforms based on these capabilities and implement appropriate security measures to maintain compliance.

            Core Security Protections

            To make a platform HIPAA compliant, entities must incorporate several fundamental security capabilities. Encryption protects data both during storage and transmission, preventing unauthorized access. Authentication systems verify user identities through methods like password requirements and multi-factor verification. Access controls restrict what information different users can view based on job roles and responsibilities. Audit logging creates records of who accessed information and what actions they performed. Backup systems maintain data availability while incorporating appropriate security protections. These features enable organizations to implement the safeguards required by the HIPAA Security Rule.

            Vendor Agreement Framework

            HIPAA compliant platforms provide Business Associate Agreements (BAAs) establishing vendor responsibilities for protecting healthcare information. These agreements define how the platform vendor handles protected health information and outlines security obligations. Platforms designed for healthcare use typically offer standardized BAAs as part of their service agreements. The agreement specifies which portions of the platform fall under compliance coverage, as some vendors exclude certain features or services. Organizations must obtain these agreements before storing any patient information on third-party platforms regardless of security features implemented.

            Patient Data Privacy Mechanisms

            Platforms supporting healthcare data incorporate privacy controls aligned with HIPAA requirements. Notice functionality allows organizations to inform patients about information usage and their privacy rights. Consent management captures and stores patient authorizations for information disclosures. Access request handling helps organizations respond when patients want copies of their records. These privacy features help organizations fulfill obligations under the HIPAA Privacy Rule. While security prevents unauthorized access, privacy controls manage authorized information usage according to regulatory requirements and patient preferences.

            Compliance Evidence Generation

            To make a platform HIPAA compliant, entities can adopt solutions that provide documentation capabilities demonstrating regulatory adherence. Configuration documentation shows how security settings protect patient information. Audit reports detail system access and usage patterns for compliance verification. Risk assessment tools help identify potential vulnerabilities within platform implementations. These documentation features support healthcare organizations during internal reviews and external audits. Thorough reporting capabilities allow organizations to demonstrate due diligence in protecting healthcare information when questions arise about compliance status.

            Healthcare Process Enablement

            Platforms designed for healthcare environments incorporate features that maintain compliance while supporting clinical and administrative workflows. Secure messaging allows providers to discuss patient care without compromising confidentiality. Document management includes appropriate security controls for clinical records. Task management tracks workforce activities while protecting associated patient information. These workflow capabilities allow healthcare organizations to maintain productivity while adhering to regulatory requirements. The platform architecture considers both security needs and practical usage patterns within healthcare environments.

            Continuous Protection Adaptation

            HIPAA compliant maintenance includes features that support compliance over time as threats evolve. Vulnerability scanning identifies potential security issues as they emerge. Update mechanisms implement security patches without disrupting operations. Configuration management prevents inadvertent changes that might compromise compliance status. Training tools help staff understand proper system usage and security procedures. These management capabilities help organizations maintain compliance as technology and regulations evolve. Effective platforms reduce the administrative burden of ongoing compliance management while maintaining appropriate security controls

            Read More