White Papers

Information Security

Fluix Limited is committed to keeping data secure at all times. Businesses and government organizations all over the world trust their everyday workflow to Fluix. Protecting the integrity of the corporate network and the privacy of sensitive data is of utmost concern to any company. We recognize that security and stability are the two most important decision-making factors for our customers.
This document describes Fluix's security infrastructure and policies. If further questions regarding our security policies arise, please feel free to get in touch with us.



Secure Document Signing

Document Signing

Fluix allows for the electronic signing of contracts, agreements, NDAs, forms and other documents. Such paperless contract execution can save companies money on labor, printing, scanning, faxing, mailing and the storage of paper documents.

With Fluix, it is easy and intuitive to capture handwritten signatures on iPad, much like traditional signatures on paper, while still maintaining the same sense of security.

Digital Signature Process

Fluix’s digital signature process makes PDF-based e-signing secure and reliable for both the customer and the company. It solves crucial problems that can arise with the use of e-signatures in PDF documents:

  1. Discourages changes being made to a document after it has been signed.
  2. Prevents signatures from being copied for use in another document.

Once a signature is captured, the document is sealed with a digital certificate. Any subsequent change to the document will result in the signature being invalidated. A document signed in Fluix can be validated to prove its authenticity by using the free Adobe Reader software.

Capturing eSignatures in Fluix

Fluix provides several ways to reach your customers and colleagues according to their signee role and available tools:

In person: The simplest scenario is when a signature is captured in the field, most often drawn with a finger on an iPad/iPhone screen. This is a modern and convenient way to seal the deal both visually and electronically. Locking documents with a digital certificate ensures security and helps identify documents that have been invalidated by changes made after signing.

Via workflow: Another method is to reassign a document to an existing Fluix user according to a pre-defined workflow. The signee may already have their own signatures stored on the device, and can even apply the company's digital certificate to fully authorize decisions. Signing documents via workflow lets you save multiple signatures for repeated use, accelerates time to document completion and streamlines approval processes.

Via email: The most recently added capability allows anyone with an email address and a web browser to officially sign documents. A Fluix user fills in a document and submits it for signing to a person outside the Fluix system. The signee receives an email notification, opens a secure link, types their name in the signature field, and the document is automatically returned to the workflow.

Offering your customers, suppliers and contractors the capability to receive documents from you, fill in required information, and sign digitally provides your business with even further back-office efficiencies from a digital workflow, now extended to non-employees.

Digital Signature Technical Specifications

Fluix uses proven cryptographic technology to ensure a document's validity and protect it from forgery or misuse. This technology enhances a Fluix deployment with a Digital Identity (a pair of 2048-bit private and public keys).

As a document is signed, Fluix generates a Document Digest by computing a SHA-1 hash of the PDF content. A Document Digest is a fixed-length string of characters (letters and numbers) that corresponds to a given document. Altering anything in the document will cause an immediate and dramatic change in the Document Digest value.

To create the Digital Signature, Fluix uses the Digital Identity private key to RSA-encrypt the Document Digest. In the final step, the Digital Signature and the Digital Identity public key are embedded in the document.

Whoever receives the document can then use the embedded Digital Identity public key to decrypt the Digital Signature and recover the Document Digest of the original document. The receiver then compares that Document Digest with a freshly computed SHA-1 hash of the received PDF content. If the two digests match, the document has not been changed since it was signed and its content is valid. If they differ in any way, the document is marked as invalid.
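The digest-sign-verify flow described above, as an added example that is not Fluix's code. It uses textbook RSA (signature = digest^d mod n) over SHA-1 to mirror the page's description; a production PDF signature additionally applies a standardized padding scheme and stores the result in the PDF's signature dictionary, which this sketch omits. The embedded public key is only trustworthy because the verifying reader checks the certificate it belongs to; the `trusted_public_key` parameter stands in for that check and is an assumption of this example. Note also that SHA-1 is the hash the page names; collisions for it have been publicly demonstrated, so current signature practice uses SHA-256 or stronger. The sample PDF content is constructed.

```python
import hashlib
import secrets

# Odd primes below 2000, used for quick trial division before Miller-Rabin.
SMALL_PRIMES = [p for p in range(3, 2000, 2)
                if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test; false positives are negligible at 16 rounds."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random prime of exactly `bits` bits (top bit set, odd)."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_digital_identity(bits: int = 2048) -> dict:
    """The 'Digital Identity' of the page: an RSA key pair with a `bits`-bit modulus.
    Returns {"n", "e", "d"}; the public part is {"n", "e"}."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def document_digest(pdf_content: bytes) -> int:
    """Document Digest: SHA-1 of the PDF content, as an integer so RSA can act on it."""
    return int.from_bytes(hashlib.sha1(pdf_content).digest(), "big")


def sign_document(pdf_content: bytes, identity: dict) -> dict:
    """Seal the content: 'encrypt' the digest with the private key and embed the
    signature together with the public key, as the page describes."""
    signature = pow(document_digest(pdf_content), identity["d"], identity["n"])
    public_key = {"n": identity["n"], "e": identity["e"]}
    return {"content": pdf_content, "signature": signature, "public_key": public_key}


def verify_document(signed: dict, trusted_public_key: dict = None) -> bool:
    """Recover the digest from the signature with the embedded public key and compare
    it with a fresh SHA-1 of the received content. Optionally require the embedded
    key to be the one the verifier already trusts (assumed stand-in for the
    certificate check a PDF reader performs)."""
    key = signed["public_key"]
    if trusted_public_key is not None and key != trusted_public_key:
        return False
    recovered = pow(signed["signature"], key["e"], key["n"])
    return recovered == document_digest(signed["content"])


if __name__ == "__main__":
    identity = generate_digital_identity()
    signed = sign_document(b"%PDF-1.4 constructed sample contract", identity)
    print("original verifies:", verify_document(signed))
    tampered = dict(signed, content=signed["content"] + b" (edited after signing)")
    print("edited after signing verifies:", verify_document(tampered))
```

Both problems the page lists fall out of the same comparison: editing the content changes the fresh digest so it no longer matches the recovered one, and a signature copied onto a different document is checked against that document's digest, which it was never computed over.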

In order to digitally sign documents in Fluix, you will need to have:

  • A valid Digital Signature Certificate
  • Signature fields in your PDF form

There are two ways a document can be signed with a Digital Certificate in Fluix:

  1. Using Fluix certificates. Fluix automatically generates and deploys unique certificates (RSA algorithm, 2048-bit). No iPad user interaction is required.
  2. Manually created Digital Signature Certificates. Adobe Acrobat Pro enables formal verification of the signer through strong encryption and public key infrastructure support. Certificates of this kind have to be deployed by manually copying the files to the iPad/iPhone (Signature section).

Fluix Signatures Are Legal & Secure

Electronic signatures created through Fluix are legal and secure. Digital Signature support allows both the company and the customer to check the authenticity of a document signed on the iPad with Fluix. The document is also sealed to ensure that it can't be changed after it is signed.

All these Fluix security enhancements remove the worry of document validity, allowing you to focus on more important business activities.


HIPAA Compliance

Fluix provides all the tools necessary for compliance with HIPAA regulations.

What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act of 1996, which amends the Internal Revenue Code of 1986. This law affects all areas of the healthcare industry and is designed to improve the portability and continuity of health benefits. It calls for greater accountability in healthcare, simplification of health insurance administration, and administrative, technical and physical safeguards to protect patients' confidential health information.

More specifically, HIPAA requires healthcare providers to adopt sound practices for protecting the confidentiality of all patient information in any form. More information around HIPAA can be found here: http://www.hhs.gov/ocr/privacy/index.html

What is the HITECH Act and the Final HIPAA Omnibus rule?

The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in 2009, to promote the adoption and meaningful use of health information technology in the U.S.

In 2013, the final HIPAA Omnibus rule set further statutory requirements, which greatly enhanced a patient’s privacy rights and protections, including holding all custodians of Protected Health Information (PHI) — including HIPAA Business Associates (BA) — subject to the same security and privacy rules as Covered Entities under HIPAA.

How does Fluix facilitate HIPAA compliance for its customers?

All businesses, regardless of their size, that handle, maintain, store or exchange private health or patient-related information are subject to HIPAA. As your technology partner, Fluix is committed to ensuring the confidentiality, integrity and availability of all protected electronic information. While we do not sign BAAs, our track record demonstrates an ongoing investment in security, compliance and control for our customers.

Paperless Document Management in Healthcare

More and more often, doctors and medical professionals prefer to switch to a paperless environment and take their practices online (e.g. electronic prescriptions, web appointments and remote medicine, which is becoming popular in a tightening medical market). Such a switch to mobile includes sharing electronic files containing protected health information with patients and collecting similar private data from them using mobile devices. The Health Insurance Portability and Accountability Act (HIPAA) is the official compliance standard for the use of computers and patient privacy when dealing with patient data and information. These standards ensure that data is transmitted in a way that keeps patient privacy and information secure and within the guidelines established by the act.

Impact of HIPAA on Fluix

Fluix offers a secure way to store content, including protected health information (PHI), and improves collaboration around it via various communication channels. All elements of the platform, such as the built-in cloud storage, the secure connection to the server, and the iPad / iPhone / Web applications, support the security and privacy requirements of the HIPAA regulations. The security standards comprise administrative, physical and technical safeguards, of which only the technical safeguards apply to the Fluix service. Technical Safeguards are the processes put in place to protect and control access to information and to data that is stored and transmitted over a communications network. The chart below summarizes the HIPAA requirements and how Fluix can support them to create a fully secure digitized environment for healthcare organizations. Each set of safeguards has particular standards that require implementation mechanisms, which are either required (R) or addressable (A). An implementation mechanism is a detailed instruction for bringing the service into compliance with a particular HIPAA Security Rule standard.

HIPAA Security Standards and Implementation Specifications

Technical Safeguards ((R) – required, (A) – addressable)

  Access Controls (R)
    • Unique User Identification (R)
    • Emergency Access Procedure (R)
    • Encryption & Decryption (A)

  Audit Controls (R)
    • Notification and Archiving (R)

  Integrity (R)
    • Mechanism to Authenticate ePHI (A)

  Transmission Security (R)
    • Encryption (A)

There is no single way to achieve HIPAA security compliance for a given service. It is not enough to have one piece of hardware, software or process in place: all IT technologies and processes must work together to create a completely secure environment. Before enforcing any particular process within the service, a full risk assessment of the technological environment should be completed.

Technical Safeguards

The following outlines the general processes used to protect data and to control access to ePHI. They include authentication controls to verify sign-ons and transfer security (encryption) to protect confidentiality and integrity of data.

Access Control (R)

Implement policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights.

Unique User Identification (R)

REQUIREMENT: Assign a unique name and/or number for identifying and tracking user identity.

Each user within a Fluix company account has their own login credentials to authorize into the application on their device. Based on their role (company admin, group admin, messenger, user), a unique login, password and device ID are associated with each person, and on that basis they are granted access only to particular areas of the account, and hence to the information within it. If an additional layer of security is required to access the company web administration portal, which holds all the company configuration, admins can be required to go through two-factor authentication; they are then also associated with a particular phone number to which random codes are sent when they access the portal.

Emergency Access Procedure (R)

REQUIREMENT: Establish and implement procedures for obtaining necessary ePHI during an emergency.

Company storage: if all sensitive information is stored on the organization's own servers or storage, it is up to the in-house team to implement Emergency Access Procedures. Most of the time, data retrieval, update and renewal are easy to set up.

Built-in storage: if sensitive company information is stored in the built-in storage, it is redundantly backed up and can be manually restored from the hosting environment upon written request to the technical support team. The turnaround time is defined by the Service Level Agreement and has a default value of 1 business day.

Mobile apps (iPad / iPhone / Web applications): all master documents and forms distributed to the mobile app are normally delivered through automatically synchronized and backed-up channels. In an emergency such as device loss, they can be retrieved from the server. Files stored locally on the iPad / iPhone can be backed up via iCloud, retrieved via programs like iTunes and iExplorer, sent by email or uploaded to storage as a means of backup.

Audit Control (R)

Implement hardware, software, and/or procedural mechanisms that record and examine activity in any system that contains or uses ePHI.

Notification and Archiving (R)

REQUIREMENT: Procedures and/or mechanisms should be put in place to track and record activity on systems containing ePHI and customer data.

Web Admin portal: messages and notifications can be pushed to the iPads / iPhones on any update within the account. There are also indicators that show when the application was last synchronized / updated and whether a pushed message or document was delivered. Every document traveling through the workflow leaves an audit trail of all edits, which can be reviewed by a company administrator with sufficient privileges. Each record includes the document author, status, date and time of modification, and the actual changes made.

Mobile apps: every time messages, documents and links are pushed to the app, users receive notifications. Every automatic synchronization that updates the content on the device is accompanied by an additional notification.
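The two mechanisms described under Unique User Identification and Audit Control above, as an added example that is not Fluix's code: a session tied to a unique login and device ID, role-based access to parts of the account, and an audit record per edit holding the author, status, timestamp and the actual field changes, readable only by an administrator with the reviewing privilege. It also applies the 'Completed' lock described under Integrity below. The page names the four roles but not their exact rights, so the permission sets, the field names and the sample sessions are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed least-privilege mapping: the page names these four roles but not their
# exact rights, so the permission sets are illustrative.
ROLE_PERMISSIONS = {
    "company admin": {"edit_document", "review_audit_trail", "manage_account"},
    "group admin": {"edit_document", "review_audit_trail"},
    "messenger": {"send_message"},
    "user": {"edit_document"},
}


class PermissionDenied(Exception):
    """Raised when a session's role does not grant the requested action."""


@dataclass(frozen=True)
class Session:
    """Who is acting: the unique login plus the device ID it was authorized on."""
    login: str
    device_id: str
    role: str


@dataclass
class AuditRecord:
    """One audit-trail entry: author, status, timestamp and the actual changes."""
    author: str
    device_id: str
    status: str
    timestamp: str
    changes: dict  # field name -> (old value, new value)


class Document:
    """A form travelling through a workflow, with its own append-only audit trail."""
    def __init__(self, doc_id: str, fields: dict):
        self.doc_id = doc_id
        self.fields = dict(fields)
        self.status = "in progress"
        self.audit_trail: list = []


def can(session: Session, permission: str) -> bool:
    """True if the session's role grants `permission`; unknown roles get nothing."""
    return permission in ROLE_PERMISSIONS.get(session.role, set())


def require(session: Session, permission: str) -> None:
    if not can(session, permission):
        raise PermissionDenied(f"{session.login} ({session.role}) may not {permission}")


def edit_document(doc: Document, session: Session, updates: dict,
                  new_status: str = None, now: str = None) -> dict:
    """Apply field updates and append an audit record of what actually changed.
    Documents in the 'completed' status are locked against further edits."""
    require(session, "edit_document")
    if doc.status == "completed":
        raise PermissionDenied(f"{doc.doc_id} is completed and locked")
    changes = {name: (doc.fields.get(name), value)
               for name, value in updates.items() if doc.fields.get(name) != value}
    doc.fields.update(updates)
    if new_status is not None:
        doc.status = new_status
    doc.audit_trail.append(AuditRecord(
        author=session.login, device_id=session.device_id, status=doc.status,
        timestamp=now or datetime.now(timezone.utc).isoformat(), changes=changes))
    return changes


def review_audit_trail(doc: Document, session: Session) -> list:
    """Only roles holding the reviewing privilege may read the trail."""
    require(session, "review_audit_trail")
    return list(doc.audit_trail)


if __name__ == "__main__":
    # Constructed sample data: an intake form edited by a field user, then reviewed.
    form = Document("intake-form-1", {"patient": "", "diagnosis": ""})
    nurse = Session("nurse1", "ipad-a1", "user")
    admin = Session("admin1", "web-portal-1", "company admin")
    edit_document(form, nurse, {"patient": "Jane Doe"}, now="2020-01-01T00:00:00+00:00")
    for record in review_audit_trail(form, admin):
        print(record)
```

Recording the before/after pair of each field, rather than just "document edited", is what lets an administrator reconstruct who changed what and when, which is the content the audit-control requirement asks for.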

Integrity (R)

Implement policies and procedures to protect ePHI from improper alteration and destruction.

Mechanism to Authenticate ePHI (A)

REQUIREMENT: Implement electronic mechanisms to corroborate that ePHI has not been altered.

Web Admin portal: documents travelling through the workflows are tightly encapsulated and, as such, cannot be edited, copied or forwarded unless explicitly authorised, thus protecting the integrity of the document and preventing harmful or unnecessary data modification or exposure.

Mobile apps: documents with a signature field are sealed with a digital certificate. Any subsequent change to the document will result in the signature being invalidated. The 'Completed' section can be configured to disallow further modification of a document after completion, providing a record that the automated medical process reached its goal.

Transmission Security (R)

Implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communication network.

Encryption and Decryption (A)

REQUIREMENT: Implement protection of data-at-rest and data-in-motion.

The Fluix service uses the Secure Sockets Layer (SSL) protocol to create a uniquely encrypted channel for private communication of healthcare data in motion.

Summary

Mobile document management and paperless workflows will continue to grow at a fast, consistent pace in the years to come. Fluix, as a flexible mobile document management solution, provides the healthcare sector with an easy-to-use, cost-effective and highly secure iOS platform. Fluix meets the following requirements for a HIPAA-compliant solution:

• Transport Encryption: data is always encrypted as it is transmitted over the Internet
• Backup: data is never lost, as it is backed up on the servers and can be recovered
• Authorization: data is only accessible by authorized personnel using unique, audited access controls
• Integrity: data is not tampered with or altered
• Storage Encryption: data is encrypted when stored or archived
• Disposal: data can be permanently disposed of when no longer needed
• Omnibus/HITECH: data is hosted in-house or on Amazon S3 servers that meet HIPAA security requirements
