Cloud Fax Changes the Game for Compliance

Why Highly Regulated Businesses Make the Switch and Integrating a Secure Cloud Faxing Solution

Introduction: The Consequences of Poor Fax Compliance


Imagine having a long and prestigious history as the
country’s first bank, established as far back as 1695. Now
imagine that 300-year-old reputation getting skewered by
the press for breaches of the Data Protection Act, getting
investigated by the Information Commissioner’s Office
(ICO) and finally being slapped with a £75,000 fine in a
very public way.

That’s exactly what happened to the Bank of Scotland,
now part of Lloyds Banking Group. Pay slips, bank
statements and account details, along with customers’
names, addresses and contact details were wrongly
divulged to a third party organization as well as a member
of the public. Both parties had fax numbers that were
one digit different from the intended recipient: an internal
department within the bank.

Though only 31 documents in total were sent to the two
parties, such a breach in security is taken seriously by the
ICO. The information that was leaked could have been
used by a criminal to carry out identity fraud.

$400,000 for a wrong fax number


Of course, this is but one of countless data breaches to
hit the news over the past few years, and certainly not the
first related to poor fax security protocols. In a somewhat
disturbing fax-related case, misdirected documents
cost Mount Sinai St. Luke’s, a prominent New York City
hospital, nearly $400K in a HIPAA settlement, after a
staff member faxed a patient’s highly sensitive protected
health information (PHI) to the patient’s employer rather
than sending it to the personal post office box the patient
had requested.

Not a good look for a significant New York hospital.
If you’re concerned about fax compliance, you’re not
alone. Contrary to popular belief, fax usage in many
industries is increasing considerably.

Fax is Growing, Not Slowing


In fact, the latest research from International Data
Corporation (IDC) revealed that 82% of survey
respondents said their fax usage had actually increased.
Here are some highlights from their paper titled “Fax Market Pulse: Trends, Growth, and Opportunities.”

Figure: IDC 2017 Net Fax Usage Growth

This enormous volume of faxing creates endless opportunities for privacy and security compliance issues, and raises the question: is there a simple way to maintain fax compliance? The answer is a resounding “yes.”

The objective of this white paper is to explore the fax compliance challenges that IT professionals face, how other companies have successfully overcome them with a simple Cloud fax solution, and how you can too. First, though, let’s look at the issues your business is almost certainly facing if you’re still sending and receiving paper faxes.

Data Breaches, Regulatory Compliance and Faxing Aren’t Going Away


Recently, more than 1,100 senior security executives from around the world participated in the “Data Threat Report” covering a comprehensive set of technology methodologies.

According to the report, a whopping 67% of respondents worldwide (71% in the U.S.) indicated they had experienced a data breach at some point in the past, and 46% of the U.S. breaches happened in just the past year. This news is concerning, especially for those who are in the minority and have yet to experience an attack.

In 2017 alone, an estimated 179 million records were exposed because of data breaches, according to the Identity Theft Resource Center. The main causes were poor security, hacked IT systems, inside jobs, lost or stolen hardware and media, and employee negligence.

Figure: Data Records Stolen or Lost by Top 5 Private Sectors

With these kinds of statistics, is it any wonder that the average cost of a single data breach is estimated at $7.3 million according to the Ponemon Group, and that this figure represents a 66% increase?

If cyber threats weren’t enough to contend with, today’s regulatory landscape is more challenging than ever, with increased scrutiny by regulators, less time for companies to react, and stricter enforcement actions for violations. The Securities and Exchange Commission (SEC), for example, recently issued its first data breach disclosure enforcement penalty, for $35 million, for the massive Yahoo data breach that went unreported for years.

With this many security threats and challenges, it’s easy to overlook fax as a compliance vulnerability. Yet that could be a costly mistake. If your staff receives and sends sensitive or confidential data by fax, you can’t afford to transmit and store faxed documents without proper security any more than you can afford a deficiency in your corporate email or network.

The fact is, faxing documents remains a key part of today’s business world—approximately 100 billion pages are sent every year, according to the research firm Davidson Consulting.
A CIO Insight article tells us that 72% of U.S. companies still have fax machines. Yet, as we learned with the Bank of Scotland and Mount Sinai St. Luke’s in New York, only a few poorly handled faxed documents can lead to severe compliance breaches and repercussions.

Cloud Fax to the Rescue


Fortunately, more companies are enhancing their fax compliance with a cloud solution. IDC’s report “Fax Market Pulse: Trends, Growth, and Opportunities” shows that while 60% of companies that fax are still using traditional fax machines or multifunction printers (MFPs) with fax/scan capability, the trend is clearly moving to the Cloud.

Figure: Current and Future Fax Volume by Technology

One of the greatest benefits of Cloud faxing, beyond cost savings, productivity and reliability, is that with the right provider it can also significantly improve compliance efforts. Let’s take a look at why eFax Corporate is the global market leader in Cloud fax, trusted by nearly half of the Fortune 500.

All Cloud Fax Solutions are NOT Created Equal


To be clear, not just any cloud fax service will be able to help your organization achieve and maintain regulatory compliance. Federal and state financial disclosure and privacy laws place tough privacy, security and accountability rules on public and private corporations and the financial industry, while in healthcare HIPAA has become even stricter, with enforcement actions more common and costly.
Most online fax services do not provide the necessary privacy, security and administrative capabilities or forensic analysis tools to support the strictest regulatory mandates. Some may claim to be HIPAA compliant, but are not willing to sign a business associate agreement (BAA) to back up that claim as required by HIPAA.

eFax Corporate Compliance


eFax Corporate’s fax technology was designed to comply with such financial security and privacy regulations as the Sarbanes-Oxley Act (SOX), which regulates the financial disclosures of public corporations, the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, as well as the Family Educational Rights and Privacy Act (FERPA), which protects the privacy of student education records, and similar federal, state and industry regulations.

In fact, the eFax Corporate family of products, which we will describe in detail later, has been tested to meet the most important security and quality assurance protocols for data protection, including ISO-27001, FIPS 140-2, and PCI-DSS.

Figure: HIPAA, GLBA, SOX and PCI Compliant Secure Cloud Fax

In addition, the products meet the security standards of the Criminal Justice Information Services (CJIS) for use by federal, state and local law enforcement agencies, and have completed or are undergoing a rigorous compliance certification under the HITRUST Common Security Framework for HIPAA Compliance.

Figure: eFax Corporate is HIPAA Compliant and HITRUST Certified

eFax Corporate Security Compliance


eFax Corporate is an enterprise-level, cloud-based fax-by-email solution used by many of the world’s largest corporations (as well as small and medium-sized businesses). As such, it meets the most stringent requirements for secure document transmission, including 256-bit encryption and certificate-based authentication via Transport Layer Security (TLS) v1.2, in compliance with the recommendations of the National Institute of Standards and Technology (NIST).

Similarly, the Payment Card Industry Data Security Standard (PCI-DSS) for safeguarding cardholder data requires that anyone performing online credit card transactions secure their websites with a minimum of TLS v1.1 as of June 2018. After that date, all versions of SSL and even TLS 1.0 will be out of compliance.

However, the eFax Corporate product portfolio has long been ahead of the curve with the more secure and fully compliant TLS v1.2.

Industry best practices and federal standards also require that confidential and personally identifiable information (PII) and other sensitive data should be encrypted not only during transmission but also while at rest — meaning while stored and archived in a digital environment. For example, SOX mandates that all electronic records (including faxes), be retained for a period of seven years and be secure against tampering.

To that end, NIST recommends the Advanced Encryption Standard (AES) with a key strength of at least 128-bit. eFax Corporate has taken it to a higher level of encryption at 256-bit for superior protection of your stored data.

It should be noted that some fax server brands still use the old Triple Data Encryption Standard (3DES). This algorithm dates from the 1990s and is now on the verge of being officially deprecated by NIST. At that point, those fax server encryption modules will no longer be compliant for storage of ePHI and other sensitive customer data.
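The transport rules above (TLS 1.2 minimum, SSL and TLS 1.0 out of PCI-DSS compliance, 3DES on its way out) are easy to state and easy to get wrong in a client that pulls faxes from an HTTPS portal. The following is an added example, not eFax’s code, of a client-side TLS policy in Python’s standard `ssl` module that enforces them and a small checker for a negotiated connection; the `client_cert_pem` parameter and the protocol name table are our own assumptions.

```python
import ssl
from typing import List, Optional

# Compliance bars quoted on the page: PCI DSS floor of TLS 1.1 from June 2018,
# and the TLS 1.2 bar the eFax products are described as meeting.
PCI_MIN_VERSION = ssl.TLSVersion.TLSv1_1
PREFERRED_MIN_VERSION = ssl.TLSVersion.TLSv1_2

# Protocol names as returned by SSLSocket.version(), mapped to ssl.TLSVersion.
_VERSION_BY_NAME = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def build_fax_client_context(client_cert_pem: Optional[str] = None) -> ssl.SSLContext:
    """Client SSLContext for fetching a fax from an HTTPS portal: server
    certificate and hostname verification on, TLS 1.2 minimum, legacy
    ciphers (3DES, RC4, NULL) excluded. client_cert_pem (hypothetical path)
    is a PEM file with a client certificate and key for certificate-based
    authentication."""
    ctx = ssl.create_default_context()           # CERT_REQUIRED + check_hostname
    ctx.minimum_version = PREFERRED_MIN_VERSION  # refuses SSLv3, TLS 1.0, TLS 1.1
    # OpenSSL cipher string: forward-secret AEAD suites only, 3DES banned.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!3DES:!RC4:!MD5")
    if client_cert_pem:
        ctx.load_cert_chain(client_cert_pem)
    return ctx


def three_des_suites(ctx: ssl.SSLContext) -> List[str]:
    """Names of any 3DES suites still enabled in a context (should be empty)."""
    return [c["name"] for c in ctx.get_ciphers()
            if "DES-CBC3" in c["name"] or "3DES" in c["name"]]


def assess_connection(protocol: str, cipher: str) -> List[str]:
    """Compliance findings for a negotiated (protocol, cipher) pair, e.g. from
    sock.version() and sock.cipher()[0]. An empty list means compliant."""
    findings = []
    version = _VERSION_BY_NAME.get(protocol)
    if version is None or version < PCI_MIN_VERSION:
        findings.append(f"{protocol}: SSL and TLS 1.0 are out of PCI DSS compliance")
    elif version < PREFERRED_MIN_VERSION:
        findings.append(f"{protocol}: meets the PCI DSS floor but not the TLS 1.2 bar")
    if "DES-CBC3" in cipher or "3DES" in cipher:
        findings.append(f"{cipher}: 3DES suite, about to be deprecated by NIST")
    return findings
```

`three_des_suites` is the check to run after any cipher-string change, since a permissive string silently re-enables legacy suites.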
Now let’s take a look at other members of the eFax Corporate family of products and the different capabilities and features they have to offer.

eFax Secure and Sfax


The eFax Corporate portfolio includes two maximum security products called eFax Secure™ and Sfax®, services that automatically encrypt incoming faxes using AES 256-bit, while notifying the user’s account via email that a new fax is available.

The email notification contains a personal URL (PURL). When the user clicks on this link, a TLS connection is made to a secure HTTPS website and they must log in with their user ID and a strong password; multi-factor authentication can optionally be required as well, before they can view or download faxes.

In this system faxes are never sent as email attachments. However, the Sfax inbox can be polled for incoming faxes and automatically downloaded to the customer’s local server. Additionally, the encrypted and secure faxes can be stored as long as needed, reducing strain on any local email servers and local storage devices.

eFax Developer™


eFax Developer™ is a secure fax API-based product for high-volume fax environments such as national pharmacy chains, payment processors and others that need to integrate fax into their production workflow processes. eFax Developer also implements TLS 1.2 encryption for faxes in transit and AES-256 for faxes at rest in storage for maximum security.

These are just a few of the many reasons nearly half of the Top 200 Law Firms (as identified by ALM) use eFax Corporate and its family of secure fax services for their most sensitive and confidential fax documents.

Hierarchical Administration Portal


To meet compliance as well as customer needs, eFax Corporate has developed extremely robust, hierarchical administration capabilities. The “Admin Portal” has tools that enable administrators to easily add, delete or manage users; to track inbound and outbound fax volumes, as well as who sent or received a fax, when, where and to whom; plus the ability to add billing codes, tag specific staff members, add job/matter or client ID numbers and much more.

Figure: eFax Corporate Secure Cloud Faxing Administration Portal

In addition, for security purposes, user settings are highly flexible, offering the ability to set multiple access levels with granular permissions and privileges for your most sensitive data.

Every fax you send or receive with eFax Corporate is automatically saved in a standard electronic format (PDF or TIFF), along with all of its meta-data such as client ID and Matter, then stored securely in the cloud where you can access it anytime for compliance.

Because compliance and security are such critical facets of faxing today, eFax Corporate also has flexible and comprehensive role-based administration tools. This makes it simple for a Super Admin to add other Admins for specific purposes, with differing levels of access to the Admin Portal to meet specific business needs and compliance protocols. Role-based access can be extended across different departments to ensure that only authorized employees have access to ePHI, as required by HIPAA.

This hierarchical administration capability offers complete control and scalability over data access, enabling Admins to create an unlimited number of groups or subgroups, which scales to larger multi-location enterprises, as well as to resellers and third-party providers.
Detailed document tracking and auditing is an essential feature to meet compliance standards. Any faxing solution that does not offer a complete audit trail for each fax containing personally identifiable client or patient data cannot be fully compliant and may not pass an audit or meet the requirements of eDiscovery.

Reporting on 20 Different Fax Attributes


eFax Corporate is unique in offering 20 different tracking and reporting metrics, as shown below.

Figure: eFax Corporate fax audit trail and detailed fax reporting

More Reasons Companies Choose eFax Corporate


Another popular and proprietary feature of eFax Corporate is called Fax Return, which enables users to attach the document that is being sent to any confirmations. In legal discovery or medical audit, a traditional fax confirmation only provides a time stamp that a document was sent at a certain time. But with Fax Return, it is simple to prove the exact documentation that was faxed to the recipient.
Another important feature that eFax Corporate implemented to help with HIPAA and other compliance is our customizable fax cover sheet feature. There are three primary reasons why a cover sheet is important for HIPAA compliant faxing in particular:
  • Protecting the fax document from view
  • Providing contact info in case of an incorrect recipient
  • Displaying the HIPAA disclaimer upfront

In addition, there are specific items that HIPAA requires on every fax cover sheet:
  • Date and time sent
  • Name of recipient
  • Recipient’s fax number
  • Sender’s name and organization
  • Sender’s phone number
  • HIPAA fax disclaimer

Because it is such a simple task, adding a cover sheet is easily forgotten, especially when sending faxes online. Fortunately, with the fully customizable cover sheet included with every fax sent through the eFax Corporate system, this compliance violation risk is eliminated.

Plus, cover pages can be managed and customized for specific groups within your organization, or shared across multiple groups.
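Two of the controls described above, the six required cover-sheet items and a confirmation that proves exactly which document went out (the Fax Return property), can be checked in code. Here is an added example, not eFax’s code, that validates a cover sheet against the page’s list and writes an audit record bound to the document bytes by SHA-256; the field names, the sample cover sheet and the placeholder document are constructed for the example.

```python
import hashlib
import json
from typing import Dict, List

# The six items the page says HIPAA requires on every cover sheet. The key
# names are our own (an assumption), not eFax field names.
REQUIRED_COVER_FIELDS = (
    "date_time_sent",
    "recipient_name",
    "recipient_fax_number",
    "sender_name_and_organization",
    "sender_phone",
    "hipaa_disclaimer",
)


def missing_cover_fields(cover: Dict[str, str]) -> List[str]:
    """Required cover-sheet fields that are absent or blank."""
    return [f for f in REQUIRED_COVER_FIELDS if not str(cover.get(f, "")).strip()]


def build_transmission_record(cover: Dict[str, str], document: bytes,
                              status: str) -> Dict[str, object]:
    """Audit-trail entry for one outbound fax. Refuses an incomplete cover
    sheet, and binds the entry to the exact document bytes via SHA-256 so the
    confirmation proves what was sent, not merely that something was sent."""
    missing = missing_cover_fields(cover)
    if missing:
        raise ValueError("cover sheet incomplete, missing: " + ", ".join(missing))
    record: Dict[str, object] = {f: cover[f] for f in REQUIRED_COVER_FIELDS}
    record["document_sha256"] = hashlib.sha256(document).hexdigest()
    record["document_bytes"] = len(document)
    record["status"] = status
    return record


def record_matches_document(record: Dict[str, object], document: bytes) -> bool:
    """In discovery or an audit: does this archived document match the record?"""
    return record["document_sha256"] == hashlib.sha256(document).hexdigest()


def to_audit_line(record: Dict[str, object]) -> str:
    """One JSON line with sorted keys, suitable for an append-only audit log."""
    return json.dumps(record, sort_keys=True)


# Constructed sample: a complete cover sheet and a stand-in for the PDF bytes.
SAMPLE_COVER = {
    "date_time_sent": "2018-06-30T14:05:00Z",
    "recipient_name": "Records Department (constructed)",
    "recipient_fax_number": "+1-555-0100",
    "sender_name_and_organization": "J. Doe, Example Clinic (constructed)",
    "sender_phone": "+1-555-0199",
    "hipaa_disclaimer": "This fax contains confidential health information ...",
}
SAMPLE_DOCUMENT = b"%PDF-1.4 constructed placeholder for the faxed pages"
```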

The Cloud Fax Service of Choice for the Highest Regulated Businesses


To date, the most widely used and trusted provider of enterprise-caliber cloud faxing is eFax Corporate. For more than 21 years, we have been the cloud fax service of choice for more heavily regulated businesses than any other company.

If you’re not sure whether your organization falls under specific regulations, we would be happy to give you a walkthrough of how eFax Corporate’s processes will help bring your faxing protocols into alignment with that law.
prevent those workforce members who do not have access … from obtaining access to ePHI,” as part of its Workforce Security plan.

  • See 45 C.F.R. §164.308(a)(3)(ii)(B). Appropriate workforce screening procedures could be included as part of an organization’s Workforce Clearance process (e.g., background and OIG LEIE checks).
  • See 45 C.F.R. §164.308(a)(3)(ii)(C). Termination Procedures should be in place to ensure that access to PHI is revoked as part of a workforce exit or separation process.

More than a few data breaches involving ePHI were the result of employees accessing medical records that they were not authorized to view. And in some cases these were celebrity patients who had their privacy violated out of curiosity or for financial gain.

Unfortunately, it is not unusual for a provider to report that an ex-employee had been inappropriately accessing medical records long after they had been terminated. It is a requirement that terminated employees have their access to systems immediately terminated as well.

Issue #9: Disposal of PHI


See 45 C.F.R. §164.310(d)(2)(i). “When an organization disposes of electronic media which may contain ePHI, it must implement policies and procedures to ensure that proper and secure disposal processes are used.”

  • The implemented disposal procedures must ensure that “electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88: Guidelines for Media Sanitization, such that the PHI cannot be retrieved.”

  • Electronic media and devices identified for disposal should be disposed of in a timely manner to avoid accidental improper disposal.
  • Organizations must ensure that all electronic devices and media containing PHI are disposed of securely; including non-computer devices such as copier systems and medical devices.

This can involve paper records, which on more than a few occasions have been found in dumpsters behind medical offices, and also in less obvious places such as the memory of fax machines and printers, which are just a few of the many places that PHI can hide.

Issue #10: Backup and Contingency Planning


See 45 C.F.R. §164.308(a)(7). Organizations must ensure that adequate contingency plans (including data backup and disaster recovery) are in place and would be effective when implemented in the event of an actual disaster or emergency situation.

  • Leveraging the resources of cloud vendors may aid an organization with its contingency planning regarding certain applications or computer systems, but may not encompass all that is required for an effective contingency plan.
  • See 164.308(a)(7)(ii)(D). As reasonable and appropriate, organizations must periodically test their contingency plans and revise such plans as necessary when the results of the contingency exercise identify deficiencies.
In the wake of this year’s horrendous hurricane season, this issue should be front and center. As we pointed out in a recent webinar on this subject, natural and manmade disasters can happen anywhere, any time, and usually when you least expect it.

But some things can, and should, be anticipated. If you are a hospital in a flood-prone coastal area, you really can’t afford to have your backup generators at ground level, or to have all your servers in the basement.

Those are the kinds of issues that need to be included in a comprehensive disaster recovery plan.

Cut Costs, Save Time & Increase Productivity with eFax Corporate

Start Your Free Trial Now

eFax® or eFax Corporate®?

If you need a single fax number or a fax solution for less than 10 employees, you can sign up online at www.efax.com.


eFax is the world’s #1 online fax service. More than 11 million customers use eFax every day to send and receive faxes from their computer, smartphone and email. See how we've made faxing simple for over 20 years.