Virtru Security Insights

Meeting HIPAA Encryption Requirements with Google Apps for Work (now G Suite)

What You Need to Know

The Health Insurance Portability and Accountability Act (HIPAA), for those not familiar, requires that entities exchanging protected health information (PHI) do so securely. Sharing unprotected PHI is a serious compliance and data security risk, so all organizations should have technologies and policies in place to protect their data. Healthcare organizations, governments, universities, and corporate HR departments all regularly exchange PHI via email, which makes ensuring secure HIPAA-compliant messaging a critical priority across industries.

Ensuring HIPAA compliance and data security is a responsibility shared by service providers like Google, enterprise IT organizations, and end users. One of the benefits of Google for Work’s secure cloud platform is that it helps organizations meet many HIPAA encryption requirements for data security. By leveraging its shared infrastructure, Google offers its customers greater security and compliance than legacy on-premise solutions, at a fraction of the cost.

Google provides a solid foundation for HIPAA compliance with both out-of-the-box features and configuration options to help meet data security requirements, particularly for information stored and shared inside the Google ecosystem.

To maximize HIPAA compliance, most experts recommend a layered security approach that ensures that data is protected no matter where it is shared. By combining the Google Apps for Work (now known as G Suite) platform with data-centric encryption and data loss prevention (DLP), covered entities can ensure these critical levels of security and compliance.

In this blog, we clarify how Google and its partners protect you, share key best practices, and debunk some common misperceptions.

1. If Google signs a Business Associate Agreement (BAA) for my organization, does that mean that all of the emails I send will be HIPAA-compliant?

If your organization signs a BAA with them, Google supports HIPAA data security requirements for information stored and shared between your organization, and within the broader Google ecosystem.

However, as with all things in the cloud era, security relies on shared commitments from platform providers and customers. Google has developed tools and guidelines to ensure security and compliance, and they have strongly encouraged other service providers to leverage encryption, too. Despite these efforts, there are no assurances that your data will remain secure once it leaves Google’s protected ecosystem.

Since many covered entities must share PHI with patients, providers, insurers, and other organizations with environments less secure than Google for Work, it is prudent to add a data-centric encryption solution, like Virtru Pro, to ensure compliance. As the name implies, data-centric encryption protects your data from the time it is created until it is consumed by your recipients. This additional layer of protection ensures perpetual HIPAA compliance, regardless of where you or your recipients share your data.

As the diagram below shows, Virtru Pro encrypts your content from the client-side, which ensures HIPAA encryption requirements no matter what platforms your recipients use:

HIPAA Diagram

2. I thought Gmail had built-in encryption–doesn’t that mean my emails are secure?

Google made a big step forward in 2014 by mandating secure server connections for all emails sent from or received by Gmail users. By providing transport layer security (TLS), Google for Work adds a critical layer of security to your messages that some on-premise solutions lack, and helps to ensure that communications sent to or from your mail server will remain encrypted provided the other servers that they travel through also support TLS.

However, since not all email platforms provide the default TLS encryption that Google does, you cannot ensure that emails sent to non-Google users will be encrypted throughout their full transmission.

You have no control over how many servers your emails will pass through, and no way to predict the security controls that these servers provide. That reality, coupled with the fact that most on-prem email platforms do not support TLS like Google does, means that you need to add an data-centric encryption tool like Virtru Pro to your Google Apps domain if you want to ensure that your messages remain protected no matter where they travel.

The below diagrams highlight where Google can ensure encryption by default, and where Google plus Virtru might be a good fit for your team:

Standard Google Point-to-Point Encryption

Encryption Diagram

Virtru Data-Centric Encryption

3. How does Data Loss Protection (DLP) impact HIPAA encryption requirements?

The majority of HIPAA data breaches are caused by user error. DLP tools eliminate these errors by scanning messages for PHI and other sensitive info, and automatically encrypting any content that triggers certain preconfigured rules and policies.

G Suite administrators can use Gmail’s Content compliance and DLP features to establish rules like these. Gmail’s DLP features scan sensitive content after it has already left the sender’s inbox. Even though these emails travel to Google’s servers via SSL and never ultimately reach their intended recipients, the message payload still has to be accessed by Google, since that is required in order for Google to run its DLP scans.

This means that your sensitive data will still hit the cloud unencrypted, even if it is caught by the DLP tools provided with Gmail.

Virtru Pro offers client-side DLP capabilities for organizations looking to ensure that PHI never leaves their devices unencrypted. Virtru DLP scans content before it ever leaves the sender’s inbox, which keeps PHI from hitting the cloud unprotected. Virtru DLP also comes equipped with HIPAA-related rule packs that can be turned on to scan emails for PHI, ICD-9 codes, and other sensitive medical content.

Also, by notifying end users when they have triggered these rules and why, Virtru DLP educates individuals about HIPAA compliance directly in their emails, which helps foster long-term adoption of company policies and industry best practices.

4. What additional protections should be added to protect PHI?

HIPAA was created to help keep PHI only in the hands of authorized parties who need to see it. Thus, you should maximize access control over the data you share via G Suite to enhance your HIPAA security posture.

Even if you are using Gmail and Google Drive encryption with a signed BAA, there are multiple ways that PHI can leak, and create risk and exposure for your organization. For instance, an email could be sent to wrong party, your recipient’s inbox could be compromised through a phishing or other attack, or the PHI could be accidentally or intentionally forwarded to an unauthorized party.

Virtru Pro enables you to revoke messages and files at any time–even after the recipient has accessed them. It also enables you to set forwarding policies and expiration dates. While encryption is critical, these control features can be equally as valuable in not just preventing and remedying compliance violations, but also in protecting the overall privacy of your patients.

Bottom Line: HIPAA compliance and data security are shared responsibilities. For maximum compliance, a layered security policy is recommended.

Google offers some of the industry’s best security and compliance capabilities for data shared within the Google ecosystem. However, like all cloud providers, Google cannot ensure compliance outside of its ecosystem and protect its customers from human error.

To maximize security and ensure HIPAA encryption requirements are met, a layered security approach is recommended. If you’re using G Suite, you’re already in a good position. Here’s what else you should consider:

1. Ensure that your G Suite security controls have been configured properly for maximum security when sharing with parties inside of the Google ecosystem.

2. Add a data-centric encryption service like Virtru Pro to ensure compliance and data security when sharing with parties outside the Google ecosystem.

3. Avoid data leaks caused by human error by using revocation and data loss prevention (DLP) to automatically detect and client-side encrypt PHI before it leaves your device.

4. Enable data security measures to retain control of PHI even after it has been shared. The ability to revoke messages and files, even after they’ve been opened, can limit HIPAA compliance exposure.

As a trusted Google partner, Virtru complements your G Suite experience with granular control capabilities like revocation, client-side DLP, and data-centric encryption that prevents Google or Virtru from ever accessing your data.

Virtru DLP

Want to learn more more about HIPAA compliance for G Suite? Request a Virtru demo today, or check out the free eBook, HIPAA Compliance in the Cloud.

And if you’re interested in trying out Virtru Pro for yourself, download it for free today.