Posts Tagged :

Project

Green background with white cross icons on top of it
Healthcare Provider Directory Boosts Direct Secure Messaging Value 1024 403 Team DataMotion

Healthcare Provider Directory Boosts Direct Secure Messaging Value

The Direct Secure Messaging network overseen by DirectTrust.org is growing rapidly. At mid-year 2019, there are over 190,000 clinical organizations using Direct, and almost 2 million addresses have been issued. This critical mass has the power to enable interoperable health information exchange between disparate systems nationwide, but recipient addresses must be easily discoverable in order to achieve this. Luckily, many health information service providers (HISPs) provide access to a DirectTrust federated directory known as the Healthcare Provider Directory (HPD). This directory grants you access to a constantly growing Direct subscriber database, allowing you to easily discover recipient addresses.

What to Look For in a Healthcare Provider Directory (HPD):

When choosing an HPD, there are a variety of different features that you should be on the lookout for. Some of the key features that we recommend you search for are:

  • The ability to search for a recipient by multiple criteria, including:
    • Provider name
    • National Provider Identifier (NPI)
    • Medical specialty
    • Function/role
    • Etc.
  • HPD sharing agreements with other Health Information Service Providers (HISPs) and the DirectTrust organization
  • Integration with the nationwide NPI registry. This enables updates and appends data for individual records in the directory

So, How Can the DataMotion HPD Meet Your Needs?

DataMotion Direct Community Web Portal Users

All users of our DataMotion Direct Community Web Portal (CWP) have access to the DataMotion HPD through the search field integrated into the CWP Address Book function. This address book allows you to search by a variety of criteria including by provider name, organization, location, NPI, or specialty, making it easy to find your intended recipient address. Once an address is found, all you have to do is set the address in a message or save it to your address book.

DataMotion Direct Integration Partners

Are you a DataMotion Direct Integration Partner? If you are, then you receive comprehensive access to the DataMotion HPD via the HPD Web Services API for EHR software vendors and other health IT solution providers. This allows HPD integration into an application user interface. The web services API exposes search functionality using the same parameters so it can be integrated into existing software and workflows.

Infographic of Data Motion HPD

What Kinds of Features and Benefits are We Able to Offer Your Organization?

  • Extensive Data Set – With over 20 searchable data fields, you can expect much better search accuracy
  • NPI Registry Integration – Our HPD regularly checks the NPI Registry, meaning it is constantly up-to-date and appending data for individual records in the directory
  • API access – Allows you to integrate HPD search/retrieval into your existing applications and workflows
  • HISP partnerships – Allows us to continuously expand the DataMotion HPD and make DataMotion Direct addresses discoverable to other providers across the country

If you’re ready to learn more, please contact us.

Contact Us

Join our Newsletter

Blurred cars driving quickly through a tunnel
Adding a Secure Message Center to Self-Service Portals and Apps 1024 403 Christian Grunkemeyer

Adding a Secure Message Center to Self-Service Portals and Apps

Self-service started long ago with things like the self-service gas pump (1947) and automated teller machine (1967) – primarily for economic reasons. Self-service often helps to reduce the cost of doing business, and when it comes to digital self-service – is available 24×7. But ever since the introduction of online banking and online brokerage services, the idea of “self-service” has become increasingly more important – particularly in financial services. Account holders want online access to view a balance, initiate payment transactions, buy investments or to check credit account charges – from portals and smartphone apps. A perfect self-service arrangement – convenient and efficient for both the consumer and the business. But every self-service process can reach its limit – and then customers want an equally effective communication channel to get help. That’s where a secure message center becomes a key link between efficient self-service and efficient customer service.

Infographic displaying how secure message centers work with internal users and external clients

What is a secure message center?

A secure message center adds web-mail, web-form or web-chat services natively to financial services self-service customer portals or apps so that clients can easily ask questions about their account and even share supporting files or images (receipts for a credit charge dispute, a tax return as part of a loan application process). Client messages and files are routed to responsible employees – account teams, support personnel, or contact center agents for a response. Case numbers may be assigned for tracking in ticketing systems, and response notifications are sent via email or SMS text channels to notify customers of a waiting reply. For security and regulatory compliance reasons, the message content (and any uploaded file or image attachments) must use encryption for security, and detailed logging and tracking reports which provide history and proof for compliance audits.

How is a secure message center enabled?

Enabling an efficient secure message center requires an assessment of the workflows end-to-end. What type of inquires are expected? Can they be categorized for efficient routing? What is the log-on process to use it? How should the secure message center look? What type of message features does it need? What type of file attachments do customers need to upload and share? Which employees need to respond to messages? What type of applications and user interfaces will the employees use to receive messages? There’s a litany of questions that will drive the design and requirements for the secure message center – all centered around making the communications workflow as seamless and efficient as possible.

Figure: Secure Message Center architecture

Infographic for DataMotion's SDX Platform

How should customers access a secure message center?

Secure message centers have evolved from traditional email encryption services, which provide similar security and tracking features, but generally force users to create a separate login on a separate web-portal to send or receive secure messages. By contrast, an integrated secure message center shares a financial services portal login (via SSO techniques) at a minimum, and at best – blends seamlessly into the service portal’s user interface. Taken a step further – corresponding mobile apps can be offered as an alternative to web portal access and the secure message center features and functions are replicated in the mobile app as well. Under the hood – this requires a secure messaging service that supports SSO services and exposes web service APIs for the secure messaging service functions, management and provisioning. This simplifies the addition of secure message center features in financial services self-service portals and mobile apps.

How do employees access the secure message center?

For account management and lower volume, or ‘un-categorized’ inquires – an email client such as Outlook may be most suitable. For high volume, contact center workflows, employees will often use a CRM like Salesforce Service Cloud to manage the customer database, automate and track customer interactions for support and retention – even for marketing and sales touchpoints. So, the secure message center must integrate with the backend applications and UIs that your employees use, while maintaining end-to-end message security and verifiable compliance with security policy and privacy regulations – always ‘must have’ table stakes of a secure message center design for financial services firms.

The benefits to digitally integrating and transforming your self-service customer portal

By updating your self-service customer portal and mobile apps with a secure message center, you can transform the way you and your customers/clients work together. Your customer feels enabled to easily do business with you. Your response and outreach are more complete and efficient. And, your business can often reduce costs. A win-win for everyone. This solution is a notch on the belt of “digital transformation” and how to improve the interaction between clients and your customer teams that respond to their needs.

Want to learn more about how to secure workflows in self-service customer portals? Visit us at the DataMotion Developer’s Center, financial services solutions pageor Contact Us for a consultation.

Find out the 10 questions you should ask when implementing a secure message center

Get Whitepaper

Join our Newsletter

Hand holding an animated white hand with a stick coming out of it
What Are Open APIs and FHIR for Health Information? 1024 403 Team DataMotion

What Are Open APIs and FHIR for Health Information?

In 1989, Health Level Seven International (HL7) released HL7 V2 to ensure enterprise-level interoperability across the healthcare industry. HL7 was followed up with HL7 V3 in 2003, which was based on XML coding. However, the limitations were quickly known — it was not backward compatible and lacked the interoperability, flexibility, real-time data exchange capabilities and applicability of modern technologies.

In 2014, HL7 released the Fast Healthcare Interoperability Resources’ (FHIR) standard, defining rules for how healthcare information can be electronically exchanged. FHIR uses a RESTful application programming interface (API) approach, making it web-friendly and allowing developers to access and exchange healthcare data in a more efficient and standardized manner. It modularizes resources, which are individual pieces of data such as patient records, observations and medications. These resources can be combined to create comprehensive health records and enable better interoperability among healthcare systems and applications.

The use of open APIs simplifies the process of sharing and accessing information among various healthcare players and systems. The healthcare industry has widely adopted Direct Secure Messaging as well as FHIR due to its flexibility, ease of implementation and suitability for various healthcare scenarios.

How Are FHIR Open APIs Used?

FHIR APIs have a wide range of uses in the healthcare industry. Below are some of the common ways FHIR APIs are utilized:

  • Patient portals: FHIR APIs allow patients to access their health data through web or mobile applications. Patients can view their medical history, test results and prescriptions, promoting improved patient engagement and better self-care.
  • Electronic health record (EHR) integration: FHIR APIs allow healthcare providers to integrate EHR systems with other applications, allowing for the seamless exchange of patient information between different healthcare organizations and facilities.
  • Telemedicine and remote monitoring: FHIR APIs enable telemedicine platforms, allowing healthcare professionals to provide remote care and consultations. APIs also enable real-time monitoring of vital signs and medication management.
  • Clinical decision support: FHIR APIs support the retrieval of patient information from EHRs and other systems to provide evidence-based recommendations and alerts.
  • Medical research and clinical trials: Researchers can use FHIR APIs to access and share patient data for clinical trials and streamline data collection and analysis while maintaining patient privacy.
  • Mobile health and wearable devices integration: FHIR APIs can be used to integrate data from health and wellness-focused mobile apps and wearable devices for improved patient care and tracking overall public health.
  • Government and public health initiatives: Government agencies and public health organizations can use FHIR APIs to collect, analyze and share health data for disease surveillance, health policy formulation and public health campaigns.

The use of FHIR APIs has become crucial for managing healthcare data — so much so that the Office of the National Coordinator for Health Information Technology (ONC) now mandates the use of FHIR APIs in EHR programs for Meaningful Use.

What Are the Advantages of FHIR APIs?

FHIR APIs offer several advantages that contribute to improved interoperability, resulting in improved patient outcomes. Some of the key advantages include:

  • Standardized data exchange and interoperability: The use of FHIR APIs provides a standardized framework for data exchange. This ensures the data is uniformly structured and formatted, making it easier for various systems and applications to interpret and manage.
  • Modularity and granularity: FHIR APIs are designed with modularity and granularity in mind, allowing developers to retrieve only the data they need. This reduces data transfer overhead and minimizes the risk of sharing unnecessary data.
  • Efficient development: Interacting with healthcare data is made easier with FHIR APIs, providing a standardized approach to development. RESTful APIs are commonly used in non-healthcare industries, making it easy to find developers. With the availability of numerous tools, libraries and documentation, developers can seamlessly integrate FHIR APIs into their applications.
  • Real-time data access: Accessing patient data in real-time through FHIR APIs improves the accuracy and timeliness of care provided.
  • Migration and integration: FHIR APIs can be used to migrate data from legacy systems to modern EHRs, improving data accuracy and consistency.

What Are the Challenges of Open APIs/FHIR?

While open APIs and FHIR have come a long way in the past few years, as with any new technology, some challenges are to be expected. For example, managing various versions of FHIR and ensuring backward compatibility can be a challenge, particularly when updates to the standard are issued. FHIR implementations can vary between EHR vendors and healthcare systems, leading to inconsistencies in how data is exchanged.

A lot of healthcare organizations do not possess the required IT knowledge to efficiently set up and manage FHIR API systems. Hence, these organizations partner with web service API providers such as DataMotion.

Trust API and FHIR Healthcare Solutions from DataMotion

The DataMotion Direct Secure Messaging service and DataMotion Direct APIs are datasharing techniques complementary to the FHIR Open API standard. DataMotion works with partners to leverage health information exchange techniques for innovative new solutions that enable patient engagement, care management, care transitions and patient enrollment.

Contact our sales team to increase interoperability with FHIR open APIs.

Updated September 25, 2023

Do you want to learn more about how your organization can leverage Open APIs/FHIR?

Contact Us

Join our Newsletter

Blue background with numbers and rectangles
Is Encryption Enough to Protect Yourself? 1024 403 Bob Janacek

Is Encryption Enough to Protect Yourself?

With a continuing increase in cybercrime, businesses have turned to encryption to protect themselves and their data online. Recently, high-profile data breaches have added a sense of urgency for enterprises to ensure their employees are taking preventative action as part of their day-to-day business. Should businesses fail to implement procedures to safeguard the data of their enterprise and customers, they may be subject to fines, bad publicity and a lack of trust amongst customers.

To protect personally identifiable information (PII) and personal health information (PHI) while it is transmitted from one system to another, businesses often implement a secure messaging and document exchange solution. Those requiring seamless secure exchange capabilities within their workflows may integrate a solution, such as DataMotion’s secure message center to enable compliance while not compromising the user experience.

However, using encryption is not always enough to protect your business from malicious attackers. In this blog post, we’ll cover the reasons why a robust data security plan that extends beyond just encryption and other software solutions is important to keep your enterprise data safe.

Is Encryption Safe if Using a VPN?

Security services such as a Virtual Private Network (VPN) encrypt your internet connection. Some businesses believe relying on a VPN alone offers enough protection because it uses a type of encryption to encode data. While VPNs are often a crucial component of data privacy and safety, they are far from comprehensive. In fact, some countries regulate, or even ban, VPN usage, leaving businesses that operate in those areas without a VPN component entirely.

VPN encryption adds an extra layer of protection for browsing activity and sent or received files, and it’s ideal for businesses working with a distributed team or remote employees. That said, even businesses with the most robust VPN membership are still vulnerable to threats such as:

  • Malware, spyware, and viruses
  • Phishing schemes
  • Compromised files and websites
  • Unauthorized server access
  • Online hacking
  • Account mismanagement
  • Unsecured data storage
  • Data loss through natural disasters
Why Encryption Alone Won't Protect Your Enterprise Data

Encryption Alone Won’t Protect Your Enterprise Data

Your business can (and should) use encryption to protect sensitive information and confidential communications. But this should be part of a larger strategy. If a cybercriminal finds a vulnerability somewhere along the data transmission path, or by getting their hands on your data encryption keys, your encrypted enterprise data can still be hacked and your systems compromised.

Below are five reasons why encryption as a sole line of defense isn’t enough to protect your enterprise data:

1. Limited Protection

Encryption converts data into ciphertext, which usually prevents hacker access to it in the first place. Though they can try to bypass it, a high level of encryption, such as AES 256-bit, will provide a strong layer of protection that can take several years to crack. Most software (including DataMotion’s pre-built solutions and APIs) utilizes AES 256-bit encryption.

No matter how high its level, encryption alone does not prevent hacking. If hackers can’t bypass your encryption they will seek out other access points to your enterprise data. Encryption only protects whatever is encrypted, such as your internet connection, email, or files, but it does nothing to prevent you from other online threats. For example, a VPN might encrypt your internet connection, but your online accounts could still get hacked.

Email is particularly vulnerable as it can be intercepted and read. Most services, including popular ones such as Google, can’t guarantee their email is encrypted from every angle.

For example, if you are sending mail from one Gmail account to another Gmail account, great; if you’re sending it “out of network,” Google’s encryption no longer works. There are a number of solutions available to help here. Third-party services, such as those that use SafeTLS, help fully encrypt your email messages, something you won’t find included as a default in just regular old email. Other, more robust and integrable services, such as DataMotion’s secure message center, are available to build secure exchange into an enterprise’s workflows so you can easily and efficiently send sensitive data at scale.

Encryption is a roadblock for hackers, but not a door to a vault–they will simply find another way inside. It’s important to understand that using encryption is still helpful, but you’ll also need to use other methods to prevent data breaches to protect yourself online.

2. Online Threats Remain a Risk

Encryption and a VPN can protect you against malware that is injected onto your device by a hack via your internet connection, but it doesn’t safeguard against clicking on malicious hyperlinks or inadvertently leaving your accounts open to attacks. You still need to avoid visiting risky sites and downloading potentially harmful files.

In a 2021 survey, more than half of the respondents with known data encryption issues cited unencrypted cloud services as a significant part of the problem. For businesses that rely on the cloud for data storage and communication, inadequate encryption could be a costly oversight.

It’s also easy to forget that mobile devices are at risk. There are apps available to encrypt your internet connection and files, but accessing the internet on a mobile device poses the same risk it would as if you were on a regular computer.

3. Inadequate Vendor Vetting Creates Vulnerabilities

Even if you encrypt your internet connections and use caution when visiting websites and downloading files, the risk of a data breach remains. The threat may even lie with your vendors. Take the recent SolarWinds breach for example. A hacker injected malicious code into the vendor’s software update, the update was released, and once the update was deployed a hacker was able to walk right into the systems of a SolarWinds’ customer and steal their data.

Ensuring your vendors take proper precautions to protect their systems is one way to reduce the risk of this type of attack. For instance, DataMotion takes a zero-trust approach to security and uses military-grade encryption to secure your data in motion and limit access to only those people and systems who require it.  

Read more about the SolarWinds breach, as well as how to protect yourself from ransomware.

4. It Doesn't Replace Basic Net Security

Even though complete immunity from cyberattacks doesn’t exist, learning about basic net security is likely to keep you much safer compared to the average internet user. When you are aware of the risks of completing certain tasks and know how to spot subtle details, you’ll eventually be able to notice suspicious ads, websites, links, messages and scams in advance.

If you’re running a business, be sure to train your employees so they can also help prevent cyberattacks. Having your employees properly educated on internet security is especially important if they have access to customer data or any devices that contain personal information of any kind. Update training materials and have ongoing awareness plans to keep your team up to date on emerging security risks, especially any that are trending in your specific industry. While you’re at it, take the time to review your current security infrastructure. Remember that security that is complicated won’t get used. If your current security measures are difficult to navigate or disrupt workflows, employees may bypass them, even if they’re aware of the risks.

Consider installing an anti-virus program if you don’t already have one, as it will allow you to scan for malware and remove it. It would be a good idea to use other security software as well, particularly ones that serve different purposes, so you have a higher level of protection overall.

You should also make sure you keep your encryption keys safe — many businesses make the mistake of storing this information on an unsecured server, like an unencrypted cloud platform, or keeping them in the same place as sensitive data.

5. Encryption Can't Prevent Accidental Data Loss

Human error continues to play a pivotal role in data loss across industries. In fact, an IBM study found that it is a major factor in 95% of data breaches. No matter how highly-encrypted your data is, it is still susceptible to being transmitted to the wrong recipient via email, or otherwise shared via incorrect attachments or unsecured encryption keys.

Pairing encryption with other security and privacy tools, such as a content filter that detects (and then, in some cases, encrypts) sensitive information, and having a detection and escalation plan in place for accidental data misuse is most effective.

Get Tips, Tricks & Techniques Delivered Once a Month

Subscribe to the DataMotion Newsletter and be the first to know the latest news about DataMotion, industry trends, and best practices surrounding secure exchange.

Subscribe

How to Protect Your Business Against Online Threats

We’ve established why it isn’t possible to stay protected with encryption alone — so what can you do to keep your enterprise, employee, and customer data safe?

Some of the larger, common risks include data being leaked and deleted from your device and database, accounts being compromised, your device being affected by malware, and identity theft because of leaked information. A few basic ways you can keep yourself safe — other than using security software — include:

  • Develop safer online habits. Be cautious when clicking on links and ads. Before clicking, hover your mouse over the URL to see what page it really links to. Keep an eye out for subtle differences in the text and appearance of sites or emails as well, since there are a lot of ways an individual can be easily tricked into handing over personal information. And be careful what you share on social media, don’t overshare personal information that may be used in your password or security questions. Finally, avoid storing passwords on your web browser and log out of your accounts when you’re done using them.
  • Secure your accounts with strong passwords. An ideal password is a combination of numbers, uppercase and lowercase letters, and symbols. Your passwords should exclude any personal information, single words found in the dictionary, and anything that could be linked to your identity. Avoid reusing passwords—this makes it easier for hackers to access more than one of your accounts if you’re using the same password for multiple logins.
  • Use multi-factor authentication for added security. A strong password isn’t always enough. If a hacker guesses your password or steals it from another source, they will gain access to any accounts with that same password. Multi-factor authentication requires employees to complete an extra step to verify their identity after entering their password. This may include steps such as entering a one-time code sent to their email or cell phone or using an authentication app on their smartphone. Along these lines, ensure that your software vendors support multi-factor authentication so you can secure those systems as well.
  • Pay attention to news about internet security. If there is a common scam going around, you’ll likely hear about it. Set up online notifications, such as a Google Alert, to notify you whenever there is a new data breach or scam in the headlines. When a new event occurs, you’ll be notified via email right way so you can quickly take the appropriate actions to secure your systems.
Connect and Exchange Data Securely with DataMotion. Contact Us.

Connect and Exchange Data Securely with DataMotion

An encrypted connection can keep hackers out; it can also keep your email from being read if intercepted. But encryption cannot prevent human error, such as manually downloading malware—or preventing your account from being stolen by cybercriminals if you do.

There’s no doubt that encryption can be helpful in protecting your privacy and data at the very least, but a robust, multi-layered approach to security is often the best choice. Most of all, you will have to do your part to keep yourself (or your business) safe, and that means knowing what to look for and avoid.

A secure messaging platform that complies with industry standards and protects data while at rest and in transit helps mitigate the risk of a data breach while simplifying your workflow. Our suite of pre-built solutions, APIs and no-code solutions offer easy-to-use and highly secure, top-level protection without the need for encryption keys. Your team gets better visibility and control, and you get peace of mind knowing that your sensitive business and customer data is safe and secure.

Explore our industry-specific services to learn more, or contact our team of security experts to see how DataMotion services can help streamline and secure your day-to-day enterprise operations.

Want to learn more about securing your communications?

Schedule a demo with our sales team today.

Schedule a Demo

Join our Newsletter

Purple browser windows with white mail icons above them
Unveiling Email Vulnerabilities: Is TLS Email Encryption the Complete Answer? 1024 403 Bob Janacek

Unveiling Email Vulnerabilities: Is TLS Email Encryption the Complete Answer?

Digital information exchange is paramount, and the security of sensitive data is equally as significant. Various encryption protocols must be deployed to maintain the highest levels of security, ensuring the integrity and confidentiality of digital communications. One such essential technique is Transport Layer Security (TLS). This comprehensive discussion aims to delve into the intricate details of TLS, analyze its potential vulnerabilities, and strategize its effective utilization.

What is TLS: Understanding the Transport Layer Security (TLS) Protocol

Transport Layer Security (TLS) is a standard protocol that facilitates authentication, privacy, and data integrity in interactions between two computer applications. TLS is the most extensively used security protocol today, ideal for applications that require secure data transfer over a network, including web browsers, file transfers, VPN connections, remote desktop sessions, and VoIP. TLS is also being incorporated into modern cellular transport technologies like 5G to safeguard core network functionalities across the radio access network (RAN).

At its core, TLS is a cryptographic protocol that provides communications security over computer networks. Widely used for internet communications and online transactions, TLS aims to ensure privacy and data security between communicating applications and their users over the internet. However, it’s critical to remember that while TLS secures the communication channel, it does not inherently encrypt the payload, leaving it in plaintext and potentially exposing it to security vulnerabilities under certain conditions.

“Good Enough” Isn’t Always Good Enough

Ensure your sensitive data is delivered securely, regardless of the recipient’s endpoint. Learn more about our advanced encryption standard and secure exchange integrations today.

Learn More

TLS vs. Secure Sockets Layer (SSL)

When discussing encryption, TLS and SSL are often used interchangeably, but it’s important to understand the minute distinctions to make informed decisions regarding data security and compliance. TLS is the more modern and secure protocol. It protects data while being transferred between applications over a network. In contrast, SSL, TLS’ predecessor, was commonly used to secure web communications before the adoption of email encryption. Today, both play a crucial role in securing different parts of the email process.

When an email is sent, either TLS or SSL can encrypt the connection from the sender’s mail server to the recipient, preventing unauthorized access and interception of the email content during transmission. It’s important to understand that both TLS and SSL do not encrypt the actual email content, only the connection. To achieve end-to-end encryption, additional data protection measures are necessary, such as using a specialized secure data exchange solution, like DataMotion’s secure message center, to ensure the secure handling of sensitive information.

Opportunistic TLS: A Beneficial Yet Risky Solution

The spotlight is often cast on Opportunistic TLS, an automatic variant of TLS that aims to secure data transmission. Its allure lies in its ability to establish a secure TLS connection without requiring user intervention. This balance between usability and security is appealing but has its shortcomings. The trade-off of this intuitive approach is often the inadvertent transmission of sensitive data over public networks without encryption. Consequently, reliance on Opportunistic TLS risks non-compliance with stringent data protection regulations.

Investigating Breach Scenarios in Opportunistic TLS

The potential vulnerability of Opportunistic TLS is particularly noticeable in two common scenarios. In the first instance, when the recipient’s email system does not support TLS, Opportunistic TLS fails to establish an encrypted connection. The system falls back to unencrypted transmission, exposing sensitive data to security threats.

For instance, many major cloud email providers like Gmail and Yahoo Mail have been using TLS to secure their email connections for several years. In Gmail, you’ll recognize that a message was sent over TLS by clicking on the ‘details’ of the message. If you see “Standard (TLS)” on web or the lock icon in the Gmail app on your mobile device, you’ll know that your message was sent securely. However, for TLS to work, the receiving server must also employ TLS encryption. If your recipient does not, then Gmail will revert to unencrypted transmission, leaving your message content vulnerable to a breach.

A screenshot of gmail highlighting the "Standard encryption (TLS)" lock icon indicating that a message was sent with TLS

The second scenario arises when the recipient uses a cloud-based anti-virus or anti-spam service. Despite supporting TLS for receiving emails, these services often create a false sense of security. The sender system may be under the illusion that the message has been delivered securely, while in reality it was delivered securely to the intermediary (the anti-virus or anti-spam service). However, the journey from this intermediary to the recipient’s email server often lacks TLS encryption, leading to an unencrypted transmission over public networks and a breach in compliance.

Demystifying Misconceptions Surrounding TLS and SPAM/Anti-Virus Services

Further exploration into email encryption necessitates debunking misconceptions about TLS and SPAM/Anti-Virus services. While it’s true that these services contribute to data protection, they do not guarantee comprehensive security. A decisive factor in securing data is ensuring the secure transfer of messages via a TLS-enabled connection. A potential security gap can emerge when this level of protection is absent, opening the door to possible data breaches.

Moreover, assuming that all replies to messages received over a TLS connection are inherently secure is erroneous. The validity of this assumption hinges on whether the recipient’s server employs TLS encryption for outgoing messages, which is contingent on the recipient’s IT policy.

Defining Robust Compliance Strategies

In the quest for data security, organizations must recognize the importance of implementing secondary protective measures alongside TLS. Mechanisms like two-factor authentication, secure portal logins with unique recipient passwords, or setting a lifespan for messages offer additional layers of protection. These protocols enhance data security and mitigate the risk of breaches, even when potential vulnerabilities exist in the recipient’s primary email account.

Need to ensure that your communications are sent and received securely?

Ensure Complete Encryption

Maximizing the Benefits of Secure Data Delivery Systems

Advanced secure data delivery systems like DataMotion’s secure message center offer an integrated solution to address concerns around data security. By supporting various delivery methods, including clickless SafeTLS, these platforms facilitate the safe exchange of sensitive information across a wide range of recipients while ensuring adherence to privacy regulations. Instead of falling back to unencrypted delivery, the secure message center provides end-to-end encryption for messages that cannot be sent with TLS. Additionally, by offering simple methods for recipients to securely reply to the sender, it reduces the risk of sensitive data being exchanged over an insecure channel. Implementing such systems underlines the importance of ensuring end-to-end encryption between email systems before enabling TLS.

Concluding Thoughts: Leveraging TLS and Beyond for Enhanced Data Security

Navigating the digital landscape, it becomes clear that while TLS is a powerful tool, there are more encompassing solutions for data security challenges. Its effectiveness depends largely on correct implementation, integration with existing workflows, and additional security measures in place. Organizations handling sensitive data must approach reliance on TLS or Opportunistic TLS cautiously. Implementing a comprehensive data delivery system that ensures end-to-end security can provide a challenging line of defense, ensuring that digital communications remain confidential and secure. As we continue to work to understand the continually evolving domain of data security, gaining proficiency in encryption methods like TLS and formulating robust data security strategies is critical.

Don’t compromise on your data security. Learn more about DataMotion’s comprehensive secure data exchange solutions, like our secure message center and our robust integrations, by contacting our sales team today. Subscribe to the DataMotion Newsletter to stay informed on the latest advancements in data security, industry best practices, and other thought leadership.

Updated July 28, 2023

Contact Us to Implement Robust Encryption Solutions for Your Business.

Enhance Your Data Security Today!

Blue globe, keyboard and numbers
Achieve Office 365 CJIS Compliance 1024 403 Christian Grunkemeyer

Achieve Office 365 CJIS Compliance

Moving from an on-premises Exchange server to Microsoft Office 365 (O365) can have numerous benefits. Microsoft promotes its cloud productivity suite to yield better collaboration, increased productivity and a reduced cost of ownership.  Many state and local government agencies eager for those benefits are making a move to the cloud with O365. According to Microsoft, approximately 5.2 million people use Microsoft Cloud for Government services including Azure Government, Office 365 Government, and Dynamics CRM Online Government, an impressive figure. However some government agencies need to access the FBI’s Criminal Justice Information Systems (CJIS) database to fulfill their mission. These agencies must achieve Office 365 CJIS compliance for security rules that restrict their ability to use O365 to exchange CJIS information, or CJI for short. This information must be protected in motion and at rest whenever it is outside a secure CJIS datacenter.  Specific rules and the entire FBI CJIS Security Policy are posted here.

According to its website, Microsoft will sign a CJIS Security Addendum for Office 365 CJIS compliance in states where they have established CJIS Information Agreements. At this time there are 26 states where Microsoft has a signed CJIS Security Addendum – the most recent being with Missouri (February 2017).   States that don’t have CJIS approval for O365 as of March 2017 include Alabama, Connecticut, Florida, Idaho, Indiana, Iowa, Louisiana, Maine, Maryland, Mississippi, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Dakota, Ohio, Oklahoma, Rhode Island, South Dakota, Vermont, West Virginia, Wisconsin and Wyoming.

While these states are not prohibited from using cloud services, they must be able to demonstrate Office 365 CJIS compliance if using those services.   For them to use O365 to transmit CJI and PII (Personally Identifiable Information), the following CJIS security policy sections must be addressed.

“5.8        Policy Area 8: Media Protection

Media protection policy and procedures shall be documented and implemented to ensure that access to digital and physical media in all forms is restricted to authorized individuals. Procedures shall be defined for securely handling, transporting and storing media.

5.8.1      Media Storage and Access

The agency shall securely store digital and physical media within physically secure locations or controlled areas. The agency shall restrict access to digital and physical media to authorized individuals. If physical and personnel restrictions are not feasible then the data shall be encrypted per Section 5.10.1.2.

5.8.2      Media Transport

The agency shall protect and control digital and physical media during transport outside of controlled areas and restrict the activities associated with transport of such media to authorized personnel.

5.8.2.1   Digital Media during Transport

 Controls shall be in place to protect digital media containing CJI while in transport (physically moved from one location to another) to help prevent compromise of the data. Encryption, as defined in Section 5.10.1.2 of this Policy, is the optimal control during transport; however, if encryption of the data isn’t possible then each agency shall institute physical controls to ensure the security of the data.”

When an agency moves from an on premise secure Exchange server to O365, emails containing CJI must be protected – and that is commonly done through encryption. While O365 does contain an email encryption capability, that encryption occurs after the O365 cloud receives the unencrypted data.  For those 24 states without a Microsoft CJIS Security Addendum, this is a violation of CJIS security policy. To achieve Office 365 CJIS compliance, the email must be encrypted before it arrives in the O365 cloud, and must remain encrypted until it is received or retrieved by the intended recipient.

One solution to this issue is to employ a third party email encryption solution designed to enhance the security of O365 and address the CJIS security policy issues.  Such solutions offer more depth in encryption features and capabilities and integrate well with the Office 365 suite of applications. To achieve this end-to-end encryption requirement, the email can be encrypted at the Outlook client using an encryption plug-in, and routed through O365 to the recipient, or to an email encryption platform in a CJIS compliant datacenter to await recipient retrieval. In this way – O365 can be adopted, while maintaining CJIS compliance for PII and CJI. You can learn more about securing email in Office 365 here.

Office 365 is a great tool and can offer state and local agencies many benefits – and with proper implementation can meet the stringent requirements for CJIS security.

Learn more about how we can help state and local agencies meet CJIS compliance requirements

Learn More

Join our Newsletter

Person in white shirt working on a tablet with white mail icons floating above it
Best Practices: HIPAA Email Compliance – Patient Records 1024 403 Team DataMotion

Best Practices: HIPAA Email Compliance – Patient Records

With new HIPAA regulations, patients can have even more access to their medical records. With many patients wanting to receive their information by email, does your organization know the best practices for emailing patient records in compliance with HIPAA?

In January 2016, the HIPAA regulation got more teeth in the area of providing patients their medical records on request (files, notes, diagnostic images, lab results, C-CDAs). The US Department of Health and Human Services published detailed FAQs regarding patient’s rights with respect to requesting their medical records from their care providers:

  • Request full medical records from all HIPAA-covered entities, e.g.
    • labs, imaging and surgery centers
    • insurance plans, hospitals, pharmacies, and physicians
  • HIPAA covered entities have 30 days to respond
  • Provide in the format requested by the consumer
    • Electronic format
    • Specific messaging format
Learn more about how your organization can be sure that they're HIPAA compliant button

Under 45 CFR § 164.524, available at http://www.hhs.gov/hipaa/for-professionals/privacy

The department of Health and Human Services has generated some educational videos for consumers (patients) – instructing them of their rights, and showing some role play at the doctor’s office. There’s also an HHS infographic, which you can find below, that explains the rule as well.

As a secure messaging company, there was some initial dismay at the videos and written guidance HHS provides patients:

“…..covered entities must safeguard the information in transit, and are responsible for breach notification and may be liable for impermissible disclosures of PHI that occur in transit.  The only exception arises when an individual has requested that the PHI be sent to the third party by unencrypted e-mail or in another unsecure manner, which the individual has a right to request.  As long as the individual was warned of and accepted the security risks to the PHI associated with the unsecure transmission, the covered entity is not responsible for breach notification or liable for disclosures that occur in transit.”

Wow – unsecure email is OK for sending PHI (Protected Health Information) as long as the healthcare provider warns the patient that there is a security risk, and the patient accepts that risk. How do you track that? Is it realistic to think both sides of that transaction will be truly cognizant of the requirement to inform, and the real security risk?

I turned to our CMO, Dr. Peter Tippett for some guidance and perspective. What’s the best practice for a physician’s office to be in compliance with HIPAA when emailing medical records to a patient?

His response – so practical, and sensible:

Covered entities should always use some form of secure messaging when emailing medical records to patients for several reasons.

  1. Email encryption, logging and other HIPAA requirements are expected and required UNLESS the patient EXPLICITLY is warned, and EXPLICITLY agrees to unencrypted mail.  Keeping these warnings and permissions straight and getting the right message to the right patient via the right modality will fall in the “too hard” category for most covered entities.
  2. Covered entities will worry because they will be sued anyway if a patient, for example agrees to receive blood test results one week; and a few months / years later, gets sent something truly private, which is exposed because it was regular email.
  3. Most patients will not answer the question at all as to whether or not it would be ok after a warning to send the message via regular email – which could lead to errors, so a hard stop in the workflow, and risk of not meeting the 30 day delivery window.
  4. The fact that at least some patients will want the message securely, will require all covered entities to have a solution.

Given that email is such a convenient way to exchange files, and email encryption solutions such as DataMotion SecureMail is so affordable and easy to use by senders and recipients – this new HIPAA measure is another driver for adoption by covered entities. It also enables files up to 2GB – perfect for diagnostic images. It’s a small price to pay for HIPAA email compliance (and happy patients)!

Infographic about health information rights

Contact us to learn more about how we can help your organization remain HIPAA compliant.

Contact Us

Join our Newsletter

Hands holding graphic of two white clouds with a lock symbol
Salesforce Service Cloud and HIPAA Compliance 1024 403 Team DataMotion

Salesforce Service Cloud and HIPAA Compliance

Q: My company sells to the healthcare industry. Is it a HIPAA violation when my Customer Service Rep replies to a support ticket on Service Cloud? I mean, Salesforce is HIPAA compliant, right?

A: You very well may be in violation of HIPAA standards.  Here’s why.

Yes, the Salesforce platform itself can be made HIPAA compliant.  Salesforce will sign a Business Associates Agreement (BAA) and if you connect Shield as an addon HIPAA compliance tool, you’ll get monitoring, encryption, and auditing functionality of your Salesforce instance.  But that’s only part of the compliance requirements story because it only covers the data while it’s residing within the Salesforce data storage ecosystem – the data at rest.

HIPAA also applies to data in motion.  Simply stated; data containing protected health information traveling over a public network (like the Internet) must be encrypted in transit.

So let’s take a look at your scenario:  Suppose you’re a customer service account representative using Service Cloud to view a new support ticket.  A customer sends an inquiry explaining that his doctor wants him to get additional testing to rule out prostate cancer and he wants to know if his insurance covers the new tests.  The customer’s contact information plus a medical condition equals Protected Health Information (PHI) and needs to comply with HIPAA guidelines.

While you’re viewing the information on Service Cloud, it’s covered by HIPAA (see the first paragraph above).  But when you reply to that ticket the PHI is almost always copied as part of the ongoing dialogue thread and is sent from your company to the customer via email or other messaging format.  It’s now data in motion traveling over the Internet, and your company (not Salesforce) is responsible to encrypt the message before it’s sent in order to be HIPAA compliant.

Luckily, there are solutions, like DataMotion SecureMail, that integrate easily with Salesforce and Salesforce Marketing Cloud, and have the ability to filter by policy rules and keywords and automatically encrypt messages containing PHI.  Our solution also adds event monitoring, logging, and tracking for better visibility and governance (proof you need in the event of a HIPAA audit by the feds)!

Summary

Yes, the Salesforce Platform can be made HIPAA compliant.  But when you reply to a Service Cloud ticket, that’s data in motion and it’s not Salesforce’s responsibility to encrypt that data.  Your company needs to ensure those messages are encrypted between Salesforce , or any customer relationship management platform, and your customers.  If not, you’re subject to fines, penalties, data breaches, and loss of reputation.

Updated April 12, 2023

Learn more about our products to find out which ones will give your healthcare organization’s patient data exchange a clean bill of health.

Tour Services

Join our Newsletter

Inside of a data center
Best Practices: Securing Data at Rest, in Use, and in Motion 1024 403 Team DataMotion

Best Practices: Securing Data at Rest, in Use, and in Motion

Sensitive business data is more vulnerable today than ever before. Corporate trade secrets, national security information, personal medical records, Social Security and credit card numbers are all stored, used, and transmitted online and through connected devices. The proliferation of valuable data provides cybercriminals with an increasingly wide range of opportunities to monetize stolen information and intellectual property. In addition, foreign governments and organized crime rings have embraced hacking as one of their most potent tools. Organizations are also at risk from insider threats and social engineering attacks. A negligent or disgruntled employee can expose confidential information even faster than a hacker if there aren’t adequate safeguards in place to prevent the accidental or intentional release of sensitive data.

Security is critical, but it can’t come at the expense of your ability to complete daily tasks. For over 20 years, DataMotion has led the information security industry in cutting-edge data and email security, providing pre-built solutions and APIs that offer flexibility, security, and ease of use while enabling compliance across industries. In this article, we’ll examine best practices around securing data at rest, in use, and in motion as well as how to conduct a holistic data security risk assessment. We will also show you how DataMotion’s secure messaging and document exchange solutions keep your data platforms safe.

The Three Critical Components of a Total Information Security Strategy

Data needs to be secured in three states: at rest, in use, and in motion. Each state presents unique security challenges.

Data at Rest

Data is considered to be “at rest” when it is stored on a hard drive. In this relatively secure state, sensitive information such as Personal Identifiable Information (PII), Personal Health Information (PHI), and otherwise confidential enterprise data is primarily protected by conventional, perimeter-based defenses such as firewalls and anti-virus programs. However, these barriers are not impenetrable, and a data breach is still possible. Organizations need additional layers of defense to protect sensitive data from intruders in the event that the network is compromised.

Encrypting hard drives is one of the best, most effective ways to ensure the security of your enterprise’s data while at rest. In the event of a data breach, your data will be rendered unreadable to cybercriminals, making it worthless. There are other steps you can take that also help, such as storing individual data elements in separate locations. This extra step greatly decreases the likelihood of attackers gaining enough information to commit fraud or other crimes. One way in which DataMotion mitigates risk in this area is through our zero-trust security approach, which goes beyond perimeter protection, offering high-level data security from the inside out.

Data in Use

We just spoke to the importance of strong data security measures, such as data encryption, when sensitive information is at rest. But data in use is especially vulnerable to theft, and therefore requires additional security protocols. This is because, by the “in use” definition, the data must be accessible to those who need it. The greater the number of people and devices that have access to the data, the greater the risk that it will end up in the wrong hands.

There are two major keys to securing data while in use. The first is to control access as tightly as possible. Not everyone in your enterprise will need access to every piece of data, and there should be data permissions and protocols in place. The second key is to incorporate some type of authentication to ensure that users are who they say they are and aren’t hiding behind stolen identities. This is known as multi-factor authentication (MFA) and can include one small extra step, such as a verification code being sent to an email address or a phone. This small step can be a giant leap toward improved data security.

Organizations also need to be able to easily track and report relevant information so they can detect suspicious activity, diagnose potential threats, and proactively improve security. For example, an account being disabled due to a certain number of failed login attempts could be a warning sign that a system is under attack.

Data in Motion

Data is at its most vulnerable when it is in motion and securing information in this state requires specialized capabilities and strong security. Our expectation of immediacy dictates that a growing volume of sensitive data be transmitted digitally—forcing many organizations to replace couriers, faxes, and conventional mail service with faster options such as email. Today, more than 333 billion business and consumer emails are sent and received every day.1

When you send an email, it typically takes a long and winding journey through the digital infrastructure at enterprises, healthcare organizations, universities, government facilities, and other network locations. Anyone with the right tools can intercept your email as it moves along this path, which is where the need for increased email security and secure email gateways comes in.

There are a number of effective ways to secure data in motion. The best method to ensure that your messages and attachments remain confidential is to transmit them through an easy-to-use data encryption platform that integrates with your existing systems and workflows. This not only prevents careless mistakes, but ease of use helps mitigate risky shortcuts. Users should be able to send and receive encrypted messages directly from their standard email service. More than 29% of organizations place this capability on their email encryption and customer experience ‘wish list’.2

Email is considered the largest threat to data security in most organizations and sending data and documents (especially those containing sensitive information) in an unsecured manner is risky business. Email is vulnerable to a number of types of cyberattacks, including phishing, spoofing, and spam. It is easy for hackers to steal sensitive data while it is en route from Point A to Point B. Encrypting data while in motion is an ideal first line of email security, as encryption will render stolen data unreadable to thieves. In addition to strong encryption, your enterprise should include security controls such as employee security training, secure email gateways (which act as a policy-based filter based on the rules set forth by an admin) and multi-factor authentication.

The encryption service your organization uses should be used for desktops and all user devices with data access. It is also important that the service offers and supports mobile email applications. It is reported that 59% of Millennials check their email using their mobile device3, but more than 39% of organizations currently using email encryption say the number of ways users can securely interact with them is limited.2

How can you further protect your data in motion?

Download our eBook.

Get the Guide

How to Conduct an Effective Risk Assessment

Unless your organization has recently conducted a data security risk assessment, the threat of a data breach is probably much larger and more immediate than you realize. Organizations often underestimate their risk because they believe all their sensitive data is contained within a few secure systems. They feel access to this sensitive data is restricted to only those who need it. This is rarely true.

Think about the situation from a workflow perspective. Do employees access corporate systems from their personal devices, or use company-issued devices to work from home? What happens when employees take their laptops on business trips? How is data transferred between devices or communicated to other stakeholders? Have you thought about what your customers or business partners do with sensitive files you send them?

Inevitably, information is going to end up spread across multiple devices and networks with varying degrees of security and risk. Before you can take effective action to mitigate your risk you need to identify where your risks of a data breach lie. You should conduct a thorough security risk assessment, starting with a data and email security review. Such a review will identify vulnerabilities within your organization and where they lie. This assessment should provide answers to core questions, including:

  • What types of sensitive data does your organization store, use, or transmit?
  • Who has access to this data?
  • Where, when, and why are they using it?
  • How is data stored when it is not in use?
  • Is data kept beyond periods stated in your data retention policy?
  • How is access to databases controlled?
  • What mechanisms are used to transport data?
  • What are the pertinent laws, regulations, and standards?
  • How is data shared in collaboration tools?

Once you have a solid grasp of the potential risks, we recommend that you work with data security experts to determine the steps needed to implement a total information security strategy. This strategy will likely include aspects such as a data retention policy, data sharing policy, an incident response plan, and implementing a policy based on the principle of least privilege.

Data vulnerability assessments should be truly holistic and not just look for threats within your organization for an effective risk management strategy. If your vendors have vulnerabilities, then your enterprise does as well. We recommend checking in regularly with your vendors about current and planned security protocols and exploring a vendor consolidation strategy. When checking in or vetting a single vendor as part of a consolidation strategy be sure to ask the right questions about security protocols.

Don’t wait for the risks to your data and email security to make themselves known; by that time, it will be too late to take any effective action.

Summary

Your enterprise data is incredibly valuable to both your organization and cybercriminals. Data security strategy should be high on your business process priority list. Leaving security to chance puts you at risk of joining the long and growing list of organizations that have learned painful first-hand lessons about data security, including Target, Home Depot, Anthem, the Federal Office of Personnel Management, and the National Security Agency.

DataMotion’s platform protects data at rest, in use, and in motion by offering ironclad security that includes military-grade encryption, a governed database, a zero-trust security approach, and data tracking and monitoring. Visit our website to learn more about how we can help your enterprise’s data and email security efforts or contact our team of security experts today for an introductory call.

1. The Radicati Group. “Email Statistics Report, 2021–2025.”
2. DataMotion. “Compliance Issues Plague Customer Engagement: Customer Engagement Trends in Financial Services and Insurance.”
3. HubSpot. “The Ultimate List of Email Marketing Stats for 2022.”

Updated April 12, 2023

Empower Your Connections, Safeguard Your Interactions. Contact Sales Today to Get Started.

Secure Digital Engagement Made Simple

Hand held out beneath white mail icons
Major Email Compliance Regulations That You Need to Know 1024 403 Bob Janacek

Major Email Compliance Regulations That You Need to Know

Keeping up with industry and government email compliance regulations impacting the exchange of sensitive information can be exhausting. So, we’ve put together a list of four big ones you need to know about.

  • Payment Card Industry Data Security Standard (PCI DSS)
  • Health Information Portability and Accountability Act / Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH)
  • Gramm-Leach-Bliley Act (GLBA)
  • General Data Protection Regulation (GDPR)

PCI DSS

Security for credit card information stored, processed or transmitted by merchants and associated vendors is regulated by PCI DSS. All cardholder data passing over an open, public network such as the internet, must be protected (encrypted), according to requirement number 4.

PCI DSS helps organizations focus on security, not compliance, by making payment security business-as-usual. By raising security standards and making compliance status quo, monitoring effectiveness of security controls and maintaining a PCI DSS compliant environment is easy.

All credit card processors have adopted the Payment Card Industry Data Security Standard (PCI DSS). The goal of this regulation is to prevent identity theft and protect cardholder data and it applies to any company that processes credit card data. The most recent version of PCI (3.2) was released in April 2016 with a minor update (3.2.1) issued in July 2018 to update migration dates.

PCI DSS 3.2 mainly consists of changes meant to streamline and clarify the regulation, but there are a few updates that fall under the “evolving requirement” category that affects how you handle credit card data as of February 1, 2018.

One of the changes is that there is now a “new requirement for service providers to maintain a documented description of the cryptographic architecture.” Although more documentation is required to stay compliant with the new PCI DSS update, the goal is to protect sensitive client information and ensure safer communications between business processes. This update will also help companies detect bottlenecks in their cryptography functionality, giving them to opportunity to make the appropriate changes.

A more detailed description of the updates can be found here.

HIPAA/HITECH

Congress passed HIPAA in 1996 and is probably the most well known compliance regulation impacting email The HIPAA Privacy Rule, also called the Standards for Privacy of Individually Identifiable Health Information, provided the first nationally recognized regulations for the use/disclosure of an individual’s health information. Essentially, the Privacy Rule defines how covered entities use individually identifiable health information or PHI (Protected Health Information).

The key HIPAA impacts on email are:

HITECH was passed as part of 2009’s American Recovery and Reinvestment Act, HITECH and is intended to push the healthcare industry toward faster adoption and use of health information technology. Subtitle D of HITECH addresses “the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

In 2013, HIPAA/HITECH was expanded by the Department of Health and Human Services with the Omnibus rule, which became effective on September 23, 2013. The reach of HIPAA data privacy and security requirements expanded to include “business associates” of covered entities making them also subject to HIPAA as well as giving HIPAA more power in enforcement.The rule expanded significantly the number and type of organizations covered by re-defining who is a business associate of covered entities.  Because civil and criminal penalties may now apply to business associates, these businesses also need to take steps to secure Protected Health Information (PHI).

Business associate agreements

Another important term related to HIPAA is the Business Associate Agreement (BAA), which is a contract required to be established between a HIPAA-covered entity (CE) and a HIPAA business associate (BA). This contract protects PHI in accordance with HIPAA guidelines. Subcontractors who have access to or who store PHI now also need to sign business associate agreements and be able to demonstrate compliance. HIPAA now effectively applies not just to medical providers, but to the entire ecosystem of vendors supporting them. A typical example of CE is a healthcare organization that handles PHI for its patients, and a typical example of a BA is a service provider that securely handles, transmits or processes PHI for a CE. Under the HITECH Act, BAs are responsible for securely handling PHI and can be held accountable for data breaches and penalized for noncompliance.

GLBA

GLBA is the third major email compliance regulation on our list. GLBA was passed in 1999 with primary goal of protecting the private financial data of consumers. The fancy term for this is “Nonpublic Personal Information” (NPI). Although this act applies mostly to financial institutions, today, many more organizations in a variety of industries maintain NPI for their customers.

The Financial Privacy rule is the key consideration for most organizations. This rule governs the collection, use, and disclosure of private financial data. The process companies must take to safeguard this information is also defined.

The Safeguards Rule instructs organizations to develop security programs in alignment with the amount of NPI data they maintain.

Although the law is technology neutral, the Safeguards Rule instructs the organization to implement policies to encrypt or block email traffic based on the message sender, recipient or content.

GDPR

GDPR is a new major privacy regulation that went into effect in May 2018. It is a European Union (EU) directive but does impact organizations outside of the EU if those organizations market to and collect information on EU residents.

In a nutshell, when an organization is collecting, processing and/or storing the personal data of any EU resident – regardless of where the organization is located – express permission must be obtained first. This means the individual must have opted in, not only to collect the data, but to process and store it. Data collectors/processors (the organization) must also be clear with the individual about how the data will be used, stored and protected.  These individuals must also be given an easy way to withdraw their permission and have it completely deleted from an organization’s database(s). You can learn more about GDPR here.

Article 5 of the GDPR details the principles covered by the regulation.  5.1 lays out the requirements for treating private data of EU citizens:

“(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

Take the Steps to Comply

A major facet of meeting the requirements of all these email compliance regulations is ensuring that your email is secure and well protected against hackers, scammers, and those with the intent of committing fraud. Failure to comply with mandated regulations leads to not only financial consequences but can permanently damage your company’s reputation as well as scare clients from coming back. Don’t take chances when it comes to staying compliant. It isn’t worth the risk.

Learn more about securing your email and other moving data.

Learn how DataMotion can help you comply with these major email compliance regulations.

Contact Us

Join our Newsletter

  • 1
  • 2