" gmail Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more

Posts Tagged ‘gmail’

Is Gmail a Secure Way to Send Email?

Tuesday, October 30th, 2018

Four key points on HIPAA-compliant email

  • The messages you send to others need to be encrypted during transit/transport
  • Correspondents using non-compliant hosts should send secure messages to you
  • You must validate that you are only communicating with the intended party (part of the Privacy Rule)
  • You need to confirm that email cannot be intercepted (confidentiality aspect), and this is where encryption plays a key role

Gmail supports opportunistic TLS

Encryption at rest is a default setting in Gmail. If you use the free email service, your email is already encrypted at rest. However, once your email leaves Google’s servers, encryption may no longer be applied.

In one of its blog posts, Google says: “Gmail has always supported encryption in transit using TLS, and will automatically encrypt your incoming and outgoing emails if it can.” It also goes on to say: “[…] it’s really important that other services take similar measures to protect your messages–not just Gmail.”

Gmail supports opportunistic TLS. The sending server attempts to deliver the email over an encrypted connection, but if the receiving server doesn’t support encryption, the message is transmitted unencrypted instead.

Sure, opportunistic TLS is an optimal encryption solution for personal Gmail use. But for business communication and messages of a sensitive nature, it is insufficient because you don’t have control over your email after it is transmitted to your recipient and you have no way to be sure that any particular message will be sent securely.
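As an added illustration (not code from LuxSci or Google), the following models the delivery decision described above: a sender reads the receiving server's EHLO capability list, and an opportunistic sender falls back to plaintext when STARTTLS is absent, while an enforced-TLS sender defers the message instead. The EHLO responses are constructed samples; the hostnames and policy names are assumptions.

```python
"""Model of how an SMTP sender chooses between encrypted and plaintext delivery.

Added illustration, not LuxSci's or Google's code. The EHLO responses below are
constructed samples; real servers word them differently, but the capability
keyword STARTTLS is what the sender looks for.
"""

# Constructed EHLO responses (what a receiving mail server answers after EHLO).
EHLO_WITH_STARTTLS = [
    "250-mx.example.com at your service",
    "250-SIZE 35882577",
    "250-STARTTLS",
    "250 SMTPUTF8",
]
EHLO_WITHOUT_STARTTLS = [
    "250-legacy.example.net Hello",
    "250-SIZE 10240000",
    "250 8BITMIME",
]


def advertises_starttls(ehlo_lines):
    """True if the EHLO capability list contains the STARTTLS keyword."""
    for line in ehlo_lines:
        # Capability lines look like "250-KEYWORD ..." or "250 KEYWORD ..." (last line).
        if line[:3] != "250":
            continue
        keyword = line[4:].split(" ", 1)[0].upper()
        if keyword == "STARTTLS":
            return True
    return False


def decide_delivery(ehlo_lines, policy):
    """Return what a sender with the given policy does with this receiving server.

    policy="opportunistic": encrypt if offered, otherwise send in the clear
                            (the Gmail behaviour described in the post).
    policy="enforced":      encrypt if offered, otherwise defer delivery, so
                            the message is never exposed on the wire.
    """
    if advertises_starttls(ehlo_lines):
        return "deliver over TLS"
    if policy == "opportunistic":
        return "deliver in plaintext"
    if policy == "enforced":
        return "defer (no TLS offered)"
    raise ValueError(f"unknown policy {policy!r}")
```

Note that with the opportunistic policy the outcome depends entirely on the recipient's server, which is exactly why the sender cannot guarantee that any particular message travels encrypted.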

Gmail is secure up to a point. However, it does not offer a native email encryption solution. And it is certainly not HIPAA compliant, nor can it be made HIPAA compliant, because Google won’t sign a Business Associate Agreement (BAA) with users of the free Gmail service.

Gmail does offer some add-ons, but for advanced features you have no choice but to purchase G Suite.

Is G Suite the solution to HIPAA compliance?

The paid service G Suite – formerly known as Google Apps – is a collection of popular Google apps for business, including Google Calendar, Gmail and Google Drive.

G Suite users can sign a BAA with Google. But there’s a catch. You have to bear all responsibilities related to the contract and it can be confusing to manage all steps to compliance. Importantly, to be compliant, you must ensure that all messages you send are encrypted during transit and anyone using non-compliant hosts can send you secure messages.

G Suite administrators can set up rules requiring outgoing messages to be sent with S/MIME encryption. But the feature is available only with G Suite Enterprise, which charges $25/user/month. Furthermore, most people are not set up to use S/MIME. G Suite does not include any native email encryption solution that enables you to email anyone in a compliant manner. G Suite users who require HIPAA compliance for email must use a third-party solution to encrypt their outbound email (this is often called “smart hosting”). G Suite also does not offer any option which would enable people to send HIPAA-compliant messages to you.

And even though you can be HIPAA compliant with G Suite, you will most likely need expert technical guidance to make your G Suite account compliant.

Google scans emails

Google automatically scans email for different purposes such as spam and security measures, and this is true regardless of whether you are a Gmail or G Suite user. Although the company offers assurance that the content is never read by a person, the risk arising from scanning emails still remains.

Although Google no longer scans email for keyword research, the company helps email marketers – some of whom are spammers – by showing images in email messages by default. Images are important to marketers because they carry tracking codes that reveal who has viewed the email. Details such as which recipients opened the email and when help marketers measure the success of their email campaigns. Suffice it to say, there are numerous software programs that make light work of tracking email users’ behavior.

Third-party encryption is essential

If you decide to go with G Suite, you still need a third party to configure G Suite to ensure that outbound email is encrypted before being transmitted to recipients. LuxSci’s smart hosting solves the problem and meets HIPAA rules by encrypting email with SecureLine. You don’t have to change settings and can continue sending and receiving email as you normally do. Smart hosting is also a recommended encryption solution if you use Office365 or an in-house Exchange server.

In this case, you will be paying for G Suite and our encryption service. An email service purpose-designed for HIPAA compliance is a smart solution. LuxSci’s Secure Email comes with features that protect ePHI and adhere to HIPAA’s privacy and confidentiality requirements. Note that under no circumstances, even if you have a partner like LuxSci encrypting your outbound email, is regular free Gmail HIPAA compliant.

Think you know how to protect yourself from phishing? Think again.

Wednesday, March 22nd, 2017

This year kicked off with a sophisticated phishing scam that fooled users and cybersecurity experts alike. Users were giving away their passwords to scammers through a seemingly legitimate Gmail login page. The scam had all the markers of a legitimate email, including the appearance that it was sent from a known sender.

There are many articles out there about the warning signs of phishing scams. We know the rules: Don’t click on URLs you don’t know, beware of emails that sound urgent or feel pressuring, etc. The reality is that many of these tips aimed to protect against phishing attacks would not have worked in the case of the Gmail attack.

Gmail’s spam filters already capture many emails that display common signs of scamming (formal language, unknown senders, etc.). However, phishing scammers and hackers, in general, are becoming more sophisticated in their techniques. A greater understanding of security will help you keep up with hackers in 2017. Here we’ll dive into the details of what made the Gmail scam so unique and address some sophisticated phishing scam avoidance tips you can start trying out today.


eBook: HIPAA-compliant Email Basics

Thursday, February 25th, 2016

Safeguarding Your Healthcare Practice and Protecting Patient Privacy

Book 1 in the LuxSci Internet Security Series.

Created by Erik Kangas, PhD

This LuxSci eBook is your well-researched guide to both a critical understanding of the specific issues and concepts of HIPAA, HITECH, and the Omnibus rule, and their practical application to your business with respect to email, so that you stay compliant with these government standards. This document will provide a framework for your health care entity to keep the privacy of patient information front and center. Providers will have the necessary tools to meet all requirements established by HIPAA to access email outsourcing services.

This eBook includes sections on:

  1. Overview of HIPAA
  2. What is ePHI?
  3. Provisions of the HIPAA Email Security Rule
  4. Additional Risk Analysis and the Need for Encryption
  5. Gmail and Google Apps?

Download the eBook

LuxSci as SMTP Relay for Gmail = LuxSci Encryption for Google

Monday, June 8th, 2015

Gmail and Google Apps users can route their outbound email through LuxSci to take advantage of SecureLine email encryption, which enables HIPAA-compliant outbound messages, plus LuxSci’s extensive outbound email management tools. If you prefer the Google interface or need to use it for some reason, but require encryption and/or compliance, you can meet your needs by adding on LuxSci.


Google Apps HIPAA Compliance Gotchas: Email encryption not included and higher price

Wednesday, October 8th, 2014

There has been a lot of hype about Google offering a Business Associate Agreement to paid Google Apps customers who must abide by HIPAA regulations. Those who are familiar with Google may be under the incorrect assumption that simply signing up for Google Apps will solve all their HIPAA compliance challenges. This seems to be increasingly less likely as of October, 2014.

Myths and hidden costs pervade this equation. If a HIPAA-aspiring entity isn’t fully educated about the finer details of the compliance process, they could end up paying very large amounts of money for Google services and still be non-compliant. Here we discuss some misconceptions about Google services as they apply to HIPAA to help you avoid the pitfalls of non-compliance.
