Challenge type: cloud services configuration review
Original code: found here
This week we had a GSuite email configuration, one that exists in a hypothetical HIPAA-sensitive environment: healthcare professionals exchanging PHI with one another.
In this case Gmail was not configured to enforce TLS encryption when sending email, one major requirement for handling PHI data. Another thing to note is the lack of a business associate agreement (BAA); this is a healthcare-specific contract that deals with aspects of liability when it comes to healthcare data.
For some extra reading, check out the following links:
- HIPAA compliance with GSuite
- GSuite and cloud identity HIPAA implementation guide
- Security standards: technical safeguards
To remediate the findings, the organization needs:
- A signed BAA between the organization and Google that covers Gmail and all other Google services intended for use with PHI.
- Enforcement of TLS for outbound email, so that messages are only delivered over an encrypted connection.
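Before switching on a "require TLS" rule for a partner domain, it is worth confirming that the partner's mail server can actually negotiate TLS, otherwise mail to them simply bounces once enforcement is on. The script below is an added example, not code from the original post or from Google: it parses a captured EHLO transcript and an MTA-STS policy file (both constructed samples here, with hypothetical hostnames) and reports whether enforcing TLS towards that domain is safe, plus a live probe built on the standard library's smtplib for use against a real MX.

```python
"""Pre-check for enabling outbound TLS enforcement towards a partner domain.

Two pieces of evidence are assessed:
  1. the capabilities the partner's MX advertises in its EHLO reply
     (does it offer STARTTLS at all?), and
  2. the partner's MTA-STS policy, if they publish one (RFC 8461),
     which tells us whether they themselves expect enforced TLS.
All sample data below is constructed for the example; the hostnames are hypothetical.
"""
import re
import smtplib
import ssl
from typing import Optional

# Constructed EHLO transcript from a partner MX that supports STARTTLS.
SAMPLE_EHLO_OK = """250-mx.partner.example Hello
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 SMTPUTF8"""

# Constructed EHLO transcript from a legacy MX with no STARTTLS.
SAMPLE_EHLO_NO_TLS = """250-mx.legacy.example Hello
250-SIZE 10240000
250 8BITMIME"""

# Constructed MTA-STS policy file (what would be served at the partner's
# /.well-known/mta-sts.txt) for the hypothetical partner domain.
SAMPLE_MTA_STS = """version: STSv1
mode: enforce
mx: mx.partner.example
mx: *.backup.partner.example
max_age: 604800
"""


def parse_ehlo(transcript: str) -> set:
    """Return the upper-cased keyword of every capability in an EHLO reply.
    The first line is the server greeting, so it is skipped."""
    caps = set()
    for line in transcript.splitlines()[1:]:
        m = re.match(r"250[- ](\S+)", line.strip())
        if m:
            caps.add(m.group(1).upper())
    return caps


def parse_mta_sts(policy: str) -> dict:
    """Parse an MTA-STS policy into {'version', 'mode', 'max_age', 'mx': [...]}."""
    out = {"mx": []}
    for line in policy.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            out["mx"].append(value)  # multiple mx lines are allowed
        else:
            out[key] = value
    return out


def assess_tls_enforcement(caps: set, mta_sts_policy: Optional[str] = None) -> dict:
    """Decide whether a 'require TLS' rule for this partner is safe to enable.
    'safe' is driven by STARTTLS support; MTA-STS findings are advisory."""
    findings = []
    starttls = "STARTTLS" in caps
    if not starttls:
        findings.append("MX does not advertise STARTTLS; enforced TLS would bounce mail")
    policy = parse_mta_sts(mta_sts_policy) if mta_sts_policy else None
    if policy is None:
        findings.append("no MTA-STS policy published; TLS relies solely on your own setting")
    elif policy.get("mode") != "enforce":
        findings.append("MTA-STS mode is '%s', not 'enforce'" % policy.get("mode"))
    elif not policy["mx"]:
        findings.append("MTA-STS policy lists no mx entries")
    return {"safe": starttls, "starttls": starttls, "mta_sts": policy, "findings": findings}


def probe_starttls(mx_host: str, port: int = 25, timeout: float = 10.0) -> set:
    """Live check (network access required; not exercised offline): connect to
    the MX, read its EHLO capabilities, and attempt STARTTLS with certificate
    and hostname validation. Returns the capability set; raises on TLS failure."""
    ctx = ssl.create_default_context()  # validates the chain and the hostname
    with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        caps = {k.upper() for k in smtp.esmtp_features}
        if "STARTTLS" in caps:
            smtp.starttls(context=ctx)
        return caps


if __name__ == "__main__":
    for label, transcript in (("partner", SAMPLE_EHLO_OK), ("legacy", SAMPLE_EHLO_NO_TLS)):
        result = assess_tls_enforcement(parse_ehlo(transcript), SAMPLE_MTA_STS)
        print(label, "safe to enforce TLS:", result["safe"], result["findings"])
```

Run the offline assessment against captured transcripts during the review, and use probe_starttls against each partner's MX only from a host that is permitted to speak SMTP outbound; a partner that fails the probe needs to fix their server before the enforcement rule is turned on, or their mail will stop arriving.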
It's worth noting that there are a lot of easy ways one can screw up handling PHI over regular email; I would advise using a dedicated service with tighter control over file sharing and more auditing.
If you're interested in keeping up on Coffee With A Splash Of Cyber each week, subscribe by entering your email address below.