2018-0409 Solution - Learning Should Be A Joy

Challenge type: cloud services configuration review

Original code: found here

Description

This week we had a GSuite email configuration set in a hypothetical HIPAA-sensitive environment, with healthcare professionals exchanging PHI with one another.

In this case Gmail was not set up to force TLS encryption when sending email, one major requirement for handling PHI data. Another thing to note is the lack of a business associates agreement (BAA), a healthcare-specific contract that deals with aspects of liability when it comes to healthcare data.

For some extra reading, check out the following links:

There are two main things that need to be put in place here:
  1. A signed BAA between the organization and Google that covers Gmail and all other services that are intended for use.
  2. Enable the enforcement of TLS while sending emails.
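
Once item 2 is enabled, a delivered message's `Received` headers show whether each hop actually used TLS. The check below is an added example, not part of the original challenge code; the sample message, host names and function names are constructed for illustration.

```python
import re
from email import message_from_string

# RFC 3848 "with" keywords ending in S (ESMTPS, ESMTPSA, LMTPS, ...) mean the hop used TLS.
TLS_WITH = re.compile(r"\bwith\s+(?:ESMTPSA?|LMTPSA?|UTF8SMTPSA?)\b", re.I)
# Gmail-style annotation, e.g. "(version=TLS1_2 cipher=... bits=128/128)".
TLS_VERSION = re.compile(r"\bversion=(TLS[\w.]+)", re.I)

# Constructed sample: newest hop first, as headers appear in a real message.
SAMPLE = """\
Received: from mail-out.clinic-a.example (mail-out.clinic-a.example [192.0.2.10])
        by mx.clinic-b.example with ESMTPS id abc123
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 09 Apr 2018 10:00:02 -0700 (PDT)
Received: from scanner.clinic-a.example (scanner.clinic-a.example [192.0.2.20])
        by mail-out.clinic-a.example with ESMTP id def456;
        Mon, 09 Apr 2018 10:00:01 -0700 (PDT)
From: nurse@clinic-a.example
To: doctor@clinic-b.example
Subject: constructed sample

body
"""

def audit_hops(raw_message):
    """Return one dict per Received header, newest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        text = " ".join(header.split())  # unfold continuation lines
        version = TLS_VERSION.search(text)
        hops.append({
            "hop": text.split(";")[0],  # drop the trailing timestamp
            "tls": bool(version or TLS_WITH.search(text)),
            "version": version.group(1) if version else None,
        })
    return hops

def plaintext_hops(raw_message):
    """Hops with no TLS marker. Only trust headers stamped by servers you control,
    and expect provider-internal hops ("with SMTP id ...") to appear here too."""
    return [h["hop"] for h in audit_hops(raw_message) if not h["tls"]]

if __name__ == "__main__":
    for hop in plaintext_hops(SAMPLE):
        print("no TLS marker:", hop)
```
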

It's worth noting that there are a lot of easy ways one can screw up handling PHI over regular email; I would advise using a dedicated service with tighter control over file sharing and more auditing.
