LuxSci

Menu
Contact us
Login

LuxSci Establishes New Headquarters Offices in Cambridge, Mass.

LuxSci New Headquarters Offices

We’re thrilled to announce the opening of LuxSci’s new headquarters offices at Harvard Square in Cambridge, Massachusetts!

The move marks another milestone in our continuing journey to innovate and grow in secure healthcare communications. The new workspace aims to bring our people and teams together for in-person interactions and collaboration, and to better connect with our customers, partners and thought leaders. Located in the heart of one of the world’s most prestigious educational and technology hubs, our new office space reflects our roots and connections to the Massachusetts Institute of Technology (MIT), and our founder Erik Kangas, an MIT alumnus and advisor.

A Strategic Move for Continued Growth and Expansion

Opening our Cambridge office, part of the Industrious complex of offices, is not just about a change in location. The new office puts us at the center of cutting-edge technology in a thriving area for healthcare innovation. As a company deeply rooted in delivering the latest in secure, HIPAA-compliant communication solutions, this move allows us to leverage the rich talent pool and dynamic environment that Cambridge and the Greater Boston area have to offer.

Leading the Way in HIPAA Compliance for Healthcare Communications

At LuxSci, we’re proud to be the leader in HIPAA-compliant communication solutions for the healthcare industry, which includes serving some of the largest organizations in the US. With over two decades of experience, we understand the critical importance of safeguarding sensitive patient information and protected health information (PHI), but also how to increase patient and customer engagement.

The Next Step into Personalized Healthcare Engagement

Effective healthcare communication goes beyond just compliance—it’s about creating personalized and meaningful interactions with patients and customers. This often requires healthcare organizations to move beyond patient portals to open-up new communications channels and use cases, including email, marketing, text and forms—all in a HIPAA-compliant way. By protecting PHI data and using it in your communications for better personalization, you can deliver improved experiences and better outcomes for everyone involved.

Multi-Channel Suite of Secure Healthcare Communications Solutions

Today, LuxSci offers a suite of secure healthcare communication solutions, including support for high volume email, marketing, text messaging, and forms. As the demand for secure, compliant communication tools grows, LuxSci is at the forefront of delivering solutions that keep up with regulations and protect you from the latest threats.

“With our new Cambridge office, we’re launching the company into a new future with valuable connections to our past and where LuxSci was born,” said Mark Leonard, CEO of LuxSci. “Cambridge offers an unparalleled environment for innovation, and we’re excited to to bring our employees, partners and customers together – and to be part of this vibrant community.”

Want to see for yourself?

Contact us today for an in-person visit to talk about the future of secure healthcare
communications. 

Picture of LuxSci

LuxSci

Get in touch

Find The Best Solution For Your Organization

Talk To An Expert & Get A Quote




A member of our staff will reach out to you

Follow us on LinkedIn

Search

Search

Category

Recent Posts

Get Your Free E-Book!

LuxSci High Email Deliverability Best Practices Paper

What you’ll learn:

  • How to opitmize email performance
  • Key strategies to increase email deliverability rates
  • How email deliverability impacts marketing ROI
Get Free Ebook

Related Posts

HIPAA Security Rule Update

The HIPAA Security Rule Missed Its May Deadline — Here’s What We Know

The proposed HIPAA Security Rule update has become one of the most closely watched healthcare compliance developments in recent years. Designed to strengthen cybersecurity protections for electronic protected health information (ePHI), the proposal could significantly reshape how healthcare organizations approach risk management, ePHI encryption, and mandatory email encryption requirements.

A final rule was expected as early as May 2026. However, that deadline has now passed without publication from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

So, what happens next—and what should healthcare IT directors, CISOs, and compliance officers do now?

Where Things Stand Today

The HIPAA Security Rule Notice of Proposed Rulemaking (NPRM) was published on January 6, 2025, with the goal of strengthening cybersecurity protections for ePHI in response to escalating ransomware attacks, healthcare breaches, and growing concerns about cyber resilience across the healthcare sector.

The proposal generated thousands of public comments from healthcare providers, payers, business associates, technology vendors, and industry groups. OCR has spent much of the past year reviewing this feedback and evaluating the operational and financial impact of the proposed changes.

Although the Spring Unified Regulatory Agenda identified May 2026 as a target date for a final rule, that milestone came and went without publication. As of June 2026, the proposed HIPAA Security Rule update remains under review.

While some organizations may be tempted to take a wait-and-see approach, the missed deadline should not be interpreted as a signal that the initiative has stalled. If anything, the proposal offers valuable insight into the future direction of healthcare cybersecurity regulation.

The Growing Focus on Mandatory Email Encryption

One of the most discussed aspects of the proposed HIPAA Security Rule update is encryption.

Under the current HIPAA Security Rule, encryption is generally classified as an “addressable” implementation specification. Organizations can choose alternative safeguards if they document and justify their decisions through a risk analysis process.

The proposed changes would significantly reduce that flexibility. Instead, many security safeguards, including encryption controls, would become more prescriptive and difficult to avoid.

While the final language has not yet been released, healthcare organizations should pay close attention to the proposal’s clear message: protecting ePHI through encryption is increasingly viewed as a baseline cybersecurity requirement.

This is particularly important for email communications.

Email remains one of the most widely used communication channels in healthcare, supporting everything from patient engagement and care coordination to billing, scheduling, and marketing communications. As regulators continue to focus on reducing data breach risks, mandatory email encryption is emerging as a likely area of increased scrutiny.

What Healthcare Organizations Should Do Now

The current delay creates an opportunity, not a reason to postpone action.

Healthcare organizations can begin preparing for likely requirements today by evaluating the security controls highlighted throughout the proposed rule.

Key areas to review include:

  • Encryption of ePHI across systems and communications channels
  • Comprehensive asset inventories and ePHI data mapping
  • Enhanced risk analysis and risk management processes
  • Multifactor authentication (MFA)
  • Vulnerability scanning and penetration testing
  • Incident response planning and testing
  • Backup and recovery procedures
  • Email security and secure email encryption practices

Organizations that proactively strengthen these areas now will be better prepared regardless of the final rule’s implementation timeline.

Why Secure Email Encryption Should Be a Priority

For many healthcare organizations, email remains one of the largest compliance and security risks.

Human error, misdirected messages, phishing attacks, and inconsistent encryption practices continue to contribute to breaches involving protected health information. As a result, secure email encryption is increasingly becoming a foundational component of healthcare cybersecurity strategies.

Organizations that rely on manual encryption processes or employee judgment alone may find it difficult to meet evolving regulatory expectations.

Instead, healthcare organizations should look for solutions that automate encryption decisions, reduce user error, and provide flexibility based on the sensitivity of the communication.

At LuxSci, we have long believed that security and usability must work together. We are 100% focused on secure healthcare communications, helping healthcare providers, payers, and suppliers protect sensitive data while improving patient and customer engagement. Our proven secure email solutions, used by leading companies including Athenahealth, 1-800 Contacts, and Hinge Health, help organizations protect ePHI with automated encryption capabilities that support both compliance and operational efficiency. Our unique SecureLine encryption technology enables organizations to apply the appropriate level of protection while maintaining a seamless experience for patients, customers, and staff.

For organizations already using Microsoft 365 or Google Workspace, LuxSci Secure Email Gateway can add HIPAA-compliant email security and encryption without requiring users to change their existing workflows. This approach helps reduce risk, while preserving productivity and user adoption.

The Bottom Line

The HIPAA Security Rule final rule may have missed its anticipated May deadline, but the cybersecurity challenges driving the proposal remain very real.

The OCR is still expected to make the rule change, which could require mandatory encryption of ePHI by early 2027.

The time to prepare is now!

Healthcare organizations should view the proposed HIPAA Security Rule update as an advance warning of where regulatory expectations are heading. Stronger cybersecurity controls, enhanced risk management, ePHI encryption, and mandatory email encryption requirements are all likely to remain central themes in future compliance efforts.

The organizations that begin preparing now will not only be better positioned for future regulatory changes, but will also strengthen their ability to protect patient data, reduce risk, and build trust in an increasingly challenging threat landscape.

At LuxSci, we’re proud to support the healthcare industry’s ongoing digital transformation through secure healthcare communications. Our HIPAA-compliant solutions for secure email, email marketing, and forms empower organizations to safely use and protect PHI, while delivering better patient experiences and outcomes.

Ready to strengthen your healthcare cybersecurity strategy?

Learn more about LuxSci and our complete suite of HIPAA compliant email and marketing solutions, or schedule a consultation with one of our healthcare communication experts today.

Contact us today!

Read More
LuxSci G2

LuxSci Awarded 20 Badges in the G2 Summer 2026 Reports

We’re excited to announce that LuxSci has again been recognized by G2 with 20 badges in its just-released Summer 2026 Reports, highlighting our continued leadership in secure healthcare communications and HIPAA compliant email solutions.

The new LuxSci G2 recognitions span several categories, including:

  • Best Estimated ROI
  • Best Support
  • High Performer
  • Leader

These latest LuxSci G2 awards reflect what matters most to our customers: delivering secure, HIPAA compliant healthcare communications backed by responsive support and measurable business results.

As one of the most trusted providers of HIPAA compliant email, marketing, and forms solutions, we’re proud to see our commitment recognized across multiple product categories and customer satisfaction metrics.

Recognition Built on Customer Experience

LuxSci’s G2 rankings are based on verified customer feedback and real-world user experiences, making these badges especially meaningful to our team.

This year’s Summer Reports recognized LuxSci for consistently delivering value to healthcare organizations looking to securely engage patients and customers while maintaining compliance with HIPAA requirements.

Among the highlights, the LuxSci G2 recognition includes:

  • Best Estimated ROI, reflecting the measurable value customers achieve through secure healthcare communications and personalization
  • Best Support, reinforcing LuxSci’s long-standing reputation for responsive, knowledgeable customer service
  • High Performer badges across multiple categories for customer satisfaction and product performance
  • Leader recognition for delivering secure, scalable communications solutions trusted by healthcare organizations

At LuxSci, we believe secure communications should also drive better engagement, stronger outcomes and operational efficiency. These recognitions reinforce our focus on helping healthcare providers, payers and suppliers personalize communications while protecting sensitive patient data.

Supporting the Future of Personalized Healthcare Engagement

LuxSci’s secure healthcare communication and patient engagement solutions empower organizations to safely communicate with patients and customers through:

  • HIPAA-compliant high volume email
  • Secure email marketing
  • Secure forms and data collection
  • Flexible encryption with SecureLine technology

Our solutions are designed to help healthcare organizations improve engagement, streamline workflows and personalize the healthcare journey while maintaining the highest standards of security and compliance.

These latest LuxSci G2 recognitions also build on LuxSci’s broader reputation for security, performance and customer success. Security and trust remain foundational to everything we do, alongside our commitment to delivering smart, responsive support for our customers.

Thank You to Our Customers

We’re grateful to our customers for their continued trust, collaboration and feedback. Their reviews and insights help shape our products and drive ongoing innovation across the LuxSci product set.

To learn more about LuxSci’s secure healthcare communications solutions, contact our team to schedule a secure email assessment or demo.

Connect with us today!

Follow us on LinkedIn

Read More
Email Encryption

Is OCR Already Enforcing Email Encryption Under the New HIPAA Security Rule?

Healthcare organizations waiting for the final HIPAA Security Rule updates before improving email encryption and security may already be behind.

While the proposed changes to the HIPAA Security Rule are expected to be finalized in May, the direction from the U.S. Department of Health and Human Services Office for Civil Rights (OCR) is becoming increasingly clear. Across investigations, settlements, and enforcement actions, OCR continues emphasizing stronger technical safeguards, encryption, documented security programs, multi-factor authentication (MFA), risk analysis, and proactive cybersecurity operations.

For healthcare organizations, one area stands directly in the middle of all of these priorities: email.

Email remains a primary communication channel in healthcare — and one of the industry’s largest security vulnerabilities. From unauthorized PHI exposure to phishing attacks and ransomware delivery to account compromise, email continues to be at the center of healthcare cybersecurity incidents.

So, are the proposed HIPAA Security Rule changes hypothetical future guidance or a preview of OCR’s future enforcement expectations?

For healthcare email security, the implications are significant.

Email = Healthcare Cybersecurity Risk

Healthcare organizations rely on email for critical communications and healthcare workflows, including:

  • Patient communications
  • Care coordination
  • Claims and billing notifications
  • Marketing and engagement
  • Internal collaboration
  • Third-party vendor communications
  • Delivery of sensitive PHI

At the same time, attackers continue targeting email systems because they remain one of the easiest entry points into healthcare environments.

Insecure email workflows create unnecessary exposure of protected health information. Phishing campaigns are becoming more sophisticated. Credential theft attacks are bypassing traditional MFA methods. And business email compromise (BEC) attacks continue rising.

Recent OCR enforcement actions increasingly reflect these realities.

Organizations are being evaluated not simply on whether a breach occurred, but whether they implemented reasonable safeguards beforehand, including encryption, authentication controls, monitoring, access management, and documented risk mitigation processes.

For email systems specifically, that means healthcare organizations should expect increased scrutiny around:

  • Email encryption enforcement
  • MFA deployment
  • Audit logging and retention
  • Conditional access policies
  • Vendor security controls
  • Secure email delivery best practices
  • Segmentation and infrastructure isolation
  • Ongoing patch and vulnerability management

In many ways, email infrastructure is becoming a visible test of an organization’s overall cybersecurity posture.

Email Encryption Is Moving From Addressable to Required

Historically, healthcare organizations often interpreted HIPAA email encryption requirements with flexibility because encryption was technically categorized as an “addressable” safeguard under the Security Rule. But, OCR enforcement and broader cybersecurity realities are changing that interpretation rapidly.

Today, failing to encrypt sensitive healthcare communications increasingly creates both security and regulatory risk. The proposed Security Rule updates place even greater emphasis on encryption and technical safeguards. At the same time, OCR investigations continue examining whether organizations properly protected PHI in transit and at rest.

For healthcare email specifically, this creates several growing expectations:

  • Email encryption should be automated wherever possible
  • Human error should not determine whether PHI is protected
  • Organizations should maintain documented encryption policies
  • Secure delivery methods should adapt dynamically to recipient capabilities
  • Audit trails should demonstrate how messages were secured

At LuxSci, we have long believed that encryption should operate as a strategic layer of healthcare communications infrastructure, not as a manual user decision.

Our SecureLine email encryption technology automatically applies appropriate encryption methods based on organizational policies and delivery requirements, helping reduce the risks associated with human error while maintaining usability, deliverability and compliance. As enforcement expectations rise, this type of automated security enforcement is becoming increasingly important.

Traditional MFA May No Longer Be Enough

Another major shift emerging from both OCR enforcement trends and the proposed rule updates is the growing importance of stronger authentication models.

Healthcare organizations have historically viewed MFA deployment as sufficient protection. But attackers have adapted quickly.

MFA bypass attacks, token theft, session hijacking, and consent phishing campaigns are increasingly targeting healthcare users. As a result, regulators and cybersecurity experts are placing greater emphasis on phishing-resistant authentication approaches and contextual access controls.

For email environments, organizations should increasingly evaluate:

  • Whether MFA methods are resistant to phishing attacks
  • Conditional access policies based on device, location, and behavior
  • Account monitoring and anomaly detection
  • Administrative access protections
  • Session management controls
  • Logging and authentication auditing

The broader message is clear: healthcare organizations need authentication strategies designed for today’s threat landscape, not yesterday’s compliance checklist.

OCR Wants Proof, Not Just Policies

One of the clearest trends emerging from recent OCR activity is the increasing importance of documentation and operational evidence. Healthcare organizations must increasingly demonstrate not only that safeguards exist, but that they are consistently enforced, monitored, tested, and maintained over time.

For email systems, organizations should be prepared to demonstrate:

  • Email encryption policies
  • MFA enforcement records
  • Audit logs and message tracking
  • Vendor security documentation
  • Risk assessments involving email infrastructure
  • Patch management procedures
  • Employee security awareness training
  • Incident response procedures for email-based threats

This represents a broader shift in healthcare cybersecurity expectations.

The question is no longer: “Do you have email security controls?”

The question is increasingly: “Can you prove they are operationally effective?”

Healthcare Organizations Need a New Email Security Strategy

The healthcare industry is entering a new phase of cybersecurity enforcement.

OCR’s direction is becoming increasingly clear: organizations are expected to proactively secure systems handling PHI using modern, documented, and continuously maintained safeguards. For email security specifically, that means organizations should stop treating encryption, MFA, and secure communications as optional compliance requirements. Instead, they should view secure email infrastructure as a strategic component of enterprise cybersecurity and patient trust.

At LuxSci, we help healthcare organizations modernize secure communications with HIPAA compliant email infrastructure designed specifically for healthcare environments, including flexible encryption, secure delivery, auditability, high deliverability, access controls, and dedicated infrastructure options.

The proposed HIPAA Security Rule updates may not yet be final. But, OCR is already signaling where healthcare cybersecurity enforcement is headed next. For organizations relying on email to communicate with patients, members, customers, and partners, the time to examine your secure email infrastructure is now.

Connect with our experts to learn more using the form at the top of this page!

Read More
LuxSci HIPAA Compliant Email for Mid-Sized Healthcare Organizations

LuxSci Launches Enterprise-Grade HIPAA Compliant Email Security for Mid-Sized Healthcare Organizations

New right-sized offering brings advanced encryption, easy API integration, and HITRUST-certified compliance to the most underserved segment in healthcare email — with pricing starting at $99/month

CAMBRIDGE, MA — May 5, 2026 — LuxSci, a leading provider of HIPAA compliant secure healthcare communications, today announced the launch of LuxSci Secure High Volume Email for mid-sized healthcare organizations, the industry’s trusted HIPPA-compliant email solution now packaged and priced for mid-size healthcare organizations. Regional health systems, health plans, specialty group practices, urgent care networks, and multi-site regional providers can now access LuxSci’s enterprise-grade email security and encryption infrastructure at published, volume-based pricing — with no custom quote required.

LuxSci Secure High Volume Email for mid-sized healthcare organizations delivers the same HITRUST CSF r2-certified email security and flexible encryption capabilities that power communications for some of the largest healthcare organizations in the industry, including Athenahealth, 1-800 Contacts, Hinge Health and Eurofins. The new LuxSci mid-sized offer is tiered and priced for organizations with email sending volumes of between 300 and 99,000 emails per month.

LuxSci Secure High Volume Email is built on the company’s proprietary SecureLine™ encryption technology, which automatically selects the optimal email encryption method — TLS, secure portal fallback, PGP, or S/MIME — on a per-recipient basis at the time of delivery, with no action required from senders or recipients. This intelligent, adaptive encryption method goes significantly beyond TLS-only or portal fallback models offered by basic platforms, giving mid-market healthcare organizations the flexibility and cybersecurity depth they need as HIPAA regulations tighten and email threats continue to get more sophisticated.

Key capabilities include:

  • Automatic email encryption via SecureLine™ — encrypt every email and its content, including Protected Health Information (PHI), with per-recipient adaptive encryption across TLS, portal fallback, PGP, and S/MIME.
  • Advanced REST API with webhooks for dataflows into your systems — supports unlimited messages/hour with failover, queuing, plus webhooks can push email engagement data back to EHRs, CRMs, RCM and customer data platforms.
  • Comprehensive audit logging and reporting — message-level tracking, delivery status, engagement reporting, and downloadable reports for compliance officers.
  • HITRUST CSF r2 certification, BAA, GDPR-compliant, and US-EU Privacy Framework agreement all included.
  • Microsoft 365 and Google Workspace overlay — use LuxSci’s Secure Email Gateway add-on to integrate directly with existing M365 or Google Workspace environments, adding HIPAA-compliant encryption without migration or user retraining.
  • HIPAA-compliant patient engagement — secure outbound email campaigns with PHI-powered hyper-segmentation, automated workflows, and personalized emails for marketing campaigns, proactive patient communications, appointment reminders, care gap outreach, new plan enrollments, healthcare education, and more — with LuxSci Secure Marketing add-on.

New Published LuxSci Pricing

LuxSci Secure High Volume Emai for mid-sized healthcare organizations features published pricing based on monthly sending volume:

Monthly Send VolumeMonthly Price
300 to 9,999 emails/month $99/month
10,000 – 29,999 emails/month $199/month
30,000 – 49,999 emails/month $299/month
50,000 – 99,999 emails/month $399/month
100,000+ emails/month Custom

“Mid-size healthcare organizations have been underserved for too long, forced to choose between inadequate email security tools that weren’t built for healthcare and HIPAA compliance and enterprise level solutions that felt too big or too complex,” said Mark Leanord, CEO of LuxSci. “Our new secure email packaging for mid-sized organizations changes that. We’re making the same encryption depth, ease of integration into EHRs, CRMs and other systems, and compliance rigor that powers our largest customers accessible for mid-sized organizations to easily evaluate and buy.”

Timing and Market Context

The launch comes at a critical moment for mid-size healthcare organizations. The HHS HIPAA Security Rule overhaul, expected to finalize in mid-2026, is anticipated to mandate email encryption as a required safeguard, elevating email security from addressable best practice to a regulatory requirement for thousands of organizations that have not yet upgraded their email security and compliance posture. LuxSci secure email is designed to meet these requirements, backed by HITRUST CSF r2 certification and the company’s 20-year track record in secure healthcare communications.

Availability

LuxSci Secure Email for mid-sized healthcare organizations is available immediately. Pricing and product details are published here.

Users can contact LuxSci to set up a call or DEMO.

About LuxSci

LuxSci is a leading provider of secure healthcare communications solutions for the healthcare industry. The company offers secure email, marketing, forms and hosting, delivering HIPAA‑compliant communication solutions that enable organizations to safely manage and transmit sensitive data, including protected health information (PHI). Founded in 1999 and recently merged with digital care and telehealth provider Ovia Health, LuxSci serves more than 2,000 customers across healthcare verticals, including providers, payers, suppliers, and healthcare retail, home care providers, and healthcare systems, as well as organizations operating in other highly regulated industries. LuxSci is HITRUST‑certified with current customers including Athenahealth, 1800 Contacts, Lucerna Health, Eurofins, and Rotech Healthcare, among others.

###

Media Contact:
Pete Wermter, CMO

pwermter@luxsci.com

Read More

You Might Also Like

LuxSci HIPAA-Compliant Marketing Email

12 Key Questions to Ask Before Sending HIPAA-Compliant Marketing Emails

So – you’ve just been told that your email marketing program is putting your company at risk of violating HIPAA.

Ok. What now?

If you want to continue your email-based patient engagement efforts – without the risk of the financial, operational, and reputational risk that accompanies the exposure of sensitive patient data, you must implement HIPAA compliant email marketing practices.

This is comprised of two components: becoming HIPAA-compliant, setting up the required systems and procedures to ensure your PHI (PHI) and EPHI (EPHI) are protected, and your marketing objectives, who you want to reach and what to communicate.

However, you don’t have to let your marketing objectives suffer for the sake of security.

Implementing a HIPAA-compliant marketing program can actually help you achieve better marketing results.

Asking yourself these 12 questions ensures your email marketing campaigns align with your business goals and are HIPAA-compliant.

———

HIPAA-Compliant Marketing Emails

1. Do you have security controls to protect access to your email marketing system?

2. Do you have a documented procedure to guide you HIPAA-compliant email marketing?

3. Can you send encrypted emails?

4. Do you have a complete understanding of your organization’s PHI and ePHI?

5. Do you have a required training process for anyone sending HIPAA-compliant marketing emails?

6. Do you have effective protection against malware?

7. Do you have valid Business Associate Agreements (BAA) in place?

8. Why am I sending this email?

9. Is my email’s subject line standing out?

10. What is the recipient’s brand and product awareness level?

11. Have I tested my message for readability?

12. Have I sent my message to a test email account?

HIPAA-Compliant Marketing Emails

If your organization requires HIPAA-compliant email, start by using these questions to inspect your email marketing for compliance. Note that while we can’t provide legal advice, the below questions will help you identify some of the most common points of vulnerability and non-compliance.

1. Do you have security controls to protect access to your email marketing system?

Email security is an essential component of being HIPAA-compliant. As a starting point, check your internal security processes for access restrictions. This includes:

  • A robust password policy, i.e., changed frequently (e.g., 30 days), has to contain a mixture of characters, etc.
  • Multi-factor authentication (MFA), i.e., users verifying their identity in multiple ways, e.g., username/password and sent number codes (text, email, key fob, etc.), biometrics, etc.
  • Role-based access controls, i.e., granting access to individuals based on the responsibilities of their job role.
  • Zero Trust Architecture (ZTA), i.e., “never trust, always verify” – where users are required to reconfirm their identity on a case-by-case basis, as opposed to once when logging on, which mitigates session hijacking and similar threats.

2. Do you have a documented procedure to guide you HIPAA-compliant email marketing?

“Winging it” simply doesn’t cut it when it comes to HIPAA-compliant email marketing; you must develop a comprehensive documented process detailing how you intend to safeguard PHI throughout your email marketing campaigns.

This should include:

  • Specifying the HIPAA-compliant email delivery service you’ll use to execute your marketing campaigns
  • The processes and controls you’ll use to encrypt data  for ePHI at rest and in transit
  • The access and authentication controls you have in place
  • How you’ll implement data minimization: only using the minimum necessary PHI in communications – and not including sensitive PHI unless it’s essential.
  • How you’ll securely dispose of data: Implement a process for securely deleting emails containing ePHI once they’re no longer needed, to comply with retention policies.
  • Staff training: educating employees involved in email marketing on how to securely handle PHI and other HIPAA requirements.
  • Incident response plan, i.e., an additional documented plan for how you’ll respond to data breaches and other cyber attacks; this also includes notifying any affected parties as mandated by HIPAA.

If you’re starting from scratch, the information contained in the answers to the questions in this article provides a useful starting point for creating your first procedure.

3. Can you send encrypted emails?

If you are sending highly sensitive data or PHI in your emails, be aware that HIPAA requires the data to be encrypted a rest, i.e., the storage medium where it resides, and in transit, when being sent to recipients.

To the surprise of many healthcare organizations, most major email marketing providers, such as Mailchimp and Constant Contact are unable to provide encryption for data in transit and only protect data in their systems. To avoid falling foul of HIPAA regulations, ensure that the email delivery platform you use to transmit messages containing PHI offers end-to-end encryption.

4. Do you have a complete understanding of your organization’s PHI and ePHI?

Much of the time, when we, as well as healthcare providers, talk about PHI, we’re actually referring to electronic protected health information (EPHI). While PHI is a catch-all term to account for all sensitive health information, in truth, in the digital age, the vast majority is stored electronically in data centers – and the patient data handled is EPHI.

You can discover “PHI” and “ePHI” within the context of your organization’s context by identifying and categorizing the PHI and ePHI typically handled in your business. It’s an absolutely crucial tenet of data protection that you simply can’t protect what you’re not aware of.

Comprehensive PHI categorization will help your staff navigate HIPAA-compliant email requirements.

5. Do you have a required training process in place for anyone sending HIPAA-compliant marketing emails?

Your HIPAA compliance program, as with your company’s overall cybersecurity posture, is only as strong as your weakest link. In light of this, it’s essential to educate the staff within your company who are involved in your healthcare engagement campaigns on the secure use of ePHI and HIPAA-compliant marketing practices.

Additionally, this needs to be reflected in your onboarding process, so new hires are made familiar with HIPAA regulations, should their role require it.

6. Do you have effective protection against malware?

In the unlikely event you need any further encouragement to revisit your company’s anti-malware (viruses, ransomware, Trojans, etc.) measures, there are always HIPAA compliance requirements! 

To better protect your sensitive customer data against a slew of increasingly sophisticated cyber threats, start with these three key considerations:

  1. Do you have anti-malware protection running on all of your organization’s devices? Additionally, does this extend to your employee’s personal devices on which they handle PHI?
  2. How frequently do you update your anti-malware solution?
  3. Does your email marketing provider have sufficient protection malware mitigation measures in place, as per HIPAA requirements?

7. Do you have valid Business Associate Agreements (BAA) in place?

It’s normal to outsource activities like email marketing to a third party, but for the service they provide to be HIPAA-compliant, you must have a business associate agreement (BAA) in place.

A BAA documents how two organizations will share PHI and under what circumstances. A BAA also details the legal responsibilities of each party in the event of a serious issue. With a BAA being a core component of HIPAA compliance, failure to have one in place with your email service provider is an immediate HIPAA violation – and one that can result in serious consequences for a healthcare company.

Getting Better Results from HIPAA-Compliant Email Marketing

Now that you’ve confirmed your systems are HIPAA-compliant, let’s move on to making sure your email marketing strategy aligns with your overall business objectives.

In pursuit of this, the following questions serve as a handy “monthly review” for refining the effectiveness of your email-based patient outreach efforts .

8. Why am I sending this email?

First and foremost, for the best results, each email you send should have a single, clearly defined purpose.

I know what you’re thinking – “my customers and patients are smart, they can handle multiple points in a single message.”  And while that’s true, at whatever point your email reaches a recipient, they’re already juggling several different priorities at once. While they’re capable of juggling multiple points in a message – they’re unlikely to want to; when it comes to email marketing, a single goal is the best way to go.

Similarly, it’s important to remember that your email is one of dozens –  or hundreds – received by your patient that day. So, if your message is long and overly complicated, the reader will likely skip over or delete it.

9. Is my email’s subject line standing out?

Following on the above point, is your email subject line impactful enough to stand out amidst the pile of messages that will land in the patient’s inbox that day? The email subject line is the most important part of your email because it’s responsible for persuading the reader to open your message.

Despite this, many marketers still use terrible, ineffective subject lines and wonder why their emails are failing to produce results!

For the best results, write up three to ten subject lines for your next email, step away for 5-10 minutes, and then choose the headline you determine as best.

Consider these examples to check your understanding:

Ineffective Email Subject Lines

  1. Blank (no subject): writing nothing in the subject line
  2. Clinic Newsletter (tell them more, e.g., the subject or theme for the month)
  3. Overusing exclamation marks!!!

Effective Email Subject Lines (examples based on a dental practice)

  1. BRAND-NEW Dental Product Released Today
  2. How to Cut Down on Your Health Insurance Paperwork
  3. [Case Study] How We Helped 3 Ex-Smokers Get White Teeth

10. What is the recipient’s brand and product awareness level?

Whether promoting medical devices, new digital solutions technology, or any healthcare product or service, understanding the prospect’s awareness level is essential.

If your email is designed to introduce a brand-new product, stick to high-level features and benefits while avoiding technical jargon and granular product details. Conversely, if you’re writing an email to experienced, highly knowledgeable readers, going into greater depth makes sense.

Advanced list management and segmentation tools, as offered by Luxsci Secure Marketing, are key for ensuring the communications you send match the reader’s awareness level.

11. Have I tested my message for readability?

Do you know one of the reasons that Hemingway was popular? He   was skilled at writing short phrases and phrases. Consequently, his writing was easy to understand and appealed to a wide variety of people. When in doubt, keep your writing short and free of jargon, abbreviations and “insider” terms.

When you’re deeply involved in the details of your business, it’s so easy to overlook just how much specialized jargon and language you frequently use. However, if you want your communications to engage with patients and customers, they need to be as accessible as possible.

Fortunately, there are simple solutions to this, with tools like the Text Readability Calculator that are designed to quickly enhance the readability of your emails.

12. Have I sent my message to a test email account?

Finally, if you’ve followed all of the above advice, you’re almost ready to hit SEND…there’s just one more thing you need to check.

Determine how your email will look to recipients, including its clarity, and readability by simply sending a test email to one of your own email accounts once it is received.

In particular, pay attention to how the subject line looks and test all the links in the email to ensure they take the reader through to the intended destination, such as a product or service page. A broken link will only frustrate the recipient – who was interested enough to click through, no less – and lower your conversion rate.

Better still, send the test email to a colleague somebody and ask for their opinion about the quality of the message and whether it creates the desired impression.

Demystifying HIPAA-Compliant Email Marketing

As the most experienced HIPAA-compliant email provider, LuxSci specializes in providing secure and HIPAA-compliant solutions for companies aiming to send hundreds of thousands – or millions – of emails. Our hypersegmentation tools allow you to precisely target an unlimited number of patient sub-populations to maximize the efficacy of your messaging.

Are you interested in discovering how LuxSci’s secure email marketing platform will streamline your healthcare engagement efforts?

Contact us to learn more about our products and pricing.

Read More
HIPAA Compliant Hosting Requirements

What Are HIPAA Compliant Hosting Requirements?

HIPAA compliant hosting requirements include administrative policies for workforce training and access management, physical controls for data center security and equipment protection, and information protections for data encryption, access controls, and audit logging. Healthcare organizations using hosting services must ensure providers implement appropriate business associate agreements, security measures, and compliance documentation that meet Privacy and Security Rule obligations for protecting electronic PHI. Healthcare organizations increasingly rely on cloud hosting and managed services to support their operations while reducing internal IT infrastructure costs. Outsourcing hosting responsibilities does not eliminate HIPAA compliant hosting requirements, requiring careful vendor selection and ongoing oversight.

Administrative Protection Standards

Workforce training requirements mandate that hosting providers educate their personnel about HIPAA obligations and PHI handling procedures. All staff with potential access to healthcare client data must understand privacy requirements and security protocols before gaining system access. Access management procedures ensure that hosting provider personnel receive appropriate permissions based on their job responsibilities and healthcare client needs. Role-based access controls limit employee exposure to PHI while enabling necessary system administration and support activities. Security officer designation requires hosting providers to appoint qualified individuals responsible for developing and implementing security policies that protect healthcare client data. Officers must have appropriate authority and expertise to ensure comprehensive compliance across hosting operations.

Infrastructure & HIPAA Compliant Hosting Requirements

Data center security controls must protect servers and network equipment from unauthorized physical access through multiple layers of security including perimeter controls, biometric access systems, and surveillance monitoring. These protections help prevent unauthorized individuals from accessing systems containing PHI. Equipment disposal procedures ensure that storage devices and servers containing healthcare client data receive appropriate destruction when they reach end of life. Hosting providers must implement certified data destruction methods that prevent PHI recovery from disposed equipment. Environmental protections including fire suppression, climate control, and power management help ensure that healthcare client data remains available and protected from physical threats. Systems of this nature support business continuity while maintaining data integrity and accessibility.

Control Measures for HIPAA Compliant Hosting Requirements

User authentication systems verify the identity of individuals accessing hosting infrastructure before granting permissions to view or modify healthcare client data. Multi-factor authentication provides additional security layers for privileged access to systems containing PHI. Unique user identification ensures that hosting provider activities can be traced to specific individuals through comprehensive account management and monitoring systems. These controls support accountability and enable investigation of potential security incidents involving healthcare client data. Emergency access procedures provide alternative authentication methods when normal access controls might delay urgent system maintenance or security response activities. These procedures must include enhanced monitoring and documentation requirements to maintain security while enabling necessary operations.

Audit Controls and Activity Monitoring

Comprehensive logging systems capture detailed records of all activities affecting healthcare client data including user access, system modifications, and data transfers. These logs must be protected from unauthorized modification and preserved for appropriate periods to support compliance demonstrations. Regular log analysis helps hosting providers identify unusual activity patterns that might indicate security threats or compliance violations. Automated monitoring tools can detect suspicious behavior and alert security personnel to potential incidents requiring investigation. Audit trail preservation ensures that activity records remain available for compliance reviews and incident investigations throughout required retention periods. Hosting providers must maintain secure log storage while providing healthcare clients with access to relevant audit information.

Data Integrity and Transmission Security

Encryption implementation protects healthcare client data during storage and transmission through approved cryptographic methods and key management practices. Hosting providers must maintain current encryption standards while ensuring that decryption capabilities remain available for legitimate access needs. Data validation procedures verify that healthcare client information maintains accuracy and completeness throughout processing and storage activities. These procedures help detect unauthorized modifications or corruption that could compromise data integrity or patient care. Backup and recovery systems maintain additional copies of healthcare client data while preserving security protections and access controls. Frequent testing ensures that backup systems function properly and can restore data without compromising compliance requirements.

Network Security and Communication Controls

Firewall configuration creates secure network boundaries that control traffic between healthcare client systems and external networks. These controls help prevent unauthorized access while enabling necessary communication for healthcare operations and patient care. Intrusion detection systems monitor network traffic for potential security threats and unauthorized access attempts involving healthcare client data. Automated alerting helps hosting providers respond quickly to potential incidents while maintaining comprehensive security coverage. Secure communication channels protect data transmission between healthcare clients and hosting infrastructure through encrypted connections and authenticated access methods. These channels help ensure that PHI remains protected during transfer and remote access activities.

Business Associate Agreement Obligations

Contractual requirements establish hosting provider responsibilities for PHI protection including specific security measures, incident response procedures, and compliance monitoring activities. These agreements must address all applicable HIPAA compliant hosting requirements while defining clear performance expectations. Liability allocation between healthcare organizations and hosting providers depends on their respective roles in PHI protection and which party controls different aspects of data security. Clear contractual provisions help define responsibility for various compliance obligations and potential violations. Termination procedures address how healthcare client data is handled when hosting relationships end including data return, destruction, or transfer requirements.

Compliance Monitoring and Vendor Oversight

Risk assessment procedures help healthcare organizations evaluate hosting provider security practices and identify potential vulnerabilities that could compromise PHI protection. These assessments should be conducted regularly and documented to demonstrate due diligence in vendor oversight. Performance monitoring tracks hosting provider compliance with contractual obligations and HIPAA requirements through security audits, incident reviews, and service level assessments. Healthcare organizations must maintain ongoing oversight rather than relying solely on initial vendor evaluations. Documentation requirements ensure that hosting providers maintain records demonstrating their compliance efforts including policies, training materials, audit results, and incident reports. Well kept records support healthcare client compliance demonstrations and regulatory reviews when requested.

Read More
Best HIPAA Compliant Email Providers

How Do Healthcare Organizations Choose the Right Secure Email Providers?

Healthcare organizations look at provider capabilities across security architecture, compliance certifications, integration options, support quality, and pricing structures to identify solutions that meet their operational requirements and regulatory obligationsSecure email providers offer platforms that encrypt communications, maintain audit trails, and ensure compliance with healthcare privacy regulations while delivering reliable message transmission and user-friendly interfaces. Healthcare organizations must evaluate provider capabilities across security architecture, compliance certifications, integration options, support quality, and pricing structures to identify solutions that meet their operational requirements and regulatory obligations. The selection process involves analyzing encryption standards, business associate agreement terms, scalability options, and vendor stability to ensure long-term partnership success.

Security Architecture and Encryption Standards

End-to-end encryption capabilities distinguish professional secure email providers from standard business email services by protecting message content throughout the entire communication lifecycle. Advanced Encryption Standard (AES) 256-bit encryption transforms patient information into unreadable code before transmission, ensuring that intercepted messages cannot reveal sensitive health data to unauthorized parties. Transport Layer Security protocols create secure tunnels between email servers, preventing message interception during transmission across public internet infrastructure while maintaining message integrity throughout delivery processes.

Authentication mechanisms verify sender and recipient identities through digital certificates and multi-factor verification systems that prevent unauthorized access to healthcare communications. Certificate-based authentication ensures that only verified healthcare providers and authorized recipients can access encrypted patient information sent through email channels. Two-factor authentication requirements add security layers by requiring users to provide secondary verification through mobile devices, hardware tokens, or biometric identification before accessing their secure email accounts.

Key management systems protect the encryption keys that safeguard patient information while ensuring that legitimate healthcare providers can access necessary communications without delays that might interfere with patient care activities. Secure key storage prevents unauthorized access to encryption keys while maintaining backup procedures that prevent data loss if primary key storage systems experience failures. Automatic key rotation schedules strengthen security by regularly updating encryption keys without requiring manual intervention from busy healthcare staff members. Message integrity controls detect attempts to modify email content during transmission and alert recipients when communications may have been compromised by malicious actors. Digital signatures provide mathematical proof that messages originated from legitimate healthcare sources and have not been altered during transmission processes. These verification mechanisms enable healthcare providers to trust that patient communications received through secure email providers maintain their original content and authenticity.

Compliance Certifications and Regulatory Requirements

HIPAA compliance capabilities form the foundation for evaluating secure email providers serving healthcare organizations, as these platforms must meet strict administrative, physical, and technical safeguards required under federal privacy regulations. Providers should demonstrate their compliance through comprehensive business associate agreements that specify exactly how they will protect patient information, what security measures they maintain, and detailed procedures for reporting security incidents to healthcare organizations. Documentation requirements include maintaining audit trails, conducting risk assessments, and providing compliance reporting that supports healthcare organizations during regulatory inspections.

SOC 2 Type II certifications demonstrate that secure email providers maintain appropriate controls for security, availability, processing integrity, confidentiality, and privacy of customer data throughout their operations. These independent audits verify that providers implement effective security controls and maintain them consistently over extended periods rather than just during initial certification assessments. Healthcare organizations should request recent audit reports and verify that certification scopes include all services they plan to use from potential providers.

HITRUST certification addresses healthcare-specific security requirements and indicates that secure email providers understand the compliance challenges healthcare organizations experience daily. This certification framework incorporates requirements from multiple regulatory standards including HIPAA, HITECH, and state privacy laws to provide comprehensive security validation for healthcare technology vendors. Providers with current HITRUST certification have demonstrated their ability to protect healthcare information according to industry-recognized standards and best practices. International compliance standards may be relevant for healthcare organizations operating across multiple countries or serving patients with diverse privacy expectations. General Data Protection Regulation compliance enables secure email providers to serve healthcare organizations with European operations or patients, while other regional privacy regulations may require specialized compliance capabilities. Healthcare organizations should verify that their chosen providers can meet all applicable regulatory requirements for their specific operational scope and patient populations.

Integration Capabilities and Workflow Enhancement

Electronic health record integration enables seamless communication workflows by connecting secure email platforms with clinical documentation systems that healthcare providers use daily. API connectivity allows patient communications to populate appropriate sections of electronic health records automatically, eliminating duplicate data entry while ensuring comprehensive documentation of all patient interactions. Real-time synchronization ensures that email communications appear in patient records immediately, supporting clinical decision-making with complete communication histories.

Mobile device support enables healthcare providers to access secure communications from smartphones and tablets without compromising security standards or patient privacy protections. Native mobile applications should maintain the same encryption and authentication requirements as desktop platforms while providing convenient access for busy healthcare providers working from various locations. Cross-platform compatibility ensures that healthcare teams can communicate effectively regardless of their preferred devices or operating systems. Patient portal connections create unified communication platforms that give patients convenient access to their healthcare information through single sign-on interfaces. These integrated systems allow patients to receive test results, communicate with their care teams, and access educational resources through platforms that maintain consistent security standards across all communication channels. Unified patient experiences improve satisfaction while reducing technical support requirements for healthcare organizations managing multiple communication systems.

Vendor Stability and Support Quality

Financial stability assessments help healthcare organizations evaluate whether potential secure email providers can maintain service quality and security standards throughout long-term contract periods. Publicly available financial information, funding sources, and growth trajectories provide insights into provider stability and their ability to invest in security improvements and feature development. Healthcare organizations should avoid providers experiencing financial difficulties that might compromise service reliability or security investments during contract periods.

Customer support capabilities directly impact healthcare organization productivity when email issues arise during patient care activities or compliance requirements need immediate attention. Twenty-four hour support availability ensures that healthcare providers can resolve email problems quickly when patient communications are at risk or system outages threaten operational continuity. Dedicated healthcare support teams understand industry-specific requirements and can provide specialized assistance with compliance questions and workflow optimization challenges.

Implementation support quality determines how smoothly healthcare organizations can transition to new secure email providers without disrupting patient care activities or compromising security standards. Professional services teams should provide data migration assistance, system configuration guidance, and staff training programs that minimize transition disruption. Experienced implementation teams understand healthcare workflow requirements and can customize deployment approaches to accommodate operational constraints and compliance obligations.

Update and maintenance procedures ensure that secure email providers maintain current security standards and feature capabilities without requiring manual intervention from healthcare IT staff. Automatic security updates protect against emerging threats while maintaining email system availability during critical patient care periods. Scheduled maintenance windows should accommodate healthcare operation schedules and include advance notification procedures that allow organizations to plan around potential service interruptions from their secure email providers.

Pricing Models and Total Cost Considerations

Per-user pricing structures allow healthcare organizations to scale email costs directly with their workforce size while maintaining predictable budget planning capabilities. Volume discounts for larger organizations can reduce per-user costs substantially, making secure email more affordable for health systems and large practices with hundreds or thousands of users. Healthcare organizations should evaluate pricing tiers carefully to identify optimal user count thresholds that maximize cost efficiency while accommodating anticipated growth patterns.

Storage allocation policies affect long-term costs for healthcare organizations that must retain email communications for extended periods to meet regulatory and legal requirements. Unlimited storage plans provide cost predictability and eliminate concerns about archive capacity limits, while metered storage options may offer lower initial costs but create potential budget overruns if retention requirements exceed initial estimates. Healthcare organizations should calculate their long-term storage needs based on communication volume patterns and regulatory retention requirements.

Feature-based pricing allows organizations to customize their secure email investments by paying only for capabilities they actually need rather than comprehensive packages that include unused functionality. Basic encryption and compliance features constitute entry-level costs, while advanced capabilities like data loss prevention, integration APIs, and custom reporting may require supplementary charges. Healthcare organizations should evaluate feature requirements carefully to avoid both overpaying for unused capabilities and underestimating needs that require costly upgrades later.

Implementation costs include data migration services, system configuration assistance, and staff training programs that enable successful deployment of new secure email platforms. Professional services charges may range from thousands to tens of thousands of dollars depending on data volume, customization requirements, and integration complexity. Healthcare organizations should budget for these one-time expenses while evaluating total cost of ownership across expected contract periods with secure email providers, rather than focusing solely on recurring subscription fees.

Evaluation Criteria and Selection Process

Security assessment procedures should evaluate encryption strength, authentication mechanisms, access controls, and audit logging capabilities that secure email providers implement to protect healthcare communications. Penetration testing results, vulnerability assessments, and security certifications provide objective evidence of provider security capabilities. Healthcare organizations should request detailed security documentation and verify that provider security measures meet or exceed their internal requirements and regulatory obligations.

Compliance verification involves reviewing business associate agreements, audit reports, and compliance certifications to ensure that potential providers can meet healthcare privacy requirements effectively. Legal teams should evaluate contract terms, liability allocation, and incident response procedures to protect healthcare organizations from regulatory penalties or security breaches. Due diligence processes should include reference checks with current healthcare customers and verification of provider compliance track records.

Pilot testing enables healthcare organizations to evaluate secure email provider functionality, performance, and user experience before committing to long-term contracts or organization-wide implementations. Limited pilot programs with small user groups can identify potential issues with workflow integration, security controls, or usability that might affect broader deployments. Testing periods should include realistic usage scenarios and stress testing to verify that providers can handle anticipated communication volumes and user loads.

Vendor comparison matrices help healthcare organizations systematically evaluate multiple secure email providers across security, compliance, integration, support, and pricing criteria that matter most for their specific requirements. Weighted scoring systems can prioritize evaluation criteria based on organizational priorities and constraints. Comprehensive evaluations should include total cost of ownership calculations, implementation timeline estimates, and risk assessments that account for vendor stability and long-term viability considerations.

Read More
hands on a keyboard sending secure email

How to Secure SMTP Email Delivery with TLS

Secure email sending is a priority for organizations that communicate sensitive data externally. One of the most common ways to send secure emails is with SMTP TLS. TLS stands for Transport Layer Security and is the successor of SSL (Secure Socket Layer). TLS is one of the standard ways that computers on the internet transmit information over an encrypted channel. In general, when one computer connects to another computer and uses TLS, the following happens:

  1. Computer A connects to Computer B (no security)
  2. Computer B says “Hello” (no security)
  3. Computer A says, “Let’s talk securely over TLS” (no security)
  4. Computers A and B agree on how to do this (secure)
  5. The rest of the conversation is encrypted (secure)

In particular:

  • The conversation is encrypted
  • Computer A can verify the identity of Computer B (by examining its SSL certificate, which is required for this dialog)
  • The conversation cannot be eavesdropped upon (without Computer A knowing)
  • A third party cannot modify the conversation
  • Third parties cannot inject other information into the conversation.

TLS and SSL help make the internet a more secure place. One popular way to use TLS is to secure SMTP to protect the transmission of email messages between servers.

Secure SMTP Email Delivery with TLS 

The mechanism and language by which one email server transmits email messages to another email server is called Simple Mail Transport Protocol, or SMTP. For a long time, email servers have had the option of using TLS to transparently encrypt the message transmission from one server to another.

When available, using TLS with SMTP ensures the message contents are secured during transmission between the servers. Unfortunately, not all servers support TLS! Many email providers, especially free or public ones, have historically not supported TLS. Thankfully, the trend is shifting. LuxSci found that most providers now support TLS- approximately 85% of domains tested as of July 2022.

Using TLS requires that the server administrators:

  1. purchase SSL certificates
  2. configure the email servers to use them (and keep these configurations updated)
  3. allocate additional computational resources on the email servers involved.

For TLS transmission to be used, the destination email server must offer support for TLS, and the sending computer or server must be configured to use TLS connections when possible.

The sending computer or server could be configured for:

  1. No TLS: never use it.
  2. Opportunistic TLS: use it if available; if not, send it insecurely.
  3. Forced TLS: use TLS or do not deliver the email at all.

How Secure is Email Delivery over SMTP TLS?

TLS protects the transmission of the email message contents. It does nothing to protect the security of the message before it is sent or after it arrives at its destination. For that, other encryption mechanisms may be used, such as PGP, S/MIME, or storage in a secure portal.

For sending sensitive information to customers, transmission security is the minimum standard for compliance with healthcare and financial regulations. TLS is appropriate to meet most compliance requirements and offers an excellent alternative to more robust and less user-friendly encryption methods (like PGP and S/MIME).

There are different versions of TLS- 1.0 and 1.1 use older ciphers and are not as secure, while TLS 1.2 and 1.3 use newer ciphers and are more secure. When an email is sent, the level of TLS used is as secure as can be negotiated between the sending and receiving servers. If they both support strong encryption (like AES 256), then that will be used. If not, a weaker grade of encryption may be used. The sending and receiving servers can choose the types of encryption they will support. If there is no overlap in what they support, then TLS will fail (this is rare).

What About Replies to Secure Messages?

Let’s say you send a message to someone that is securely delivered to their inbox over TLS. Then, that person replies to you. Will that reply be secure? This may be important if you are communicating sensitive information. The reply will use TLS only if:

  1. The recipient’s servers support TLS for outbound email (there is no way to test this externally).
  2. The mail servers (where the “From” or “Reply” email address is hosted) support TLS for inbound email.
  3. Both servers support overlapping TLS ciphers and protocols and can agree on a mutually acceptable means of encryption.

Unless familiar with the providers in question, it cannot be assumed that replies will use TLS. So, what should you do? Ultimately, it depends on what compliance standards you must meet, the level of risk you are willing to accept, and the types of communications you send. There are two general approaches to this question:

  1. Conservative. If replies must be secure in all cases, assuming TLS will be used is unreasonable. In this case, a more secure method should be used to encrypt the messages in transit and store them upon arrival. The recipient must log in to a secure portal to view the message and reply securely. Alternatively, PGP or S/MIME could be used for additional security.
  2. Aggressive. In some compliance situations like HIPAA, healthcare providers must ensure that ePHI is sent securely to patients. However, patients are not beholden to HIPAA and can send their information insecurely to anyone they want. If the patient’s reply is insecure, that could be okay. For these reasons, and because using TLS for email security is so easy, many do not worry about the security of email replies. However, this should be a risk factor you consider in an internal security audit. Consider nuanced policies that allow you to send less sensitive messages with TLS while sending more sensitive messages with higher security.

What are the Weaknesses of SMTP TLS?

As discussed, SMTP TLS has been around for a long time and has recently seen a great deal of adoption. However, it has some deficiencies compared to other types of email security:

  • There is no mandatory support for TLS in the email system.
  • A receiver’s support of the SMTP TLS option can be trivially removed by an active man-in-the-middle because TLS certificates are not actively verified.
  • Encryption is not used if any aspect of the TLS negotiation is undecipherable/garbled. It is very easy for a man-in-the-middle to inject garbage into the TLS handshake (which is done in clear text) and have the connection downgraded to plain text (opportunistic TLS) or have the connection fail (forced TLS).
  • Even when SMTP TLS is offered and accepted, the certificate presented during the TLS handshake is usually not checked to see if it is for the expected domain and unexpired. Most MTAs offer self-signed certificates as a pro forma. Thus, in many cases, one has an encrypted channel to an unauthenticated MTA, which can only prevent passive eavesdropping.

The Latest Updates to Secure SMTP TLS

Some solutions help remedy these issues—for example, SMTP Strict Transport Security. SMTP STS enables recipient servers to publish information about their SMTP TLS support in their DNS. This prevents man-in-the-middle downgrades to plain text delivery, ensures more robust TLS protocols are used, and can enable certificate validation.

In addition, users can adopt TLS 1.3. NIST recommends that government agencies develop migration plans to support TLS 1.3 by January 1, 2024. LuxSci supports both SMTP MTA-STS and TLS 1.3.

How Secure SMTP TLS Email Works with LuxSci

Inbound TLS

LuxSci’s inbound email servers support TLS for encrypted inbound email delivery from any sending email provider that also supports that. For selected organizations, LuxSci also locks down its servers to only accept email from them if delivered over TLS.

Outbound Opportunistic TLS

LuxSci’s outbound email servers will always use TLS with any server that claims to support it and with whom we can talk TLS v1.0+ using a strong cipher. The message will not be sent securely if the TLS connection to such a server fails (due to misconfiguration or no security protocols in common). Outbound opportunistic TLS encryption is automatic for all LuxSci customers, even those without SecureLine.

Forced TLS

When Forced TLS is enabled, the message is either dropped or sent with an alternate form of encryption if the recipient’s server does not support TLS. This ensures that messages will never be sent insecurely. Forced TLS is also in place for all LuxSci customers sending to banks and organizations that have requested that we globally enforce TLS to their servers.

Support for strong encryption

LuxSci’s servers will use the strongest encryption supported by the recipient’s email server. LuxSci servers will never employ an encryption cipher that uses less than 128 bits (they will fail to deliver rather than deliver via an excessively weak encryption cipher), and they will never use SSL v2 or SSL v3.

Does LuxSci Have Any Other Special TLS Features?

When using LuxSci SecureLine for outbound email encryption:

  1. SMTP MTA STS: LuxSci’s domains support SMTP MTA STS, and LuxSci’s SecureLine encryption system leverages STS information about recipient domains to improve connection security.
  2. Try TLS: Account administrators can have secure messages “try TLS first” and deliver that way. If TLS is unavailable, the messages would fall back and use more secure options like PGP, S/MIME, or Escrow. Email security is easy, seamless, and automatic when communicating internally or with others who support TLS.
  3. TLS Exclusive: This is a special LuxSci-exclusive TLS sending feature. TLS Exclusive is just like Forced TLS, except that messages that can’t connect over TLS are just dropped. This is ideal for low-importance emails that must still be compliant, like email marketing messages in healthcare. In such cases, the ease of use of TLS is more important than receiving the message.
  4. TLS Only Forwarding: Account administrators can restrict any server-side email forwarding settings in their accounts from allowing forwarding to any email addresses that do not support TLS for email delivery.
  5. Encryption Escalation: Often, TLS is suitable for most messages, but some messages need to be encrypted using something stronger. LuxSci allows users to escalate the encryption from TLS to Escrow with a click (in WebMail) or by entering particular text in the subject line (for messages sent from email programs like Outlook).
  6. Domain Monitoring: When TLS delivery is enabled for SecureLine accounts, messages will never be insecurely sent to domains that purport to be TLS-enabled, i.e., TLS delivery is enforced and no longer “opportunistic.” The system monitors these domains and updates their TLS-compliance status daily.
  7. Double Encryption: Messages sent using SecureLine and PGP or S/MIME will still use Opportunistic TLS whenever possible for message delivery. In these cases, messages are often “double encrypted.” First, they are encrypted with PGP or S/MIME and may be encrypted again during transport using TLS.
  8. No Weak TLS: Unlike many organizations, LuxSci’s TLS support for SMTP and other servers only supports those protocol levels (e.g., TLS v1.0+) and ciphers recommended by NIST for government communications and which are required for HIPAA. So, all communications with LuxSci servers will be over a compliant implementation of TLS.

For customers who can use TLS to meet security or compliance requirements, it enables seamless security and “use of email as usual.” SecureLine with Forced TLS enables clients to take advantage of this level of security whenever possible while automatically falling back to other methods when TLS is unavailable.

Of course, using Forced TLS as the sole method of encryption is optional; if your compliance needs are more substantial, you can turn off TLS-Only delivery or restrict it so that it is used only with specific recipients.

If your email use cases are complicated, LuxSci’s flexibility enables the secure sending of emails to any recipient, regardless of their email service provider’s support for TLS. Contact the LuxSci sales team to learn more about our secure SMTP TLS email sending.

Read More