LuxSci

Menu
Contact us
Login

LuxSci Establishes New Headquarters Offices in Cambridge, Mass.

LuxSci New Headquarters Offices

We’re thrilled to announce the opening of LuxSci’s new headquarters offices at Harvard Square in Cambridge, Massachusetts!

The move marks another milestone in our continuing journey to innovate and grow in secure healthcare communications. The new workspace aims to bring our people and teams together for in-person interactions and collaboration, and to better connect with our customers, partners and thought leaders. Located in the heart of one of the world’s most prestigious educational and technology hubs, our new office space reflects our roots and connections to the Massachusetts Institute of Technology (MIT), and our founder Erik Kangas, an MIT alumnus and advisor.

A Strategic Move for Continued Growth and Expansion

Opening our Cambridge office, part of the Industrious complex of offices, is not just about a change in location. The new office puts us at the center of cutting-edge technology in a thriving area for healthcare innovation. As a company deeply rooted in delivering the latest in secure, HIPAA-compliant communication solutions, this move allows us to leverage the rich talent pool and dynamic environment that Cambridge and the Greater Boston area have to offer.

Leading the Way in HIPAA Compliance for Healthcare Communications

At LuxSci, we’re proud to be the leader in HIPAA-compliant communication solutions for the healthcare industry, which includes serving some of the largest organizations in the US. With over two decades of experience, we understand the critical importance of safeguarding sensitive patient information and protected health information (PHI), but also how to increase patient and customer engagement.

The Next Step into Personalized Healthcare Engagement

Effective healthcare communication goes beyond just compliance—it’s about creating personalized and meaningful interactions with patients and customers. This often requires healthcare organizations to move beyond patient portals to open-up new communications channels and use cases, including email, marketing, text and forms—all in a HIPAA-compliant way. By protecting PHI data and using it in your communications for better personalization, you can deliver improved experiences and better outcomes for everyone involved.

Multi-Channel Suite of Secure Healthcare Communications Solutions

Today, LuxSci offers a suite of secure healthcare communication solutions, including support for high volume email, marketing, text messaging, and forms. As the demand for secure, compliant communication tools grows, LuxSci is at the forefront of delivering solutions that keep up with regulations and protect you from the latest threats.

“With our new Cambridge office, we’re launching the company into a new future with valuable connections to our past and where LuxSci was born,” said Mark Leonard, CEO of LuxSci. “Cambridge offers an unparalleled environment for innovation, and we’re excited to to bring our employees, partners and customers together – and to be part of this vibrant community.”

Want to see for yourself?

Contact us today for an in-person visit to talk about the future of secure healthcare
communications. 

Picture of LuxSci

LuxSci

Get in touch

Find The Best Solution For Your Organization

Talk To An Expert & Get A Quote




A member of our staff will reach out to you

Follow us on LinkedIn

Search

Search

Category

Recent Posts

Get Your Free E-Book!

LuxSci High Email Deliverability Best Practices Paper

What you’ll learn:

  • How to opitmize email performance
  • Key strategies to increase email deliverability rates
  • How email deliverability impacts marketing ROI
Get Free Ebook

Related Posts

LuxSci Automated Email Encryption

“Encryption Optional” Email Will Fail Audits in 2026 and Beyond

For years, healthcare organizations have relied on click-to-encrypt email workflows and secure portals as a practical compromise between usability and compliance. Or in some cases, they simply thought most of their emails did not need to be compliant. In regulated industries where data security and privacy are paramount, this approach was still considered “good enough.”

That era is ending.

As we progress into 2026 and beyond, regulators, auditors, and cyber insurers are sending a clear and consistent message: encryption that depends on human choice is no longer acceptable. It’s already happening. Encryption optional email isn’t merely raising concerns, it’s failing audits outright.

An Email Threat Landscape That’s Changing Faster Than Email Habits

Historically, email encryption was treated as a best practice rather than a hard requirement. If an organization could demonstrate that encryption tools existed and that employees had access to them, auditors were often satisfied. The box was checked, everybody moved on.

Today, the questions auditors ask are fundamentally different. Instead of asking whether encryption is available, they are asking whether sensitive data can ever leave the organization unencrypted. If the answer is yes, even in rare cases, or even accidentally, that’s no longer viewed as an acceptable gap. It’s viewed as inadequate control.

Why 2026 Is a Tipping Point for Email Security

Several forces are converging here in 2026 that make optional encryption increasingly untenable. Regulatory scrutiny around PHI and PII exposure continues to intensify. Breach costs and litigation are rising, with email remaining one of the most common vectors for data exposure and breaches. AI is also changing the game for cybercriminals, and attacks will continue to increase and be more sophisticated. As a result, cyber insurers are tightening underwriting requirements and demanding stronger, more predictable controls.

At the same time, email user behavior is unpredictable and inconsistent, which is a non-starter for data security in today’s world.

Taken together, these trends and behaviors point to a single requirement: email security controls must be automated. They must be enforced by systems, not dependent on employee memory, judgment, or good intentions.

The Reality of “Encryption Optional” in Practice

On paper, optional encryption can sound reasonable. In practice, it creates gaps large enough to open you up to a breach.

Secure portals are a good example. They require recipients to click a link, authenticate, and access content in a controlled environment. While this protects data in transit, and is a better approach than no security at all, it also introduces friction. And people don’t like friction. Senders forget to use the portal. Recipients ask for “just a quick email instead.” Shortcuts are taken to save time. And every shortcut becomes a risk.

Click-to-encrypt systems suffer from a similar problem. They rely on users to correctly identify sensitive data and remember to take action. But people often misclassify information, forget to click the button, or assume someone else has already secured the message. From an auditor’s perspective, this isn’t a training failure. It’s a set-up and control failure.

Email Security Defaults Are the New Normal

The latest message from regulators, auditors, and insurers is clear. If encryption is optional, data vulnerabilities become inevitable.

What can you do?

Below is a quick email security checklist to help you get started. Cyber insurers may require or recommend the following safeguards during the underwriting process, such as:

  • Multi-factor authentication (MFA)
  • Endpoint protection
  • Encrypted backups
  • Incident response planning
  • Encryption protocols for sensitive data in transit and at rest, including PHI in emails

In 2026 and beyond, healthcare organizations and regulated industries will be judged not by what they allow, but by what they prevent. Automated, encrypted email is the new. normal.

Want to learn more about LuxSci HIPAA compliant email? Reach out today.

Read More
LuxSci Oiva Health

LuxSci and Oiva Health Combine to Form Transatlantic Healthcare Communications Group

Boston & Helsinki, February 12, 2026 – LuxSci, a provider of secure healthcare communications solutions in the United States, and Oiva Health, a Nordic provider of Digital Care solutions in social and healthcare services, today announced that the companies are joining forces. Backed by Main Capital Partners (“Main”), the combination brings together two complementary platforms and teams, forming a strong transatlantic software group focused on secure healthcare communications.

Founded in 1999, LuxSci is a U.S. provider of HIPAA‑compliant, secure email, marketing, and forms solutions. Its application and infrastructure software enable organizations to securely deliver personalized, sensitive data at scale to support a broad range of healthcare communications and workflows including care coordination, benefits and payments, marketing, wellness communications, after care and ongoing care. Certified by HITRUST for the highest levels of data security, LuxSci serves dozens of healthcare enterprises and hundreds of mid‑market organizations.

Founded in 2010, Oiva Health is a provider of digital care and communications solutions in the Nordics. Headquartered in Finland, with additional offices in Denmark, Norway, and Sweden, Oiva Health offers digital care and digital clinic solutions – including digital visits, secure messaging, online scheduling and appointments, and caregiver communications – serving the long-term care, especially elderly care, and occupational healthcare verticals. The company employs approximately 60 people and has recently expanded across the Nordic region, with a growing presence in Norway and Sweden.

The combination of LuxSci and Oiva Health creates a larger, cross Atlantic group with complementary solutions, serving the U.S. and European markets. Together, the companies offer healthcare providers, payers, and suppliers a comprehensive suite of tools to communicate securely and compliantly, spanning communications, workflows, and virtual care delivery.

Daan Visscher, Partner and Co-Head North America at Main, commented: “We are pleased to announce this cross Atlantic transaction, creating an internationally active secure communications player within the healthcare and home care space. The combined product suite enables healthcare organizations to drive much needed efficiency gains in healthcare provision addressing a global trend of rising costs, aging population, and increasing pressure on resources needed to provide high-quality care.”

Mark Leonard, CEO of LuxSci, said, “We are thrilled to join forces with Oiva Health and believe that together we can truly make a difference in healthcare coordination, access, and delivery. We see an exciting path forward with our customers benefiting from an end-to-end, secure and compliant approach to optimizing both healthcare communications and today’s frontline workers, which we need now more than ever.”

Juhana Ojala, CEO at Oiva Health, concluded, “We look forward to this new chapter together with LuxSci. We are very excited about the strong alignment between our solutions, which especially strongly positions us to expand our flagship Digital Care offering to the high-potential U.S. care market – from care coordination to care delivery to in-home and institutional care.”

Nothing contained in this Press Release is intended to project, predict, guarantee, or forecast the future performance of any investment. This Press Release is for information purposes only and is not investment advice or an offer to buy or sell any securities or to invest in any funds or other investment vehicles managed by Main Capital Partners or any other person.

[END OF MESSAGE]

About LuxSci

LuxSci is a U.S.-based provider of secure healthcare communications solutions for the healthcare industry. The company offers secure email, marketing, forms and hosting, delivering HIPAA‑compliant communication solutions that enable organizations to safely manage and transmit sensitive data. Founded in 1999, LuxSci serves more than 1,900 customers across healthcare verticals, including providers, payers, suppliers, and healthcare retail, home care providers, and healthcare systems, as well as organizations operating in other highly regulated industries. LuxSci is HITRUST‑certified with example clients being Athenahealth, 1800 Contacts, Lucerna Health, Eurofins, and Rotech Healthcare, among others.

About Oiva Health

Oiva Health is a Digital Care provider in the Nordics, offering a comprehensive Digital Platform for integrated health and care services to digitalize primary healthcare, social care, hospital healthcare and long-term care services. The company was founded in 2010 and currently employs approximately 60 people in Finland, Denmark, Norway, and Sweden serving domestic municipalities, customers and partners, such as City of Helsinki, Keski-Suomi Welfare Region, Länsi-Uusimaa Welfare Region in Finland, and Viborg municipality in Denmark with its Digital Care platform. Annually over 5 million customer contacts are handled digitally through Oiva Health’s Digital Care and Digital Clinic platforms.  

About Main Capital Partners

Main Capital Partners is a software investor managing private equity funds active in the Benelux, DACH, the Nordics, France, and the United States with approximately EUR 7 billion in assets under management. Main has over 20 years of experience in strengthening software companies and works closely with the management teams across its portfolio as a strategic partner to achieve profitable growth and create larger outstanding software groups. Main has approximately 95 employees operating out of its offices in The Hague, Düsseldorf, Stockholm, Antwerp, Paris, and an affiliate office in Boston. Main maintains an active portfolio of over 50 software companies. The underlying portfolio employs approximately 15,000 employees. Through its Main Social Institute, Main supports students with grants and scholarships to study IT and Computer Science at Technical Universities and Universities of Applied Sciences.

The sender of this press release is Main Capital Partners.

For more information, please contact:

Main Capital Partners
Sophia Hengelbrok (PR & Communications Specialist)

sophia.hengelbrok@main.nl

+ 31 6 53 70 76 86

Read More
HIPAA Compliant Email

Rethinking HIPAA Compliant Email – Not Just a Checkbox

The compliance-only mentality is outdated.

Let’s be honest—when most healthcare organizations think about HIPAA compliant email, it’s usually in the context of avoiding fines or satisfying checklists. And while yes, compliance is critical, viewing it only through the lens of risk management is a missed opportunity.

In reality, HIPAA compliant email, when implemented properly, is one of the most powerful tools for patient and customer engagement. Why? Because it unlocks the ability to leverage protected health information (PHI) safely, enabling personalized, timely, and high-impact email communication that drives better engagement, satisfaction, and outcomes.

What Makes Email Truly HIPAA Compliant?

As a reminder, HIPAA compliant email requires that protected health information (PHI) is safeguarded both in transit and at rest. That means your email provider must:

  • Use encryption at all times
  • Be access-controlled
  • Include audit logs
  • Be stored and transmitted in a secure manner
  • Provide a Business Associate Agreement

Regular email services just don’t cut it. In fact, most consumer or marketing email platforms like Sendgrid or Constant Contact, while great at sending email, are not HIPAA compliant or have limitations when it comes to using PHI in your messages. Even when bolted-on encryption solutions are used, they often lack the flexibility, scalability, and automation needed for safe and effective healthcare email engagement.

LuxSci goes beyond the basics with policy-based encryption, secure TLS, PKI encryption and escrow/secure portal options. LuxSci’s SecureLine™ encryption technology dynamically selects the appropriate encryption method based on recipient capabilities and messaging context and can be configured to enforce secure delivery automatically according to organizational policies. LuxSci also provides the ability to enforce advanced multi-factor authentication. Every message is tracked with full audit trails—no guesswork, no loose ends.

The Real Opportunity – Secure, Personalized Email with PHI

Using PHI to Drive Personalized Messaging
Imagine sending a personalized reminder to a diabetic patient about an upcoming check-up. Or reaching out to new mothers with postnatal care resources tailored to their needs. Or sending automated email workflows to all your members to accelerate and increase new plan enrollments. Or email customer and prospects about a new product upgrade or new service offering. The list goes on. That’s the power of PHI-personalized email—when done securely.

Targeted Segmentation with Sensitive Data
With HIPAA compliant email solutions like LuxSci, you can segment your audience based on real health data with high levels of precision, such as chronic conditions, appointment history, insurance status, health risks, and more, without compromising patient trust or security.

Breaking the One-Size-Fits-All Approach in Healthcare Email
Generic email blasts are over. Modern patients expect personalization. With LuxSci, you can deliver highly targeted, highly secure emails with encrypted content, while staying HIPAA compliant.

Real Business Results from Secure Email

Here’s how secure, personalized email can drive improved results across a range of healthcare communications, including:

  • Increased Patient Appointments and Follow-ups – Sending encrypted, personalized appointment reminders and follow-up notices can reduce no-shows and boost overall appointment volume.
  • Boosting Preventative Care with Outreach Campaigns – Preventative campaigns (think flu shots or cancer screenings) sent securely to the right segments can lead to higher response rates, better health outcomes, and a lower cost of care.
  • Improving Health Plan Enrollments – Targeted email outreach during open enrollment, tailored by eligibility or plan type, and powered by automated workflows leads to higher enrollments and lower call center costs.
  • Driving Awareness and Sales of New Services or Products – Have a product upgrade offer, new wellness program or telehealth service? Send secure, PHI-informed HIPAA compliant email to the right audience for increased sales and faster adoption.
  • Optimize Explanation of Benefits NoticesReplace snail mail with email that’s fast, reliable and trackable, ensuring customers are informed and compliance is met.

The Healthcare Marketer’s Secret Weapon: Using PHI Responsibly

In a world moving away from third-party cookies, first-party data is more valuable than ever, and PHI is the most powerful form of it in healthcare. With secure HIPAA compliant email, PHI doesn’t have to be locked away. Marketers can safely use it to understand patient needs and send relevant, timely messages. PHI-driven segmentation lets you build hyper-targeted campaigns that speak to relevant conditions, unique needs and timely topics, increasing open rates, clicks throughs, and campaign conversions.

Meeting the Personalization Demands of Today’s Patients and Customers

HIPAA-compliant email is no longer just about checking a box. It’s about unlocking the full potential of your patient and customer data to drive better engagement, healthier outcomes, and measurable business results.

In closing, below are some final thoughts on how secure, HIPAA compliant email delivers long-term value for your organization and better connections with your patients and customers, including:

    • Future-Proofing Healthcare Engagement – Patients expect Amazon-level personalization. HIPAA-compliant tools let you meet those expectations securely.

    • Adapting to Data Privacy Regulations Beyond HIPAA – From GDPR to state-level privacy laws, secure communication is no longer optional, it’s foundational.

    • Building Trust Through Secure Communication – Each secure, personalized message sent is a trust-building moment with your patients and customers.

Why LuxSci? The Infrastructure Behind the Performance

With LuxSci’s secure email infrastructure and email marketing solutions, healthcare organizations can confidently personalize communication, reach patients more effectively, and fuel growth with PHI-safe segmentation, messaging, and email automation.

LuxSci takes data security and email performance to the next level by offering dedicated cloud infrastructure for each customer, which means your email campaigns aren’t slowed down by other vendors on shared cloud services and your attack footprint is much smaller. In short, you get higher delivery rates and throughput with proven HIPAA compliance and data security.

The future of healthcare engagement is personal, secure, and performance-driven—and it starts with HIPAA compliant email done right.

Reach out today with any questions or to learn more about LuxSci.

FAQs

1. Is HIPAA-compliant email necessary for marketing communications?
Yes—if your emails include or are based on PHI (like appointment reminders, condition-based messaging, or insurance info), you need HIPAA-compliant email and recipient consent to avoid legal risk and preserve patient trust.

2. Can PHI be used in marketing emails under HIPAA?
Yes, with proper consent and secure, HIPAA compliant infrastructure like LuxSci’s, PHI can be safely used in emails for personalized, segmented campaigns.

3. How does LuxSci ensure high email deliverability for healthcare messages?
LuxSci uses dedicated cloud servers for each customer, active email reputation monitoring, and best-practice configurations to ensure high deliverability rates for sensitive emails.

4. Is LuxSci only for marketing teams?
No—LuxSci supports marketing, clinical, operations, and IT teams by enabling secure, compliant email communication across the entire organization.

5. What types of PHI can I use to segment campaigns using LuxSci?
You can segment based on chronic conditions, visit history, insurance status, provider details, age, gender, location, and more—all while staying fully compliant.

Read More
HIPAA compliant email

Most Popular LuxSci Blog Posts of 2025

As we close out 2025, healthcare communicators, IT and compliance leaders, and digital marketers face an ever-changing landscape of security threats, regulatory updates, and technology innovations. At LuxSci, we’re committed to helping you with continuous updates and guidance on the future of secure healthcare communications.

In case you missed it, or need a refresh, below are some of our most popular blog posts from 2025. Enjoy!

1. Improve Email Engagement and Marketing Results with Automated Workflows

Automated workflows are transforming how healthcare organizations engage patients and customers — enabling dynamic, event-driven campaigns that easily scale your outreach and keep you HIPAA compliant. In this post, we introduce LuxSci’s Automated Workflows capability for our Secure Marketing healthcare solution. Learn how sequence-based journeys can personalize outreach and optimize engagement with behavior-based triggers that improve campaign performance — without sacrificing data security.

Read the full post: LuxSci Enhances Secure Marketing with Automated Workflows

2. Healthcare Email Threat Readiness Strategies

Email remains a frontline channel for healthcare communications, and a prime target for cyber threats and criminals. This deep-dive into email threat readiness strategies covers essential practices like continuous monitoring, business continuity planning, and workforce training to mitigate email-borne security risks. Whether you’re responsible for clinical systems, marketing, or enterprise IT, this post provides a strategic playbook to strengthen your defenses, while maximizing your results.

Read the full post: Healthcare Email Threat Readiness Strategies

3. HIPAA Compliant Email — 20 Tips in 20 Minutes

For practical guidance you can apply right now, this on-demand webinar distills 20 key tips for HIPAA-compliant email across technical, legal, and operational domains. Whether you’re refining your infrastructure, improving deliverability, or modernizing your data security posture in 2026, this resource is a time-efficient way to elevate your compliance and security.

Read the post and watch the webinar on demand: HIPAA Compliant Email: 20 Tips in 20 Minutes

4. Is SendGrid HIPAA-Compliant? What You Should Know

Choosing the right email provider matters, especially when Protected Health Information (PHI) is at stake. In this post, we examine SendGrid’s capabilities in the context of HIPAA compliance, outline what it takes to send PHI securely, and offer guidance on evaluating third-party services for secure healthcare email and communication needs.

Read the full post: Is SendGrid HIPAA-Compliant?

5. LuxSci Shines in G2 Winter 2026 Reports

Customer feedback matters to LuxSci. In this post, we share the most recent news about LuxSci’s performance in the G2 Winter 2026 Reports, where we earned 20 badges across categories like Email Security, Encryption, Gateway, and HIPAA-Compliant Messaging. These reviews reflect not just product excellence, but trust from real users, which we work hard to build every day!

Read the full post: LuxSci Shines in G2 Winter 2026 Reports

Looking Ahead to 2026

We look forward to providing more information and insights on secure healthcare communications in the coming year, including the latest on HIPAA compliant email, PHI security, healthcare marketing, threat readiness, and personalized engagement. In the meantime, if you’re not already, follow us on LinkedIn below, and we’ll see you here in 2026!

Follow LuxSci on LinkedIn

Read More

You Might Also Like

encrypted email transmission

Is the Email Encrypted? How to Tell if an Email is Transmitted Using TLS

SMTP TLS encryption is popular because it provides adequate data protection without creating a complicated user experience for email recipients. Sometimes, though, the experience is too seamless, and recipients may wonder if the message was protected at all.

Luckily, there is a way to tell if an email was encrypted using TLS. To see if a message was sent securely, we can look at the raw headers of the email. However, it requires some knowledge and experience to understand the text. It is actually easier to tell if a recipient’s server supports TLS than to tell if a particular message was securely transmitted.

To analyze a message for transmission security, we will look at an example email message sent from Hotmail to LuxSci. We will explain what to look for when decoding the message headers and how to tell if the email was transmitted using TLS encryption.

An Example Email Message

First, we must understand how an email message typically travels through several machines on its way from the sender to the recipient. Roughly speaking:

  1. The sender’s computer talks to the sender’s email or WebMail server to upload the message.
  2. The sender’s email or WebMail server then talks to the recipient’s inbound email server and transmits the message to them.
  3. Finally, the recipient downloads the message from their email server.

It is step 2 that people are most concerned about when trying to understand if their email message is transmitted securely. They usually assume or check that everything is secure and OK at the two ends. Indeed, most users who need to can take steps to ensure that they are using SSL-enabled WebMail or POP/IMAP/SMTP/Exchange services so that steps 1 and 3 are secure. The intermediate step, where the email is transmitted between two different providers, is where messages may be sent insecurely.

To determine if the message was transmitted securely between the sender’s and recipient’s servers (over TLS), we need to extract the “Received” header lines from the received email message. If you look at the source of the email message, the lines at the top start with “Received.” Let’s look at an example message from a Hotmail user below. The email addresses, IPs, and other information are obviously fake.

LuxSci:

The Outlook email was sent to a LuxSci user. The Received headers appear in reverse chronological order, starting with the server that touched the message last. Therefore, in this example, we see the LuxSci servers first.

Received: from abc.luxsci.com ([1.1.1.1])
	by def.luxsci.com (8.14.4/8.13.8) with ESMTP id r7JEfLgH003867
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
	for <user-xyz@def.luxsci.com>; Mon, 19 Aug 2019 10:41:21 -0400
Received: from abc.luxsci.com (localhost.localdomain [127.0.0.1])
	by abc.luxsci.com (8.14.4/8.13.8) with ESMTP id r7JEfK0Z030182
	for <user-xyz@def.luxsci.com>; Mon, 19 Aug 2019 09:41:20 -0500
Received: (from mail@localhost)
	by abc.luxsci.com (8.14.4/8.13.8/Submit) id r7JEfKXD030178
	for user-xyz@def.luxsci.com; Mon, 19 Aug 2019 09:41:20 -0500
Received: from dispatch1-us1.ppe-hosted.com (dispatch1-us1.ppe-hosted.com [2.2.2.2])
	by abc.luxsci.com (8.14.4/8.13.8) with ESMTP id r7JEfIkK030002
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
	for <someone@luxsci.net>; Mon, 19 Aug 2019 09:41:19 -0500

Proofpoint:

LuxSci uses an email filtering service, Proofpoint. Messages reach Proofpoint’s servers before being delivered to LuxSci. Here’s what their servers report about the email transmission:

Received: from unknown [65.54.190.216] (EHLO bay0-omc4-s14.bay0.hotmail.com)
	by dispatch1-us1.ppe-hosted.com.ppe-hosted.com
        (envelope-from <someone@hotmail.com>);
	Mon, 19 Aug 2019 08:41:18 -0600 (MDT)

Outlook:

And finally, here’s what we see from Oultook’s server.

Received: from BAY403-EAS373 ([65.54.190.199]) by bay0-omc4-s14.bay0.outlook.com
       with Microsoft SMTPSVC(6.0.3790.4675); 
       Mon, 19 Aug 2019 07:41:19 -0700

How to Use Received Message Headers to Tell if the Email is Encrypted

The message headers contain information that can help us determine if an email is encrypted. Here are a few helpful notes to help you decode the text:

  1. We said this above, but the message headers appear in reverse chronological order. The first one listed shows the last server that touched the message; the last one is the first server that touched it (typically the sending server).
  2. Each Received line documents what a server did and when.
  3. There are three sets of servers involved in this example: one machine at Hotmail, one machine at Proofpoint, where our Premium Email Filtering takes place, and some machines at LuxSci, where final acceptance of the message and subsequent delivery happened.

Presumably, the processing of email within each provider is secure. The place to be concerned about is the hand-offs between Hotmail and Proofpoint and between Proofpoint and LuxSci, as these are the big hops across the internet between providers.

In the line where LuxSci accepts the message from Proofpoint, we see:

(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)

This section, typical of most email servers running “sendmail” with TLS support, indicates that the message was encrypted during transport with TLS using 256-bit AES encryption. (“Verify=not” means that LuxSci did not ask Proofpoint for a second SSL client certificate to verify itself, as that is not usually needed or required for SMTP TLS to work correctly). Also, “TLSv1/SSLv3” is a tag that means that “Some version of SSL or TLS was used;” it does not mean that it was SSL v3 or TLS v1.0. It could have been TLS v1.2 or TLS v1.3.

So, the hop between Proofpoint and LuxSci was locked down and secure. What about the hop between Hotmail and Proofpoint? The Proofpoint server’s Received line makes no note of security at all! This means that the email message was probably not encrypted during this step.

Hotmail either did not support opportunistic TLS encryption for outbound emails, or Proofpoint did not support receipt of messages over TLS, and thus, TLS could not be used. With additional context, you can know which server supports TLS and which does not.

In this case, we know that Proofpoint supports inbound TLS encryption. In fact, from another example message where LuxSci sent a message to Proofpoint, we see the Received line:

Received: from unknown [44.44.44.44] (EHLO wgh.luxsci.com)
	by dispatch1-us1.ppe-hosted.com.ppe-hosted.com
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	with ESMTP id b-022.p01c11m003.ppe-hosted.com
        (envelope-from <from@domain.com>);
	Mon, 02 Feb 2009 19:28:27 -0700 (MST)

The red text makes it clear that the message was indeed encrypted. Based on the additional context, we can deduce that the Hotmail sending server did not securely transmit the email using TLS.

How To Tell if an Email is Encrypted With TLS

  1. When analyzing your message headers, consider the following items to determine if the email is encrypted:
    1. The receiving server will log what kind of encryption, if any, was used in receiving the message in the headers.
    2. Different email servers use different formats and syntax to display the encryption used. Look for keywords like “SSL,” “TLS,” and “Encryption,” which will signify this information.
    3. Not all servers will record the use of encryption. While LuxSci has always logged encryption use, not every email service provider does. It is possible to use TLS encryption and not log it. Sometimes, there is no way to tell from the headers if a message is encrypted if it is not logged.
    4. Messages passed between servers at the same provider do not necessarily need TLS encryption to be secure. For example, LuxSci has back-channel private network connections between many servers so that information can be securely passed between them without SMTP TLS. So, the lack of TLS usage between two servers does not mean the transmission between them was “insecure.” You may also see multiple received lines listing the same server: the server passes the message between different processes within itself. This communication also does not need to be TLS encrypted.
    5. If you are a LuxSci customer, you can view online email delivery reports to see if TLS was used for any particular message. We record the kind of encryption in the delivery reports, so it’s easy to see which emails were encrypted.

How can you Ensure Emails Are Securely Transmitted?

With some servers not recording TLS in message headers, how can you determine if a message was transmitted securely from sender to recipient?

To answer this question accurately, you must understand the properties, servers, and networks involved. It may be easy to determine that the message was transmitted securely if included in the header information. However, the absence of information does not necessarily mean the message was insecurely transmitted. You can only know this if you know what each system’s servers record.

In our example of a message from Hotmail to LuxSci, you need to know that:

  1. Proofpoint and LuxSci will always log the use of TLS in the headers. We can infer that the Hotmail to Proofpoint transmission was not secure as nothing was recorded there.
  2. The transmission of messages within LuxSci’s infrastructure is secure due to private back channel transmissions. So, even though there is no mention of TLS in every Received line after LuxSci accepts the message from Proofpoint (in this example), transferring the messages between servers in LuxSci is as secure as using TLS. Also, the same server can add multiple received lines as it talks to itself. Generally, these hand-offs on the same server will not use TLS, as there is no need. In the LuxSci example, we see this as “abc.luxsci.com” adds several headers.
  3. We don’t know anything about Hotmail’s email servers, so we don’t know how secure the initial transmissions within their network are. However, since we know they did not securely transmit the message to Proofpoint, we are not confident that the transmissions and processing within Hotmail (which may have gone unrecorded) were secure.

Was the email message sent and received using encryption?

We skipped steps 1 and 3 and focused on step 2 – the transmission between servers. Steps 1 and 3 are equally, if not more, necessary. Why? Because eavesdropping on the internet between ISPs is less of a problem than eavesdropping near the sender and recipient (i.e., in their workplace or local wireless hotspot). So, it’s essential to ensure messages are sent securely and received securely. This means:

  • Sending: Use SMTP over SSL or TLS when sending messages from an email client or use WebMail over a secure connection (HTTPS).
  • Receiving: Ensure your POP or IMAP connection is secured via SSL or TLS. If using WebMail to read your email, be sure it is over a secure connection (HTTPS).
  • WebMail: There is generally no record in the email headers to indicate if a message sent using WebMail was transmitted from the end-user to WebMail over a secure connection (SSL/HTTPS).

You can typically control one side and ensure it is secure; you can’t control the other without taking extra steps. So, what can you do to ensure your message is secure even if it might not be transmitted with encryption or if the recipient tries to access it insecurely?

You could use end-to-end email encryption (like PGP or S/MIME, which are included in SecureLine) or a secure web portal that doesn’t require the recipient to install or set up anything to get your secure email message. These methods meet HIPAA and other regulatory compliance requirements for secure data transmission and provide complete confidence that the message will be sent and received securely.

LuxSci’s SecureLine offers flexible encryption options, including TLS, secure web portal, PGP, and S/MIME. Its dynamic capabilities can determine what types of encryption the recipient’s server supports to ensure your emails are always sent securely. Contact our team today to learn more about how to secure your emails.

Read More
b2b medical marketing

Why Is Doctor Patient Email Communication Transforming Healthcare?

Doctor patient email communication is changing healthcare delivery by providing secure, convenient channels for medical consultations, follow-up care, and health information sharing between physicians and their patients. This digital communication method enables patients to ask questions, receive test results, and discuss treatment concerns outside traditional office visits while maintaining HIPAA compliance through encrypted platforms. Healthcare providers increasingly recognize that doctor patient email communication improves patient satisfaction, reduces phone call volumes, and creates documented records of medical discussions that enhance care coordination and clinical decision-making.

Clinical Benefits of Doctor Patient Email Communication

Patient outcomes improve when physicians maintain electronic communication channels with their patients between scheduled appointments. Chronic disease management becomes more effective as patients can report symptoms, share monitoring data, and receive medication adjustments through secure messaging rather than waiting weeks for the next office visit. Diabetic patients who communicate glucose readings electronically show better glycemic control compared to those relying solely on quarterly appointments for blood sugar management discussions. Healthcare providers leveraging doctor patient email communication can send personalized reminders and educational content directly to patient email accounts, increasing preventive care compliance. Vaccination schedules, cancer screening appointments, and wellness check-ups receive higher participation rates when patients receive convenient electronic reminders with easy scheduling options. Follow-up care after procedures becomes more systematic when physicians can check on patient recovery progress through structured email communications rather than hoping patients will call with concerns.

Medication adherence patterns show improvement when patients have direct access to their prescribing physicians for questions about side effects, dosing concerns, or treatment effectiveness. Patients experiencing medication-related issues can receive prompt guidance through secure email, preventing treatment discontinuation that might otherwise occur if patients cannot reach their physicians quickly. Mental health patients particularly benefit from email communication options that allow them to discuss medication effects and mood changes between therapy sessions. Emergency situation prevention occurs when patients can communicate concerning symptoms to their physicians promptly rather than waiting for symptoms to worsen. Early intervention opportunities arise when patients describe symptom changes through secure messaging, allowing physicians to provide guidance about when to seek immediate care versus when to monitor symptoms at home. These timely communications can prevent unnecessary emergency department visits while ensuring appropriate medical attention when needed.

Better Patient Experience Through Electronic Communication

Convenience factors drive patient satisfaction scores higher in practices offering robust email communication options. Patients appreciate being able to ask questions about their health concerns without taking time off work for phone calls during business hours. Working parents find email communication particularly valuable for discussing their children’s health issues when calling during school hours is impractical. Elderly patients often prefer written communication that allows them time to formulate questions thoughtfully and review physician responses carefully. Communication barriers decrease when patients can express complex health concerns in writing rather than trying to remember everything during brief office visits. Language differences become more manageable when patients can use translation tools to compose questions in their native language and receive responses they can translate at their own pace. Hearing-impaired patients benefit significantly from written communication that eliminates telephone communication challenges.

Documentation benefits emerge when patients receive written responses to their health questions that they can reference repeatedly and share with family members or other healthcare providers. Medication instructions, dietary recommendations, and treatment plans become clearer when patients can review detailed written guidance from their physicians. Care coordination improves when patients can forward physician communications to specialists or other healthcare team members involved in their treatment. Access equity expands when patients in rural areas can communicate with specialists through secure email rather than traveling long distances for brief consultations. Transportation barriers that prevent some patients from accessing healthcare are reduced when routine follow-up discussions can occur electronically. Doctor patient email communication creates opportunities for healthcare access that would otherwise be limited by geographic, mobility, or scheduling constraints.

Practice Efficiency and Workflow Optimization

Administrative burden reduction is a by product of routine patient questions being answered through email rather than requiring phone calls that interrupt clinical workflow. Reception staff spend less time taking messages and scheduling callbacks when patients can communicate directly with their physicians through secure platforms. Documentation time decreases when physician responses are automatically captured in electronic health records rather than requiring manual notes from telephone conversations. Appointment scheduling can become more efficient when patients can request appointments, receive confirmations, and make changes through secure email systems integrated with practice management software. No-show rates decline when patients receive email reminders with options to reschedule or cancel appointments conveniently. Last-minute appointment changes can be communicated quickly through email, allowing practices to fill cancelled slots with other patients needing care.

Revenue optimization results from improved care coordination and patient retention that doctor patient email communication facilitates. Patients who feel connected to their healthcare providers through convenient communication channels are more likely to remain with practices long-term and refer family members for care. Billing efficiency improves when patient questions about statements, insurance coverage, or payment options can be handled through email rather than requiring phone calls during busy reception hours. Quality metrics change when physicians can provide consistent, documented responses to patient questions rather than relying on verbal communication that may be misunderstood or forgotten. Patient safety indicators benefit from written communication that creates clear records of medical advice, treatment instructions, and patient concerns. Continuity of care strengthens when multiple healthcare team members can review email communications to understand patient status and treatment responses.

Risk Management with Doctor Patient Email Communication

Privacy protection requirements necessitate robust security measures for all electronic communications containing patient health information. Healthcare providers implementing doctor patient email communication must ensure their platforms include end-to-end encryption, secure authentication protocols, and audit logging capabilities that meet HIPAA standards. Business associate agreements with email service providers must specify exactly how patient communications will be protected and what security measures will be maintained throughout message transmission and storage. Liability considerations require healthcare providers to establish clear policies about what types of medical issues are appropriate for email discussion versus what requires telephone or in-person evaluation. Emergency situations, urgent symptoms, and complex medical decisions typically require immediate communication methods rather than email responses that patients may not check promptly. Professional liability insurance policies should be reviewed to ensure coverage for medical advice provided through electronic communication channels.

Documentation standards for electronic communications must meet the same requirements as other medical records, with secure storage, appropriate retention periods, and accessibility for audit purposes. Email communications containing medical advice or patient health information must be integrated with electronic health record systems to maintain comprehensive patient documentation. These records must be available for legal discovery, regulatory audits, and quality improvement activities. Consent procedures should inform patients about the security measures protecting their email communications while acknowledging that electronic transmission carries inherent privacy risks despite protective measures. Patients should understand their role in protecting their email accounts from unauthorized access and know what steps to take if they suspect their health information has been compromised. Healthcare providers benefit from obtaining written acknowledgment that patients understand email communication policies and security limitations.

Platform Selection for Doctor Patient Email Communication

Electronic health record integration ensures that doctor patient email communication becomes part of comprehensive patient documentation rather than existing as separate communication silos. Seamless data flow between email platforms and clinical documentation systems eliminates duplicate data entry while ensuring that all patient interactions are properly recorded in medical records. Integration capabilities should include automatic population of patient communications into appropriate sections of electronic health records. Mobile accessibility enables both physicians and patients to participate in secure email communication from various devices without compromising security standards. Healthcare providers need platforms that maintain encryption and authentication requirements across desktop computers, tablets, and smartphones used for patient communication. Mobile applications should provide the same security features as desktop platforms while offering convenient access for busy healthcare providers and patients.

Scalability planning ensures that email communication systems can accommodate growing patient populations and increasing message volumes without degrading performance or security. Healthcare practices experiencing growth need platforms that can add users, increase storage capacity, and expand functionality without requiring complete system replacements. Those mastering doctor patient email communication recognize that technology investments should support long-term practice development rather than creating limitations that require frequent system changes. Interoperability standards enable email platforms to communicate effectively with other healthcare information systems, including laboratory reporting systems, pharmacy networks, and specialist referral platforms. These connections create seamless workflows that reduce administrative burden while ensuring that patient communications are appropriately integrated with all aspects of their healthcare experience. Healthcare providers benefit from email systems that can exchange information securely with the various technology platforms used throughout modern healthcare delivery.

Read More
Best HIPAA Compliant Email Software

Is ProtonMail HIPAA Compliant?

ProtonMail can be HIPAA compliant with proper implementation and a signed Business Associate Agreement (BAA). The platform offers end-to-end encryption, secure message storage, and multiple authentication factors that align with HIPAA security requirements. Healthcare organizations must obtain ProtonMail’s BAA, implement appropriate usage policies, and ensure staff understand proper email handling practices to maintain compliance when using the service for patient communications.

ProtonMail’s Security Architecture and HIPAA Compliant Status

ProtonMail provides several security features that support HIPAA compliance requirements. End-to-end encryption protects message content from interception during transmission and prevents ProtonMail itself from accessing message contents. Zero-access encryption ensures emails remain encrypted while stored on ProtonMail’s servers. Two-factor authentication adds protection beyond passwords when accessing accounts. Message expiration allows senders to set automatic deletion timeframes for sensitive communications. The platform’s Swiss location provides additional privacy protections under Swiss law. While these technical features are the foundation for becoming HIPAA complia, tentchnology alone doesn’t create compliance without proper organizational measures and agreements.

Business Associate Agreement Availability

Healthcare organizations must obtain a Business Associate Agreement before using any service for protected health information. ProtonMail offers BAAs for users of their Professional and Enterprise plans, but not for free or Plus accounts. The agreement establishes ProtonMail’s responsibilities for protecting healthcare data according to HIPAA regulations. Organizations should review the BAA terms carefully to understand which ProtonMail features and services it covers. The agreement outlines breach notification procedures and compliance responsibilities for both parties. Without this formal agreement in place, healthcare organizations cannot legally use ProtonMail for patient information regardless of the platform’s security capabilities or other protective measures implemented.

Limitations and Compliance Challenges

Despite strong security features, ProtonMail presents several challenges for healthcare organizations seeking HIPAA compliance. When sending emails to non-ProtonMail users, end-to-end encryption requires recipients to access messages through a separate portal using shared passwords, potentially creating friction in patient communications. Access controls may not provide the granularity needed for larger healthcare organizations with complex permission requirements. Audit logging capabilities could fall short of HIPAA’s detailed tracking requirements for some implementations. Integration with existing healthcare systems might require custom development work. Organizations must evaluate these limitations against their workflow needs and compliance requirements before selecting ProtonMail as their email solution.

Implementation Requirements for Healthcare Users

Healthcare organizations using ProtonMail must implement several measures beyond basic account setup. Administrative policies should clearly define what types of patient information may be communicated via email. Staff training needs to cover proper handling of protected health information, including when encryption is required and how to verify recipient addresses. Organizations must establish procedures for securely communicating passwords when sending encrypted messages to non-ProtonMail users. Account management processes should address staff departures and role changes to maintain appropriate access controls. Documentation practices need to demonstrate compliance measures during potential regulatory reviews or audits. The completeness of these organizational measures ultimately determines whether ProtonMail functions as a HIPAA compliant solution.

Comparison with Healthcare-Focused Email Solutions

ProtonMail differs from email services specifically designed for healthcare organizations. While ProtonMail emphasizes general security and privacy, healthcare-focused providers build their services around HIPAA compliance requirements. Specialized solutions often include features like automated patient data detection, healthcare-specific DLP rules, and integration with electronic health records. Their administrative tools typically provide more detailed compliance reporting tailored to healthcare requirements. Support staff understand healthcare workflows and compliance challenges. Healthcare-specific platforms may offer simpler HIPAA compliant documentation to streamline regulatory requirements. Organizations must weigh whether ProtonMail’s general security approach or a healthcare-specialized solution better addresses their individual requirements.

Practical Usage Guidelines for Healthcare Organizations

Healthcare organizations can maximize ProtonMail’s HIPAA compliant potential through thoughtful usage practices. Creating clear distinction between communications containing protected health information and general business emails helps maintain appropriate security boundaries. Implementing standardized subject line tags identifies messages containing patient information. Establishing approved contact lists ensures protected information goes only to verified recipients. Creating email templates for common patient communications helps maintain consistency and proper security practices. Developing escalation procedures addresses situations where email might not provide appropriate security for particularly sensitive information. Regular security reviews verify that ProtonMail usage continues to meet both regulatory requirements and organizational security standards as practices evolve.

Read More
hands on a keyboard sending secure email

How to Secure SMTP Email Delivery with TLS

Secure email sending is a priority for organizations that communicate sensitive data externally. One of the most common ways to send secure emails is with SMTP TLS. TLS stands for Transport Layer Security and is the successor of SSL (Secure Socket Layer). TLS is one of the standard ways that computers on the internet transmit information over an encrypted channel. In general, when one computer connects to another computer and uses TLS, the following happens:

  1. Computer A connects to Computer B (no security)
  2. Computer B says “Hello” (no security)
  3. Computer A says, “Let’s talk securely over TLS” (no security)
  4. Computers A and B agree on how to do this (secure)
  5. The rest of the conversation is encrypted (secure)

In particular:

  • The conversation is encrypted
  • Computer A can verify the identity of Computer B (by examining its SSL certificate, which is required for this dialog)
  • The conversation cannot be eavesdropped upon (without Computer A knowing)
  • A third party cannot modify the conversation
  • Third parties cannot inject other information into the conversation.

TLS and SSL help make the internet a more secure place. One popular way to use TLS is to secure SMTP to protect the transmission of email messages between servers.

Secure SMTP Email Delivery with TLS 

The mechanism and language by which one email server transmits email messages to another email server is called Simple Mail Transport Protocol, or SMTP. For a long time, email servers have had the option of using TLS to transparently encrypt the message transmission from one server to another.

When available, using TLS with SMTP ensures the message contents are secured during transmission between the servers. Unfortunately, not all servers support TLS! Many email providers, especially free or public ones, have historically not supported TLS. Thankfully, the trend is shifting. LuxSci found that most providers now support TLS- approximately 85% of domains tested as of July 2022.

Using TLS requires that the server administrators:

  1. purchase SSL certificates
  2. configure the email servers to use them (and keep these configurations updated)
  3. allocate additional computational resources on the email servers involved.

For TLS transmission to be used, the destination email server must offer support for TLS, and the sending computer or server must be configured to use TLS connections when possible.

The sending computer or server could be configured for:

  1. No TLS: never use it.
  2. Opportunistic TLS: use it if available; if not, send it insecurely.
  3. Forced TLS: use TLS or do not deliver the email at all.

How Secure is Email Delivery over SMTP TLS?

TLS protects the transmission of the email message contents. It does nothing to protect the security of the message before it is sent or after it arrives at its destination. For that, other encryption mechanisms may be used, such as PGP, S/MIME, or storage in a secure portal.

For sending sensitive information to customers, transmission security is the minimum standard for compliance with healthcare and financial regulations. TLS is appropriate to meet most compliance requirements and offers an excellent alternative to more robust and less user-friendly encryption methods (like PGP and S/MIME).

There are different versions of TLS- 1.0 and 1.1 use older ciphers and are not as secure, while TLS 1.2 and 1.3 use newer ciphers and are more secure. When an email is sent, the level of TLS used is as secure as can be negotiated between the sending and receiving servers. If they both support strong encryption (like AES 256), then that will be used. If not, a weaker grade of encryption may be used. The sending and receiving servers can choose the types of encryption they will support. If there is no overlap in what they support, then TLS will fail (this is rare).

What About Replies to Secure Messages?

Let’s say you send a message to someone that is securely delivered to their inbox over TLS. Then, that person replies to you. Will that reply be secure? This may be important if you are communicating sensitive information. The reply will use TLS only if:

  1. The recipient’s servers support TLS for outbound email (there is no way to test this externally).
  2. The mail servers (where the “From” or “Reply” email address is hosted) support TLS for inbound email.
  3. Both servers support overlapping TLS ciphers and protocols and can agree on a mutually acceptable means of encryption.

Unless familiar with the providers in question, it cannot be assumed that replies will use TLS. So, what should you do? Ultimately, it depends on what compliance standards you must meet, the level of risk you are willing to accept, and the types of communications you send. There are two general approaches to this question:

  1. Conservative. If replies must be secure in all cases, assuming TLS will be used is unreasonable. In this case, a more secure method should be used to encrypt the messages in transit and store them upon arrival. The recipient must log in to a secure portal to view the message and reply securely. Alternatively, PGP or S/MIME could be used for additional security.
  2. Aggressive. In some compliance situations like HIPAA, healthcare providers must ensure that ePHI is sent securely to patients. However, patients are not beholden to HIPAA and can send their information insecurely to anyone they want. If the patient’s reply is insecure, that could be okay. For these reasons, and because using TLS for email security is so easy, many do not worry about the security of email replies. However, this should be a risk factor you consider in an internal security audit. Consider nuanced policies that allow you to send less sensitive messages with TLS while sending more sensitive messages with higher security.

What are the Weaknesses of SMTP TLS?

As discussed, SMTP TLS has been around for a long time and has recently seen a great deal of adoption. However, it has some deficiencies compared to other types of email security:

  • There is no mandatory support for TLS in the email system.
  • A receiver’s support of the SMTP TLS option can be trivially removed by an active man-in-the-middle because TLS certificates are not actively verified.
  • Encryption is not used if any aspect of the TLS negotiation is undecipherable/garbled. It is very easy for a man-in-the-middle to inject garbage into the TLS handshake (which is done in clear text) and have the connection downgraded to plain text (opportunistic TLS) or have the connection fail (forced TLS).
  • Even when SMTP TLS is offered and accepted, the certificate presented during the TLS handshake is usually not checked to see if it is for the expected domain and unexpired. Most MTAs offer self-signed certificates as a pro forma. Thus, in many cases, one has an encrypted channel to an unauthenticated MTA, which can only prevent passive eavesdropping.

The Latest Updates to Secure SMTP TLS

Some solutions help remedy these issues—for example, SMTP Strict Transport Security. SMTP STS enables recipient servers to publish information about their SMTP TLS support in their DNS. This prevents man-in-the-middle downgrades to plain text delivery, ensures more robust TLS protocols are used, and can enable certificate validation.

In addition, users can adopt TLS 1.3. NIST recommends that government agencies develop migration plans to support TLS 1.3 by January 1, 2024. LuxSci supports both SMTP MTA-STS and TLS 1.3.

How Secure SMTP TLS Email Works with LuxSci

Inbound TLS

LuxSci’s inbound email servers support TLS for encrypted inbound email delivery from any sending email provider that also supports that. For selected organizations, LuxSci also locks down its servers to only accept email from them if delivered over TLS.

Outbound Opportunistic TLS

LuxSci’s outbound email servers will always use TLS with any server that claims to support it and with whom we can talk TLS v1.0+ using a strong cipher. The message will not be sent securely if the TLS connection to such a server fails (due to misconfiguration or no security protocols in common). Outbound opportunistic TLS encryption is automatic for all LuxSci customers, even those without SecureLine.

Forced TLS

When Forced TLS is enabled, the message is either dropped or sent with an alternate form of encryption if the recipient’s server does not support TLS. This ensures that messages will never be sent insecurely. Forced TLS is also in place for all LuxSci customers sending to banks and organizations that have requested that we globally enforce TLS to their servers.

Support for strong encryption

LuxSci’s servers will use the strongest encryption supported by the recipient’s email server. LuxSci servers will never employ an encryption cipher that uses less than 128 bits (they will fail to deliver rather than deliver via an excessively weak encryption cipher), and they will never use SSL v2 or SSL v3.

Does LuxSci Have Any Other Special TLS Features?

When using LuxSci SecureLine for outbound email encryption:

  1. SMTP MTA STS: LuxSci’s domains support SMTP MTA STS, and LuxSci’s SecureLine encryption system leverages STS information about recipient domains to improve connection security.
  2. Try TLS: Account administrators can have secure messages “try TLS first” and deliver that way. If TLS is unavailable, the messages would fall back and use more secure options like PGP, S/MIME, or Escrow. Email security is easy, seamless, and automatic when communicating internally or with others who support TLS.
  3. TLS Exclusive: This is a special LuxSci-exclusive TLS sending feature. TLS Exclusive is just like Forced TLS, except that messages that can’t connect over TLS are just dropped. This is ideal for low-importance emails that must still be compliant, like email marketing messages in healthcare. In such cases, the ease of use of TLS is more important than receiving the message.
  4. TLS Only Forwarding: Account administrators can restrict any server-side email forwarding settings in their accounts from allowing forwarding to any email addresses that do not support TLS for email delivery.
  5. Encryption Escalation: Often, TLS is suitable for most messages, but some messages need to be encrypted using something stronger. LuxSci allows users to escalate the encryption from TLS to Escrow with a click (in WebMail) or by entering particular text in the subject line (for messages sent from email programs like Outlook).
  6. Domain Monitoring: When TLS delivery is enabled for SecureLine accounts, messages will never be insecurely sent to domains that purport to be TLS-enabled, i.e., TLS delivery is enforced and no longer “opportunistic.” The system monitors these domains and updates their TLS-compliance status daily.
  7. Double Encryption: Messages sent using SecureLine and PGP or S/MIME will still use Opportunistic TLS whenever possible for message delivery. In these cases, messages are often “double encrypted.” First, they are encrypted with PGP or S/MIME and may be encrypted again during transport using TLS.
  8. No Weak TLS: Unlike many organizations, LuxSci’s TLS support for SMTP and other servers only supports those protocol levels (e.g., TLS v1.0+) and ciphers recommended by NIST for government communications and which are required for HIPAA. So, all communications with LuxSci servers will be over a compliant implementation of TLS.

For customers who can use TLS to meet security or compliance requirements, it enables seamless security and “use of email as usual.” SecureLine with Forced TLS enables clients to take advantage of this level of security whenever possible while automatically falling back to other methods when TLS is unavailable.

Of course, using Forced TLS as the sole method of encryption is optional; if your compliance needs are more substantial, you can turn off TLS-Only delivery or restrict it so that it is used only with specific recipients.

If your email use cases are complicated, LuxSci’s flexibility enables the secure sending of emails to any recipient, regardless of their email service provider’s support for TLS. Contact the LuxSci sales team to learn more about our secure SMTP TLS email sending.

Read More