Concord Fax Online Compliance Considerations

Source: downloads.concordfax.com/documents/datasheets/...




Concord Fax Online Compliance Considerations :: www.concordfax.com :: [email protected] :: (888) 271-0653 • 2

Contents

General considerations for security and privacy of fax

Concord Fax Online Overview

Communication and Connectivity considerations

    E-Mail based fax service

    Concord Fax Online Web services

    Concord FaxLync

Document Storage

Concord Network Safeguards

    Physical Security

    Application Security

    Encryption

    International Considerations

HIPAA

Payment Card Industry Data Security Standard (PCI DSS)

Conclusion

About Concord


General considerations for security and privacy of fax

Fax was invented many years before the telephone (it was originally patented by the Scottish inventor Alexander Bain in 1843) and is one of the oldest communication methods still in use today. It nevertheless remains one of the most widely used methods of communicating documents around the world, and current estimates put the number of fax machines in active use at over 100 million.

There are a number of good reasons that fax has remained so widely used in the face of competing technologies such as email and secure file transfer. The most commonly cited are that fax is delivered point-to-point (it is not relayed through unknown internet mail servers), that the transmission is confirmed and time-stamped instantly for both parties, that the transmission is very hard to tamper with, that fax documents are generally legally admissible, and, very importantly, that sending a paper-based document is an easy one-step process (especially useful for documents with a physical signature).


Historically, fax was a paper-to-paper process, and for many people it still conjures up images of rolled-up piles of thermal paper. That is not where the technology stands today. More faxes are now sent by applications as part of an automated process (referred to in the industry as Production Fax) than by all the individual people sending and receiving faxes, and the vast majority of fax transmissions either originate or terminate as a digital document rather than a piece of paper. The automation made possible by sending digital documents, or by receiving digital documents on your computer rather than having them printed on whichever physical fax machine happens to be in the building, is the reason that the majority of faxes today are tied directly to business transactions. It is also the reason why security and privacy can be addressed more holistically than with lock-and-key style security. Many companies still implement a kind of pseudo-security for fax documents by locking the machine in a closed room and giving only a few people a key. There are far better ways to implement a secure environment for document transmissions without so negatively impacting productivity and usability.

The number of regulatory controls over the security and privacy of information is limited only by the number of acronyms that can be formed from the alphabet; in other words, there are seemingly infinite rules, regulations, guidelines and requirements for compliance across a multitude of industries and processes. This document cannot address each of them individually. With the exception of a few very specific military or diplomatic standards that require safeguards restricting access on criteria such as citizenship, however, the vast majority of compliance standards are very similar as far as the use of an online fax service is concerned. Options for attaining and supporting these compliance requirements are discussed further in this document, with particular attention to the security of Concord Fax Online. ◆


Concord Fax Online Overview

Before looking at individual requirements and how Concord Fax Online meets them, it is necessary to dissect what Concord Fax Online actually is. Concord's fax service is commonly assessed like any typical SaaS (Software as a Service) offering, although that is not actually the case. Many large corporate IT departments have created complex security questionnaires designed to help protect their critical data when it is handled by external parties. These questionnaires regularly cover a broad range of topics such as data backups and their storage and encryption, which apply to Concord Fax Online only to the extent that a customer chooses to retain documents on the platform (see Document Storage below). We have even seen security requirements mandating that our network have no connections to the public phone network; complying with that would of course defeat the purpose of Concord's fax platform, which is the delivery of faxes to and from the phone network.


While Concord Fax Online is an online, cloud-architected service, it is not a traditional software service in which a customer's data is processed, collected and stored. In the most basic terms, Concord provides a messaging platform in which customers' messages are switched, or passed along, to a third-party destination in a different format from the one in which they were submitted. It is common for us to receive a Microsoft Word document and deliver it as a fax to a fax machine on the other side of the world, or to receive a fax and deliver it to a recipient as a PDF attachment to an email message. Concord is not in the business of archiving messages, processing information, or extracting, storing or analyzing data.

Using Concord, HIPAA and PCI compliance is in fact much more easily achieved than with conventional fax machines, which would have to be physically secured to be compliant. With secure delivery to a secured e-mail system, Concord limits access to fax documents to specific, authorized users. ◆


Communication and Connectivity considerations

Many regulations and standards, HIPAA among them, in effect require that regulated information not be transmitted unencrypted over the public internet. Concord supports a number of different methods for connecting to our platform through a variety of user tools and APIs. The security and encryption of data in transit for each of these transport mechanisms is discussed here:

E-Mail based fax service

Email remains the primary interface for Concord Fax Online, with a majority of users using email both for submitting new outbound faxes and for receiving inbound faxes securely into their inbox. Email communication is not encrypted by default, so attention needs to be paid to properly securing messages as they travel between Concord's mail servers and your own. Fortunately this is easy to do and can be achieved using two different approaches: the two networks can be securely connected over a Virtual Private Network (VPN), or the messages exchanged between the mail servers can be encrypted using Transport Layer Security (TLS).

VPN technology is commonly used to connect the remote branch offices of large companies or to connect remote employees to the central network. VPNs are highly secure and already trusted by almost every IT department as the de facto standard for secure connectivity. There are a number of detailed configuration options for VPN connectivity, and Concord will gladly provide guidance and recommendations on best practices for this method. VPNs are inherently more complex to manage and will require a minimum of two tunnels so that appropriate redundancy is in place, in line with Concord's standard for resilience and redundancy; these tunnels connect to at least two core data centers in the Concord network. Additional documentation is available from Concord should you require pricing or further explanation of the configuration options and requirements for VPN connectivity.


TLS is much easier to implement and remains a highly flexible way of securing communication between mail servers. Virtually all corporate mail systems support TLS out of the box, and little work is required to ensure that TLS is enforced for all communication between the mail servers. Once established, TLS is enforced without any intervention from the user; all encryption happens "behind the scenes".

By default, most mail systems use what is called "opportunistic TLS", which means that the message stream is encrypted when possible, but messages are sent using regular SMTP if a secure connection cannot be established. Opportunistic TLS therefore offers no protection against an attacker on the path who strips the STARTTLS offer from the session, since the sending server simply falls back to plain SMTP. To ensure compliance, encryption has to be enforced (not opportunistic or optional).

This configuration has to be made on both Concord's mail systems and the customer's. Once enabled on Concord's side, incoming faxes and all notification messages for those domains are only sent to the customer if a secure connection is confirmed to be in place. To enforce encryption for outbound messages, the customer's mail system has to have a defined path to Concord's fax domains (such as concordsend.com) that mandates the use of TLS. The specifics vary with the mail system and with whether front-end devices or services are in use. In Microsoft Exchange, for example, a so-called "Connector" is configured for the concordsend.com address space and a check box is set to require TLS; Exchange can additionally be set to validate the certificate presented by the receiving server, which closes the remaining gap of a mandatory but unauthenticated session that an impersonating server could otherwise satisfy. Once set up, only messages in an encrypted, compliant data stream are transmitted. Concord recommends establishing a policy to monitor TLS enforcement and to verify that any system changes or upgrades preserve it, to prevent unnecessary delay in the processing of fax traffic.

With TLS enforced, all e-mail based communications such as the integration with Microsoft Office, the e-mail based features of Concord FaxAssist, Concord FolderFax and Concord Print2Fax automatically become encrypted.
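The monitoring policy recommended above needs something concrete to monitor. The script below is an added example, not code from Concord or from the original datasheet: it audits Postfix-style SMTP client log lines and reports every delivery to the fax domain that left the relay without a TLS session, over a session whose server certificate was not verified, or over an obsolete protocol version. The sample log lines, the relay host name mx.concordsend.com, the queue IDs and the IP addresses are constructed for the example; concordsend.com is the only name taken from the text.

```python
"""Audit Postfix SMTP client logs for fax traffic that was not sent over TLS.

Each postfix/smtp process logs its TLS handshake ("Verified/Trusted/Untrusted/
Anonymous TLS connection established to ...") before it logs the deliveries
made over that connection ("... to=<rcpt>, relay=..., status=sent").  The
audit correlates the two by process id and reports every delivery to the fax
domain that has no matching handshake, a handshake whose server certificate
was not verified, or an obsolete protocol version.
"""
import re

# Provider domain named in the datasheet; add further domains as needed.
FAX_DOMAINS = {"concordsend.com"}

# Trust labels Postfix logs.  "Verified" is what an enforced policy
# (smtp_tls_policy_maps entry "concordsend.com secure") produces; "Trusted"
# means the certificate chained to a trusted CA under an opportunistic policy.
ACCEPTED_TRUST = {"Verified", "Trusted"}
OBSOLETE_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

TLS_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: "
    r"(?P<trust>Verified|Trusted|Untrusted|Anonymous) TLS connection established to "
    r"(?P<relay>[^\[\s]+)\[[^\]]*\]:\d+: (?P<proto>(?:SSL|TLS)v[\d.]+)"
)
SENT_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<relay>[^\[\s,]+)\[[^\]]*\]:\d+, .*status=(?P<status>\w+)"
)


def audit(lines, fax_domains=FAX_DOMAINS):
    """Return [(queue_id, recipient, reason), ...] for non-compliant deliveries."""
    last_tls = {}  # pid -> (relay, trust, proto) of that process's latest handshake
    findings = []
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            last_tls[m["pid"]] = (m["relay"], m["trust"], m["proto"])
            continue
        m = SENT_RE.search(line)
        if not m or m["status"] != "sent":
            continue
        domain = m["rcpt"].rsplit("@", 1)[-1].lower()
        if domain not in fax_domains:
            continue
        tls = last_tls.get(m["pid"])
        # Postfix logs the handshake but not a plaintext session, so a process
        # that never logged TLS (or last did so for a different relay) is
        # treated as having delivered in the clear.
        if tls is None or tls[0] != m["relay"]:
            findings.append((m["qid"], m["rcpt"], "delivered without a TLS session"))
        elif tls[1] not in ACCEPTED_TRUST:
            findings.append((m["qid"], m["rcpt"], f"{tls[1]} TLS: server certificate not verified"))
        elif tls[2] in OBSOLETE_PROTOCOLS:
            findings.append((m["qid"], m["rcpt"], f"obsolete protocol {tls[2]}"))
    return findings


# Constructed sample log (not real traffic): one compliant delivery, one over a
# session whose certificate was not verified, one with no handshake at all,
# and one to an unrelated domain that the audit ignores.
SAMPLE_LOG = """\
Mar  3 10:01:02 mail postfix/smtp[2211]: Verified TLS connection established to mx.concordsend.com[203.0.113.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  3 10:01:03 mail postfix/smtp[2211]: 4F3A1B2C: to=<15551234567@concordsend.com>, relay=mx.concordsend.com[203.0.113.10]:25, delay=1.2, delays=0.1/0/0.8/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
Mar  3 10:04:10 mail postfix/smtp[2230]: Untrusted TLS connection established to mx.concordsend.com[203.0.113.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar  3 10:04:11 mail postfix/smtp[2230]: 7A0C9D11: to=<15559876543@concordsend.com>, relay=mx.concordsend.com[203.0.113.10]:25, delay=0.9, delays=0.1/0/0.5/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
Mar  3 10:07:45 mail postfix/smtp[2244]: 9B1E22F0: to=<15550001111@concordsend.com>, relay=mx.concordsend.com[203.0.113.10]:25, delay=0.6, delays=0.1/0/0.2/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
Mar  3 10:09:00 mail postfix/smtp[2250]: 1C2D3E4F: to=<alice@example.net>, relay=mail.example.net[198.51.100.7]:25, delay=0.6, delays=0.1/0/0.2/0.3, dsn=2.0.0, status=sent (250 OK)
"""

if __name__ == "__main__":
    for qid, rcpt, reason in audit(SAMPLE_LOG.splitlines()):
        print(f"{qid} to {rcpt}: {reason}")
```

Run it against the outbound relay's mail log on a schedule. With an enforced Postfix policy every delivery to the fax domain logs as Verified and the audit is silent; any finding means enforcement has regressed, typically after an upgrade or a change to a front-end device. The correlation by process id is approximate, since Postfix does not log a plaintext reconnect by the same process; that is one more reason to rely on the enforced policy itself and use the audit as the independent check the datasheet recommends.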



Concord Fax Online Web services

Most Concord Fax Online utilities support Web Services communication in addition to e-mail. Concord's web services APIs are served over HTTPS, that is, TLS (the successor to SSL) with 2048-bit RSA certificate keys, for any information exchanged with our platform. While Web Services could technically also be used through a VPN tunnel, this is not required to provide a compliant service. Custom integrations using web services simply use an HTTPS URL, and all communications are encrypted with the same kind of protection you may be familiar with from online banking transactions. As with any HTTPS client, the integration should verify the server certificate and host name rather than disabling validation, since enforcement on the URL alone does not authenticate the endpoint.

Concord FaxLync

Concord FaxLync is a physical device that enables customers to connect physical fax machines and MFPs to the Concord Fax Online network. FaxLync uses a proprietary protocol carried over HTTPS (TLS), so that all transmissions to and from Concord are encrypted. Customers that use e-mail based confirmations, in particular with the optional attachment of the original fax document, must ensure that the e-mail communication is appropriately encrypted as discussed above. ◆


Document Storage

Many compliance requirements concern the archiving and storage of information. Concord Fax Online allows customers to select how long documents are stored on Concord's network. Any information stored on Concord's servers is kept in logically and physically secure environments, and other than call detail records (which do not include any fax content) no customer fax information ever leaves those secured facilities.

Since customers with stringent storage requirements usually have well-secured backup solutions for their e-mail systems or file shares, with audit policies, Concord recommends setting the document storage policy to zero. Concord Fax Online then destroys the fax document as soon as it has been delivered (or has failed), so that no duplicate image remains on Concord's platform at all.

Customers who choose to keep documents on Concord’s platform still benefit from a fully secured environment with stringent security policies and state of the art protection technology. ◆


Concord Network Safeguards

Physical Security

Concord operates two fully secured, redundant data centers with biometric and key card access in secured and guarded facilities. Access to Concord data centers is logged and limited to essential Concord personnel.

Application Security

Concord uses unique usernames and passwords with high complexity requirements. Access is strictly limited, and all logins and actions are logged. Concord follows strict update procedures, uses state-of-the-art intrusion prevention and detection technology, and enforces strict anti-virus policies across its network.

Encryption

Concord uses 2048-bit or stronger RSA keys to protect customer data in transit over the internet.

International Considerations

Concord is compliant with the guidelines of the US-EU Safe Harbor and US-Switzerland Safe Harbor frameworks. (The US-EU Safe Harbor framework was invalidated by the Court of Justice of the European Union in October 2015; readers relying on this statement should confirm the current data transfer mechanism with the vendor.) ◆


HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 in an effort by Congress to implement national patient record privacy standards. In 1999 the US Department of Health and Human Services (HHS) published proposed regulations to protect patients against misuse or disclosure of their health records. The law was designed to improve efficiency and reduce costs for health care organizations by stimulating and promoting the adoption of digital records management platforms. It also included extensive regulations governing how information is to be safeguarded so that the confidentiality of Protected Health Information (PHI) is enforced.

HIPAA does not prohibit the use of fax machines, but has implemented regulations that many health care practices are finding difficult to meet with these traditional paper-based devices. Concord Fax Online supports organizations meeting HIPAA regulations much more easily and effectively than could be achieved using traditional devices and in some ways, even more so than with on-premise fax servers.


Some of the regulatory requirements that are challenging to consistently apply with traditional fax technology are:

1. Fax machines are to be secured and not generally accessible. Some organizations will lock the fax machine in a private “fax” room or use other physical methods to secure the device that could deliver and print incoming PHI at any time. However, meeting the needs for rapid patient service when key information is secured behind lock-and-key can be both challenging for personnel and not reliably secure.

• Concord Fax Online allows practitioners to continue to use their traditional fax machines and MFPs for sending existing paper-based records to their required destinations, all while securing the transmission and logging the transmission, status and call outcome in detailed audit logs and call records. Incoming faxes can be sent directly to an email address, and health care businesses commonly assign each key individual within a practice a unique fax number associated with their email address. Information that already exists in digital form can be sent directly from the application using Concord's print-to-fax or email-to-fax features, or alternatively by leveraging one of the many existing integrations with EHR and EMR applications.

2. All faxes containing PHI are to include a cover sheet clearly stating that the fax contains confidential health information, is being sent with the patient's authorization, should not be passed to other parties without express consent, and should be destroyed if not received by the intended recipient. Any patient data should follow the cover sheet and must not appear on the first page of the transmission.

• Concord Fax Online supports both optional and enforced cover sheets by user, department or across the organization. Cover sheets can easily be customized to include all required disclosures and can be designed to reject the entry of any PHI on the cover sheet.


3. Retain copies of the confirmation sheet of all fax transmissions, including the necessary data such as the date and time and the recipient's fax number. Also retain all transmission and transaction log summaries.

• Concord Fax Online stores detailed records of all fax transmissions and receipts and makes them available for search and retrieval via our secure online web portal (Account Administration Center, or AAC). With the zero-retention policy described under Document Storage, the actual fax images and the associated PHI are not stored on Concord's network and are not visible to an administrator using the portal to retrieve transmission or billing records.

4. Received faxes are to be stored in a secure location and should be removed from the paper-tray of the physical fax device immediately (and delivered to the intended recipient).

• Using Concord Fax Online, all received faxes are immediately delivered to the correct recipient's email address, and as soon as delivery to that mailbox is confirmed, the images and associated data are completely removed from the Concord platform. Because the mail client requires authentication to access the faxes, access to the PHI is governed by the mail system's own authentication and access controls rather than by whoever happens to walk past the fax machine. Email gives users an easy way to search for faxes from a particular sender and retrieve the records they need quickly and efficiently. Furthermore, most healthcare practices have adopted email archiving to securely back up all email records for the required retention periods, and having faxes embedded in email means that these records are securely backed up and stored as well.


It is important to note the point made above: with the zero-retention configuration, no PHI is stored on the Concord platform. As discussed elsewhere in this document, the Concord platform can be configured to remove all fax images containing PHI immediately after delivery. Communication between the Concord platform and the user's email server is secured with TLS (also discussed in more detail in this document) so that confidential information remains protected in transit.

In addition to these technical and procedural security controls, Concord contractually acts as a Business Associate to its health care clients. A Business Associate is a person or entity that performs certain functions or activities on behalf of a covered entity involving the use or disclosure of PHI. For fax transmissions of PHI, both the covered entity and the Business Associate are required to implement and follow security measures pursuant to the HIPAA regulations. This contractual commitment gives our clients peace of mind. ◆



Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS was established as a standard to evaluate and control the security of cardholder data handled by the payment card industry. It has a set of clearly defined and strict requirements governing access to and storage of that information. Concord Fax Online can be used in complete compliance with PCI DSS. Doing so requires enforcing a number of optional security configuration parameters. Most importantly, it is crucial that information between the customer's network and Concord is secured by communicating over a VPN or over TLS (discussed above).

Concord also recommends that a zero image retention policy is implemented for any PCI traffic so as to simplify the audit requirements for PCI DSS compliance. In this configuration Concord stores no data related to the transaction, and thus no cardholder data, which removes the need for the customer to include Concord's network in the scope of its regular audits. If some level of image retention on Concord's network is required, please discuss your requirements with a Concord security specialist for further guidance. ◆


Conclusion

Concord Fax Online can be used in a compliant manner with virtually all security and privacy standards. The attainment and enforcement of these regulations and compliance standards are always far more complex than merely validating technology or vendors. Securing information, and access to that information, within your business requires diligent implementation, continual review and detailed governance of a large range of measures to ensure that your own, and your customers', information remains secure and confidential. It requires that you implement compliant processes in your business governing every aspect of the transaction and communication.

Concord is a trusted partner of many of the world's largest corporations, which have placed their trust in us to manage their most sensitive communications for more than a decade. We have worked hard to deserve your trust and continue to work hard to stay one step ahead of the market challenges you face each day. ◆


About Concord

Concord is the premier provider of integrated fax solutions for business. Its advanced network architecture provides best-of-breed capacity, reliability and security features and supports a comprehensive range of service offerings, including versatile Web Services that facilitate integration with any corporate software application.

Concord customers enjoy all the benefits of feature-rich fax communications without the cost, effort and maintenance issues associated with conventional fax systems and alternative fax technologies. This is achieved by platform-independent integration of fax and email, which in turn adds value to existing IT infrastructure and maximizes return on IT investments. Our network architecture is flexible enough to accommodate internal corporate policies (features such as specific fax cover pages or file formats) or to ensure compliance with internal and external industry requirements. Concord's secure fax delivery system is fully compliant with the Gramm-Leach-Bliley Act (GLBA).

Leadership Through Technology

Since its inception in 1996, Concord has led the industry with innovative solutions that push the edge of what is possible. Today, Concord is spearheading the industry with its fully redundant, SIP/T.38 enabled network. Based on a pair of fully redundant data centers located in Seattle, WA and Chicago, IL, Concord provides full fax functionality even in the case of regional catastrophic events. Concord's data center failover technology provides real-time failover for both inbound and outbound communications. The inbound failover, the product of significant capital investment, represents a technological breakthrough in the industry by enabling the rerouting of fax traffic in the blink of an eye. The result is exceptional business continuity and reliability. ◆

101 Stewart Street, Suite 1000, Seattle, Washington 98101 USA :: www.concordfax.com :: E-mail: [email protected]

Corporate Sales: Toll Free: 1 888 271 0653 :: USA: (+1) 206 486 6955 :: Germany: (+49) 89 1250373530