Healthcare Provider Directory Boosts Direct Secure Messaging Value

By Team DataMotion

The Direct Secure Messaging network overseen by DirectTrust.org is growing rapidly. At mid-year 2019, there are over 190,000 clinical organizations using Direct, and almost 2 million addresses have been issued. This critical mass has the power to enable interoperable health information exchange between disparate systems nationwide, but recipient addresses must be easily discoverable in order to achieve this. Luckily, many health information service providers (HISPs) provide access to a DirectTrust federated directory known as the Healthcare Provider Directory (HPD). This directory grants you access to a constantly growing Direct subscriber database, allowing you to easily discover recipient addresses.

What to Look For in a Healthcare Provider Directory (HPD):

When choosing an HPD, there are a variety of different features that you should be on the lookout for. Some of the key features that we recommend you search for are:

  • The ability to search for a recipient by multiple criteria, including:
    • Provider name
    • National Provider Identifier (NPI)
    • Medical specialty
    • Function/role
    • Etc.
  • HPD sharing agreements with other Health Information Service Providers (HISPs) and the DirectTrust organization
  • Integration with the nationwide NPI registry, which enables updating and appending data for individual records in the directory

So, How Can the DataMotion HPD Meet Your Needs?

DataMotion Direct Community Web Portal Users

All users of our DataMotion Direct Community Web Portal (CWP) have access to the DataMotion HPD through the search field integrated into the CWP Address Book function. This address book allows you to search by a variety of criteria including by provider name, organization, location, NPI, or specialty, making it easy to find your intended recipient address. Once an address is found, all you have to do is set the address in a message or save it to your address book.

DataMotion Direct Integration Partners

Are you a DataMotion Direct Integration Partner? If you are, then you receive comprehensive access to the DataMotion HPD via the HPD Web Services API for EHR software vendors and other health IT solution providers. This allows HPD integration into an application user interface. The web services API exposes search functionality using the same parameters so it can be integrated into existing software and workflows.

Figure: DataMotion HPD infographic

What Kinds of Features and Benefits are We Able to Offer Your Organization?

  • Extensive Data Set – With over 20 searchable data fields, you can expect much better search accuracy
  • NPI Registry Integration – Our HPD regularly checks the NPI Registry, meaning it is constantly up-to-date and appending data for individual records in the directory
  • API access – Allows you to integrate HPD search/retrieval into your existing applications and workflows
  • HISP partnerships – Allows us to continuously expand the DataMotion HPD and make DataMotion Direct addresses discoverable to other providers across the country

If you’re ready to learn more, please contact us.

Adding a Secure Message Center to Self-Service Portals and Apps

By Christian Grunkemeyer

Self-service started long ago with things like the self-service gas pump (1947) and automated teller machine (1967) – primarily for economic reasons. Self-service often helps to reduce the cost of doing business, and when it comes to digital self-service – is available 24×7. But ever since the introduction of online banking and online brokerage services, the idea of “self-service” has become increasingly more important – particularly in financial services. Account holders want online access to view a balance, initiate payment transactions, buy investments or to check credit account charges – from portals and smartphone apps. A perfect self-service arrangement – convenient and efficient for both the consumer and the business. But every self-service process can reach its limit – and then customers want an equally effective communication channel to get help. That’s where a secure message center becomes a key link between efficient self-service and efficient customer service.

Figure: How secure message centers work with internal users and external clients

What is a secure message center?

A secure message center adds web-mail, web-form or web-chat services natively to financial services self-service customer portals or apps so that clients can easily ask questions about their account and even share supporting files or images (receipts for a credit charge dispute, a tax return as part of a loan application process). Client messages and files are routed to responsible employees – account teams, support personnel, or contact center agents – for a response. Case numbers may be assigned for tracking in ticketing systems, and response notifications are sent via email or SMS text channels to notify customers of a waiting reply. For security and regulatory compliance reasons, the message content (and any uploaded file or image attachments) must be encrypted, and detailed logging and tracking reports must provide the history and proof required for compliance audits.

How is a secure message center enabled?

Enabling an efficient secure message center requires an assessment of the workflows end-to-end. What type of inquiries are expected? Can they be categorized for efficient routing? What is the log-on process to use it? How should the secure message center look? What type of message features does it need? What type of file attachments do customers need to upload and share? Which employees need to respond to messages? What type of applications and user interfaces will the employees use to receive messages? There’s a litany of questions that will drive the design and requirements for the secure message center – all centered around making the communications workflow as seamless and efficient as possible.

Figure: Secure Message Center architecture (DataMotion SDX Platform infographic)

How should customers access a secure message center?

Secure message centers have evolved from traditional email encryption services, which provide similar security and tracking features, but generally force users to create a separate login on a separate web-portal to send or receive secure messages. By contrast, an integrated secure message center shares a financial services portal login (via SSO techniques) at a minimum, and at best – blends seamlessly into the service portal’s user interface. Taken a step further – corresponding mobile apps can be offered as an alternative to web portal access and the secure message center features and functions are replicated in the mobile app as well. Under the hood – this requires a secure messaging service that supports SSO services and exposes web service APIs for the secure messaging service functions, management and provisioning. This simplifies the addition of secure message center features in financial services self-service portals and mobile apps.

How do employees access the secure message center?

For account management and lower volume, or ‘un-categorized’ inquiries – an email client such as Outlook may be most suitable. For high volume, contact center workflows, employees will often use a CRM like Salesforce Service Cloud to manage the customer database, automate and track customer interactions for support and retention – even for marketing and sales touchpoints. So, the secure message center must integrate with the backend applications and UIs that your employees use, while maintaining end-to-end message security and verifiable compliance with security policy and privacy regulations – always ‘must have’ table stakes of a secure message center design for financial services firms.

The benefits to digitally integrating and transforming your self-service customer portal

By updating your self-service customer portal and mobile apps with a secure message center, you can transform the way you and your customers/clients work together. Your customer feels enabled to easily do business with you. Your response and outreach are more complete and efficient. And, your business can often reduce costs. A win-win for everyone. This solution is a notch on the belt of “digital transformation” and how to improve the interaction between clients and your customer teams that respond to their needs.

Want to learn more about how to secure workflows in self-service customer portals? Visit us at the DataMotion Developer’s Center or the financial services solutions page, or contact us for a consultation.

What are Open APIs and FHIR for Health Information?

By Team DataMotion

In clinical healthcare, the use of Open APIs is a relatively new form of secure data sharing. An API (Application Programming Interface) allows a health care provider to expose data on the web so that correspondents can download it through automated applications. Currently, the industry is consolidating around an API technique called Fast Healthcare Interoperability Resources (FHIR), an HL7 standard. Although FHIR is not yet considered fully functional, it has a stable draft and has been integrated into several EHRs.

How are Open APIs / FHIR used?

Oftentimes, FHIR and Open APIs are used for retrieving selected C-CDA fields from an EHR, polling EHR field data from mobile applications, offering new services to complement email-style “push” messaging, and more.

What are the advantages of Open APIs / FHIR?

Open APIs and FHIR are attractive to software solution developers because they represent a programmatic, web services approach to retrieving specific data from another source. Web services APIs have proven a very efficient and cost effective method of presenting existing data within a new application. Some very common and recognizable solutions include using web service APIs to expose local weather, stock market data, or a news feed in a web portal.

What are some of the challenges of Open APIs / FHIR?

As was previously noted, Open APIs and FHIR are relatively new techniques for sharing and acquiring clinical health data. There are many trials and production uses, but deployment at the source of data, most prominently provider EHR systems, is at the initial stage of implementation. Therefore, new services and solutions that seek to use Open APIs and FHIR to retrieve patient data fields will find limited availability, and may need to start with a narrow use case and/or population (i.e. a specific health system where FHIR is available for test) before trials and production rollout.

DataMotion Direct on FHIR

The DataMotion Direct Messaging service and DataMotion Direct APIs are data sharing techniques complementary to the emerging FHIR Open API standard. DataMotion is working with partners to leverage both health information exchange techniques for innovative new solutions that enable patient engagement, care management, transitions of care, patient enrollment and other digital health solutions that align with the vision and health delivery transformation tenets of the 21st Century Cures Act.

Standards Groups, Direct Messaging and Open APIs/FHIR

DirectTrust, the organization responsible for managing and promoting the Direct Messaging standard, and the HL7 organization responsible for the FHIR API initiative, both have active tracks developing synergy, interoperability and testing use case scenarios and techniques for using FHIR and Direct Messaging in concert.

The current set of scenarios are identified as follows:

  1. Sending FHIR resources within a Direct Message as an attachment
  2. Utilizing DirectTrust certificates with the FHIR RESTful API to enable trust relationships to scale
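Scenario 1 above, carrying a FHIR resource as an attachment of a Direct message, as an added Python example that is not part of the original post and not DataMotion's or DirectTrust's own code. It builds only the MIME payload: the sender attaches a FHIR Patient resource as `application/fhir+json`, and the recipient side extracts and validates it. The Direct addresses and the patient data are constructed for the example; the S/MIME signing and encryption that a HISP applies with DirectTrust certificates before transmission is left out.

```python
import json
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample FHIR resource (synthetic patient, not real data).
SAMPLE_PATIENT = {
    "resourceType": "Patient",
    "id": "example-123",
    "name": [{"family": "Doe", "given": ["Jane"]}],
    "birthDate": "1980-01-01",
}


def build_direct_message(sender, recipient, subject, resource):
    """Build the MIME payload of a Direct message that carries one FHIR
    resource as an attachment.  A HISP would then sign and encrypt this
    payload with S/MIME using DirectTrust certificates; that step is
    outside this example."""
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content("A FHIR resource is attached.")
    body = json.dumps(resource, indent=2).encode("utf-8")
    # application/fhir+json is the registered media type for FHIR JSON.
    msg.add_attachment(
        body,
        maintype="application",
        subtype="fhir+json",
        filename=f"{resource['resourceType']}.json",
    )
    return msg.as_bytes()


def extract_fhir_resources(raw_bytes):
    """Parse a received message and return every attached FHIR resource
    as a dict.  Parts with other media types (the text body, PDFs, ...)
    are ignored; a fhir+json part without resourceType is rejected."""
    msg = BytesParser(policy=policy.SMTP).parsebytes(raw_bytes)
    resources = []
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/fhir+json":
            continue
        data = json.loads(part.get_payload(decode=True))
        if "resourceType" not in data:
            raise ValueError("fhir+json attachment has no resourceType")
        resources.append(data)
    return resources


if __name__ == "__main__":
    # Constructed Direct addresses for the demo.
    raw = build_direct_message(
        "dr.smith@direct.example.com", "clinic@direct.example.org",
        "Referral", SAMPLE_PATIENT,
    )
    for res in extract_fhir_resources(raw):
        print(res["resourceType"], res["id"], res["name"][0]["family"])
```

The recipient filters on the media type rather than the filename, since the filename is sender-controlled and says nothing about the content.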

Do you want to learn more about how your organization can leverage Open APIs/FHIR?

Is Encryption Enough to Protect Yourself?

By Bob Janacek

With a continuing increase in cybercrime, businesses have turned to encryption to protect themselves and their data online. Recently, high-profile data breaches have added a sense of urgency for enterprises to ensure their employees are taking preventative action as part of their day-to-day business. Should businesses fail to implement procedures to safeguard the data of their enterprise and customers, they may be subject to fines, bad publicity and a lack of trust amongst customers.

To protect personally identifiable information (PII) and personal health information (PHI) while it is transmitted from one system to another, businesses often implement a secure messaging and document exchange solution. Those requiring seamless secure exchange capabilities within their workflows may integrate a solution, such as DataMotion’s secure message center to enable compliance while not compromising the user experience.

However, using encryption is not always enough to protect your business from malicious attackers. In this blog post, we’ll cover the reasons why a robust data security plan that extends beyond just encryption and other software solutions is important to keep your enterprise data safe.

Is Encryption Safe if Using a VPN?

Security services such as a Virtual Private Network (VPN) encrypt your internet connection. Some businesses believe relying on a VPN alone offers enough protection because it uses a type of encryption to encode data. While VPNs are often a crucial component of data privacy and safety, they are far from comprehensive. In fact, some countries regulate, or even ban, VPN usage, leaving businesses that operate in those areas without a VPN component entirely.

VPN encryption adds an extra layer of protection for browsing activity and sent or received files, and it’s ideal for businesses working with a distributed team or remote employees. That said, even businesses with the most robust VPN membership are still vulnerable to threats such as:

  • Malware, spyware, and viruses
  • Phishing schemes
  • Compromised files and websites
  • Unauthorized server access
  • Online hacking
  • Account mismanagement
  • Unsecured data storage
  • Data loss through natural disasters

Encryption Alone Won’t Protect Your Enterprise Data

Your business can (and should) use encryption to protect sensitive information and confidential communications. But this should be part of a larger strategy. If a cybercriminal finds a vulnerability somewhere along the data transmission path, or gets their hands on your data encryption keys, your encrypted enterprise data can still be hacked and your systems compromised.

Below are five reasons why encryption as a sole line of defense isn’t enough to protect your enterprise data:

1. Limited Protection

Encryption converts data into ciphertext, which usually prevents hacker access to it in the first place. Though they can try to bypass it, a high level of encryption, such as AES 256-bit, will provide a strong layer of protection that can take several years to crack. Most software (including DataMotion’s pre-built solutions and APIs) utilizes AES 256-bit encryption.

No matter how high its level, encryption alone does not prevent hacking. If hackers can’t bypass your encryption they will seek out other access points to your enterprise data. Encryption only protects whatever is encrypted, such as your internet connection, email, or files, but it does nothing to prevent you from other online threats. For example, a VPN might encrypt your internet connection, but your online accounts could still get hacked.

Email is particularly vulnerable as it can be intercepted and read. Most services, including popular ones such as Google, can’t guarantee their email is encrypted from every angle.

For example, if you are sending mail from one Gmail account to another Gmail account, great; if you’re sending it “out of network,” Google’s encryption no longer works. There are a number of solutions available to help here. Third-party services, such as those that use SafeTLS, help fully encrypt your email messages, something you won’t find included as a default in just regular old email. Other, more robust and integrable services, such as DataMotion’s secure message center, are available to build secure exchange into an enterprise’s workflows so you can easily and efficiently send sensitive data at scale.

Encryption is a roadblock for hackers, but not a vault door – they will simply find another way inside. It’s important to understand that using encryption is still helpful, but you’ll also need to use other methods to prevent data breaches and protect yourself online.

2. Online Threats Remain a Risk

Encryption and a VPN can protect you against malware that is injected onto your device by a hack via your internet connection, but it doesn’t safeguard against clicking on malicious hyperlinks or inadvertently leaving your accounts open to attacks. You still need to avoid visiting risky sites and downloading potentially harmful files.

In a 2021 survey, more than half of the respondents with known data encryption issues cited unencrypted cloud services as a significant part of the problem. For businesses that rely on the cloud for data storage and communication, inadequate encryption could be a costly oversight.

It’s also easy to forget that mobile devices are at risk. There are apps available to encrypt your internet connection and files, but accessing the internet on a mobile device poses the same risk it would as if you were on a regular computer.

3. Inadequate Vendor Vetting Creates Vulnerabilities

Even if you encrypt your internet connections and use caution when visiting websites and downloading files, the risk of a data breach remains. The threat may even lie with your vendors. Take the recent SolarWinds breach for example. A hacker injected malicious code into the vendor’s software update; the update was released, and once it was deployed the hacker was able to walk right into the systems of a SolarWinds customer and steal their data.

Ensuring your vendors take proper precautions to protect their systems is one way to reduce the risk of this type of attack. For instance, DataMotion takes a zero-trust approach to security and uses military-grade encryption to secure your data in motion and limit access to only those people and systems who require it.  

Read more about the SolarWinds breach, as well as how to protect yourself from ransomware.

4. It Doesn't Replace Basic Net Security

Even though complete immunity from cyberattacks doesn’t exist, learning about basic net security is likely to keep you much safer compared to the average internet user. When you are aware of the risks of completing certain tasks and know how to spot subtle details, you’ll eventually be able to notice suspicious ads, websites, links, messages and scams in advance.

If you’re running a business, be sure to train your employees so they can also help prevent cyberattacks. Having your employees properly educated on internet security is especially important if they have access to customer data or any devices that contain personal information of any kind. Update training materials and have ongoing awareness plans to keep your team up to date on emerging security risks, especially any that are trending in your specific industry. While you’re at it, take the time to review your current security infrastructure. Remember that security that is complicated won’t get used. If your current security measures are difficult to navigate or disrupt workflows, employees may bypass them, even if they’re aware of the risks.

Consider installing an anti-virus program if you don’t already have one, as it will allow you to scan for malware and remove it. It would be a good idea to use other security software as well, particularly ones that serve different purposes, so you have a higher level of protection overall.

You should also make sure you keep your encryption keys safe — many businesses make the mistake of storing this information on an unsecured server, like an unencrypted cloud platform, or keeping them in the same place as sensitive data.

5. Encryption Can't Prevent Accidental Data Loss

Human error continues to play a pivotal role in data loss across industries. In fact, an IBM study found that it is a major factor in 95% of data breaches. No matter how highly encrypted your data is, it is still susceptible to being transmitted to the wrong recipient via email, or otherwise shared via incorrect attachments or unsecured encryption keys.

Pairing encryption with other security and privacy tools, such as a content filter that detects (and then, in some cases, encrypts) sensitive information, and having a detection and escalation plan in place for accidental data misuse is most effective.
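A simple content filter of the kind described above, as an added Python example that is not from the original post or from DataMotion's products: it scans an outbound message for US Social Security number patterns and Luhn-valid payment card numbers, reports what it found with the values masked (so the findings can be logged without leaking the data), and returns the policy decision, encrypt or send as-is. The sample message and the regular expressions are constructed for illustration; a production filter would carry many more patterns and context rules.

```python
import re

# Constructed outbound message used as sample input (synthetic values only).
SAMPLE_MESSAGE = """Hi Sam,
Per our call, the patient's SSN is 123-45-6789 and the card on file
is 4111 1111 1111 1111. Order number 1234-5678 is unrelated.
Thanks"""

# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits):
    """Return True when a digit string passes the Luhn check, which rules
    out most random digit runs (order numbers, IDs) that merely look like
    card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value):
    """Keep only the last four digits so a finding can be logged safely."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_sensitive(text):
    """Return a list of (kind, masked_value) findings for the text."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", mask(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", mask(m.group())))
    return findings


def decide(text):
    """Policy used here: encrypt when anything sensitive is found,
    otherwise allow plain delivery.  Returns (action, findings)."""
    findings = find_sensitive(text)
    action = "encrypt" if findings else "send_plain"
    return action, findings


if __name__ == "__main__":
    action, findings = decide(SAMPLE_MESSAGE)
    print(action, findings)
```

The "encrypt" action is the hook where the outbound gateway would hand the message to the secure delivery path; the same findings list can feed the escalation plan mentioned above when a message is blocked or misaddressed.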


How to Protect Your Business Against Online Threats

We’ve established why it isn’t possible to stay protected with encryption alone — so what can you do to keep your enterprise, employee, and customer data safe?

Some of the larger, common risks include data being leaked and deleted from your device and database, accounts being compromised, your device being affected by malware, and identity theft because of leaked information. A few basic ways you can keep yourself safe — other than using security software — include:

  • Develop safer online habits. Be cautious when clicking on links and ads. Before clicking, hover your mouse over the URL to see what page it really links to. Keep an eye out for subtle differences in the text and appearance of sites or emails as well, since there are a lot of ways an individual can be easily tricked into handing over personal information. And be careful what you share on social media, don’t overshare personal information that may be used in your password or security questions. Finally, avoid storing passwords on your web browser and log out of your accounts when you’re done using them.
  • Secure your accounts with strong passwords. An ideal password is a combination of numbers, uppercase and lowercase letters, and symbols. Your passwords should exclude any personal information, single words found in the dictionary, and anything that could be linked to your identity. Avoid reusing passwords—this makes it easier for hackers to access more than one of your accounts if you’re using the same password for multiple logins.
  • Use multi-factor authentication for added security. A strong password isn’t always enough. If a hacker guesses your password or steals it from another source, they will gain access to any accounts with that same password. Multi-factor authentication requires employees to complete an extra step to verify their identity after entering their password. This may include steps such as entering a one-time code sent to their email or cell phone or using an authentication app on their smartphone. Along these lines, ensure that your software vendors support multi-factor authentication so you can secure those systems as well.
  • Pay attention to news about internet security. If there is a common scam going around, you’ll likely hear about it. Set up online notifications, such as a Google Alert, to notify you whenever there is a new data breach or scam in the headlines. When a new event occurs, you’ll be notified via email right away so you can quickly take the appropriate actions to secure your systems.

Connect and Exchange Data Securely with DataMotion

An encrypted connection can keep hackers out; it can also keep your email from being read if intercepted. But encryption cannot prevent human error, such as manually downloading malware, nor can it prevent your account from being stolen by cybercriminals if you do.

There’s no doubt that encryption can be helpful in protecting your privacy and data at the very least, but a robust, multi-layered approach to security is often the best choice. Most of all, you will have to do your part to keep yourself (or your business) safe, and that means knowing what to look for and avoid.

A secure messaging platform that complies with industry standards and protects data while at rest and in transit helps mitigate the risk of a data breach while simplifying your workflow. Our suite of pre-built solutions, APIs and no-code solutions offer easy-to-use and highly secure, top-level protection without the need for encryption keys. Your team gets better visibility and control, and you get peace of mind knowing that your sensitive business and customer data is safe and secure.

Explore our industry-specific services to learn more, or contact our team of security experts to see how DataMotion services can help streamline and secure your day-to-day enterprise operations.

Gmail TLS Email Encryption – is it good enough?

By Alex Mushkin

Major cloud email services such as Gmail and Yahoo Mail announced their use of TLS about two years ago (TLS is transport layer security – a type of encryption that can be applied to email transmissions). Both services announced they would send email (and attachments) using TLS whenever possible – which means – whenever the receiving email service or server is configured to accept TLS encrypted email.

For the average user – this is a good thing. We certainly hear enough these days about unsecure email and exposure of private conversations – so we should all be thinking about using a secure email service just to keep our communications private. After all – if we wanted them to be public – we could always post them on Facebook! And private conversations can cause harm if exposed to the wrong people – even if there’s nothing nefarious being disclosed regarding our business or personal dealings.

As noted – TLS has been the default transmission policy for Gmail for at least two years – but it was just brought to my attention that you can check if a Gmail message is sent or received using TLS by clicking on the ‘details’ of the message. It looks like this:

Figure: Gmail message details, with the ‘Standard (TLS) encryption’ line highlighted

Gmail offers details of what TLS encryption is and how it is applied – ‘Learn More’ will take you to a page that describes what is happening when Standard (TLS) encryption is being used:

“TLS is being adopted as the standard for secure email. While it’s not a perfect solution, if everyone uses it, snooping on email will be more difficult and costly than it is today.”

‘While it’s not a perfect solution’ – this means it’s applied ‘opportunistically’. If the far end email service/server is configured to accept TLS – great – everything is secure end-to-end. If not – it drops back to unsecure delivery – and the risks of exposure that presents.

Gmail links to another page that goes into more detail about how TLS works – and again notes that it’s not going to work all the time:

“Whenever possible, Gmail protects your info by using Transport Layer Security (TLS) to automatically encrypt emails you send or receive. TLS doesn’t work with messages from some email services.

If you’re on a computer or Android device, you’ll know an email is not encrypted when you see the No TLS icon. It looks like an open red padlock.”

SafeTLS Trumps Opportunistic TLS Email Encryption

Where Gmail’s ‘opportunistic TLS’ is good, DataMotion SafeTLS is better. As an overlay to virtually any email service or address, SafeTLS checks the availability of TLS email encryption before it sends the message – and if it is not available, it falls back to an alternative email encryption method that is not dependent on the recipient’s email service or server – so it always works.

SafeTLS gives users and recipients the best of both worlds. TLS is great because it is virtually transparent to the sender and recipient – it just works, and there’s no complexity to receiving the message or attachments. But to be really confident your message is secure (READ COMPLIANT!) – SafeTLS is the way to go. Yes – there’s a small cost to have it. But exposing your secrets, or the regulated information of a patient, partner, or business associate – can cost a whole lot more – in reputation, notification costs, fines or intellectual property loss.

Is TLS email encryption good enough?

By Alex Mushkin

As most people are aware, the need for secure messaging, email encryption or email compliance is on the mind (or should be) of almost all managers inside every business. The need for TLS (Transport Layer Security) can stem from avoiding a data leak, ensuring there are no prying eyes on confidential information, or even something as simple as validating that someone received your message.

Working for an email encryption and security company I constantly get questions and inquiries about TLS and why using TLS isn’t “good enough”. Most of the time these questions are immediately followed by statements like “It’s good enough, and it’s free!” Free? Sure, but remember there is no such thing as a free lunch!

Here are a few different points that should be considered before making a decision on whether TLS is “good enough” for you and your organization’s email needs.

What is TLS?

Before any comparisons or pros and cons discussion, we need to establish what TLS actually is and where it is used. TLS stands for Transport Layer Security and is intended to secure the communications between two points. When we talk about TLS in relation to a web browser, we have the little “lock” icon on our URL bar showing a secure connection from the web server to your browser. This means that when you submit a form with your credit card information on it, no one can snatch that data if they intercept your web session.

The same applies to email. When one email server sends a message to another email server over TLS, the connection itself is encrypted so no one can intercept the payload. But the message data itself is still unencrypted; it is considered secure and compliant because it was sent over an encrypted channel.


When we talk about encryption in everyday conversation, we have openly accepted and use the “TLS” acronym to imply that it only applies to email and “SSL” as it applies to the web. In reality you can apply TLS encryption to a variety of protocols, including HTTP for the web and SMTP for email. For clarity, the predecessor of TLS is SSL, or Secure Sockets Layer, which was more commonly used on the web before email, hence the common associations of the acronyms. Now that we have a bit of a primer we can take a deeper dive and talk about workflows as they relate to email.

TLS and SPAM/Anti-Virus Workflows

When we talk about servers, we know that if TLS is used between two servers then that connection is secure. It is commonly assumed that if two servers both support TLS then the message is secure and there is nothing further to worry about. This is a VERY common misconception: it is mostly accurate, but some additional questions need to be asked about the recipient’s mail server.

Most companies have some kind of spam and anti-virus service in place. Those services or appliances inspect messages and, if the messages are deemed “OK”, pass them on to the receiving mail server. The question that needs to be asked is whether the spam or anti-virus service actually sends messages on to the receiving server over TLS. Just because a sender sent the message over TLS and something received it over TLS does not mean that the whole path to the receiving server is encrypted. That unencrypted hop is a potential point of breach. So where automatic or forced TLS delivery is in place, it is important to ask recipients whether true end-to-end TLS is implemented or whether there is a gap.

TLS and Replies

As the recipient of a message, you may need to reply securely. Just because a message arrived over TLS, there is no guarantee that the recipient’s sending email server will use TLS to send the reply. The question to ask the recipient’s IT team is about priority of use. For example, will TLS always be used? Is there a fallback to an encryption or delivery provider when TLS is not available? Is TLS even supported for sending messages?

The number of organizations I see that accept TLS because they have some kind of email spam or AV service, but don’t have TLS in use for inbound or outbound email on their own server, is more than I would like to admit. So if you are adopting TLS as your primary security method, it is important to establish trusted relationships with the people you send messages to and ensure that your email server (as the sender) is configured to deliver to those recipients only over TLS.

Special Considerations

Another point to consider as a sender is whether you want your message to sit in the recipient’s own mailbox with no secondary level of protection. Traditionally the answer is yes, but what if you are sending a confidential document or sensitive information like a routing or account number, and the person you are sending to has a traditional email account from a provider like Gmail? We would traditionally feel OK, since we know that Gmail supports TLS. However, we often don’t consider the risk of the account itself being breached. Put simply, if someone’s public email account is compromised, then the confidential information you sent them is compromised as well.

Yes, in the eyes of compliance you are covered, but there are ethical and best-practice issues that you should take into account. By requiring two-factor authentication, a login to a portal with a separate password, or even a message that exists only for a finite amount of time, you can protect confidential information regardless of whether the recipient’s primary account is compromised.

As a recipient there isn’t much you can do. When you are the one receiving content, you can insist that people send you confidential messages through their own secure portal system. In many cases you can use a custom portal or messaging center if your vendor provides one. The best practice is never to send sensitive information unless it is encrypted. Most secure email providers (DataMotion included) give you a way to reply to the sender securely; alternatively, you can initiate a new secure message so that your recipient can reply to you securely as well.

In closing, TLS is great for making sure that messages and data moving between servers and systems are encrypted from prying eyes. However, it is only part of a potentially complex equation, and it is in your best interest as a sender or a recipient to ask some key questions about how your information is sent, stored and delivered to its final destination. Just because something is an open standard or free does not make it the full answer to your needs. TLS is the foundation for solutions but may not be a solution in itself. So TLS email encryption is not always “good enough”; if your organization frequently handles sensitive information, you need a solution that is more reliable. To learn more about how DataMotion’s solutions can meet your organization’s needs, contact us.

Achieve Office 365 CJIS Compliance

Christian Grunkemeyer

Moving from an on-premises Exchange server to Microsoft Office 365 (O365) can have numerous benefits. Microsoft promotes its cloud productivity suite as yielding better collaboration, increased productivity and a reduced cost of ownership. Many state and local government agencies eager for those benefits are making a move to the cloud with O365. According to Microsoft, approximately 5.2 million people use Microsoft Cloud for Government services including Azure Government, Office 365 Government, and Dynamics CRM Online Government, an impressive figure. However, some government agencies need to access the FBI’s Criminal Justice Information Systems (CJIS) database to fulfill their mission. These agencies are bound by security rules that restrict their ability to use O365 to exchange CJIS information, or CJI for short, and must achieve Office 365 CJIS compliance before doing so. This information must be protected in motion and at rest whenever it is outside a secure CJIS datacenter. Specific rules and the entire FBI CJIS Security Policy are posted here.

According to its website, Microsoft will sign a CJIS Security Addendum for Office 365 CJIS compliance in states where they have established CJIS Information Agreements. At this time there are 26 states where Microsoft has a signed CJIS Security Addendum, the most recent being with Missouri (February 2017). States that don’t have CJIS approval for O365 as of March 2017 include Alabama, Connecticut, Florida, Idaho, Indiana, Iowa, Louisiana, Maine, Maryland, Mississippi, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Dakota, Ohio, Oklahoma, Rhode Island, South Dakota, Vermont, West Virginia, Wisconsin and Wyoming.

While these states are not prohibited from using cloud services, they must be able to demonstrate Office 365 CJIS compliance if using those services. For them to use O365 to transmit CJI and PII (Personally Identifiable Information), the following CJIS security policy sections must be addressed.

“5.8 Policy Area 8: Media Protection

Media protection policy and procedures shall be documented and implemented to ensure that access to digital and physical media in all forms is restricted to authorized individuals. Procedures shall be defined for securely handling, transporting and storing media.

5.8.1 Media Storage and Access

The agency shall securely store digital and physical media within physically secure locations or controlled areas. The agency shall restrict access to digital and physical media to authorized individuals. If physical and personnel restrictions are not feasible then the data shall be encrypted per Section 5.10.1.2.

5.8.2 Media Transport

The agency shall protect and control digital and physical media during transport outside of controlled areas and restrict the activities associated with transport of such media to authorized personnel.

5.8.2.1 Digital Media during Transport

Controls shall be in place to protect digital media containing CJI while in transport (physically moved from one location to another) to help prevent compromise of the data. Encryption, as defined in Section 5.10.1.2 of this Policy, is the optimal control during transport; however, if encryption of the data isn’t possible then each agency shall institute physical controls to ensure the security of the data.”

When an agency moves from an on-premises secure Exchange server to O365, emails containing CJI must be protected, and that is commonly done through encryption. While O365 does contain an email encryption capability, that encryption occurs after the O365 cloud receives the unencrypted data. For those 24 states without a Microsoft CJIS Security Addendum, this is a violation of CJIS security policy. To achieve Office 365 CJIS compliance, the email must be encrypted before it arrives in the O365 cloud, and must remain encrypted until it is received or retrieved by the intended recipient.

One solution to this issue is to employ a third-party email encryption solution designed to enhance the security of O365 and address the CJIS security policy issues. Such solutions offer more depth in encryption features and capabilities and integrate well with the Office 365 suite of applications. To achieve this end-to-end encryption requirement, the email can be encrypted at the Outlook client using an encryption plug-in, and routed through O365 to the recipient, or to an email encryption platform in a CJIS compliant datacenter to await recipient retrieval. In this way, O365 can be adopted while maintaining CJIS compliance for PII and CJI. You can learn more about securing email in Office 365 here.

Office 365 is a great tool and can offer state and local agencies many benefits, and with proper implementation it can meet the stringent requirements for CJIS security.

How safe are HTTPS connections? Not as safe as you think.

Alex Mushkin

While using the internet, there’s a chance that you’ve noticed some websites using HTTP connections while others use HTTPS ones. The major difference between these is that HTTPS connections are considered “secure” while HTTP ones are not. This begs the question, how safe really are HTTPS connections?

When making an online purchase, any reputable website will require a secure HTTPS connection before requesting payment information and completing the transaction. HTTPS is the ubiquitous method used by browsers and websites to securely exchange sensitive data. Its underlying encryption has historically been provided by SSL, which is a familiar term to many Internet users. SSL uses digital certificates and strong encryption to create a secure tunnel between a web browser and web server. For online purchases, it allows you to safely enter your account details, provide your credit card payment information and complete the transaction.

Unfortunately, weaknesses have been discovered in SSL encryption, making HTTPS connections not as safe as you’d expect. Attackers have exploited these weaknesses to break through its security protection. So the sensitive data you exchanged over an HTTPS connection may not be as protected as you think. Fortunately, HTTPS can use additional encryption protocols that don’t have the weaknesses uncovered in SSL. Specifically, the TLS or Transport Layer Security protocol can be used, and it’s already supported by a wide range of web browsers and websites.

But which websites support TLS, and better yet, which ones have disabled SSL altogether so that only the more secure TLS protocol can be used? Unfortunately, without running complicated third-party cryptography tools, it’s almost impossible to tell.
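Although the post says this is hard to tell without specialised tools, a standard Python install is enough to check what a server you operate actually negotiates. The script below is an added example, not code from the post or from DataMotion: it builds a client context that refuses anything below TLS 1.2 (and verifies certificates and host names), reports the version and cipher a host negotiates, and, for endpoints you are responsible for, tests whether the host still completes a handshake capped at TLS 1.0. No host names are assumed; pass the ones you want to check on the command line.

```python
import socket
import ssl
import sys

# Version strings as reported by SSLSocket.version(); anything outside this set
# is a legacy protocol that a hardened endpoint should refuse.
ACCEPTABLE_VERSIONS = frozenset({"TLSv1.2", "TLSv1.3"})


def is_acceptable_version(name):
    """Classify a negotiated protocol version string."""
    return name in ACCEPTABLE_VERSIONS


def hardened_client_context():
    """Client context: certificate and hostname verification on, nothing below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_summary(ctx=None):
    """Plain-data view of a context's settings, useful for asserting a deployment baseline."""
    ctx = ctx if ctx is not None else hardened_client_context()
    return {
        "minimum_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
    }


def negotiated_version(host, port=443, timeout=5.0):
    """Connect with the hardened context and return (protocol version, cipher name).

    Raises ssl.SSLError if the server cannot meet the TLS 1.2 floor or fails verification.
    """
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


def still_accepts_tls10(host, port=443, timeout=5.0):
    """True if the server completes a handshake capped at TLS 1.0, False if it refuses,
    None if the local OpenSSL build will not even attempt one (so nothing was learned)."""
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let the local library offer legacy suites
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    for host in sys.argv[1:]:
        version, cipher = negotiated_version(host)
        verdict = "ok" if is_acceptable_version(version) else "LEGACY"
        print(f"{host}: {version} {cipher} [{verdict}]; still accepts TLS 1.0: {still_accepts_tls10(host)}")
```

A `None` from `still_accepts_tls10` means the check was inconclusive on this machine, not that the server is fine; modern OpenSSL builds may refuse to offer TLS 1.0 at all, which is the right default for clients but gets in the way of an audit.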

In many ways, you place your trust in the vendors you do business with. DataMotion specializes in data security and compliance with privacy regulations. As a trusted supplier to thousands of organizations over the past 16 years, we do not take that trust lightly. As part of our continuous security operations, we stay informed of emerging threats like the SSL vulnerability and apply immediate corrective action. While the security changes occur behind the scenes, invisible to our users, the relationships we form with our customers are visible in everything that we do.

Opportunistic TLS – Two Good Ways to Put Your Email at Risk

Bob Janacek

Email encryption allows organizations to protect sensitive messages and increase their compliance with privacy regulations.  One common encryption method, known as opportunistic TLS, automatically tries to secure the path that messages take when they travel to recipient email systems.  Since this type of encryption is completely transparent to users, organizations often utilize opportunistic TLS to comply with privacy and security regulations.

Unfortunately, compliance strategies based on opportunistic TLS result in frequent breaches where sensitive data is sent over the public internet without encryption.

There are two main scenarios where breaches can occur.

First, and the most common case, is when recipient email systems do not support TLS encryption.  As a result, encrypted paths are not established for sensitive messages to travel.  Opportunistic TLS systems will then step down to standard delivery, and send messages to those systems without any encryption.
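This step-down is easiest to see next to its mitigation, the per-recipient forced TLS delivery recommended in the “TLS and Replies” section of the earlier post. The following Python model is an added example, not code from either post or from DataMotion: the policy names mirror the Postfix `smtp_tls_security_level` values `none`, `may` and `encrypt` (per-destination overrides live in `smtp_tls_policy_maps` there), while the destination domains, EHLO replies and policy map are constructed for the demo. Note that neither `may` nor `encrypt` verifies the recipient's certificate, and a STARTTLS offer from a cloud filter says nothing about the leg behind it, which is the second scenario below.

```python
from dataclasses import dataclass
from enum import Enum


class TlsPolicy(Enum):
    """Per-destination policy, modelled on the Postfix security levels of the same names."""
    NONE = "none"        # never attempt STARTTLS
    MAY = "may"          # opportunistic: use STARTTLS if offered, otherwise send in the clear
    ENCRYPT = "encrypt"  # mandatory: refuse to send unless STARTTLS is available


@dataclass
class FakeMx:
    """Constructed stand-in for a recipient's MX; only its EHLO reply matters here."""
    name: str
    ehlo_reply: list

    def offers_starttls(self):
        # RFC 3207: a server advertises STARTTLS as an EHLO keyword ("250-STARTTLS").
        return any(line[4:].strip().upper() == "STARTTLS" for line in self.ehlo_reply)


@dataclass
class DeliveryResult:
    domain: str
    policy: TlsPolicy
    outcome: str  # "sent-tls", "sent-plaintext" or "deferred"


# Constructed sample destinations (hypothetical domains, not from the posts).
PARTNER_MX = FakeMx("mx.partner.example",
                    ["250-mx.partner.example", "250-STARTTLS", "250 SIZE 10240000"])
LEGACY_MX = FakeMx("mx.legacy.example",
                   ["250-mx.legacy.example", "250 SIZE 10240000"])

# Policy map: only destinations whose end-to-end TLS has been confirmed get "encrypt";
# everything else falls back to the opportunistic default.
POLICY_MAP = {"partner.example": TlsPolicy.ENCRYPT}


def policy_for(domain, policy_map, default=TlsPolicy.MAY):
    return policy_map.get(domain.lower(), default)


def deliver(domain, mx, policy_map, default=TlsPolicy.MAY):
    """Decide what an MTA with the given policy does for one destination."""
    policy = policy_for(domain, policy_map, default)
    if policy is TlsPolicy.NONE:
        return DeliveryResult(domain, policy, "sent-plaintext")
    if mx.offers_starttls():
        return DeliveryResult(domain, policy, "sent-tls")
    if policy is TlsPolicy.ENCRYPT:
        # Mandatory TLS: the message stays queued (and eventually bounces) rather
        # than going out in the clear.
        return DeliveryResult(domain, policy, "deferred")
    # Opportunistic TLS: this is the silent step-down the post warns about.
    return DeliveryResult(domain, policy, "sent-plaintext")


def plaintext_deliveries(results):
    """The deliveries that would count as a breach for sensitive content."""
    return [r for r in results if r.outcome == "sent-plaintext"]


def run_demo():
    """Same two destinations, first with a purely opportunistic MTA, then with a policy map."""
    opportunistic = [deliver("partner.example", PARTNER_MX, {}),
                     deliver("legacy.example", LEGACY_MX, {})]
    enforced = [deliver("partner.example", PARTNER_MX, POLICY_MAP),
                deliver("legacy.example", LEGACY_MX, {"legacy.example": TlsPolicy.ENCRYPT})]
    return opportunistic, enforced


if __name__ == "__main__":
    for label, results in zip(("opportunistic", "enforced"), run_demo()):
        for r in results:
            print(f"{label:13} {r.domain:16} policy={r.policy.value:7} -> {r.outcome}")
```

The point of the `enforced` run is that the legacy destination is never silently downgraded: a deferred message surfaces in the queue where an operator can decide, whereas the opportunistic run reports success for both and the plaintext delivery goes unnoticed.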


The second case, also frequently encountered, is when the recipient utilizes a cloud-based anti-virus and anti-spam service.  These services often support TLS when receiving email, so a sending system configured for opportunistic TLS believes it has delivered the message securely to the recipient’s email server.  Actually, the message was delivered securely to an intermediary.  There is no way for the sending system to know if the next leg of the message’s journey, from the cloud service down to the recipient’s email system, is actually secure.  Unfortunately, in most cases, this leg of the message’s journey is not TLS enabled, so messages travel over the public internet in unencrypted form.  And as a result, a breach in compliance regulations has occurred.
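The gap described here, and in the “TLS and SPAM/Anti-Virus Workflows” section of the earlier post, does leave a trace in the delivered message: every mail server that handles it prepends a Received header naming the protocol it accepted the message with (ESMTPS, ESMTPSA and similar keywords for TLS; plain ESMTP or SMTP otherwise), so the recipient can read the chain back and see which leg ran in the clear. The script below is an added example, not code from either post or from DataMotion. It walks the Received headers in delivery order and flags hops without any TLS indication; the sample message, host names and addresses are constructed for the demo, with the cloud-filter-to-mailbox hop deliberately accepted over plain ESMTP.

```python
import email
import re

# Constructed sample message (not from the posts). Received headers are read top-down
# as newest-first, so the topmost hop is the last one: the cloud filter handing the
# message to the recipient's own server with plain ESMTP, i.e. without TLS.
SAMPLE_MESSAGE = """\
Received: from filter.cloud-av.example (filter.cloud-av.example [192.0.2.10])
\tby mail.recipient.example (Postfix) with ESMTP id ABC123
\tfor <alice@recipient.example>; Mon, 01 Jul 2019 10:00:03 +0000
Received: from mail.sender.example (mail.sender.example [198.51.100.5])
\tby filter.cloud-av.example (Postfix) with ESMTPS id DEF456
\t(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256)
\tfor <alice@recipient.example>; Mon, 01 Jul 2019 10:00:02 +0000
Received: from workstation.sender.example ([10.0.0.7])
\tby mail.sender.example (Postfix) with ESMTPSA id 789XYZ
\tfor <alice@recipient.example>; Mon, 01 Jul 2019 10:00:01 +0000
From: bob@sender.example
To: alice@recipient.example
Subject: quarterly statement

(body omitted)
"""

# "with" keywords that mean the hop was accepted over TLS (RFC 3848 and later registrations).
TLS_WITH_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}

# from <host> ... by <host> ... with <protocol>; the clauses are free-form, so keep it lenient.
HOP_RE = re.compile(
    r"\bfrom\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<with>\S+)",
    re.IGNORECASE,
)


def audit_received_chain(raw_message):
    """Return the hops in delivery order; tls is True, False, or None when the header is unparseable."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:
            hops.append({"raw": text, "from": None, "by": None, "with": None, "tls": None})
            continue
        with_kw = m.group("with").upper()
        # Some MTAs write "with ESMTP" but add "(using TLSv1.2 ...)" or "version=TLSv1.2",
        # so also accept an explicit TLS mention anywhere in the hop.
        tls = with_kw in TLS_WITH_KEYWORDS or re.search(r"\bTLS", text, re.IGNORECASE) is not None
        hops.append({"raw": text, "from": m.group("frm"), "by": m.group("by"),
                     "with": with_kw, "tls": tls})
    return hops


def plaintext_hops(raw_message):
    """Hops demonstrably accepted without TLS; unknown (None) hops are left for manual review."""
    return [h for h in audit_received_chain(raw_message) if h["tls"] is False]


def report(raw_message):
    lines = []
    for i, h in enumerate(audit_received_chain(raw_message), 1):
        status = {True: "TLS", False: "PLAINTEXT", None: "UNKNOWN"}[h["tls"]]
        lines.append(f"hop {i}: {h['from']} -> {h['by']} ({h['with']}): {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_MESSAGE))
```

Received headers are written by the receiving server at each hop, so hops behind a server you do not control can only be trusted as far as that server is; the audit is still the quickest way for a recipient to answer the question the post says senders cannot.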

Despite the problems of opportunistic TLS, delivering messages by TLS when possible is still a good method to protect sensitive data. However, it should only be enabled on a case-by-case basis, when end-to-end encryption between email systems can be confirmed. As a holistic secure data delivery system, DataMotion SecureMail ensures that all of your messages are delivered with end-to-end security. It does this by supporting a variety of delivery methods, including TLS. This allows your organization to easily exchange sensitive data with the widest range of customers, partners and vendors while maintaining compliance with privacy regulations.

Best Practices: HIPAA Email Compliance – Patient Records

Team DataMotion

With new HIPAA regulations, patients can have even more access to their medical records. With many patients wanting to receive their information by email, does your organization know the best practices for emailing patient records in compliance with HIPAA?

In January 2016, the HIPAA regulation got more teeth in the area of providing patients their medical records on request (files, notes, diagnostic images, lab results, C-CDAs). The US Department of Health and Human Services published detailed FAQs regarding patients’ rights with respect to requesting their medical records from their care providers:

  • Request full medical records from all HIPAA-covered entities, e.g.
    • labs, imaging and surgery centers
    • insurance plans, hospitals, pharmacies, and physicians
  • HIPAA covered entities have 30 days to respond
  • Provide in the format requested by the consumer
    • Electronic format
    • Specific messaging format

Under 45 CFR § 164.524, available at http://www.hhs.gov/hipaa/for-professionals/privacy

The Department of Health and Human Services has produced some educational videos for consumers (patients), informing them of their rights and showing some role play at the doctor’s office. There’s also an HHS infographic, which you can find below, that explains the rule as well.

As a secure messaging company, we felt some initial dismay at the videos and written guidance HHS provides patients:

“…..covered entities must safeguard the information in transit, and are responsible for breach notification and may be liable for impermissible disclosures of PHI that occur in transit.  The only exception arises when an individual has requested that the PHI be sent to the third party by unencrypted e-mail or in another unsecure manner, which the individual has a right to request.  As long as the individual was warned of and accepted the security risks to the PHI associated with the unsecure transmission, the covered entity is not responsible for breach notification or liable for disclosures that occur in transit.”

Wow – unsecure email is OK for sending PHI (Protected Health Information) as long as the healthcare provider warns the patient that there is a security risk, and the patient accepts that risk. How do you track that? Is it realistic to think both sides of that transaction will be truly cognizant of the requirement to inform, and the real security risk?

I turned to our CMO, Dr. Peter Tippett for some guidance and perspective. What’s the best practice for a physician’s office to be in compliance with HIPAA when emailing medical records to a patient?

His response – so practical, and sensible:

Covered entities should always use some form of secure messaging when emailing medical records to patients for several reasons.

  1. Email encryption, logging and other HIPAA requirements are expected and required UNLESS the patient EXPLICITLY is warned, and EXPLICITLY agrees to unencrypted mail.  Keeping these warnings and permissions straight and getting the right message to the right patient via the right modality will fall in the “too hard” category for most covered entities.
  2. Covered entities will worry because they will be sued anyway if a patient, for example, agrees to receive blood test results one week; and a few months / years later, gets sent something truly private, which is exposed because it was regular email.
  3. Most patients will not answer the question at all as to whether or not it would be OK after a warning to send the message via regular email – which could lead to errors, a hard stop in the workflow, and the risk of not meeting the 30-day delivery window.
  4. The fact that at least some patients will want the message securely, will require all covered entities to have a solution.

Given that email is such a convenient way to exchange files, and email encryption solutions such as DataMotion SecureMail are so affordable and easy to use for senders and recipients, this new HIPAA measure is another driver for adoption by covered entities. It also enables files up to 2GB, perfect for diagnostic images. It’s a small price to pay for HIPAA email compliance (and happy patients)!

[HHS infographic: health information rights]
