Hidden Security Dangers of G Suite and Google Drive

November 8th, 2018

G Suite includes privacy and security protections aimed at securing data. Google signs a BAA with HIPAA covered entities. However, G Suite has hidden dangers that may lead to a violation of HIPAA rules.

Emails sent from Google Calendar are not encrypted

Calendar is a core service of G Suite and covered by Google’s BAA. The problem is, email encryption is not a standard feature of G Suite. That is, although Google supports encrypted messages within its servers, email sent to other systems are not encrypted.

Google does not even offer a native end-to-end email encryption solution; one has to purchase such services from a third party and integrate it with your Google account.

So, even though Calendar and other core services – including Gmail, Drive, Hangouts and Google Cloud Search – are covered by the company’s BAA, the emails that Gmail automatically schedules and sends via Calendar are not encrypted.

You may end up sending unencrypted PHI

 HIPAA has a ‘per violation’ penalty, imposing a fine on every email that fails to comply with HIPAA rules. As far as emails go, you can send PHI via email as long as it is secure and encrypted and other requirements are met (i.e., access control, backups, audit trails, etc.). If you think about it, encryption protects PHI in many ways; for instance, if an email containing PHI is sent to the wrong recipient, it cannot be read or used without the keys needed to decrypt it. On the other hand, by choosing to send emails unencrypted, you expose your organization to security, financial and legal risks.

For the record, ‘reasonable cause’ penalties range from $1,000-$50,000 per breached data item, ‘willful neglect (corrected)’ attracts penalties between $10,000-$50,000. ‘Willful neglect (not corrected)’ penalties will cost you a flat $50,000 fine per breached data item.

You can, potentially, send out all kinds of ePHI courtesy of Calendar-Gmail integration. Examples include:

  • Meeting invitations
  • Appointment reminders
  • Appointment follow-up instructions
  • Health-related advice and comments
  • Patient satisfaction survey containing identifying information
  • Mentions of new or urgent symptoms
  • A brief discussion of mental or sensitive health problems
  • Details of the patient’s care
  • Emailing patient’s details to a colleague
  • Information related to test results or prescription refills

All these and several other types of ePHI within outbound email from Google Calendar, Tasks or Contacts are not secured for compliance. Your BAA with Google won’t really be useful if G Suite poses a regulatory risk of ePHI breach.

You can automatically secure all outbound email from G Suite apps

Nip the email encryption challenge in the bud with SecureLine. The end-to-end email encryption from LuxSci ensures HIPAA compliance for email and is compatible with any email program.

SecureLine is a simple system that offers advanced email security. You can choose the encryption method (TLS, PGP, S/MIME or ESCROW), and automatically secure all outbound email from G Suite apps as well as receive email from any program or web service.

SecureLine is linked with the SecureSend Portal, our free web-based service that your recipients can access for free in order to send encrypted email.

Use smart hosting to add encryption to outbound email

By configuring your G Suite account to send all outbound email through LuxSci for processing and delivery, you will not only be adding encryption that secures ePHI but also masking your IP address, can add outbound email archival and leverage a ton of other useful features.

LuxSci offers a far better value proposition than G Suite and its add-on services. For starters, G Suite costs you more on a per-user basis than LuxSci, and expenses will soar with an increase in the number of users. Check out more reasons to choose LuxSci over Google here.

PHI cannot be used with these Google Services

Your BAA does not cover all Google Services. For example, your internal policies should disallow the use of PHI with Google+ and Google Talk, should you enable these services. To be on the safe side, you also need to set checks and balances for HIPAA-compliant services in G Suite.

  • Files uploaded to Google Drive must not contain PHI in file or folder titles or within team drives. File and folder sharing can be restricted to trusted entities.
  • Free Gmail accounts pose a big risk of ePHI breach. Gmail does not offer a native encryption solution, and on its own, it can never be made HIPAA compliant. As part of G Suite, email can be made secure with our smart hosting service.
  • Assess the appropriate uses of Google Hangouts in relation to PHI and train staff appropriately. The use of Hangouts on mobile devices is one area where violations can occur and potentially stack up pretty quickly.
  • G Suite email can not be used with PHI, even if you have a BAA with Google, unless you have an appropriate third-party HIPAA-compliant email encryption service plugged into your G Suite account.

Want to discuss how LuxSci’s HIPAA-Compliant Email Solutions can help your organization?  Interested in more information about “smart hosting” your email from Microsoft to LuxSci for HIPAA compliance? Contact Us

Similar Posts:

    None Found