<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1870732089876948&amp;ev=PageView&amp;noscript=1">

Compliance: HIPAA, Encryption, and Google's Confidential Mode

Photo by Markus Spiske

Note from Cloudbakers: All information and resources found in this article are based on the opinions of the contributing author (unless otherwise noted). All information is intended to motivate readers to potentially gain a bit of perspective surrounding the subject of the article as well as to add to their own discoveries based on the business/personal requirements and understanding of compliance.

Side note: Compliance may not equal law, but may involve the law if compliance is not adhered to, within the bounds of the particular business

Overview

Compliance. [shudder.]

Some folks fear it, some folks relish in it, most folks are confused by it. I can fall into all three buckets, depending on the day of the week, and if I were honest with you (which I will be), I’d say the latter happens more often than not. And that’s simply because every partner/client/friend we work with is unique. That being the case, we consistently learn more because every organization handles compliance differently.

Working with what I consider a modest, yet powerful, portfolio of partners, we are consistently challenged with questions like, “This third party SaaS App handles HIPAA, PII, <insert compliance rule here>, but how does Google?” This is an extremely loaded question!

The answer is "it depends on how you need to handle your data."

It depends because the answer is heavily based on organizational requirements (boring), what is on the roadmap of the organization (exciting) and what does legal have to say about it (abstain). 

A relevant real-world example

We recently had a conversation with a customer surrounding HIPAA compliance, specifically when dealing with G Suite’s Confidential ModeConfidential Mode is a fairly new feature that has been added to Gmail allowing you to send messages and attachments in Confidential Mode, effectively protecting sensitive information from unauthorized access. Using Confidential Mode, you can set an expiration date for messages or revoke access at any time, which is really great! Finally, senders will have the option for recipients of the confidential message to disable forward, copy, print, and download functionality. NEAT! 

The customer was making a potential case to use G Suite as their go-to for all of their organizational requirements surrounding security, namely seeing if the need for a third-party solution like Zix or Virtru was needed. Here is a snippet of that conversation:

“The first thing we have to understand is that sending via Confidential Mode does not provide the same type of additional encryption a service like Zix or Virtru provides; Confidential Mode uses the native encryption that goes along with sending a "normal" email and doesn't "wrap" the message in additional ciphers/encryption. Confidential Mode simply has extra controls (expiration, revoking access, disable the ability to forward/copy/print/download) that an end-user can define how the email can be interacted with.

Second, you can't enforce Confidential Mode; this is an end-user driven process. This would be a process/change management/org policy effort.

The main blocker now (as far as I can see) is that you can't enforce confidential mode for DLP-flagged emails. If Dan tries to send me Harry's SSN, Gmail won't say "Woah, this needs to be sent using confidential mode!" The best it can do is bounce that email and let them know why it wasn't sent.

After that, it's true that HIPAA doesn't require encryption per the documentation, but it does require that PHI data be reasonably protected according to the organization's workflow.

Encryption is "addressable" which means that if encryption were not appropriate per the organization, it may not even be the right choice for them as long as their security took other comprehensive measures to safeguard their data.”

As the conversation continued, and more people were in on the conversation, we were finding articles that were somewhat misleading, especially in this case the author wasn’t aware of (or simply omitted) the security features available in G Suite that you can enable (enforce TLS, S/MIME, Security Sandbox, Context-Aware Access, to name a few of many). This is one of the reasons we wrote this article!

It's more than a technical issue

Here’s the thing; I think what’s important to take away from this article is not necessarily a better understanding of compliance, but a better understanding of what your needs are as a business and how G Suite can help facilitate those requirements. While G Suite has wonderful baked-in security features, and we can certainly help you better understand what those are as well as decide if you need a 3rd party solution like Zix or Virtru, ultimately it’s taking the time to understand, both as an organization as well as what compliance standards you need to adhere to, to correctly build your security posture.

Resources

Originally published on February 27, 2020

If you enjoyed this post, please consider sharing

Want more tech tips?
Subscribe to our IT Superhero Newsletter!