
    Is G Suite HIPAA Compliant? An Admin Guide For Configuring G Suite for HIPAA Compliance


    As your business moves into the cloud,  compliance regulations must be your top priority.

    An extremely important compliance regulation today is the Health Insurance Portability and Accountability Act (HIPAA).

    What is HIPAA?  If you fall under HIPAA compliance and use Google G Suite, is G Suite HIPAA compliant?  What about G Suite services like Gmail, Calendar, Keep, Hangouts, Vault, and others?

    What is the Health Insurance Portability and Accountability Act (HIPAA)?

    The main stated purpose of the Health Insurance Portability and Accountability Act (HIPAA) is to protect health care coverage for individuals who lose or change jobs. However, HIPAA Title II, the Administrative Simplification provisions, also defines how electronic protected health information (ePHI) must be protected and secured.

    HIPAA includes the following five main directives:

    1. Privacy rule – Defines how covered entities must maintain the privacy of PHI and limits how PHI may be used and disclosed

    2. Security rule – Requires that electronic PHI be secured at all times through administrative, physical, and technical safeguards.

    3. Unique identifiers rule – The Unique Identifiers Rule provides a standard for identification of healthcare providers

    4. Transactions and code set rule – This rule outlines standards for electronic health care transactions and the code sets they use, including the International Classification of Diseases (ICD), Current Procedural Terminology (CPT), the HCFA Common Procedure Coding System (HCPCS), the Code on Dental Procedures and Nomenclature (CDT), and National Drug Codes (NDC).

    5. Enforcement rule – The HIPAA Enforcement Rule relates to compliance and investigations, as well as penalties for non-compliance.

    The official resource for HIPAA standards and information is the hhs.gov site.  You will want to reference this resource to fine-tune your understanding and implementation of HIPAA throughout your environment, including in cloud environments like G Suite.

    Are you migrating your data to the cloud?  If you have decided that G Suite is the SaaS environment that makes the most sense for your business, is it compliant with HIPAA regulations?

    Is G Suite HIPAA compliant?

    Google’s official position is that G Suite supports HIPAA compliance: it can be used to store and process protected health information (PHI) in line with this framework, but only when certain requirements are met.

    These include the following:

    1. You use a paid G Suite version
    2. You signed a Business Associate Agreement (BAA) with Google
    3. Your G Suite is configured correctly to support HIPAA compliance

    Which G Suite plan can be HIPAA compliant?  

    There is no formal HIPAA certification for a product or a plan; what matters is whether Google will sign its BAA and whether the service is configured and used correctly.  Google offers the BAA only on paid G Suite plans, so the free G Suite offerings are not an option if you must align with HIPAA regulations.

    Google historically scanned consumer Gmail content for advertising purposes.  It stopped doing so in 2017, but on a free plan there is no contractual commitment that prevents it from doing so again.

    With a paid plan under the BAA, Google does not scan content for advertising purposes, which is a precondition for handling protected health information (PHI).  Are there differences in HIPAA-relevant features between the paid G Suite plans?  Yes.

    When thinking about making Gmail compliant with HIPAA, organizations need to protect PHI in email as it is transmitted across the Internet.  Under the HIPAA Security Rule, encryption of ePHI in transit is an “addressable” specification: you must implement it where reasonable and appropriate, or document why an equivalent alternative was chosen, and for email leaving your domain that means encryption in practice.

    Google does offer S/MIME email encryption in Gmail.  However, hosted S/MIME requires the G Suite Enterprise plan, as documented in Google’s S/MIME administration guide.  Note that Google stores the users’ S/MIME private keys and performs the encryption and decryption on its servers, so this is not end-to-end encryption in the strict sense, although the message is encrypted to the recipient’s certificate rather than merely on the wire.  Without the Enterprise plan you will need to look at a third-party encryption solution.

    There are some settings that may benefit your organization when configuring Google core services to be HIPAA compliant that are limited to certain G Suite plans.  As an example, you may want to restrict sharing outside your organization to an organizational unit or configuration group.

    You can only select a child OU or group if you have the G Suite Enterprise, Business, Education, Nonprofits, or Drive Enterprise edition, as detailed in Google’s help.  It is important to understand that the plans differ in which configurations are available, and some of the restrictions you will want for PHI are not available on the lower tiers.

    What legal agreements do you need to sign with Google?

    As mentioned above, you need to sign a Business Associate Agreement (BAA) with Google to be HIPAA compliant.  What is the BAA and what role does it play in HIPAA?

    HIPAA applies directly to covered entities, which are health care providers, health plans, and health care clearinghouses.  When a covered entity uses the services of another person or business that creates, receives, maintains, or transmits PHI on its behalf, that party is a business associate, and since the 2013 Omnibus Rule business associates are themselves directly liable for complying with the Security Rule and the applicable Privacy Rule provisions.

    The business associate agreement records the business associate’s assurances that the PHI it has access to will be used only for the purposes explicitly defined by the covered entity that entered into the agreement, and that it will be safeguarded appropriately.

    In other words, if your organization uses a third-party that will in some way interact with PHI that falls under HIPAA, you will need to sign a Business Associate Agreement with them.  Since Google’s G Suite will be housing information that may contain PHI data, the BAA needs to be signed with Google.

    How is the BAA signed with Google?  Google makes the process to review and accept the Business Associate Agreement fairly easy.  To sign the HIPAA Business Associate Agreement for G Suite, you sign in to your paid G Suite account as an administrator and opt into the HIPAA BAA.  As outlined in the official G Suite Admin help, to do this:

    1. Sign in to the G Suite Admin console
    2. Click Company Profile
    3. Click Show more > Legal & compliance
    4. In the Security and Privacy Additional Terms next to HIPAA Business Associate Amendment, click Review and Accept.
    5. Answer the three questions presented and, if you are confirmed as a HIPAA covered entity, click I accept to accept the HIPAA BAA.

    Does technical support from Google help you make your G Suite HIPAA compliant?

    Does Google technical support deal with HIPAA-related issues?  No.  It is important to understand that the technical support provided by Google is not part of the HIPAA-covered services, so you must not disclose PHI to Google in support cases.

    How to make G Suite HIPAA compliant

    After you have signed the Business Associate Agreement (BAA), you are in a position to begin configuring G Suite under the regulation of HIPAA compliance.  When considering how to make G Suite HIPAA compliant, it is important to note that G Suite services must be used and configured in such a way that it satisfies HIPAA requirements.

    An important methodology when it comes to ensuring your G Suite environment is HIPAA compliant comes down to the People, Processes, and Technology triangle.  It will generally be a mix of all three to ensure that end users are trained to use technology systems including G Suite in such a way that aligns with HIPAA compliance, and the processes and technology support keeping PHI secure.

    Google lists certain core services that can be used by your organization with HIPAA-regulated PHI.  Additionally, some of the services in the list below require that certain features or functionality be used, or not used, for PHI purposes as noted.  What are these core services covered by the BAA?  These include the following:

    • Gmail
    • Calendar
    • Drive (including Docs, Sheets, Slides, and Forms)
    • Tasks
    • Keep
    • Sites
    • Jamboard
    • Hangouts classic (chat messaging features only)
    • Hangouts Chat
    • Hangouts Meet
    • Google Cloud Search
    • Google Groups
    • Google Voice (managed users only)
    • Cloud Identity Management
    • Vault

    Are there Google services that are not permitted for use under HIPAA regulations and PHI information?  Yes.  These include:

    • Google Contacts
    • Google+

    It is also important to understand that by default G Suite users may have access to other Google services that are not permitted for use with HIPAA PHI.  These other Google services that are not listed in the core services and for which Google has not made available a separate Business Associate Agreement (BAA) are not permitted for use with HIPAA PHI information.  These include:

    • YouTube
    • Blogger
    • Google Photos

    Google has provided a G Suite Admin Help guide discussing how you can see the list of additional G Suite services as well as how these additional services can be turned off to be HIPAA compliant.  It is important to review this article and make sure that all services that have not been approved for use for those who manage PHI within your organization have been disabled.

    From a management perspective, you can manage different users in your organization by creating what is referred to as organizational units in G Suite.  You can segregate users who interact with PHI from users who do not and adjust the services they see based on the organizational unit they are a member of.

    What about the configuration and tweaks needed for specific Google services?  Let’s take a look at those.

    Google Drive (including Docs, Sheets, Slides, and Forms)

    Google Drive provides cloud storage for your organization when using the G Suite SaaS service. With Google Drive, there are configuration and administration items that you want to make sure to give attention to for safeguarding your HIPAA PHI.  There will be a mix of user training as well as technical items that you want to have in place.

    Is Google Drive HIPAA compliant?

    Users need to be made aware of the following:

    • Do not put PHI into the titles of files, folders, or Team Drives
    • Do not share information outside of Google Drive in unsanctioned ways

    The G Suite administrator will play an integral part in making sure the G Suite Google Drive configuration is sufficient to protect HIPAA PHI.  There are two main components of making sure from a technical perspective that HIPAA PHI is protected appropriately.  This includes configuring visibility and permissions appropriately.

    The following list of items details configuration settings the G Suite admin will want to enforce with Google Drive to ensure PHI is safeguarded appropriately:

    • Set the default link-sharing visibility appropriately for the G Suite account
    • Restrict how employees can share information outside the sanctioned G Suite domain
    • When this external sharing setting is turned off, Google’s documentation states that it “prevents users from sharing Google Drive files with people outside your organization through invitations, links, and email attachments. Users outside of your organization will not be able to view new published sites. Also, prevents users from submitting Google Forms that require them to share documents outside your organization”
    • Change the default visibility to Private
    • Limit and restrict content sharing even with Team Drives
    • Restrict having external members as team members
    • Restrict who can download, copy, or print files in the Team Drive
    • Make use of the file exposure report in G Suite
    • Disable the installation of third-party apps
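As an added example (not code from the original article, from Spin Technology or from Google), here is a small audit that applies the two Drive rules above, no external grants and no PHI in titles, to file metadata in the shape the Drive API v3 files.list call returns when requested with fields="files(id,name,permissions)". The sanctioned domain, file names and addresses are constructed sample data, and the PHI title patterns are illustrative assumptions about what a leaked identifier looks like in a file name:

```python
"""Audit Google Drive file metadata for external exposure and PHI-looking titles.

Added example for this article, not Spin Technology's or Google's code.  The
records mirror the shape of a Drive API v3 files.list response requested with
fields="files(id,name,permissions)"; the sample files below are constructed and
the domains are fictitious.
"""
import re

# Patterns suggesting PHI leaked into a file name.  Illustrative only; a real
# policy would use the organization's own identifier formats.
PHI_TITLE_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),        # SSN-shaped token
    re.compile(r"\bMRN[\s#:-]*\d{5,}\b", re.I),  # medical record number
]


def external_permissions(permissions, sanctioned_domains):
    """Return descriptions of grants that reach outside the sanctioned domains."""
    findings = []
    for p in permissions:
        kind = p.get("type")
        role = p.get("role", "?")
        if kind == "anyone":
            # allowFileDiscovery=True means the file is searchable by the public;
            # otherwise it is 'anyone with the link', which is still external.
            how = "discoverable" if p.get("allowFileDiscovery") else "link"
            findings.append(f"anyone ({how}, {role})")
        elif kind == "domain":
            domain = p.get("domain", "").lower()
            if domain not in sanctioned_domains:
                findings.append(f"domain {domain} ({role})")
        elif kind in ("user", "group"):
            email = p.get("emailAddress", "").lower()
            if email.rsplit("@", 1)[-1] not in sanctioned_domains:
                findings.append(f"{kind} {email} ({role})")
    return findings


def audit_files(files, sanctioned_domains):
    """Flag files that are shared externally or carry a PHI-looking title."""
    sanctioned = {d.lower() for d in sanctioned_domains}
    report = []
    for f in files:
        issues = []
        external = external_permissions(f.get("permissions", []), sanctioned)
        if external:
            issues.append("externally shared: " + "; ".join(external))
        if any(pat.search(f.get("name", "")) for pat in PHI_TITLE_PATTERNS):
            issues.append("PHI-looking title")
        if issues:
            report.append({"id": f["id"], "name": f["name"], "issues": issues})
    return report


# Constructed sample data in the Drive API shape (not real files or people).
SAMPLE_FILES = [
    {"id": "f1", "name": "Q3 budget",
     "permissions": [{"type": "user", "emailAddress": "alice@clinic.example", "role": "owner"},
                     {"type": "user", "emailAddress": "bob@clinic.example", "role": "writer"}]},
    {"id": "f2", "name": "Patient intake MRN 4471923",
     "permissions": [{"type": "user", "emailAddress": "alice@clinic.example", "role": "owner"},
                     {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f3", "name": "Referral list",
     "permissions": [{"type": "user", "emailAddress": "carol@clinic.example", "role": "owner"},
                     {"type": "domain", "domain": "partner-hospital.example", "role": "reader"}]},
    {"id": "f4", "name": "Staff roster",
     "permissions": [{"type": "group", "emailAddress": "staff@clinic.example", "role": "reader"}]},
]

if __name__ == "__main__":
    for finding in audit_files(SAMPLE_FILES, ["clinic.example"]):
        print(f"{finding['id']} {finding['name']!r}: {'; '.join(finding['issues'])}")
```

In production the same function would be fed from the Drive API or from an export of the file exposure report, and the regexes would be replaced with the identifier formats your organization actually uses. The point is that both checks, external grants and PHI in titles, are mechanical and can run over every file instead of relying on users to remember the rules.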

    Gmail

    Gmail is an extremely important part of your G Suite core services that you want to make sure you configure correctly to align with HIPAA email rules.  Any time end users have the ability to send information and potentially the wrong types of information (PHI) outside your domain, it deserves extra scrutiny.

    G Suite Gmail provides the controls needed to help ensure that information as well as attachments are only sent to the intended, sanctioned recipients.  The last thing you want to happen is PHI to be sent out intentionally or unintentionally, outside your organization.

    What are some of the controls in place that can help to ensure that Gmail messages and attachments are not inadvertently sent containing PHI?


    Admins can use the following G Suite controls:

    • Make sure users only share messages and attachments with the intended recipients, for example by using the Restrict delivery setting to limit which external domains users can exchange mail with
    • Create data loss prevention (DLP) policies (available on G Suite Enterprise) that scan outgoing emails for PII/PHI identifiers and act appropriately to prevent transmission or sharing

    It’s also important to understand that G Suite cloud storage and Gmail work hand-in-hand as employees will most likely be choosing attachments from the Google Drive storage.  Having the aforementioned controls in place for Google Drive is necessary to ensure HIPAA compliance.  Let’s now look at another important consideration for Gmail message transmission itself – encryption.

    TLS and S/MIME Gmail encryption

    So, is Gmail HIPAA compliant? For Gmail email to be compliant with HIPAA regulations, it needs to be encrypted.  Encrypted communication has long been a way to prevent prying eyes from having visibility to information. Configuring and making use of G Suite email encryption with Gmail is an extremely important part of ensuring that protected health information is secured appropriately.

    Gmail uses TLS (Transport Layer Security) to encrypt mail in transit between mail servers.  However, it is important to understand that by default this TLS is opportunistic: unless an administrator creates a rule to enforce it, if the sending or receiving mail server does not support TLS, the message is exchanged in plain text.

    An additional drawback of TLS is that it protects the message only while it travels between servers.  Once delivered, the message sits in the recipient’s mailbox like any other, and anyone with access to that mailbox can read it.

    In the paid G Suite editions, administrators can create compliance rules that reject mail when TLS isn’t supported by the other side.  Google also offers a step up from transport encryption.  This is S/MIME (Secure/Multipurpose Internet Mail Extensions).  As mentioned earlier, hosted S/MIME is only available at the Enterprise plan level.  What advantage over TLS does S/MIME bring to the table?

    With S/MIME, the message body and attachments are encrypted to the recipient’s certificate, so only the holder of the matching private key can decrypt them.  The message therefore stays encrypted both in transit and at rest in the recipient’s mailbox, rather than only on the wire.

    S/MIME shares some of TLS’s limitations, such as the requirement that both parties’ email systems support it.  In addition, it requires work up front with the organizations you wish to exchange mail with: certificates (public keys) must be exchanged in advance so emails can be encrypted and decrypted properly by both parties.

    You can set up compliance and routing rules that require that outgoing messages be signed and encrypted using S/MIME.  Using S/MIME routing rules at the G Suite organization level ensures that even if end users turn off encryption, the routing rules override this action.

    There are third-party solutions that allow implementing easier and more thorough encryption solutions for your G Suite environment.  Your organization will need to weigh out the pros and cons of each solution and the costs involved to see which encryption implementation makes sense.

    Calendar

    Sharing calendars between users and teams in G Suite is a great way to enhance collaboration and team productivity.  However, the G Suite Calendar is another service that needs to be configured properly for ensuring that PHI is protected accordingly in line with HIPAA guidelines.

    Again, proper end-user sharing practices and technology controls help make sure that PHI is not exposed.  Like many of the other core G Suite services, Calendar by default shares event details with everyone in the G Suite organization.

    End users can set calendar entries to Private for any event related to PHI.  Additionally, G Suite admins can change the default behavior with visibility and sharing options that can change the default behavior across the entire G Suite domain.

    Keep

    Google Keep allows your end-users to take notes and create lists and other items that could possibly contain PHI.  With Keep, G Suite administrators need to make sure that the Google Drive sharing settings are set for restricting information appropriately.  G Suite administrators can set the sharing options to either Restrict or Allow sharing outside the organization.

    With Keep, many of the default sharing settings are in line with HIPAA configurations since Keep by default sets notes to Private regardless of Drive settings.

    Sites

    Google Sites allows easily creating team sites to share content between team members in G Suite.  When thinking about PHI information, it is important to understand that Google Sites can be visited by members outside your G Suite organization.

    According to the main Google Sites page:

    • Can external visitors access a company site? 

    Yes. People outside your company can access your site, even without a G Suite account. You can also opt to restrict access through sharing settings.

    Google AdSense can be added to Google Sites pages for advertising purposes.  This must be turned off for sites that include HIPAA PHI.

    Other considerations to make and change:

    • Limit who has access to edit the information on the site
    • Do not include text, images, or other content such as calendar information that may contain PHI
    • Limit publishing sites externally, perhaps limiting to the internal domain

    Google Cloud Search

    Google Cloud Search offers built-in applications that can be used out of the box.  Connectors are available that can pull in information from other systems such as CRM, G Suite documents, and others.  Using Google’s search technology, information can be found much more efficiently.

    Information intensive industries like healthcare deal with an overwhelming amount of information.  So, Google Cloud Search technology can be extremely helpful for healthcare organizations.

    To ensure that your organization uses Google Cloud search in line with HIPAA policies, admins will want to control how search history is used and who has search history turned on or off.  This can be limited for everyone or it can be turned on or off for specific organizational units (must have G Suite Enterprise).

    Additionally, part of the customer’s side of the shared responsibility model for HIPAA in G Suite is making sure that third-party connectors or other connections that aggregate data for search indexing are properly secured with appropriate permissions, since an over-privileged connector can pull PHI into an index that is visible to users who should not see it.

    Google Hangouts and Meet

    Hangouts Meet is now Google Meet.  Google Meet provides secure video meetings for your business that allow effective collaboration and communication.  It’s important to note that classic Google Hangouts video calls are not covered by Google’s Business Associate Agreement; only classic Hangouts chat messaging is, as the core services list above states.

    Instead of the classic Hangouts, you will want to make sure you are using the new Google Meet platform.  Users can be prevented from starting video calls from the classic Hangouts application.  See how to do this here.

    Another important consideration with Meet is whether external guests can participate in your video meetings.  The organizer of a Meet call has to decide whether to allow external guests to join or to allow only users from your G Suite organization.

    If your organization uses G Suite Enterprise, it allows the ability to record meetings in MP4 format to Google Drive.  Will the recording potentially have PHI subject matter?  This is functionality that G Suite admins can control as well through policies set to control whether G Suite Enterprise users have the ability to record their meetings to Drive.

    Vault

    Vault is Google’s eDiscovery and compliance solution for G Suite.  It is used to retain, hold, search, and export data to support retention and eDiscovery activities.  Vault is included in the G Suite Business and Enterprise plans and is available as a paid add-on for G Suite Basic if your organization chooses to purchase licenses for your users.

    Google does not provide a great deal of information regarding specific settings or configurations of vault related to HIPAA.  In fact, in the recent HIPAA guide from Google, Vault is only briefly mentioned.  However, it is included in the services that Google defines as HIPAA compliant.

    When Vault is used with the other Google core G Suite services that are correctly configured for HIPAA, Vault can be used in a sanctioned way to store PHI.

    Other important G Suite settings for HIPAA compliance

    Other G Suite configuration changes and G Suite admin best practices lend themselves to good overall G Suite security.  The better your overall security posture across your G Suite environment, the easier it is to comply with compliance frameworks such as HIPAA.

    The following other considerations and best practices can help secure your G Suite environment and protect HIPAA PHI:

    • Enable Two-factor authentication
    • Monitor account activity
    • Enable role-based access
    • Control third-party apps, systems, or databases

    Let’s briefly consider each of these best practices and see how each helps to secure your G Suite environment and align your organization with HIPAA regulations.

    Enable two-factor authentication

    Enabling two-factor authentication is one of the best ways to drastically increase the security of your G Suite environment.  Passwords have long been a weak point in most environments.  End users have a tendency to choose weak passwords.  This can very quickly place business-critical and sensitive data such as HIPAA PHI at risk.

    With two-factor authentication, users must verify their identity with something they know (their password) as well as something they have, such as a physical security key or a code delivered to a device such as a cell phone.  It is critically important to protect your G Suite administrator accounts with two-factor authentication.  If an attacker compromises a G Suite administrator account, they have all the “keys to your kingdom” and can do anything they want in your environment.

    With G Suite, there are several different ways the two-factor verification can be validated.  These include:

    • Security keys
    • Google prompt
    • Google Authenticator
    • Backup codes
    • A text message or phone call

    Enabling two-factor authentication is certainly a recommended best practice to improve the overall security of your G Suite environment.  When it comes to HIPAA compliance, HHS.gov recommends two-factor authentication for protecting electronic PHI.

    Monitor Account Activity

    Having visibility of the account activity is a great way to protect and monitor potential security threats in your G Suite environment.  G Suite provides the alert center to provide a place to aggregate events and alerts.  This includes account activities and alerts.

    The G Suite alert center can send out email alerts of many different kinds of alerts that happen in the environment.  However, the alert center must be configured to send out email notifications.  To configure alert center email notifications, follow the documentation found here.

    Enable role-based access (RBAC)

    To follow best practices for permissions and access in G Suite, you want to make sure end users have permissions assigned based on their job role.  All too often, end users have more permissions than they need.  G Suite lets administrators easily view a list of users’ roles and privileges in the Google Admin console.

    This is not limited to normal end users.  Users who serve as administrators in G Suite should be assigned only the administrator permissions they actually need.  Very few will need the Super Admin role.  G Suite provides pre-built administrator roles that allow assigning administrator permissions based on the role the administrator will actually play in your organization.

    Predefined G Suite admin roles include the following:

    • Super Admin
    • Groups Admin
    • User Management Admin
    • Help Desk Admin
    • Services Admin
    • Mobile Admin
    • Google Voice Admin
    • Reseller Admin

    You can read more about the permissions and capabilities that each role has in the G Suite environment here.

    Assigning the roles and permissions to users and especially to the users who will serve as administrators in the G Suite environment helps to ensure that permissions are scoped appropriately.  This is in line with HIPAA best practices and is part of the Administrative Safeguards that need to be put in place as part of the HIPAA security rule.

    Control third-party apps, systems, or databases

    Cloud Software-as-a-Service environments like G Suite allow customers to extend the native functionality by way of third-party apps found in the marketplace.  Despite providing extended functionality, third-party apps can expose PHI data as well as bring other security and data leak threats.

    Left unchecked, end users can potentially install third-party apps that gain access to sensitive HIPAA PHI.  This can easily happen as end users may simply grant permissions that are requested by a third-party app that either could be malicious in nature or “leaky”, exposing sensitive data.

    Monitoring and controlling third-party apps in G Suite is essential to securing your G Suite environment and in ensuring the security of HIPAA PHI.

    G Suite provides native functionality to control which third-party and domain-owned apps can access sensitive G Suite data.  Apps gain access to G Suite services through OAuth 2.0, and app access control allows organizations to:

    • Restrict or leave unrestricted access by third-party apps to G Suite
    • Whitelist apps so they can access restricted G Suite data
    • Trust domain-owned apps
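Putting the monitoring advice from the alert center section together with the OAuth app controls above, the following added example (not code from the original article, from Spin Technology or from Google) triages audit activities in the shape returned by the Admin SDK Reports API for the login, token and admin applications: repeated login failures, suspicious logins, OAuth grants of mailbox or Drive scopes to apps that are not on your trusted list, and admin role assignments. The events, accounts, IP addresses and OAuth client IDs are constructed, and the trusted client ID list and the set of scopes treated as sensitive are assumptions you would replace with your own:

```python
"""Triage G Suite audit events for signals that matter to PHI protection.

Added example for this article, not Spin Technology's or Google's code.  The
records mirror the shape of Admin SDK Reports API activities.list responses for
the login, token and admin applications; all events, addresses and client IDs
are constructed and fictitious.
"""
from collections import Counter

# OAuth scopes that expose mailbox, Drive or directory content (where PHI lives).
# Assumed policy; extend with whatever your organization considers sensitive.
SENSITIVE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
}


def param(event, name):
    """Return a named event parameter; multi-valued parameters come back as a list."""
    for p in event.get("parameters", []):
        if p.get("name") == name:
            return p.get("multiValue", p.get("value"))
    return None


def triage(activities, trusted_client_ids, failure_threshold=5):
    """Return alerts for suspicious logins, risky OAuth grants, role changes and password guessing."""
    alerts = []
    failures = Counter()  # (account, source ip) -> failed login count
    for act in activities:
        app = act["id"]["applicationName"]
        actor = act.get("actor", {}).get("email", "?")
        ip = act.get("ipAddress", "?")
        for ev in act.get("events", []):
            name = ev.get("name")
            if app == "login" and name == "login_failure":
                failures[(actor, ip)] += 1
            elif app == "login" and name == "suspicious_login":
                alerts.append({"kind": "suspicious_login", "actor": actor, "detail": ip})
            elif app == "token" and name == "authorize":
                client = param(ev, "client_id")
                risky = set(param(ev, "scope") or []) & SENSITIVE_SCOPES
                if risky and client not in trusted_client_ids:
                    alerts.append({"kind": "untrusted_app_sensitive_scope", "actor": actor,
                                   "detail": f"{param(ev, 'app_name')} ({client}): {sorted(risky)}"})
            elif app == "admin" and name == "ASSIGN_ROLE":
                alerts.append({"kind": "admin_role_assigned", "actor": actor,
                               "detail": f"{param(ev, 'ROLE_NAME')} -> {param(ev, 'USER_EMAIL')}"})
    # Aggregate failures per account and source so one bad password is not noise
    # but a run of them is reported.
    for (account, ip), n in failures.items():
        if n >= failure_threshold:
            alerts.append({"kind": "password_guessing", "actor": account,
                           "detail": f"{n} failures from {ip}"})
    return alerts


def _activity(app, actor, ip, event_name, params):
    """Build one activity record in the Reports API shape (sample data helper)."""
    return {"id": {"applicationName": app, "time": "2020-05-01T08:00:00.000Z"},
            "actor": {"email": actor}, "ipAddress": ip,
            "events": [{"name": event_name, "parameters": params}]}


# Constructed sample events; addresses are documentation ranges, people are fictitious.
SAMPLE_ACTIVITIES = (
    [_activity("login", "dr.lee@clinic.example", "203.0.113.7", "login_failure",
               [{"name": "login_failure_type", "value": "login_failure_invalid_password"}])] * 5
    + [_activity("login", "nurse.kim@clinic.example", "198.51.100.4", "login_failure",
                 [{"name": "login_failure_type", "value": "login_failure_invalid_password"}]),
       _activity("login", "admin@clinic.example", "203.0.113.9", "suspicious_login", []),
       _activity("token", "dr.lee@clinic.example", "198.51.100.20", "authorize",
                 [{"name": "client_id", "value": "pdf-merge.apps.googleusercontent.com"},
                  {"name": "app_name", "value": "Free PDF Merge"},
                  {"name": "scope", "multiValue": ["https://www.googleapis.com/auth/drive", "openid"]}]),
       _activity("token", "nurse.kim@clinic.example", "198.51.100.4", "authorize",
                 [{"name": "client_id", "value": "ehr-connector.apps.googleusercontent.com"},
                  {"name": "app_name", "value": "EHR Connector"},
                  {"name": "scope", "multiValue": ["https://mail.google.com/"]}]),
       _activity("token", "dr.lee@clinic.example", "198.51.100.20", "authorize",
                 [{"name": "client_id", "value": "lunch-poll.apps.googleusercontent.com"},
                  {"name": "app_name", "value": "Lunch Poll"},
                  {"name": "scope", "multiValue": ["openid", "https://www.googleapis.com/auth/userinfo.email"]}]),
       _activity("admin", "admin@clinic.example", "203.0.113.9", "ASSIGN_ROLE",
                 [{"name": "ROLE_NAME", "value": "_SEED_ADMIN_ROLE"},
                  {"name": "USER_EMAIL", "value": "dr.lee@clinic.example"}])]
)

TRUSTED_CLIENT_IDS = {"ehr-connector.apps.googleusercontent.com"}  # assumed allowlist

if __name__ == "__main__":
    for a in triage(SAMPLE_ACTIVITIES, TRUSTED_CLIENT_IDS):
        print(f"[{a['kind']}] {a['actor']}: {a['detail']}")
```

Note what does not fire: the trusted EHR connector receiving a mail scope, the app that asked only for identity scopes, and the single failed login. That is the design choice worth carrying into an alert center or SIEM rule set: alert on the combination of untrusted app plus sensitive scope, and on a run of failures, rather than on every OAuth grant or every typo in a password.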

    How do you make sure your staff doesn’t accidentally cause a HIPAA breach?

    The worst thing that can happen with protected health information (PHI) under HIPAA is a data breach. Breached PHI can mean the worst for a healthcare organization, including fines, a tarnished reputation, and repercussions that can last for years.

    HIPAA violations can lead to fines ranging from $100 to $50,000 per violation (or per record) depending on the perceived negligence that is found within your organization at the time of the HIPAA violation.  Your organization must do its due diligence to put the measures in place to ensure that PHI is protected in a suitable manner.

    As mentioned in the outset, this is usually a combination of people, processes, and technology to ensure that PHI is protected adequately.  How do you put all the information presented thus far together in a way that allows you to make sure that your staff doesn’t accidentally cause a HIPAA breach?

    HIPAA is a very complex and delicate framework that requires a lot of planning, training, and technology solutions to allow employees to be productive and at the same time ensure that PHI is protected in line with the guidelines set forth by HIPAA.

    To summarize the people, processes, and technology that is needed to make sure your staff doesn’t accidentally cause a HIPAA breach, consider the following:

    • End-user training – End-user training for HIPAA is absolutely required.  End-users need to be aware of all the aspects of how they need to interact with protected health information properly and the role they play in keeping this data safe.
    • Proper configuration of G Suite services – Paid versions of G Suite can be HIPAA compliant, however, it requires that all services used by your organization be configured correctly and restricted in certain ways to protect health information data.
    • Two-step verification – Two-step verification provides greatly enhanced security for end-users including administrators.  It combines something you know (your password) with something you have (a code delivered via device, text, call, app, and other means).
    • OAuth 2.0 and third-party apps control – OAuth 2.0 is the mechanism cloud service providers including Google use to let end users grant applications access to their G Suite data without disclosing their password.  However, this presents security concerns, as “leaky” or outright malicious apps can be integrated into the G Suite environment with just a few clicks on an end-user device.
    • Information rights management (IRM) – With IRM, you can disable actions that are risky to HIPAA PHI such as downloading, printing, and copying from G Suite.
    • Proper monitoring, auditing, and alerting – Monitoring, auditing and alerting are key administrative security tasks that help G Suite admins keep on top of potential security events in G Suite.  To bring your organization in line with HIPAA privacy and security controls, these are essential activities.
    • Email security and advanced protection – Email is often the gateway to security breaches or malware attacks.  Taking the proper steps to secure Gmail allows your organization to ensure data is protected between the sender/receiver, as well as malware and other types of malicious email such as phishing attacks, are filtered, and minimized as much as possible.
    • Encryption – Encrypting data makes certain that sensitive data is unreadable to anyone other than sanctioned users.  Making sure that information is encrypted both in flight and at rest helps ensure that PHI is protected from prying eyes and from parties outside the business associate agreement.
    • Mobile device management (MDM) – If you have mobile devices that are tied into the G Suite environment, using G Suite’s MDM solution allows enforcing policies, encrypting data, and remotely wiping or locking stolen or lost devices.
    • Backup G Suite – Backing up your G Suite environment containing protected health information (PHI) is critical to protecting PHI and other business-critical data from data loss.  G Suite is limited in what it can natively provide in terms of proper backups of your data.  Your organization will want to bolster data protection of G Suite with a capable third-party solution that can protect your data across all G Suite services.
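    Putting the third-party apps control and the monitoring points above together, here is an added example (not code from the original post or from Spin) that risk-scores the OAuth grants users have made by the scopes each grant carries, so Drive-wide and Gmail-wide grants stand out from narrow ones and from admin-vetted apps.  The record layout, the sample grants, the weights, the thresholds and the allowlist are assumptions constructed for the example; the scope URLs are real Google OAuth scopes.

```python
"""Risk-score OAuth grants users have made to third-party apps (added example,
not Spin's or Google's code). Record fields and sample grants are constructed;
scope URLs are real Google OAuth scopes, the weights are an assumed policy."""
from collections import defaultdict, namedtuple

G = "https://www.googleapis.com/auth/"
# Higher weight = broader reach into Gmail/Drive, where PHI is most likely to live.
SCOPE_WEIGHTS = {
    "https://mail.google.com/": 40,  # full read/write/delete of Gmail
    G + "drive": 40,                 # every Drive file, including delete
    G + "drive.file": 5,             # only files the app itself created/opened
    G + "calendar": 15,
    G + "userinfo.email": 1,
    "openid": 0,
}
UNKNOWN_SCOPE_WEIGHT = 10  # unrecognised scopes are suspicious, never ignored

# Assumed record shape; a real export would be mapped into these four fields.
Grant = namedtuple("Grant", "user app_name client_id scopes")

def score_grant(grant, allowlist=frozenset()):
    """Sum scope weights; admin-vetted (allowlisted) client IDs score 0."""
    if grant.client_id in allowlist:
        return 0
    return sum(SCOPE_WEIGHTS.get(s, UNKNOWN_SCOPE_WEIGHT) for s in grant.scopes)

def risk_level(score):
    return "high" if score >= 40 else "medium" if score >= 15 else "low"

def review_grants(grants, allowlist=frozenset()):
    """One row per client_id: the app's worst-case score, risk, and user count."""
    per_app = defaultdict(lambda: {"score": 0, "users": set()})
    for g in grants:
        row = per_app[g.client_id]
        row.update(app_name=g.app_name, score=max(row["score"], score_grant(g, allowlist)))
        row["users"].add(g.user)
    rows = [{"client_id": c, "app_name": r["app_name"], "score": r["score"],
             "risk": risk_level(r["score"]), "users": len(r["users"])} for c, r in per_app.items()]
    return sorted(rows, key=lambda r: (-r["score"], r["app_name"]))

# Constructed sample: one Drive-wide app granted by two users, one vetted SSO app.
ALLOWLIST = frozenset({"sso.example.apps.googleusercontent.com"})
SAMPLE_GRANTS = [
    Grant("alice@example.org", "PDF Merger Pro", "111.example.apps.googleusercontent.com", (G + "drive", G + "userinfo.email")),
    Grant("bob@example.org", "PDF Merger Pro", "111.example.apps.googleusercontent.com", (G + "drive", G + "userinfo.email")),
    Grant("carol@example.org", "Meeting Scheduler", "222.example.apps.googleusercontent.com", (G + "calendar", G + "userinfo.email")),
    Grant("dave@example.org", "Corporate SSO", "sso.example.apps.googleusercontent.com", ("https://mail.google.com/",)),
    Grant("erin@example.org", "Doc Viewer", "333.example.apps.googleusercontent.com", (G + "drive.file", "openid")),
]
```

    The report is sorted worst first, so the two users who granted a Drive-wide app sit at the top of the review queue while the allowlisted SSO app drops to the bottom despite its full-Gmail scope.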

    Beyond the above, your organization will want a robust offboarding process, including the technical steps needed to ensure that all access to HIPAA and other business-critical data is terminated immediately when an employee leaves the company.

    Effective training of your end-users, processes that provide the “guard rails” for daily business activities involving PHI, and the right technology solutions together greatly reduce the risk that a member of staff will accidentally cause a data breach.

    Let’s take a look at a technology solution that can help bolster your organization’s efforts to ensure that protected health information is secured appropriately and effectively.

    How to make G Suite HIPAA compliant with SpinOne

    While G Suite has many great built-in technology capabilities and features to help secure your G Suite environment and align with HIPAA regulations, on its own it can fall short in protecting PHI.  Google G Suite native security solutions fall short in the following ways:

    1. Ransomware protection
    2. Backups of your data
    3. Third-party apps protection and auditing
    4. Consolidated ease of use
    5. Automated responses

    Let’s take a look at each area and see how SpinOne allows us to meet and exceed HIPAA compliance regulations in G Suite much more easily.

    1.  Ransomware protection

    Ransomware is one of the biggest threats to your organization’s data, both on-premises and in cloud SaaS environments such as G Suite.  Modern ransomware can hold your cloud data hostage, and newer variants also threaten to release sensitive data as additional leverage for a ransom payment.

    Think about the consequences of your cloud SaaS data being encrypted by ransomware, combined with threats to release that data, potentially including HIPAA PHI.  This would be a nightmare scenario.  SpinOne effectively counters ransomware in the cloud with a seamless, automated solution that requires no administrator interaction.

    SpinOne’s automated ransomware protection provides automatic responses to ransomware infections.  This includes:

    1. SpinOne’s AI-powered solution automatically detects the ransomware infection underway using effective file-behavior analysis
    2. It automatically blocks the attack source in real-time
    3. SpinOne automatically identifies the files that have been infected/encrypted with ransomware
    4. It automatically recovers damaged files from the latest good backup of your G Suite environment taken with Spinbackup

    Imagine as a G Suite administrator, waking up to a notification that Spin detected a ransomware infection, blocked it, and completely remediated the effects of the ransomware, all without requiring a single interaction by G Suite administrators.

    2.  Backups of your data

    Part of the shared responsibility model that Google maintains with G Suite customers is that customers are responsible for protecting their data.  There is no official backup solution provided by Google that allows for enterprise-grade backups of your G Suite data, including PHI.

    According to HHS.gov, SLAs with a cloud service provider can include provisions that address such HIPAA concerns as…

    • Back-up and data recovery (e.g., as necessary to be able to respond to a ransomware attack or other emergency situation).  
    • Automatic backups 1-3x daily
    • Encrypted backups both in-flight and at-rest
    • Deletion and version control
    • Fast search
    • Analytics and reports

    3.  Third-party apps protection

    With SpinAudit as part of SpinOne, you get a total apps risk assessment that identifies which applications are risky to your data and which have read, write, and delete permissions to your sensitive data.  This also helps to reduce the risk of shadow IT applications, installed by end-users, that bypass organizational policies and other best practices.

    SpinAudit provides a database of 55,000+ (and growing) apps and browser extensions that have passed Spin’s AI-based scoring.  This gives your organization a completely automated auditing and risk assessment platform for any application that end users attempt to integrate with the G Suite environment containing PHI.

    SpinAudit contains:

    • Application whitelisting and blacklisting
    • Custom security policies
    • Visibility to app permissions granted in G Suite
    • The business risk level of G Suite apps

    4.  Consolidated ease of use

    Even though many of the cloud service providers have security solutions built into their platform, many of the different security dashboards and consoles are disaggregated and are configured in their own administrative interface.

    This means that you have to configure various aspects of your security in different UIs and interfaces.  This can lead to confusion and more administrative overhead, and can even create security gaps as events get missed. With SpinOne, the solution provides a single-pane-of-glass UI for configuring the security of your G Suite environment.

    5.  Automated responses

    In your fast-moving, complex environment involving HIPAA PHI in your G Suite cloud SaaS environment, you don’t have time for manual processes.  Your organization is no doubt moving too fast to be held back by legacy approaches to security and other operational processes.

    SpinOne is built around artificial intelligence (AI) and machine learning (ML) architecture that allows the solution to be intelligent and provide a high level of automation.  This takes a great deal of the administrative burden from the administrator so time can be better spent elsewhere.

    When it comes to HIPAA PHI and the complex and dangerous security threats that target healthcare and other organizations today, you want to have an automated security intelligence watching and protecting your environment 24x7x365.  This is exactly what SpinOne was designed to do.

    With automated intelligence, SpinOne protects your HIPAA PHI from ransomware and other dangerous threats with automated threat detection, visibility, and remediation.


    Get a free trial or request a demo now!

