Blog

How safe are HTTPS connections? Not as safe as you think.
By Alex Mushkin

While using the internet, you have probably noticed that some websites use HTTP connections while others use HTTPS. The major difference is that HTTPS connections are considered “secure” while HTTP ones are not. This raises the question: how safe are HTTPS connections really?

When making an online purchase, any reputable website will require a secure HTTPS connection before requesting payment information and completing the transaction.  HTTPS is the ubiquitous method used by browsers and websites to securely exchange sensitive data.  Its underlying encryption has historically been provided by SSL, which is a familiar term to many Internet users.  SSL uses digital certificates and strong encryption to create a secure tunnel between a web browser and web server.  For online purchases, it allows you to safely enter your account details, provide your credit card payment information and complete the transaction.

Unfortunately, weaknesses have been discovered in SSL encryption, making HTTPS connections not as safe as you’d expect. Hackers have used these exploits to break through its security protection, so sensitive data you exchanged over an HTTPS connection may not be as protected as you think. Fortunately, HTTPS can use additional encryption protocols that don’t have the weaknesses uncovered in SSL. Specifically, TLS (Transport Layer Security) can be used, and it’s already supported by a wide range of web browsers and websites.

But which websites support TLS, and better yet, which ones have disabled SSL altogether so that only the more secure TLS protocol can be used? Unfortunately, without running complicated third-party cryptography tools, it’s almost impossible to tell.

In many ways, you place your trust in the vendors that you do business with. DataMotion specializes in data security and compliance with privacy regulations. Being a trusted supplier to thousands of organizations over the past 16 years, we do not take that trust lightly. As part of our continuous security operations, we stay informed of emerging threats like the SSL vulnerability and apply immediate corrective action. While the security changes occur behind the scenes, invisible to our users, the relationships we form with our customers are visible in everything that we do.

While many web browsers, websites, and email services use TLS encryption, is it really good enough?

Opportunistic TLS – Two Good Ways to Put Your Email at Risk
By Bob Janacek

Email encryption allows organizations to protect sensitive messages and increase their compliance with privacy regulations.  One common encryption method, known as opportunistic TLS, automatically tries to secure the path that messages take when they travel to recipient email systems.  Since this type of encryption is completely transparent to users, organizations often utilize opportunistic TLS to comply with privacy and security regulations.

Unfortunately, compliance strategies based on opportunistic TLS result in frequent breaches where sensitive data is sent over the public internet without encryption.

There are two main scenarios where breaches can occur.

First, and the most common case, is when recipient email systems do not support TLS encryption.  As a result, encrypted paths are not established for sensitive messages to travel.  Opportunistic TLS systems will then step down to standard delivery, and send messages to those systems without any encryption.


The second case, also frequently encountered, is when the recipient utilizes a cloud-based anti-virus and anti-spam service.  These services often support TLS when receiving email, so a sending system configured for opportunistic TLS believes it has delivered the message securely to the recipient’s email server.  Actually, the message was delivered securely to an intermediary.  There is no way for the sending system to know if the next leg of the message’s journey, from the cloud service down to the recipient’s email system, is actually secure.  Unfortunately, in most cases, this leg of the message’s journey is not TLS enabled, so messages travel over the public internet in unencrypted form.  And as a result, a breach in compliance regulations has occurred.

Despite the problems of opportunistic TLS, delivering messages by TLS when possible is still a good method to protect sensitive data. However, it should only be enabled on a case-by-case basis, when end-to-end encryption between email systems can be confirmed. As a holistic secure data delivery system, DataMotion SecureMail ensures that all of your messages are delivered with end-to-end security. It does this by supporting a variety of delivery methods, including TLS. This allows your organization to easily exchange sensitive data with the widest range of customers, partners and vendors while maintaining compliance with privacy regulations.
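The two failure modes described above, as an added illustration (not DataMotion’s code): it models an outbound relay that reads only the EHLO banner of the host it connects to, using constructed banners and the assumption that a forwarding intermediary is itself opportunistic.

```python
"""Model of the two opportunistic-TLS failure modes.

The sending relay sees one thing: the EHLO reply of the first host it
connects to.  Whether that host is the recipient's own mail server or a
cloud filtering service that forwards onward is invisible to the sender.
Added example, not DataMotion code; all hosts and banners are constructed.
"""

from dataclasses import dataclass
from typing import List

OPPORTUNISTIC = "opportunistic"  # use TLS if offered, else fall back to cleartext
REQUIRED = "required"            # use TLS, or do not deliver at all


@dataclass
class Hop:
    """One leg of delivery: the receiving host and its EHLO reply lines."""
    host: str
    ehlo: List[str]


def offers_starttls(ehlo_lines: List[str]) -> bool:
    """Parse a multi-line EHLO reply ('250-' / '250 ' prefixes, RFC 5321)
    and report whether the STARTTLS extension is advertised."""
    for line in ehlo_lines:
        if not line.startswith("250"):
            continue
        words = line[4:].split()          # drop '250-' or '250 '
        if words and words[0].upper() == "STARTTLS":
            return True
    return False


def sender_decision(policy: str, first_hop: Hop) -> str:
    """What the sending relay does, based solely on the first hop's banner.
    Returns 'encrypted', 'cleartext' or 'deferred'."""
    if offers_starttls(first_hop.ehlo):
        return "encrypted"
    if policy == REQUIRED:
        return "deferred"                 # hold or bounce instead of downgrading
    return "cleartext"                    # scenario 1: silent step-down


def hop_security(path: List[Hop]) -> List[str]:
    """Actual protection of every leg.  Assumption of this model: each relay
    in the path is opportunistic, so a leg is encrypted only when its
    receiving host advertises STARTTLS."""
    return ["encrypted" if offers_starttls(h.ehlo) else "cleartext" for h in path]


def assess(policy: str, path: List[Hop]) -> dict:
    """Compare what the sender believes with what actually happened on the
    full path, and name the failure scenario from the article, if any."""
    believed = sender_decision(policy, path[0])
    if believed == "deferred":
        return {"believed": believed, "legs": [], "exposed": False, "scenario": None}
    legs = hop_security(path)
    exposed = "cleartext" in legs
    if believed == "cleartext":
        scenario = "1: recipient MX lacks STARTTLS, message downgraded"
    elif exposed:
        scenario = "2: first hop encrypted, onward leg from intermediary in the clear"
    else:
        scenario = None
    return {"believed": believed, "legs": legs, "exposed": exposed, "scenario": scenario}


# Constructed EHLO banners (sample data, not real hosts).
TLS_MX = ["250-mx.recipient.example Hello", "250-STARTTLS", "250 SIZE 52428800"]
PLAIN_MX = ["250-legacy.recipient.example Hello", "250-8BITMIME", "250 SIZE 10485760"]
CLOUD_FILTER = ["250-inbound.filter.example Hello", "250-STARTTLS", "250 8BITMIME"]

DIRECT_TLS = [Hop("mx.recipient.example", TLS_MX)]
DIRECT_PLAIN = [Hop("legacy.recipient.example", PLAIN_MX)]
VIA_FILTER = [Hop("inbound.filter.example", CLOUD_FILTER),
              Hop("legacy.recipient.example", PLAIN_MX)]

if __name__ == "__main__":
    cases = [("direct, TLS-capable MX", DIRECT_TLS),
             ("direct, legacy MX", DIRECT_PLAIN),
             ("via cloud filter to legacy MX", VIA_FILTER)]
    for name, path in cases:
        for policy in (OPPORTUNISTIC, REQUIRED):
            print(f"{name:32} {policy:13} -> {assess(policy, path)}")
```

Note that REQUIRED on the first hop still does not detect scenario 2: only confirming the whole path, as the article recommends, does.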

Best Practices: HIPAA Email Compliance – Patient Records
By Hugh Gilenson

With new HIPAA regulations, patients can have even more access to their medical records. With many patients wanting to receive their information by email, does your organization know the best practices for emailing patient records in compliance with HIPAA?

In January 2016, the HIPAA regulation got more teeth in the area of providing patients their medical records on request (files, notes, diagnostic images, lab results, C-CDAs). The US Department of Health and Human Services published detailed FAQs regarding patients’ rights with respect to requesting their medical records from their care providers:

  • Request full medical records from all HIPAA-covered entities, e.g.
    • labs, imaging and surgery centers
    • insurance plans, hospitals, pharmacies, and physicians
  • HIPAA covered entities have 30 days to respond
  • Provide in the format requested by the consumer
    • Electronic format
    • Specific messaging format

Under 45 CFR § 164.524, available at http://www.hhs.gov/hipaa/for-professionals/privacy

The Department of Health and Human Services has produced some educational videos for consumers (patients), informing them of their rights and showing some role play at the doctor’s office. There’s also an HHS infographic, which you can find below, that explains the rule as well.

As a secure messaging company, we felt some initial dismay at the videos and written guidance HHS provides patients:

“… covered entities must safeguard the information in transit, and are responsible for breach notification and may be liable for impermissible disclosures of PHI that occur in transit. The only exception arises when an individual has requested that the PHI be sent to the third party by unencrypted e-mail or in another unsecure manner, which the individual has a right to request. As long as the individual was warned of and accepted the security risks to the PHI associated with the unsecure transmission, the covered entity is not responsible for breach notification or liable for disclosures that occur in transit.”

Wow – unsecure email is OK for sending PHI (Protected Health Information) as long as the healthcare provider warns the patient that there is a security risk, and the patient accepts that risk. How do you track that? Is it realistic to think both sides of that transaction will be truly cognizant of the requirement to inform, and the real security risk?

I turned to our CMO, Dr. Peter Tippett, for some guidance and perspective. What’s the best practice for a physician’s office to be in compliance with HIPAA when emailing medical records to a patient?

His response – so practical, and sensible:

Covered entities should always use some form of secure messaging when emailing medical records to patients for several reasons.

  1. Email encryption, logging and other HIPAA requirements are expected and required UNLESS the patient EXPLICITLY is warned, and EXPLICITLY agrees to unencrypted mail.  Keeping these warnings and permissions straight and getting the right message to the right patient via the right modality will fall in the “too hard” category for most covered entities.
  2. Covered entities will worry because they will be sued anyway if a patient, for example, agrees to receive blood test results one week and, a few months or years later, gets sent something truly private which is exposed because it was regular email.
  3. Most patients will not answer the question at all as to whether or not it would be ok after a warning to send the message via regular email – which could lead to errors, so a hard stop in the workflow, and risk of not meeting the 30 day delivery window.
  4. The fact that at least some patients will want the message securely, will require all covered entities to have a solution.

Given that email is such a convenient way to exchange files, and email encryption solutions such as DataMotion SecureMail are so affordable and easy to use for senders and recipients, this new HIPAA measure is another driver for adoption by covered entities. It also enables files up to 2GB – perfect for diagnostic images. It’s a small price to pay for HIPAA email compliance (and happy patients)!

[HHS infographic: health information rights]

Salesforce Service Cloud and HIPAA Compliance
By Hugh Gilenson

Q: My company sells to the healthcare industry. Is it a HIPAA violation when my Customer Service Rep replies to a support ticket on Service Cloud? I mean, Salesforce is HIPAA compliant, right?

A: You very well may be in violation of HIPAA standards.  Here’s why.

Yes, the Salesforce platform itself can be made HIPAA compliant. Salesforce will sign a Business Associate Agreement (BAA), and if you add Shield you’ll get monitoring, encryption, and auditing functionality for your Salesforce instance. But that’s only part of the compliance story, because it only covers the data while it’s residing within the Salesforce ecosystem – the data at rest.

HIPAA also applies to data in motion. Simply stated, data containing protected health information traveling over a public network (like the Internet) must be encrypted in transit.

So let’s take a look at your scenario:  Suppose you’re a CSR using Service Cloud to view a new support ticket.  A customer sends an inquiry explaining that his doctor wants him to get additional testing to rule out prostate cancer and he wants to know if his insurance covers the new tests.  The customer’s contact information plus a medical condition equals Protected Health Information (PHI) and needs to comply with HIPAA.

While you’re viewing the information on Service Cloud, it’s covered by HIPAA (see the first paragraph above).  But when you reply to that ticket the PHI is almost always copied as part of the ongoing dialogue thread and is sent from your company to the customer via email or other messaging format.  It’s now data in motion traveling over the Internet, and your company (not Salesforce) is responsible to encrypt the message before it’s sent in order to be HIPAA compliant.

Luckily, there are solutions, like DataMotion SecureMail, that integrate easily with Salesforce, and have the ability to filter by policy rules and keywords and automatically encrypt messages containing PHI.  Our solution also adds logging and tracking for better visibility and governance (proof you need in the event of a HIPAA audit by the feds)!

Summary

Yes, the Salesforce Platform can be made HIPAA compliant.  But when you reply to a Service Cloud ticket, that’s data in motion and it’s not Salesforce’s responsibility.  Your company needs to ensure those messages are encrypted between Salesforce and your customers.  If not, you’re subject to fines, penalties and loss of reputation.

Best Practices: Securing Data at Rest, in Use, and in Motion
By Team DataMotion

Sensitive business data is more vulnerable today than ever before. Corporate trade secrets, national security information, personal medical records, Social Security and credit card numbers are all stored, used, and transmitted online and through connected devices.

This proliferation of valuable data presents criminals with an increasingly wide range of opportunities to monetize stolen information and intellectual property. In addition, foreign governments and organized crime rings have embraced hacking as one of the most potent tools at their disposal.

Organizations are also at risk from internal threats. A negligent or disgruntled employee can expose confidential information even faster than a hacker if there aren’t adequate safeguards in place to prevent the accidental or intentional release of sensitive data.

Security is critical, but it can’t come at the expense of your ability to complete daily tasks. This article examines the best practices for securing data at rest, in use, and in motion.

The Three Critical Components of a Total Information Security Strategy

Data needs to be secured in three states: at rest, in use, and in motion. Each state presents unique security challenges.

Data at Rest

Data is at rest when it is stored on a hard drive. In this relatively secure state, information is primarily protected by conventional perimeter-based defenses such as firewalls and anti-virus programs. However, these barriers are not impenetrable. Organizations need additional layers of defense to protect sensitive data from intruders in the event that the network is compromised.

Encrypting hard drives is one of the best ways to ensure the security of data at rest. Other steps can also help, such as storing individual data elements in separate locations to decrease the likelihood of attackers gaining enough information to commit fraud or other crimes.

Data in Use

Data in use is more vulnerable than data at rest because, by definition, it must be accessible to those who need it. Of course, the more people and devices that have access to the data, the greater the risk that it will end up in the wrong hands at some point. The keys to securing data in use are to control access as tightly as possible and to incorporate some type of authentication to ensure that users aren’t hiding behind stolen identities.

Organizations also need to be able to track and report relevant information so they can detect suspicious activity, diagnose potential threats, and proactively improve security. For example, an account being disabled due to a certain number of failed login attempts could be a warning sign that a system is under attack.


Data in Motion

Data is at its most vulnerable when it is in motion, and securing information in this state requires specialized capabilities. Our expectation of immediacy dictates that a growing volume of sensitive data be transmitted digitally, forcing many organizations to replace couriers, faxes, and conventional mail service with faster options such as email. Today, more than 100 million business emails are sent every day.[1]

When you send an email, it typically takes a long and winding journey through the electronic infrastructure at universities, government facilities, and other network locations. Anyone with the right tools can intercept your email as it moves along this path. However, there are more effective ways to secure data in motion.

The best way to ensure that your messages and attachments remain confidential is to transmit them through an encryption platform that integrates with your existing systems and workflows.

Optimally, users should be able to send and receive encrypted messages directly from their standard email service. More than 90% of organizations that currently use email encryption report that they have this capability.[2]

Looking ahead, it will also become increasingly important for the encryption service your organization uses to cover mobile email applications. The Radicati Group[1] predicts that 80% of email users will access their accounts via mobile devices by 2018, but more than 35% of organizations currently using email encryption say their users currently lack the ability to send secure messages from their mobile email client.[2]

How to Conduct an Effective Risk Assessment

Unless your organization has recently conducted a holistic risk assessment, the threat of a data breach is probably much larger and more immediate than you realize.

Organizations often underestimate their risk because they erroneously believe all of their sensitive data is contained within a few secure systems. In reality, this is seldom true.

Think about the situation from a workflow perspective. Do employees access corporate systems from their personal devices or use company-issued devices to work from home? What happens when employees take their devices on business trips? How is data transferred between devices or communicated to other stakeholders? And have you thought about what your customers or business partners do with any sensitive files you send them?

Almost inevitably, information is going to end up spread across multiple devices and networks with varying degrees of security and risk. Before you can take effective action to mitigate your risk, you need to have answers to the following questions:

  • What types of sensitive data does your organization store, use, or transmit?
  • Who has access to this data?
  • Where, when, and why are they using it?
  • How is data stored when it is not in use?
  • How is access to databases controlled?
  • What mechanisms are used to transport data?
  • What are the pertinent laws, regulations, and standards?

Once you have a solid grasp of the potential risks, work with data security experts to determine the next steps to implement a total information security strategy. But don’t wait for the risks to make themselves clear; by that time it will almost certainly be too late to take effective action.

There is a long and growing list of organizations that have learned painful first-hand lessons about data security, including Target, Home Depot, Anthem, the Federal Office of Personnel Management, and the National Security Agency. Take action today to secure your data at rest, in use, and in motion to ensure your organization doesn’t end up on this list.
[1] The Radicati Group. “Email Statistics Report, 2015–2019.”
[2] DataMotion. “Secure Email and File Transfer Corporate Practices 3rd Annual Survey Results.”

Major Email Compliance Regulations That You Need to Know
By Bob Janacek

Keeping up with industry and government email compliance regulations impacting the exchange of sensitive information can be exhausting. So, we’ve put together a list of four big ones you need to know about.

  • Payment Card Industry Data Security Standard (PCI DSS)
  • Health Insurance Portability and Accountability Act / Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH)
  • Gramm-Leach-Bliley Act (GLBA)
  • General Data Protection Regulation (GDPR)

PCI DSS

Security for credit card information stored, processed or transmitted by merchants and associated vendors is regulated by PCI DSS. According to requirement 4, all cardholder data passing over an open, public network such as the internet must be protected (encrypted).

PCI DSS helps organizations focus on security, not compliance, by making payment security business-as-usual. By raising security standards and making compliance status quo, monitoring effectiveness of security controls and maintaining a PCI DSS compliant environment is easy.

All credit card processors have adopted the Payment Card Industry Data Security Standard (PCI DSS). The goal of this regulation is to prevent identity theft and protect cardholder data, and it applies to any company that processes credit card data. The most recent version of PCI DSS (3.2) was released in April 2016, with a minor update (3.2.1) issued in July 2018 to update migration dates.

PCI DSS 3.2 mainly consists of changes meant to streamline and clarify the regulation, but there are a few updates that fall under the “evolving requirement” category that affect how you handle credit card data as of February 1, 2018.

One of the changes is that there is now a “new requirement for service providers to maintain a documented description of the cryptographic architecture.” Although more documentation is required to stay compliant with the new PCI DSS update, the goal is to protect sensitive client information and ensure safer communications between business processes. This update will also help companies detect bottlenecks in their cryptography functionality, giving them the opportunity to make the appropriate changes.

A more detailed description of the updates can be found here.

HIPAA/HITECH

Congress passed HIPAA in 1996, and it is probably the most well-known compliance regulation impacting email. The HIPAA Privacy Rule, also called the Standards for Privacy of Individually Identifiable Health Information, provided the first nationally recognized regulations for the use and disclosure of an individual’s health information. Essentially, the Privacy Rule defines how covered entities use individually identifiable health information, or PHI (Protected Health Information).

The key HIPAA impacts on email are:

HITECH was passed as part of 2009’s American Recovery and Reinvestment Act and is intended to push the healthcare industry toward faster adoption and use of health information technology. Subtitle D of HITECH addresses “the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.”

In 2013, HIPAA/HITECH was expanded by the Department of Health and Human Services with the Omnibus Rule, which became effective on September 23, 2013. The reach of HIPAA data privacy and security requirements expanded to include “business associates” of covered entities, making them subject to HIPAA as well, and HIPAA gained more enforcement power. The rule significantly expanded the number and type of organizations covered by redefining who is a business associate of a covered entity. Because civil and criminal penalties may now apply to business associates, these businesses also need to take steps to secure Protected Health Information (PHI).

Business associate agreements

Another important term related to HIPAA is the Business Associate Agreement (BAA), which is a contract required to be established between a HIPAA-covered entity (CE) and a HIPAA business associate (BA). This contract protects PHI in accordance with HIPAA guidelines. Subcontractors who have access to or who store PHI now also need to sign business associate agreements and be able to demonstrate compliance. HIPAA now effectively applies not just to medical providers, but to the entire ecosystem of vendors supporting them. A typical example of CE is a healthcare organization that handles PHI for its patients, and a typical example of a BA is a service provider that securely handles, transmits or processes PHI for a CE. Under the HITECH Act, BAs are responsible for securely handling PHI and can be held accountable for data breaches and penalized for noncompliance.

GLBA

GLBA is the third major email compliance regulation on our list. GLBA was passed in 1999 with the primary goal of protecting the private financial data of consumers. The fancy term for this is “Nonpublic Personal Information” (NPI). Although this act applies mostly to financial institutions, today many more organizations in a variety of industries maintain NPI for their customers.

The Financial Privacy rule is the key consideration for most organizations. This rule governs the collection, use, and disclosure of private financial data. The process companies must take to safeguard this information is also defined.

The Safeguards Rule instructs organizations to develop security programs in alignment with the amount of NPI data they maintain.

Although the law is technology neutral, the Safeguards Rule instructs the organization to implement policies to encrypt or block email traffic based on the message sender, recipient or content.

GDPR

GDPR is a new major privacy regulation that went into effect in May 2018. It is a European Union (EU) directive but does impact organizations outside of the EU if those organizations market to and collect information on EU residents.

In a nutshell, when an organization is collecting, processing and/or storing the personal data of any EU resident – regardless of where the organization is located – express permission must be obtained first. This means the individual must have opted in, not only to collect the data, but to process and store it. Data collectors/processors (the organization) must also be clear with the individual about how the data will be used, stored and protected.  These individuals must also be given an easy way to withdraw their permission and have it completely deleted from an organization’s database(s). You can learn more about GDPR here.

Article 5 of the GDPR details the principles covered by the regulation.  5.1 lays out the requirements for treating private data of EU citizens:

“(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

Take the Steps to Comply

A major facet of meeting the requirements of all these email compliance regulations is ensuring that your email is secure and well protected against hackers, scammers, and those with the intent of committing fraud. Failure to comply with mandated regulations leads to not only financial consequences but can permanently damage your company’s reputation as well as scare clients from coming back. Don’t take chances when it comes to staying compliant. It isn’t worth the risk.

What Exactly is a HISP?
By Hugh Gilenson

The term “HISP” is often used when discussing Direct Secure Messaging, but what exactly is a HISP?

A Health Information Service Provider, or HISP, is an accredited network service operator that enables nationwide clinical data exchange using Direct Secure Messaging (aka Direct, Direct Messaging and the Direct Project). Direct is a HIPAA-compliant and interoperable transport method promoted by the Office of the National Coordinator for Health IT of the US Department of Health and Human Services (ONC/HHS). HISPs and Direct are regulated and monitored by DirectTrust.org, a governance organization empowered by HHS.

HISPs offer healthcare organizations (hospitals, physicians, health plans, health information exchanges) and consumers an onramp to the Direct Secure Messaging network where trading partners can exchange protected health information (PHI), in a structured and unstructured format, across the internet with maximum security and privacy.  Exchange partners can easily discover each other’s address on the DirectTrust network through a healthcare provider directory (HPD). The addresses are compiled, shared, and published by HISPs participating in the DirectTrust HPD program.

The nationwide messaging service delivered by HISPs and overseen by DirectTrust represents a modern, affordable, and standards-based alternative to sharing clinical data by fax, virtual private networks, and proprietary interfaces. The latter exchange methods are costly and increasingly outmoded as healthcare embraces digital communications with the economies, scale, and ubiquity of the internet.  Operationally, HISP-delivered Direct Secure Messaging services are most closely related to fax in that both methods “push” data between senders and recipients and return a delivery notification upon completion.


Collectively, HISPs are the communications backbone of the DirectTrust health information exchange.  Individually, they are access points to the DirectTrust Network and referred to as DirectTrust network service providers or Direct Trusted Agents.  Direct Secure Messaging, Direct exchange, ONC Direct, and HISP services are the terms generally used to describe the clinical data exchange service HISPs provide.

Because the electronic medical record message attachments (HL7 C-CDAs or CDA) processed by HISPs meet Health IT interoperability standards, PHI exchanged via Direct Secure Messaging can be sent and received from EHR workflows.  The same standard allows data sharing among any EHR and any software solution connected to a HISP.  To use email as an analogy, you may have Microsoft Outlook installed on your computer, but if it isn’t connected to an email network, your emails can’t go anywhere, and none can get to you.  Similarly, your EHR can send and receive Direct-compliant messages, but those messages won’t go anywhere unless you and those who you are communicating with have valid HISP service, addresses and Direct Trust certificates.

For Health IT developers seeking ONC/EHR Certification, HISPs are important partners.  HISPs supply the Direct Secure Messaging capabilities that Certification requires but that are out of scope for most developers, enabling them to meet and satisfy the Certification requirements.

Some HISPs are end-user facing, with recognizable brand names and user interfaces, while others operate behind the scenes as an integrated module of an EHR or similar health IT solution.  Those that tightly integrate with EHRs or HIEs are sometimes owned and operated by the solution vendor and provide a captive service tailored to the solution.  Independent (aka: pure-play) HISPs are typically full-service providers offering a range of connectivity and service options to suit a range of end-user requirements.


HISPs provide multiple sub-services underlying the Direct Secure Messaging service, including:

  • Direct Secure Messaging Addresses
    • Direct addresses are similar to typical email addresses, with the exception that they operate exclusively on the DirectTrust network.  The specialized digital certificate affixed to a domain or Direct address is recognized by DirectTrust network operators and can only be issued by an accredited DirectTrust HISP.  The digital passport represented by the certificate distinguishes Direct addresses from Gmail, Outlook, Yahoo, and similar addresses that operate on standard email.  The certificate is also used to encrypt messages and to confirm the identity of the sender and receiver, resulting in non-repudiation.
  • DirectTrust Onramp Connectivity Options
    • Edge protocols (e.g., XDR or S/MIME)
    • Web-based mail portal with accessibility support
    • Protocol transformation and routing: S/MIME over SMTP, IHE XDR, web services
  • Digital Certificate Issuance and Life Cycle Management
    • The DirectTrust-authorized digital certificates provisioned by HISPs require specialized management and sharing capabilities that only HISPs are qualified to provide.
    • Participation in the DirectTrust Accredited bundle
    • Certificate issuance and registration authority
  • Identity Authentication (aka: identity proofing)
    • To keep the DirectTrust network clean of bad actors (e.g., spammers), HISPs are required to confirm the true identity of participants in Direct Messaging prior to provisioning a Direct Address.
  • Message Delivery Notification
    • Message completion acknowledgements collected and reported out by HISPs are considered to be irrevocable proof of message delivery and thus carry important weight in legal and CMS reporting.
  • Direct Secure Messaging Service Support
    • Online and phone support for onboarding, connectivity issues and outages, and other service needs
    • High-availability and disaster recovery
  • Healthcare Provider Directory (HPD)
    • Publish Direct Addresses to DirectTrust HPD
  • Enforcing DirectTrust Rules of the Road
    • Maintain accreditation attesting to trust relations
    • Security and Trust Framework
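As an added example (not DataMotion’s or DirectTrust’s code) of the certificate checks behind the address and identity-proofing items above: a receiving HISP should accept a sender’s S/MIME certificate only if it chains to a trust anchor from the accredited bundle and its subject alternative name binds either the exact Direct address (rfc822Name, address-bound) or the address’s domain (dNSName, domain-bound). The anchor, leaf and addresses below are constructed fixtures, the `cryptography` package is assumed to be installed, and the address-bound/domain-bound rule is taken from the Direct specification rather than from this post.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID
UTC = dt.timezone.utc

def issue(cn, key, issuer=None, issuer_key=None, san=(), ca=False):
    """Constructed certificate factory; self-signed when issuer is None."""
    now, name = dt.datetime.now(UTC), x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(issuer.subject if issuer else name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - dt.timedelta(hours=1)).not_valid_after(now + dt.timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if san:
        b = b.add_extension(x509.SubjectAlternativeName(list(san)), critical=False)
    return b.sign(issuer_key or key, hashes.SHA256())

def new_fixture(emails=(), domains=()):
    """Constructed anchor (stand-in for a DirectTrust bundle CA) plus a leaf it signs (SAN from emails/domains)."""
    anchor_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
    anchor = issue("Constructed Direct Anchor", anchor_key, ca=True)
    san = [x509.RFC822Name(e) for e in emails] + [x509.DNSName(d) for d in domains]
    return issue("Constructed Direct Leaf", leaf_key, anchor, anchor_key, san), anchor

def chains_to(cert, anchor):
    """True when the anchor's key signed cert and cert is inside its validity window."""
    try:
        anchor.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=UTC)
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=UTC)
    return nb <= dt.datetime.now(UTC) <= na

def verify_direct_sender(cert, anchor, address):
    """Accept cert for address only if it chains to anchor and its SAN binds the exact address
    (rfc822Name, address-bound) or, when it carries no rfc822Name, the address's domain (dNSName)."""
    if not chains_to(cert, anchor):
        return False
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return False  # a Direct certificate with no SAN binds nothing
    emails = [e.lower() for e in san.get_values_for_type(x509.RFC822Name)]
    domains = [d.lower() for d in san.get_values_for_type(x509.DNSName)]
    _, sep, domain = address.lower().rpartition("@")
    return bool(sep) and (address.lower() in emails if emails else domain in domains)
```

An address-bound certificate never vouches for a neighbouring address at the same domain, and a certificate issued under a different anchor fails before any name is compared.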

Now that you know everything about HISPs, be sure to read our blogs to learn everything you need to know about Direct and the Healthcare Provider Directory. DataMotion is an accredited HISP of Direct Secure Messaging.

Direct Secure Messaging
By Hugh Gilenson

If you work in the healthcare industry, then you may have heard the terms “Direct” or “Direct Secure Messaging” several times. Whether you consider yourself to know everything about the subject or you are just starting to get familiar with the terms, now is as good a time as any to brush up on what Direct is, who uses it, why it’s important, how it’s used, and more. So, let’s begin, what is Direct?

What is Direct Secure Messaging?

Developed in 2010 as part of a federal project for standards-based communications, Direct is a national encryption standard for securely exchanging clinical healthcare data via the Internet. Also known as the Direct Project, Direct Exchange and Direct Secure Messaging, it specifies the secure, scalable and standards-based method for the exchange of Protected Health Information (PHI).

As part of qualifying for incentive payments under the Meaningful Use Stage 2 criteria issued by the Office of the National Coordinator for Health IT (ONC), healthcare organizations and providers must meet data transfer requirements using Direct Messaging. These requirements can be demonstrated with Electronic Health Records (EHRs) that comply with the ONC’s 2014 Edition EHR Certification Criteria, which specify electronic exchange of transition of care records with Direct Messaging.

Who uses Direct?

  • Hospitals
  • Providers/Clinicians
  • Care Team Members
  • Patients
  • Laboratories
  • Pharmacies
  • Long Term Care
  • Skilled Nursing
  • Specialists
  • Dental

Why should you care?

Direct helps to cut costs and deliver improved quality of care.

On the clinical side, Direct Secure Messaging addresses gaps in transitions of care which have been identified as a significant patient safety issue. Incomplete exchange of patient health information among providers when transitioning from one care environment to another is a point of vulnerability that can compromise the overall quality of care a patient receives.

On the business side, Direct Messaging can reduce or eliminate the costs associated with fax workflows by transitioning relatively expensive fax communication to less expensive email workflows.

There are many additional benefits to Direct Messaging, including:

  • Strong security and privacy protection of PHI
  • One unified standard that all systems can leverage
  • Improved communications between providers
  • Easily sent and received referral information
  • Efficient report exchange
  • Ease of sharing patient information
  • Improved practice workflow

How is Direct used?

Here are some of the ways Direct can be used to communicate or share private health information:

  • Transitions of care (CCD, C-CDA documents)
  • Physician consult requests
  • Admit-Discharge-Transfer Requests (ADT)
  • Medication reconciliation
  • Lab/Test results
  • Patient communication
  • Order submission
  • Report distribution
  • Peer to peer collaboration

How does Direct work?

Direct can be incorporated into a variety of user interfaces, such as an email client, a mobile device, healthcare IT system portals or an automated data delivery feed. Any of these interfaces is capable of sending or receiving Direct messages. But in order to participate, both sender and recipient will need a specific Direct email address provided by their HISP. Healthcare IT systems can integrate Direct in multiple ways depending on the desired workflow.

Where can you get Direct?

Direct messaging services are provided by Health Information Service Providers, or HISPs, such as DataMotion and its DataMotion Direct messaging service. To learn more about HISPs, see our HISP blog post.

So, do you know everything about Direct now?

Contact us to learn more about our Direct Secure Messaging service.
