Customer Spotlight — Zix “Automagically” Protects Patient Health Information

Healthcare organizations aren’t just responsible for protecting their patients’ health, they are also accountable for protecting their personal health information. Given the nature of the healthcare industry, hospitals and health systems are repositories for sensitive information ranging from medical histories and prescriptions to personal information such as billing information, Social Security Numbers and insurance claim information. Gathered in one place, this can be a treasure trove for someone with ill intentions.

Every day millions of emails containing patient health information are exchanged by healthcare organizations. To meet compliance needs and protect this information in transit, it must be properly encrypted. However, one of the biggest obstacles healthcare organizations face with any sort of technology, including encryption, is incorporating it into the day-to-day workflow without having it distract from their No. 1 priority — patient care.

When the Health Insurance Portability and Accountability Act (HIPAA) went into effect in 2003, one of East Tennessee’s largest primary care organizations, Summit Medical Group, was one of the first healthcare organizations to adopt an email encryption solution. Summit Medical Group’s goal was twofold — find a solution that effectively secures patients’ protected health information (PHI) and have it be un-intrusive for staff to use.

After looking at a variety of options, the team chose Zix Email Encryption. Eleven years later Summit Medical Group is still happy with the decision and just signed its third renewal.

“We originally brought Zix Email Encryption on board in 2003 due to HIPAA compliance laws as they related to protecting PHI,” said Joseph Ortiz, chief information officer for Summit Medical Group. “We continue to use the service because, quite frankly, it’s the best product that’s out there.”

With Zix Email Encryption, the team at Summit Medical doesn’t have to worry about an email slipping through the cracks unencrypted. The policy filters employed by ZixGateway automatically scan emails, including their attachments and subject lines, for any sensitive information and can encrypt, route or block those emails according to corporate policies.
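A content policy filter of the kind described above, written here as an added example (it is not ZixGateway's code or its rule set): it scans the subject, body and text attachments of an outbound message for assumed rules (an SSN pattern and a few PHI terms) and returns a deliver, encrypt or block decision. The recipient domains and rule definitions are constructed for the example.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Dict, List, Optional, Tuple

# Illustrative detection rules, constructed for this example.
# SSN shape with the invalid area/group/serial ranges excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PHI_TERMS = ("diagnosis", "prescription", "medical record", "patient id")
# Assumed "block" policy: sensitive data must never go to these domains,
# not even encrypted (e.g. consumer webmail).
BLOCKED_DOMAINS = {"example-webmail.test"}


def scan_text(text: str) -> List[str]:
    """Return the names of the rules that fire on one piece of text."""
    hits = []
    if SSN_RE.search(text):
        hits.append("ssn")
    lowered = text.lower()
    if any(term in lowered for term in PHI_TERMS):
        hits.append("phi")
    return hits


def scan_message(msg: EmailMessage) -> Dict[str, List[str]]:
    """Scan subject, body and text attachments; map location -> rules hit."""
    findings: Dict[str, List[str]] = {}
    subject_hits = scan_text(msg.get("Subject", ""))
    if subject_hits:
        findings["subject"] = subject_hits
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            # Binary attachments (PDF, Office files) need a text extractor;
            # this example only inspects text/* parts.
            continue
        hits = scan_text(part.get_content())
        if not hits:
            continue
        if part.get_content_disposition() == "attachment":
            findings[f"attachment:{part.get_filename()}"] = hits
        else:
            findings["body"] = hits
    return findings


def decide(msg: EmailMessage) -> Tuple[str, Dict[str, List[str]]]:
    """Policy decision: 'deliver' (nothing found), 'block' or 'encrypt'."""
    findings = scan_message(msg)
    if not findings:
        return "deliver", findings
    recipients = msg.get("To", "").lower()
    if any(domain in recipients for domain in BLOCKED_DOMAINS):
        return "block", findings
    # Routing to a different connector would be decided at this same point.
    return "encrypt", findings


def classify_raw(raw: bytes) -> str:
    """Parse an RFC 5322 message as a gateway would and return the action."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return decide(msg)[0]


def build_message(to: str, subject: str, body: str,
                  attachment: Optional[str] = None) -> bytes:
    """Construct a sample outbound message (test data, not real patient mail)."""
    msg = EmailMessage()
    msg["From"] = "clinic@example.test"
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, filename="visit-summary.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        build_message("dr@partner-hospital.test", "Follow-up",
                      "See you Thursday at 2pm."),
        build_message("dr@partner-hospital.test", "Lab results",
                      "Summary attached.",
                      "Patient ID 4471, prescription: amoxicillin"),
        build_message("nurse@example-webmail.test", "Re: 123-45-6789",
                      "see subject"),
    ]
    for raw in samples:
        print(classify_raw(raw))
```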

With Zix, doctors and staff don’t have to think twice about hitting send on an email. Instead, they go about their day as if they were using regular email.

“With ZixCorp, we send email ‘automagically’ since it operates in the background. This has a minimal impact on both physician and employee workflows since no extra steps are required,” explained Ortiz. “If you know you’re sending PHI, you can explicitly encrypt the email using the encryption button, but even if you don’t think about it, ZixGateway will still catch it and ensure the safekeeping of PHI.”

A little about Summit Medical Group:

  • One of East Tennessee’s largest primary care organizations
  • Comprises 215 physicians and more than 100 advanced practitioners at 53 practice locations in 12 East Tennessee counties
  • Headquartered in Knoxville, Tenn., and provides healthcare services to more than 308,000 patients, averaging 81,000 encounters each month


Working weekends, nights or during the holiday? You aren’t alone …

While it has been said that the holidays are best spent in the warm embrace of kith and kin, this season, 57 percent of full-time employees in the U.S. will spend at least part of their holiday break clutching laptops, smartphones and tablets to catch up on work.


In a recent study, ZixCorp asked more than 1,000 full-time employees about their work practices outside of their regular “9 to 5.” The survey explored not only how much time employees spend working outside regular business hours but also how they are accessing work outside the confines of corporate walls.

Let’s take a look at some high-level findings.

  1. There is a surprisingly large expectation that employees be reachable outside “9 to 5.” Of the respondents, 76 percent said it’s either stated or implied that they be accessible outside of regular work hours. Combined with the fact that the majority of employees use their personal (not company-owned) devices to access work after hours, it seems like a no-brainer that companies would then invest in a non-intrusive BYOD solution on personal devices to access and protect corporate data on the go.
  2. BYOD impacts work/life balance. Of the respondents, 75 percent believe that the ability to use mobile devices to access work information or email outside of work hours is a positive development, and 68 percent said that being able to access their work outside of regular hours is necessary to do their job effectively. If used in excess, BYOD may hinder work/life balance, but overall BYOD provides the flexibility employees want to leave the office when needed and still be productive.
  3. Companies may not realize the extent to which their employees are accessing work after hours. On their days off, 64 percent of full-time employees spend time working, with 22 percent working four hours or more; 43 percent of full-time employees spend more than an hour working at night after they leave the office.
  4. Email is the driving force. Respondents said the primary work completed during their off time is checking/responding to work emails. Email is the backbone of business communications today, and with instant access on mobile devices, email assists employees in responding to customer requests, finalizing big deals or keeping them informed of a project status, even when on the go.

In this era of BYOD and accessibility, it’s more important than ever for employers to leverage the appropriate security measures for employees to securely access company data away from the office. To meet the growing need to access work outside the traditional office and enable a more productive workforce, employers should be accountable for implementing the right BYOD policy during the upcoming holiday season and thereafter.


Reasonable Expectations of Employee Privacy in BYOD

In June 2014, the U.S. Supreme Court ruled in Riley v. California that police officers generally* may not search the digital information on a smartphone without first obtaining a warrant. Law enforcement professionals were surprised and appalled, because case law previously said the Fourth Amendment does not require a warrant for a search of personal items obtained incident to an arrest.

What does a criminal law case that limits police cell phone searches have to do with corporate Bring-Your-Own-Device (BYOD) policy? The case illustrates evolving legal theories about reasonable expectations of privacy in personal devices. If it is illegal for law enforcement to access personal information on a smart phone without a warrant, where do businesses stand when they demand access to data on their employees’ devices or remotely wipe that data?

As Chief Justice John Roberts explained:

“Modern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans ‘the privacies of life.’”

Privacy concerns in mobile devices are a hot topic. The FBI Director’s recent statements opposing stronger mobile device encryption, for example, raised concerns among privacy advocates who were already spooked by government surveillance revelations. Another example of the importance of device privacy was highlighted in a uSamp survey recently commissioned by Zix Corporation. Nearly one-third of respondents said that they would rather lose their wallet than their mobile device. That’s not surprising.

IT professionals and business owners are struggling with how Enterprise Mobility Management (EMM) impacts employees’ reasonable privacy concerns about giving their employer control over personal mobile devices. To alleviate employer concerns, human resources and legal departments are requiring employees to sign BYOD waivers, usually named Mobile Device User Agreements. Typically two to eight pages of intimidating legal provisions, those documents give the employer broad rights to access, read, alter and wipe information on the device.

Although the waivers may help solve some of management’s legal concerns, BYOD waivers do nothing to address employees’ legitimate privacy concerns or their objections to losing control over personal devices. Moreover, having access to mobile device data can create legal risks for the employer even if employees sign a BYOD waiver. An employee might assert, for example, that the employer discriminated against the employee based on information that the employer obtained from the employee’s device.

Defenders of BYOD waivers assert that employees voluntarily sign over device privacy and control in order to participate in BYOD. Employees may perceive, however, that BYOD is a job imperative and they have no real choice. And employees may conclude that the employer’s promise of EMM device containerization is more an illusion of privacy than a real comfort – because employees don’t often segregate their work and personal lives and data neatly into digital sandboxes.

At Zix, we have a completely different approach to providing mobile device access to work. With our ZixOne® app, employees can manage their work email, including attachments, and access their work calendar and contacts from their Android or iOS mobile devices. Employees interact with their email as usual – composing new messages, replying and forwarding existing messages and reviewing attachments – without storing that data on the mobile device. If the device is lost or stolen, the employer simply disables that device’s access to work email, calendar and contacts. Because ZixOne does not store corporate email on the mobile device, the employer doesn’t need to control or wipe the device.

ZixOne respects employee concerns about privacy and device control, while protecting corporate email content. That strikes us as a better approach than taking control of personal devices and demanding employee signatures on a BYOD waiver.

* The Court allowed for certain exceptions, such as exigent circumstances.


Email Encryption: What’s in a Name?

We’ve all seen the headlines — The Year of Encryption — but that doesn’t mean people have been able to wrap their minds around the technology. Sure, there’s a basic understanding of what it is.


Used to safeguard personally identifiable information (PII) — think medical records, social security numbers and banking information — email encryption could be the difference between a lawsuit and front-page headline, and a healthy successful business in day-to-day business communications.

But how does it work? And is it easy to use?

If you’re using an outdated, cumbersome solution, it can be anything but easy to understand. And when the “how to” isn’t exactly clear, you don’t want to rely on your employees using the fingers-crossed method, hoping sensitive information doesn’t leak into the wild each time an email is sent.

With Zix, there are no hoops to jump through. Just an easy-to-use (ultra-secure) email encryption solution that everyone in an organization can love!


Enterprise Mobility Management and the Maginot Line

Over the weekend I was reading up on my history of the early 20th Century and the aftermath of the “victory” of World War One. I came across references to the Maginot Line of the 1930s and the comfort the French took in knowing that should there be a new German military build-up, they, the French, would always feel safe behind the impregnable defenses of the Maginot Line. Even today, 80 years later, military experts confirm that despite having the best arms and technology of the time, the German military would never have been able to breach the defenses of the Maginot Line, then a state-of-the-art defensive system.

While reading, I was reminded of modern Enterprise Mobility Management (EMM) suites. They are state-of-the-art in providing a multitude of services and are becoming more versatile and powerful. They offer configuration management tools for the mobile operating systems that run on smartphones and tablets, and enable access to corporate applications and content previously only available on desktops and laptop computers. Like the Maginot Line with all its personnel, EMM suites require a large amount of management support: in this case configuration support, mobile app deployment and updating, policy management, content management and troubleshooting. In fact, a fairly large staff must be dedicated to ensuring that the applications work seamlessly while still remaining secure against data loss. And on the face of things, security is being maintained.

However, you probably remember that back in May and June of 1940, the German forces defeated France despite the impregnability of the Maginot Line, but do you remember how they did it? The German forces simply drove into Belgium and went around the north of the Maginot Line, avoiding it completely. Within six weeks, France fell and would remain occupied for four years until liberation after D-Day.

Now I hear you ask, what has the Maginot Line to do with Enterprise Mobility Management? I see great similarities. In frontal attack, the security protecting the data on a smartphone is impressive, plus – ultimately – remote device wiping can wipe all the data from a stolen device.

Except that all the bad guys need to do is to go around these defenses, thereby nullifying them. When a smartphone is stolen, it can be disconnected by switching the device into airplane mode or by placing it into a Faraday bag, thus preventing any remote wipe. Using jailbreak software for either $10 or free depending upon where you search on the web, everything on the smartphone is accessible and the EMM safeguards circumvented.

Wouldn’t it be great to have a solution that avoids this threat? The ZixOne solution does not save any data on the device. If your smartphone is jailbroken or rooted, there is no business information that can be read from the device. Airplane mode or a Faraday bag is not a threat, because there is no need to wipe the stolen device to erase information that is not saved on the device in the first place.

A recent study found that 86% of corporate mobility users only require access to email and calendar functions. I feel the same way: my phone and tablet are great for writing or replying to emails at any time of the day. For intense creative work, I prefer the large screen at my work desk.

With ZixOne, there is no Maginot Line to be managed by a team of administrators, nor does it require time consuming training courses in order to understand how to use it. You just download ZixOne from the app store, and intuitively use it like any other familiar email client. For me and for our ZixOne customers, it is the perfect mobility solution.


Customer Spotlight — How One Healthcare Company Braved the Unknown of BYOD

With the amount of sensitive data that passes through healthcare organizations — along with stringent HIPAA regulations — it can seem like a daunting undertaking to embrace BYOD.

Innovative Care Management (ICM) was in this position recently — deciding if it would continue to only allow senior management access to corporate email through company-owned devices or open up access to work email on personally owned devices too. Hesitant at first, the team at ICM quickly realized that if it chose the right solution, BYOD was a great option. After a trial of ZixOne, team members were impressed at how easy it was to have secure email on their devices. The ZixOne app offered the security they needed, while providing employees with an easy-to-use interface that kept control and privacy in the employees’ hands.

“We knew BYOD would positively affect our staff, but we couldn’t enable it without addressing its vulnerabilities,” said Marion Shipley, COO of Innovative Care Management. “ZixOne was an easy fix and alternative to traditional BYOD solutions.”

Since deploying ZixOne, management has gained peace of mind knowing that senior management and mid-level employees accessing ZixOne can be productive away from the office without security concerns. It has gone so well, that the company is expanding its use of BYOD to other employees who choose to use their personal devices for business.

In the end, for healthcare companies like ICM, protecting customer data is most important, and with ZixOne, they know they have a solution that can be trusted to protect sensitive information on mobile devices.

“It’s important that ICM demonstrate to our customers that we understand the sensitive nature of the data we’re trusted with and remain HIPAA compliant,” said Shipley. “With ZixOne, we’ve opened up corporate email access to personal devices and have peace of mind knowing that employees stay productive without worrying about security threats that could impact customers.”

A little about Innovative Care Management

  • Healthcare management company in business for over 20 years
  • Specializes in working with self-insured employers
  • Headquartered in Portland, Oregon
  • Founded in 1990


10 Commandments of Email Encryption

At no time in history has personal and corporate data been more widely targeted by criminals. With never-ending threats and compliance demands, it’s vital for IT and employees to work together to create the most secure environment possible. When both sides are on the same page, an organization is at its strongest.

To help with the cause, we wanted to provide ZixCorp’s “10 Commandments of Email Encryption” that highlight the responsibilities of both IT and employees to ensure data being transmitted from an organization is secure.

IT Commandments

  1. Thou Shalt Educate

Unless your email encryption solution encrypts every single email sent by your employees, it’s crucial to implement policies and offer employee training to prevent leakage of sensitive information.

  2. Thou Shalt Stay Compliant with Regulatory Mandates

Securing sensitive information in email isn’t just a best practice — it’s often the law. HIPAA, HITECH, GLBA, state data security laws and guidance from FFIEC agencies make it clear that protecting sensitive information is no longer optional. Make sure the solution you use leverages proven and up-to-date policy filters to catch any messages that might slip through the cracks.

  3. Thou Shalt Not Use Outdated Solutions

Threats are constantly evolving, and businesses should avoid getting trapped with a solution that is ill-equipped to handle modern threats. Instead of sticking with an outdated solution because it’s convenient or familiar, choose one that can adequately protect the needs of your business.

  4. Thou Shalt Choose a Solution that’s Easy AND Secure

Not all email encryption solutions are created equal. Often they compromise ease-of-use, security, or both. Choose a solution that makes secure email convenient for you, your senders and your receivers. Don’t let the complexity and maintenance of a solution pose a barrier to getting work done effectively. When users have too many hoops to jump through, they may resort to insecure methods—putting your business at risk.

  5. Thou Shalt Take Mobility into Consideration

Business is no longer conducted behind a desk. Mobile phones have expanded the workplace and work hours, and more users spend time on email than any other internet-enabled activity. With increasing dependence on mobile devices, convenient mobile delivery of encrypted messages is a critical consideration for keeping business moving forward and keeping your customers and business partners happy.

Employee Commandments

  1. Thou Shalt Understand the Importance of Email Encryption

Regular email isn’t a private conversation and can be easily intercepted and read by unwanted parties. By law, companies are required to protect certain types of personal information, but more importantly, it is simply a smarter way to do business. In addition, email encryption increases efficiencies by allowing the electronic transfer of sensitive information that has traditionally required slower manual delivery methods. Email encryption is one way you can take responsibility to protect sensitive information.

  2. Thou Shalt Take Responsibility to Protect Data

When you are sending unsecured emails, make sure there is nothing included that should be encrypted, such as social security numbers, contracts, financial information, and personal health information. Even if your company has policy filters, it’s still best to err on the safe side and to take responsibility for protecting sensitive data.

  3. Thou Shalt Make Email Encryption the Rule, Not the Exception

Again, if you aren’t sure if an email needs to be encrypted, play it safe and encrypt! There is too much at stake to take a chance. Often the worst breaches and policy violations stem from human error — well-meaning employees who have no idea that they are putting patient records, credit card information and client identities at risk.

  4. Thou Shalt Be Attentive

Whether you work for a healthcare company, law firm or financial services company, it is important to be aware of the type of regulatory compliance you need to adhere to. Even a basic understanding will help in the long run.

  5. Thou Shalt Ask Questions

Email encryption can be confusing if you are not tech savvy. If you ever have questions or concerns about email encryption and compliance, it is your responsibility to ask. In the end, it is better to ask a question than to let an email slip through that contains sensitive information.

By adhering to these commandments, IT and employees will ensure the organization they work for is as secure and regulatory compliant as possible. Protecting customer and patient data is a team effort and requires complete buy-in and accountability.


The BYOD Data Dilemma: Is EAS Safe?

Skimming through old posts on the Zix blog, I came across this one from a year ago. A new Zix employee had pulled out his smartphone and demonstrated that although his ActiveSync account with his previous employer had been deactivated, all the emails, attachments and his customer contact list were still stored in the permanent memory of his device.

This got me to thinking – what is Exchange ActiveSync (EAS)? EAS is a protocol developed to synchronize email, contacts and calendar entries from the Exchange mailbox to just about every mobile device or operating system, including Apple iOS, Android, BlackBerry, and of course Microsoft Windows Mobile.

EAS delivers the very useful tool of replicating emails, calendar entries and contact lists across multiple devices so that all devices are up-to-date with what is stored on the messaging server. Once on the device, employees work on, copy or forward the data in emails and their attachments just as they would if the data was on a company desktop. It means, for example, that when called by a customer or colleague, a user can see her existing time commitments and confirm to that caller then and there that she is free to meet on Thursday at 2 p.m. This ability allows mobility users to be productive at times when traditionally we would not have been contactable or would not have been able to respond to questions or issues quickly.

As we all know, tablets and smartphones are very powerful consumer devices. Essentially they are micro-computers that will do a multiplicity of tasks required by their consumer owners. In doing so they are eminently fit-for-task. That is, they behave exactly as they were designed to behave. They respond quickly, and they “seamlessly” share information between apps so that we can forward a music clip via email, instantly upload a photo to Facebook, search “nearby” for a restaurant, and so on.

The very functionality that makes it easy to share information between applications turns these consumer devices into a business IT headache. In order for BYOD to work for the user, the password or PIN to use the device must be quick and easy to input – the antithesis of good IT security. More than this, the device must not time-out too quickly (requiring the password to be re-input to continue) because the users – your employees – would not accept this. A survey by McAfee and One Poll revealed that 36% of mobility users don’t lock their mobile devices with either PIN or password, while 30% have vital password information stored in notes apps.

And even if data is encrypted, the encryption keys are kept in known places on the devices and therefore hackable.

Most industry solutions to these dilemmas utilize sandboxing or containerization strategies to counter the very seamlessness that has been designed into BYOD devices. These solutions can work well in controlling what users can and cannot do with the corporate data on their own device. Unfortunately solutions like these can fall down when either a disgruntled employee decides to act against the employer or devices fall into the hands of savvy criminals.

Regardless of the security or encryption techniques used in combination with EAS, in my view EAS has one overarching security flaw: business data is copied to the BYOD device. With data on the device, motivated criminals can access that data. And please don’t talk with me about remote wiping: that “remedy” is facile. Remote wiping works great if the device is lost – however, “lost” implies that no one has the device. It is down the back of the sofa, or in a pile of laundry; exactly when a remote wipe is unnecessary. The ideal time for a wipe is when a thief has the device; however, any thief smart enough to search for corporate data is smart enough to apply airplane mode or to put the device inside a Faraday bag, thereby defeating any attempt to remote wipe the device.

ZixOne however is a fresh solution that takes a different approach to solving this BYOD dilemma by keeping business data off the device in the first place. Even if the device encryption or passwords are broken, there is no data on the device to be found. It’s a BYOD solution that employees accept with ease. ZixOne enables easy access to email, calendar appointments and business contacts, all the while keeping business data secure and off the device.


Thinking about CYOD? Not So Fast, My Friend

You may have heard about a new trend called Choose-Your-Own-Device, or CYOD.

It gives employees the “freedom” to use a device they know and understand by allowing them to choose from a narrow list of corporate pre-approved mobile devices. For employers, it provides more control over device management and security within their organizations.

In theory, it sounds like BYOD nirvana.

Our response to that comes courtesy of Lee Corso: “Not So Fast, My Friend.”

CYOD is simply a new term for the old corporate device program.

The idea behind CYOD suggests that if you give employees a choice in what device they use, they’ll be satisfied with a small semblance of mobile freedom. However, BYOD originally came to light because employees wanted the freedom to use their own devices in the workplace. CYOD, on the other hand, is a step backwards, simply repackaging unpopular policies of the past. Beyond providing a false sense of choice and freedom to employees, CYOD also has a few pitfalls.

  • CYOD is costly for the employer.

In order for CYOD to be successful, companies need to invest in the latest devices, which increases cost. In addition, once a company has invested in the smartphones and tablets, it will also need some form of mobile device management to track the devices it hands out. Although you’ll still need a BYOD security solution to protect data accessed by employee-owned devices, the costs are ultimately lower.

  • CYOD walks a privacy tightrope.

By deploying CYOD, employers are expecting employees to use their corporate-owned devices as their only connection to the office. In doing so, it’s unrealistic to think that employees won’t perform personal activities on those corporate devices. However, this raises a privacy problem. As employees conduct personal activities on the device, where is the line drawn as to what the company can monitor? If the company has access to that information, it could lead to legal issues, such as lawsuits associated with labor relations or employee terminations.

  • CYOD is inconvenient and hinders productivity.

One of the main benefits of BYOD is that it allows employees to be more productive. By simply having access to corporate email and applications on their personal devices, employees are more connected and can access company information when and where they need it. When you give employees a second device, they either experience the hassle of carrying around both or make the decision to only carry one — which, away from work, will usually be the personal device.

In the end, CYOD has many flaws. Mobile devices have become deeply ingrained in who people are. They are personalized with apps, shortcuts, photos and music. CYOD will never be able to replicate that level of personalization, and this could be its biggest flaw. As much as CYOD seems like a great idea, it will never be able to replace the experience of using your own device.

Whether your company chooses to use a BYOD or CYOD strategy, it’s important for company data to remain secure no matter the strategy. ZixCorp has a security solution to meet that security need without jeopardizing productivity, convenience or privacy.


Is the California Court of Appeals Ruling Really a BYOD Killer?

Back in August, the California Appeals Court ruled that when employees are required to use their personal cellphones for work-related calls, the employer must reimburse “a reasonable percentage of their cell phone bills.” That holds true whether the user has an unlimited plan or not.

Now that this ruling is officially in effect, it’s hard to believe some of the attention-grabbing headlines that originally surfaced:

“Court Ruling Could Bring Down BYOD” — “California Court Ruling Threatens BYOD Programs” — “CA Ruling Major Blow to BYOD!”

Does this ruling really mean BYOD is about to fall off the proverbial cliff?

Not in the least. Many employers have provided prorated reimbursement of call minutes and data for years and will continue to do so under BYOD policies (which, by the way, won’t go away any time soon).

It is important to call out that the class-action lawsuit fueling this ruling seems to be a situation where the employees needed to use a mobile device but did not have the option of using an employer-provided device (e.g., a laptop) or employer-provided connectivity (e.g., office phone network). Rather, the issue involved field representatives who were regularly required to use their personal cellphone plans for business purposes.

If employees are offered a choice — use of a company-provided phone, use of their own device with the understanding of no reimbursement — the employer would not be required to provide reimbursement of personal cellphone bills. In addition, if employees do not need a mobile device for work but prefer the convenience of accessing work outside the office, then reimbursement is not required.

What does the ruling really mean for BYOD?

California employers may need to re-think their BYOD reimbursement policies and make sure they have a clearly defined BYOD policy and strategy in place for their organizations (all good actions to take).

It’s also a wake-up call for employers who may be taking advantage of the consumerization of IT and making employees use their own mobile devices and data plans for work without offering any level of reimbursement or the option of providing a company-owned device.

At the end of the day, the value of BYOD lies in giving employees the ability to use the device of their choice to improve productivity — not infringing on their rights, whether that means offloading mobile costs to the user or requiring a solution that can remotely wipe the user’s personal device.

It’s clear that there’s no one-size-fits-all approach to BYOD, and it’s a delicate balancing act to accommodate the needs of all parties involved.
