Healthcare IT Cyber Security Update

Protecting Patient Privacy with Cloud Fax Services

Introduction

As a professional responsible for the technology infrastructure of a healthcare organization, you carry a unique burden within the IT community. Actually, you carry two unique burdens.
Unique burden 1: The healthcare data your IT team is responsible for safeguarding - the electronic personal health information (ePHI) of your company's patients - has become the most sought-after type of data for hackers and cyber thieves to target.
Unique burden 2: Due to the highly personal and sensitive nature of the individual health records your organization generates, transmits and stores, the government - through HIPAA and related laws - has drafted and now aggressively enforces some of the strictest data-privacy regulations against healthcare providers.
As a healthcare IT professional, you face the dual burdens of safeguarding the most sought-after type of data for hackers while also keeping your company compliant with aggressively enforced data privacy laws.
In other words, in addition to all of your team's responsibilities for maintaining an efficient, cost-effective and smooth-running IT infrastructure, you have the added obligations of securing your organization's data from increasingly sophisticated cybercriminals eager to steal it, and ensuring that your company stays on the right side of one of the strictest regulatory regimes policing any industry.
This paper will discuss how these unique burdens - cybersecurity and regulatory compliance - affect your industry generally and your organization in particular. We will then offer a simple, cost-effective solution that can help you address both of these challenges in one area of your IT's infrastructure that probably receives little attention but nonetheless remains a target: faxing.
That solution is an enterprise-caliber cloud fax service.
After reading this paper, we believe you will be convinced both that your existing fax infrastructure leaves your organization vulnerable, and that migrating to a fully hosted cloud fax solution - designed for the unique challenges of healthcare providers - is an intelligent step toward enhanced data security and compliance.

Why Healthcare Records Are the Most Attractive Type of Data to Steal

Why is the personal healthcare data your company is responsible for protecting such a high-value target among cyber criminals?
Why, as HealthcareITNews reported, did hackers attack 320% more health providers in 2016 than they did in 2015? And why did Cyber Security Officer (CSO) Magazine title one of its articles "Healthcare Industry is the Bullseye for Hackers in 2017"?
The primary reason is straightforward: money. Healthcare records on the black market can command 10 to 20 times the value of credit card data. Whereas the market price on the dark web for stolen credit card numbers ranges from $.50 to $5.00 per number, personal health information (PHI) can bring in $10 to $50 per record. In fact, in some cases, as the title of a 2017 Forbes article explains, "Your Electronic Medical Records Could Be Worth $1,000 to Hackers."
The reasons that PHI can command such a high premium are straightforward as well. While a credit card can be cancelled immediately when the holder discovers it has been stolen, PHI contains a wealth of permanent information that cannot be quickly or easily changed - such as full names, Social Security numbers, and other details that can be used for such crimes as identity theft.
Additionally, because PHI can contain an individual's health history, including medical or psychological diagnoses, this data can be used to commit blackmail.
For these and other reasons - including the fact that businesses are simply generating and maintaining more personal health information than they ever have - government enforcement is increasing against covered entities found to be noncompliant with HIPAA.

HIPAA Enforcement is Ramping Up Against Covered Entities and Their Business Associates

As you can see from the numbers below, the healthcare industry now represents more than a third of all data breaches across all industries and government entities. The Identity Theft Resource Center's report estimates about 16 million health records were compromised in 2016 - accounting for nearly half of all stolen records that year.
With the increasing attacks on the health industry, you can understand why - as the stats shown here from the Dept. of Health and Human Services' Office for Civil Rights (responsible for HIPAA compliance) explain - regulators impose steep penalties against covered entities whose noncompliance is determined to have allowed data breaches. Since the OCR began HIPAA enforcement, the agency's regulators have received 144,000 complaints, resolved 97% of them, and have taken some form of action against 24,617 of the businesses involved.
Also worth noting: Although there have been only a few dozen cases so far resulting in civil money penalties, the average settlement was more than a million dollars. HIPAA's auditors do not take lightly what they consider serious lapses in compliance.
How Might This Affect Your Organization?
The $48 million levied so far against healthcare companies for HIPAA violations is also significant because the HIPAA audit program is, by necessity, self-funded. This means the auditors use the proceeds of their fines and settlements to fund more audits, investigations and legal cases against companies caught in noncompliance.
Which means that even if yours is a small healthcare organization, and you do not believe you are large enough to make it onto the radar of HIPAA's auditors, you need to keep in mind that as the agency's enforcement arm raises more money from penalizing violators, it becomes more equipped to cast a wider net against more covered entities.
Could HIPAA's Phase-2 Audit Program Include You?
The Office for Civil Rights, for example, stated that Phase Two of its audit program, which began in 2016, would involve double the audits that the regulators conducted in Phase One.
Additionally, for the first time, business associates were also included in the audit program - expanding the coverage beyond healthcare companies to the wide range of businesses that serve them, including cloud service providers. Indeed, tens of thousands of such companies have already been identified by HIPAA auditors as business associates worth looking into.
Most Phase Two audits will be desktop audits, where regulators require a covered entity or business associate to simply submit documentation demonstrating that their processes are in compliance with HIPAA's Security Rule, Privacy Rule and the Breach Notification Rule.
If a company's documentation does not satisfy HIPAA's auditing team that they are meeting the law's requirements, this might trigger a more thorough and invasive onsite audit.
A word of caution: If your company receives an audit notice and a "request" for documentation from the HHS Office for Civil Rights, do not take this lightly. You will need to respond within 10 days to comply with the request.
And yes, your organization - no matter how large or small, and regardless of whether you are a covered entity or a business associate - can be the subject of one of these audits. As OCR Deputy Director Deven McGraw explains, "we can open a compliance review for any reason whatsoever."

Real-World Examples of HIPAA Enforcement Actions

Advocate Health Care    -$5,550,000
University of Miss. Medical Center    -$2,750,000
Oregon State University Health Services    -$2,700,000
St. Joseph’s Health System    -$2,100,000
Catholic Health Care of Philadelphia    -$650,000
Complete P.T. Physical Therapy    -$25,000

The list above shows some very large settlements against large institutions, but also a relatively small fine against a small healthcare provider. In addition to its audit program, the OCR is always on the lookout for complaints and reported data breaches - and its auditors investigate them all.
Although a data breach obviously puts at risk the patients whose personal information is stolen, there are also serious consequences for the health provider or the offending business associate. Here are just a couple of these consequences:

    1.  A data breach compromising patients’ health records can result in negative publicity for the covered entity or business associate, which can damage the company’s trust with patients, vendors, stockholders and the general public.

    2.  HIPAA investigations that result from data breaches or other lapses in compliance can lead to direct fines against the company.

As you can see from the penalties and settlements shown here, landing on the wrong side of HIPAA can result in significant monetary penalties for covered entities, no matter how large or small they are.
The Biggest Fine Ever: Advocate Health Care
The largest fine in HIPAA enforcement history was a claim against Advocate Health Care Network, Illinois's largest healthcare system. The company was ordered to pay $5.55 million in fines and adopt a corrective plan for safeguarding its ePHI.
This case is worth reviewing because, as you will see, the original error that led to the breach was a seemingly simple oversight that many businesses could make.
The OCR's investigation into Advocate Health Care stemmed from several breach notifications, beginning with an unencrypted company laptop containing patients' ePHI, which was stolen from an employee's unlocked car.
The OCR found that Advocate:

•  Failed to perform a risk analysis
•  Failed to take corrective action
•  Failed to implement access controls
•  Failed to get a signed Business Associate Agreement (BAA) with a business associate
•  Failed to encrypt a laptop that was left in an unlocked car overnight.

It's also important to note that the OCR's penalties are not limited to multimillion-dollar judgments against healthcare giants. For example, a small physical-therapy practice was forced to pay $25,000 for a HIPAA violation - a violation it's difficult to imagine the typical small-business health provider would even be aware of. The therapy practice simply posted testimonials and pictures of satisfied customers on its website - but without obtaining prior written authorization from those customers, which is a HIPAA violation. And unlike pictures on an office wall, things posted to the web are there forever.
The Key Lesson
The important insight to take away from these enforcement actions can be best summed up in a statement issued by the HHS's OCR. As a covered entity or business associate, national health system or local clinic, you need to be certain that your organization's practices are up to HIPAA standards at all times, because: "No company is too big or too small to escape compliance enforcement."

The Causes of Data Breaches - and How to Prevent Them

One bit of good news when it comes to securing ePHI is the fact that most healthcare data breaches are not the result of elaborate and sophisticated hacks - but rather simple employee error such as losing devices that contain ePHI or allowing them to be stolen.
As you can see from the chart here, based on large-scale data breaches (those affecting more than 500 individuals) reported to the Office for Civil Rights, device theft and loss account for a combined 53% - a majority - of all incidents.
This means that statistically speaking, you can make your company's ePHI much more secure simply by tightening up your policies regarding employees storing health data on portable media devices (don't allow), and encrypting any devices they use to store and access such data.
One caveat is that if this analysis were based on the total number of records breached, almost the entire chart would be blue because hacking accounts for most of the records illegally accessed.
Another point to keep in mind: the OCR considers seemingly isolated events, such as a lost or stolen laptop containing unencrypted ePHI, as the proverbial "canary in the coal mine," meaning that it may just be the tip of the iceberg revealing a pattern of non-compliance below the water. The thinking is that if an organization's policies allowed ePHI to be taken off the premises in an unprotected state, there are probably more compliance violations waiting to be uncovered.

The Biggest Cybersecurity Concerns for IT Professionals

Given the breach causes listed in this OCR chart, the responses by healthcare IT professionals to the Cisco annual "Security Capabilities Benchmark Study" make perfect sense.
"A chain is only as strong as its weakest link." William James
According to those IT pros, their top four concerns when it comes to the potential for a cyberattack against their organizations' ePHI are:

•  Mobile device usage – 58%*
•  Data in the public cloud – 57%*
•  Cloud infrastructure vulnerabilities – 57%*
•  User behavior – 57%*

*Percentage of Security Professionals Who Find the Categories Very or Extremely Challenging
The proliferation of mobile devices creates more endpoints to protect. And notice that "cloud" was mentioned twice. This is because the uptake of cloud services is expanding the security perimeter outside the traditional corporate firewall.
As businesses embrace further digitization - and the Internet of Everything (IoE) begins to take shape - defenders of corporate data will have even more to worry about. The attack surface will only expand, giving adversaries more space to operate. And users are, as they've always been, the weak link in the security chain.

Compliance in the Cloud - Do Cloud Service Providers Need to Be HIPAA Compliant?

One important area that many covered entities overlook in assessing their overall HIPAA compliance is how they work with vendors such as cloud service providers (CSPs). Specifically, a common misperception is that your CSPs fall under the "conduit exception rule" - and that they therefore do not need to sign a Business Associate Agreement (BAA) with your company and share the responsibility for protecting your data.
It is true that the conduit exception applies to companies that merely transport data from point A to point B and any processing of that data is incidental to the transmission process. Examples would be a telecommunications carrier or Internet Service Provider (ISP) that offers basic Internet access.
But according to recently released guidance from the OCR, if a cloud service provider creates, maintains, receives or transmits ePHI, for, or on behalf of, a covered healthcare entity or business associate, that cloud provider is required to sign a BAA with the covered entity responsible for that data.
The key clause, when it comes to your cloud service providers, is "maintains." Because many common types of CSPs - online data storage, backup and disaster recovery companies, for example, and software-as-a-service providers - store your ePHI for a "more than temporary basis," the OCR will not apply the conduit exception rule to them. Instead, the OCR will treat these cloud service providers as business associates, required to sign a BAA and to be HIPAA compliant themselves in how they store and protect your ePHI. And the OCR has already levied fines on organizations that did not have BAAs in place.
This means that as you review your relationships with any CSP that currently maintains your company's health data, and as you evaluate new CSPs to partner with, you should keep in mind that these companies should be well-versed in HIPAA's guidelines, should ideally be HIPAA-certified, and should be willing to sign a BAA with your company.

Ransomware: The Fastest Growing Threat to Your Data

As if you didn't already have enough forms of cyberattacks to defend against, hackers continue to devise new ones.
One of the fastest-growing new cybercrimes is corporate ransomware - where hackers trick an employee into downloading software that then encrypts all of the organization's data and systems, effectively locking the company out of its own networks. Next, the hackers contact the company and demand a "ransom" payment in exchange for unlocking their systems.
In one high-profile case, MedStar, the second-largest health system in Maryland, was the victim of a ransomware attack in 2016. Hackers effectively shut the entire staff out of its data network.
As hospital administrators explained it, this attack left the system's 30,000 employees and 6,000 doctors having to record and share patient information with pen and paper. This is more than just a financial crime. It can potentially cause physical harm and even death, because it degrades healthcare professionals' ability to treat their patients.
Does a Ransomware Attack = Data Breach?
According to OCR guidance on ransomware, covered entities and business associates that face a ransomware attack need to ask themselves several questions with regard to how the event affects their HIPAA compliance:

    1.  Does this ransomware attack constitute a “data breach” as defined by HIPAA?
    2.  Does this attack therefore require a breach notification report to the OCR?
    3.  What is the probability that your ePHI has been compromised?

Now many of you might argue that your data and ePHI were not stolen or disclosed by the ransomware attack; you were simply unable to access that data until access was restored, and therefore the attack did not trigger the reporting requirement under HIPAA's Breach Notification Rules. That argument would be wrong, based on how the OCR interprets these events, because if hackers were able to penetrate your networks and systems to be able to encrypt them and effectively lock you out, what else might they

Why Compliance Alone Does Not Equal Security

One of the most important principles to understand when it comes to safeguarding your ePHI is that HIPAA compliance and data security are two very different initiatives.
As important as complying with HIPAA is, you need to go even further in fortifying your processes to protect your ePHI. That's because HIPAA does not and cannot address every possible type of breach. As we saw with the advent of ransomware, cybercriminals are constantly evolving, growing more sophisticated and trying new techniques.
It's better to think of HIPAA compliance as the baseline, or starting point, for data security, and build from there.
With that in mind, though, here is a brief overview of some of what HIPAA has to say about securing ePHI in transmission. The summary here offers a good illustration of why working with HIPAA experts is so important for your compliance.

Under the law’s section 45 CFR 164.306, HIPAA demands that covered entities:
•  Ensure ePHI confidentiality
•  Protect from reasonably anticipated threats
•  Use any security measures that comply

Vague, non-specific mandates like these are the norm throughout HIPAA's language. The regulators say they left the requirements broad intentionally, to allow for new technologies and processes. But what this means is that unless you're a HIPAA or compliance expert, you really should be engaging the services of those who are.

Also, under the law’s section 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.312(e)(2)(i), HIPAA refers to a two-factor requirement for ePHI transmission security:
    1.  ePHI Encryption: A covered entity must “implement a mechanism to encrypt and decrypt electronic protected health information.”
    2.  ePHI Integrity: A covered entity must “implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.”

Does this mean encryption is required for HIPAA compliance?

What Are the Technical Requirements for ePHI Security?

At this point you might be wondering, if HIPAA doesn't recommend specific technologies or step-by-step processes for complying with the law, then what resources can you use to determine what protocols will satisfy the regulators? For example, how can you know if the law considers your ePHI to be secure?
The best source of information, experience tells us, is the federal government itself. And when it comes to setting standards for data security and encryption, the OCR has publicly embraced the standards set by NIST: The National Institute of Standards and Technology.
In terms of encrypting ePHI, there are two important factors to consider: data that's at rest, and data that's in motion. NIST has three publications that describe encryption methods for data-at-rest and data-in-motion. The links to those will be included at the end.
The Encryption Standard for Data-in-Motion
When it comes to data-in-motion (or transmission), TLS encryption - or Transport Layer Security - is the latest standard for encrypting communications across the Internet. It's designed to prevent interception of sensitive information, tampering and message forgery, for example, like a 'man in the middle' attack. It's worth noting that the TLS predecessor - SSL (Secure Sockets Layer) - has well known vulnerabilities to these types of cyberattacks.
NIST "strongly recommends" that all organizations upgrade to the latest TLS version 1.2, and a private industry consortium, the Payment Card Industry (PCI) has also mandated use of TLS 1.2 for credit card payment processing by next year.
It is that version which is currently supported by eFax Corporate®. This is important, because not all cloud providers are using this. Some are still using SSL.
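As an added example (not part of the original paper and not any vendor's code), the Python sketch below shows one way to check the TLS 1.2 floor described above: a client context that refuses SSL and early TLS, plus a review of scan results that fails any endpoint still offering legacy protocols alongside TLS 1.2. The function names, hostnames and scan records are hypothetical and constructed for illustration.

```python
import socket
import ssl
from typing import Optional

# Protocol names as reported by ssl.SSLSocket.version().
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def strict_client_context() -> ssl.SSLContext:
    """Client context that verifies certificates and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # certificate and hostname checks enabled
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def meets_floor(negotiated: Optional[str]) -> bool:
    """True only if the negotiated protocol is TLS 1.2 or newer."""
    return negotiated in ACCEPTABLE


def audit_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the strict context and report what was negotiated.

    A server that only speaks SSL or TLS < 1.2 fails the handshake and is
    reported with ok=False and the error text.
    """
    result = {"host": host, "ok": False, "version": None, "cipher": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict_client_context().wrap_socket(raw, server_hostname=host) as tls:
                result["version"] = tls.version()
                result["cipher"] = tls.cipher()[0]
                result["ok"] = meets_floor(result["version"])
    except (ssl.SSLError, OSError) as exc:
        result["error"] = str(exc)
    return result


def review_inventory(records: list) -> list:
    """Grade scan records of the form {"endpoint": str, "protocols": [str, ...]}.

    Offering TLS 1.2 is not enough: an endpoint that also accepts a legacy
    protocol can be negotiated down to it by an older or tampered-with client.
    """
    findings = []
    for rec in records:
        offered = set(rec["protocols"])
        legacy = sorted(offered & LEGACY)
        if not offered & ACCEPTABLE:
            status = "fail: no TLS 1.2+"
        elif legacy:
            status = "fail: legacy protocols still enabled"
        else:
            status = "pass"
        findings.append((rec["endpoint"], status, legacy))
    return findings


# Constructed sample scan results (hostnames are placeholders, not real services).
SAMPLE_SCAN = [
    {"endpoint": "fax-gateway.example", "protocols": ["TLSv1.2", "TLSv1.3"]},
    {"endpoint": "legacy-fax.example", "protocols": ["SSLv3", "TLSv1", "TLSv1.2"]},
    {"endpoint": "old-portal.example", "protocols": ["SSLv3", "TLSv1"]},
]

if __name__ == "__main__":
    for endpoint, status, legacy in review_inventory(SAMPLE_SCAN):
        print(f"{endpoint:22} {status:40} {', '.join(legacy) or '-'}")
```

Run `audit_endpoint()` only against hosts you operate or are contracted to assess; the inventory review works on scan output you already hold.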
The Encryption Standard for Data-at-Rest
Any ePHI stored on devices or in the cloud should be also encrypted as a best practice. NIST recommends the Advanced Encryption Standard (AES) 256-bit to secure data at rest.
But a fax in this scenario is secure only during the actual transmission phase over the telephone network. And as this humorous illustration shows, a fax lives on - at the sites of both sender and receiver - long after the instant it reaches the recipient's fax machine. In fact, there are many potential HIPAA compliance pitfalls with traditional fax machines. For example:

•  ‘Fat-fingering’ fax numbers is a common source of complaints to the OCR.
•  If you fax ePHI to an unauthorized recipient, you have just committed a HIPAA violation. It doesn’t matter if it was done by mistake.
•  Documents containing PHI may be left unattended on the machines where they are vulnerable to unauthorized viewers.
•  If you don’t have a written policy that specifies a set of procedures to secure faxed PHI at both ends, you are not in compliance.

When you research the many reported breaches in healthcare, you find that accidental access by unintended or unauthorized recipients is a common cause of reportable events, and can result in significant fines.
In fact, the Office of Civil Rights recently reported that it fined a healthcare organization more than $400,000 for repeatedly faxing ePHI to the wrong fax numbers.

What is Cloud Fax - and Why is it Superior to Traditional Fax?

As you can see from the diagram here, with a cloud fax service you'll have your faxes transmitted over the Internet as secure email attachments. In other words, your fax messages start their journey as natively digital, not as analog fax images that need to be transcoded into digital and analog formats multiple times along the way.

Why Healthcare Providers Trust eFax Corporate

Not all cloud fax services are created equal. For two decades, eFax Corporate has been helping businesses in regulated industries to fax more efficiently, cost-effectively and in compliance. Today eFax Corporate is the partner of choice for more healthcare providers than any other cloud fax company.
In addition, eFax Corporate is HIPAA certified, and our parent company j2 Global is willing and able to sign Business Associate Agreements with our healthcare customers, which demonstrates our commitment to your customers' privacy and security.
Helpful Resources

•    NIST Special Pub 800-52 rev1 (Transport Layer Security)
•    NIST Special Pub 800-111 (Storage Encryption)
•    HHS Guidance on HIPAA & Cloud Computing
•    Ponemon Institute: Data Security Report
•    Cisco 2017 Cybersecurity Report
•    Identity Theft Resource Center 2016 Breach Report

The Real Costs of A Data Breach

We discussed earlier some of the serious consequences a covered entity faces when it suffers a data breach - specifically the potential for monetary penalties and negative publicity that can harm the company's reputation.
But just how serious are these costs? And is the likelihood that any healthcare company - yours, for example - will actually suffer such an attack great enough that it's even worth worrying about? Consider the following statistics:

•  49% of all companies across all industries suffered a data breach in 2016 (Cisco 2017 Cybersecurity Report)
•  1 in 3 patients’ personal data was compromised by cybercrime in 2016 (IDC Research)
•  The average cost to the covered entity of each breached healthcare record was $221 (The Ponemon Institute 2016 State of Cybersecurity in Healthcare)

Now $221 may not sound like a large amount of money, but multiply $221 by 1,000 records and it starts to add up. Multiply by 10,000 records, and you can see costs for a large data breach quickly soaring into the millions of dollars.
But then there is the fallout of negative publicity in the aftermath of the breach, publicity that can cause long term damage to an organization's reputation in the community.
The numbers shown below, from the Cisco Cybersecurity Survey, speak for themselves - with around 40% of companies that experienced a data breach facing significant losses in business opportunities, revenues and customers.
A Data Breach can have substantial consequences to revenues, customers, reputation

42% lost 20% or more opportunities
38% lost 20% or more customers
39% lost 20% or more revenues
49% had to manage public scrutiny
(Cisco 2017 Cybersecurity Report)

have done and how would you know that ePHI was not compromised? Can you accurately state, after performing a risk analysis, that there was a low probability ePHI could have been compromised?
Also, under HIPAA, your patients have a right to access their medical record on demand. So even if a ransomware attack simply blocks your company from accessing that record - as opposed to leaving it vulnerable to theft - you can't be in compliance unless you are able to provide patients with on-demand access to their information.
But one way to significantly lower the risk that any data accessed by the attackers could be compromised is to make sure this data is encrypted at all times, wherever it may reside. Only data that has been protected from unauthorized access by the encryption methods and technologies recommended by the federal government is in fact not subject to the breach reporting requirement.
As with most questions that arise when reviewing this law, the answer is complicated. The short answer, in fact, might most accurately be summed up as ... No, but possibly yes.
If your company has implemented strong encryption protocols and you suffer a data breach, you will be protected legally under the Safe Harbor provision from even having to file a Breach Notification Report with the Office for Civil Rights. So clearly, HIPAA's regulators encourage encryption.
But this does not mean that encryption is mandatory under the law. Consider, for example, how Jocelyn Samuels, the previous Director of HHS's Office for Civil Rights, explains HIPAA's view on encryption: "Although encryption is an addressable issue, encryption remains the Gold Standard for protection of ePHI."
If you're wondering what "addressable" means in that statement, the term is one of two ways that HIPAA classifies issues - the other classification is "required."
The Director was using the term addressable to mean that, to the letter of HIPAA law, encryption is not mandatory for ePHI transmissions. But generally speaking, where HIPAA refers to "addressable," your safest course of action is to treat the issue as "required."
To underscore that point, here is what Iliana Peters, OCR's Senior Advisor for Compliance and Enforcement, has to say about encryption: "You should be encrypting and you should implement good security controls. However, if you choose not to encrypt, and you have a breach, we are going to ask you for the documentation on the reasonable compensating controls that you implemented to secure that data."
In other words, although technically you do not have to encrypt your ePHI, if your company suffers a breach and you cannot satisfy OCR's auditors that you used "reasonable compensating controls" to mitigate against the vulnerability you allowed by failing to encrypt, you could find your company on the wrong side of HIPAA compliance.
Data may be encrypted using 128- or 256-bit encryption keys. Either one is acceptable, but the highest level of encryption is always recommended for protecting ePHI because it is the most difficult to crack.
As noted earlier, there is also a strong regulatory advantage to encrypting all ePHI, including data-at-rest. As a guidance from the Secretary of Health and Human Services has stated:
"If protected health information is encrypted pursuant to this guidance, then no breach notification is required following an impermissible use or disclosure of the information."
And as we've seen, many healthcare organizations could have saved themselves millions of dollars in penalties if they had only encrypted the data on their laptops and mobile devices.

Isn't Fax Always HIPAA Compliant?

There is a widespread and longstanding misperception in the healthcare community that the use of traditional analog fax is intrinsically HIPAA compliant, and therefore always safe to use. But as with so much else in HIPAA law, the truth is more complicated.
Yes, it is true that traditional fax transmission is reasonably secure, because it goes over the public switched telephone network and not the Internet. Moreover, thanks to the conduit exception rule, this type of document transmission, similar to telephone calls, does not require encryption to be compliant.
And the process works exactly the same in reverse; inbound analog faxes sent from fax machines are converted to digital documents, either PDF or TIFF (image) formats, and arrive in your inbox attached to an email message.
Your cloud fax provider will assign your company standard business telephone ('fax') numbers, with your choice of local or toll-free area code. And with a good cloud fax provider, you will be able to move, or "port" your existing fax numbers to the new service so there is no need to publish new fax numbers.
Save Money With Cloud Fax
As with most cloud-based services, you won't need to buy, install or maintain fax machines, fax servers or any other traditional on-premises hardware/software system to receive or send a fax. And you can disconnect those analog or digital telecom lines since all faxes will run over your Internet connection.
When you move to a cloud fax model, you eliminate nearly all of these expenses, and management overhead - and replace them with a cloud service that lets you outsource all of the hardware, software, upgrades and troubleshooting to a trusted provider.
The Cloud Fax Cost Model

•    Telco Line Costs    None
•    Software Costs    None
•    Hardware Costs    None
•    Printing Costs    None
•    Maintenance Costs    None
•    Power/Rackspace Costs    None

Moreover, with the right cloud fax partner you will enjoy a pay-as-you-go model where you can pay only for what you actually use, plus a small fixed monthly cost for each fax number, which usually includes a set number of free fax pages per month.
The eFax Corporate Check List
  • Our solutions are trusted by many of the world’s leading businesses in heavily regulated industries.
  • We provide service to nearly half of the Fortune 500 companies worldwide.
  • eFax Corporate is certified for HIPAA compliance. Will sign HIPAA Business Associate Agreement.
  • Faxes in transit and at rest are secured with the strongest NIST approved encryption standards – TLS 1.2 and 256-bit AES.
  • eFax Corporate is already compliant with PCI-DSS v.3.2 encryption requirements for 2018.
  • j2 Global® has invested millions of dollars to build a secure, compliant and redundant global cloud fax network.
  • eFax Corporate operates on a geographically diverse global network comprised of redundant data centers and Tier III/IV rated colocations providing 99.9% server uptime.
  • SLA for service availability and rapid fax delivery. 24/7/365 customer support.

Cut Costs, Save Time & Increase Productivity with eFax Corporate

Or do you just need a single fax number?
If you need a single fax number, you can sign up online at www.efax.com.