Posts

Echo of Non-Compliance

Every day, we hear about new ways we can use our smart speakers. Retailers, radio stations, product companies, and others remind us that we can use our Amazon Echo or Google Home to buy, listen, or learn. The term “smart speaker”, however, is misleading. These are microphones and they are always listening. They are also likely recording everything they hear.

If you are covered by HIPAA or other privacy regulations, do not talk about protected information within earshot of Alexa.

This warning stems from a 2015 murder case in Arkansas. Believing that the Amazon Echo may have “heard” a murder, the District Attorney subpoenaed any recordings that Amazon may keep from the device. Amazon fought the decision on First Amendment and privacy rights, not by claiming that it was not recording. Amazon did not deny having recordings.

The issue for data privacy compliance is that your smart speaker may be listening to and recording conversations you have about protected information. Allowing this is a violation of HIPAA and other regulations protecting personal identifying information (PII).

When is your Amazon Echo recording?

The short answer is: we are not sure, but maybe always.

Looking at the Alexa Terms of Use, Amazon tells us “Alexa streams audio to the cloud when you interact with Alexa” and “Alexa uses recordings of your voice to create an acoustic profile of your voice characteristics.” Alexa use is also covered by the Amazon Privacy Notice, which states, “We receive and store any information you enter on our Web site or give us in any other way.”

While Amazon tells us they are recording your “Hey, Alexa” commands, the Terms of Use and Privacy Notice are a bit more ambiguous. Neither document tells us that Amazon records only when listening for and processing commands. Nor do the policies limit Amazon’s recording to those commands. We do not know, for sure, when Amazon is not recording what it hears on your Echo.

Better Safe Than Sorry

When speaking about sensitive or protected information, stay away from your “smart speaker” or manually mute the device.


One more thought: Ever notice how after certain conversations, you see ads on Facebook related to the topic discussed? Unless you turn off microphone access, Facebook is using your phone to listen to your conversations, analyze what you say, and profile you. Letting Facebook listen is another potential HIPAA and PII breach.



Email Encryption is Not Compliance

While providing a reasonable level of protection from inappropriate access to your data, the built-in encryption is not sufficient to meet information privacy regulations. Laws such as the Health Insurance Portability and Accountability Act (“HIPAA”), and industry regulations including the Payment Card Industry (“PCI”) standards, require more than data encryption.

Privacy laws and regulations typically include three components:

  1. Policies and procedures that, when followed, provide appropriate data protections
  2. A means to monitor compliance, with the ability to detect and mitigate potential violations of the policies and procedures
  3. A defined response and resolution procedure in the event of a breach

As explained in our eBook, Email Encryption in Google Apps, technology can support the implementation of these three components, but does not offer a full solution on its own.


Contact us to assess your email encryption needs and to define an affordable solution.



Expanding HIPAA Accountability

As more businesses provide health care coverage, or assist employees in obtaining coverage, under the Affordable Care Act, we find ourselves possessing and managing even more sensitive personal information about our employees. And, while we are not working with medical records, per se, we are often exposed to insurance account and activity information that cannot be disclosed.

Communications with your insurance broker or carrier should be secure — from end to end.

The good news is that you have options.

  • Policy-Based TLS Encryption
    • If your broker or carrier is willing to share some technical information, you can set up policy-based TLS encryption that will forcibly encrypt all emails between your email service and theirs.
    • They will likely need you to prove, or certify, that you encrypt data from your email service to your end users on every platform.
    • Policy-Based TLS Encryption is part of Google Apps, but not every email service is capable.
    • This is the lowest cost, but most technical solution.
  • Manual Encryption Tools
    • Third party apps, like Virtru, let users encrypt email messages before they are sent.
    • They are inexpensive and easy to use, and can also track when messages are opened or forwarded.
    • They are NOT foolproof, as they depend on users knowing what must be encrypted and remembering to do so — every time.
    • This is the lowest cost solution, but most susceptible to an accidental breach.
  • Automated Encryption Tools
    • Integrated email encryption solutions, like Zixmail, give users the ability to flag messages for encryption.
    • They also use heuristics to scan all email traffic, identifying those that should be encrypted and doing so automatically.
    • While slightly more expensive, these tools effectively monitor policy compliance and mitigate your risks.

Select the type of encryption solution you need, based on how your business operates and who is responsible for keeping information private.



Unlike many providers, we offer each type of email encryption service on a per-user basis. Most businesses have a limited number of staff working with sensitive information; we can provide these users with encryption services. Our approach provides the protection you need and respects your budget and priorities. Contact us to learn more.



4 Questions to Ask When Selecting an Email Encryption Solution

Once you determine who within your organization should be using email encryption to secure sensitive and protected information, you need to select from a sea of vendors all claiming to be the “leading” provider.

Here are four (4) questions to ask when selecting an email encryption solution:

1) Does the solution include a hosted, shared email encryption network?

Encrypting every email is hard, expensive, and does not accommodate the way most of us work. Using passwords and accessing portals are extra steps that take time and can create frustration. A shared email encryption network ensures that 100% of emails sent within the network are secured without any additional actions required by the sender or the recipient.

2) Does the solution offer policy-based encryption filters?

Most encryption solutions rely on users to trigger encryption by clicking a button or putting a tag into the subject line. Even if users understand every scenario that warrants encryption, they are likely to miss a few along the way. Solutions with policy-based encryption filters scan and automatically encrypt messages that contain sensitive information. The best solutions provide standard heuristics for common regulatory requirements and let you create custom policies to meet your business’ specific needs.
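To make the policy-based filter described here (and the heuristic scanning mentioned under Automated Encryption Tools above) concrete, the following is an added Python example, not code from this page or from any vendor product: a small gateway rule set with standard heuristics for PHI terms, Social Security numbers and Luhn-valid card numbers, plus one custom business policy. The patterns, the hypothetical broker account format and the sample messages are all constructed for the example.

```python
import re
from typing import Callable, List, Tuple

# Standard heuristics (constructed for this example; a real product ships its own).
PHI_RE = re.compile(r"\b(?:diagnosis|patient id|mrn|prescription)\b", re.IGNORECASE)
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")  # 13-16 digits, optional separators


def luhn_ok(number: str) -> bool:
    """Luhn checksum; rejects digit runs (order or phone numbers) that only look like cards."""
    total = 0
    for i, ch in enumerate(reversed([c for c in number if c.isdigit()])):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def has_card_number(text: str) -> bool:
    return any(luhn_ok(m.group()) for m in CARD_RE.finditer(text))


# A policy is a name plus a predicate over the message body.
Policy = Tuple[str, Callable[[str], bool]]
STANDARD_POLICIES: List[Policy] = [
    ("hipaa-phi", lambda body: PHI_RE.search(body) is not None),
    ("pii-ssn", lambda body: SSN_RE.search(body) is not None),
    ("pci-card", has_card_number),
]
# Custom business rule: hypothetical broker account reference format (assumption).
BROKER_POLICY: Policy = ("broker-acct", lambda body: re.search(r"\bACCT-\d{6}\b", body) is not None)


def matching_policies(body: str, policies: List[Policy] = STANDARD_POLICIES) -> List[str]:
    """Names of every policy that fires; a gateway would log these for compliance monitoring."""
    return [name for name, predicate in policies if predicate(body)]


def should_encrypt(body: str, policies: List[Policy] = STANDARD_POLICIES) -> bool:
    """Encrypt whenever any policy fires, whether or not the sender tagged the message."""
    return bool(matching_policies(body, policies))


# Constructed sample messages.
CLAIM_MSG = "The claim for patient ID 44812 was denied; diagnosis code attached."
CARD_MSG = "Card on file: 4111 1111 1111 1111, exp 12/27."
LUNCH_MSG = "Lunch Friday? Order 1234-5678 is confirmed, call 555-0100."
ACCT_MSG = "Please update ACCT-204911 before renewal."
```

The Luhn check is what keeps the card rule from firing on every long digit string; the custom policy shows how a rule the standard heuristics do not know about is added alongside them.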

3) Is the solution easy to use?

Email is a business tool, and email encryption is no different. Ideally, the solution should be easy to use for sender and recipient. Difficult processes result in mistakes, compliance breaches, lost productivity, and users circumventing the system. Easy-to-use solutions foster adoption and compliance by automatically encrypting messages, decrypting inbound messages at the gateway, and ensuring that replies and forwards get encrypted as well.

4) Is the solution provider awesome?

Choosing an email encryption provider is a long-term commitment and the lowest price is not always the best deal. Make sure your provider is trusted by others in your industry. Check to ensure their infrastructure has certifications and accreditations, such as SysTrust/SOC 3 or PCI Level 1. Make sure the solution can be deployed quickly and that your provider supports your deployment technically and with user training. Verify that your provider will support you on an on-going basis and minimize the resources required from you and your team.



We offer multiple email encryption solutions. Contact us to discuss your needs and explore the solution best for you and your business.



HIPAA Compliance with Google Apps Just Got Easier

One of the challenges of using any IT service is the set of external requirements for data use and privacy. Among the most restrictive are those imposed by the Health Insurance Portability and Accountability Act (HIPAA). HIPAA regulations are intended to ensure that data is private, protected from accidental or intentional breach, and shared only as needed to ensure appropriate medical care.

One aspect of HIPAA requires entities to execute a Business Associate Agreement (BAA) with any organization with which Protected Health Information (PHI) is shared. Sharing includes not only data provided to other medical professionals, but also data stored on systems or managed by services. The BAA defines each party’s roles and responsibilities with respect to data protection and privacy, and accountability in the event of any inappropriate breach or release.

For organizations using Google Apps for Business, Education, or Government, documenting HIPAA compliance just became easier.

Google Apps administrators may now complete and execute a BAA with Google covering key services in Google Apps, specifically:

  • Gmail
  • Calendar
  • Drive
  • Google Apps Vault

The BAA does not cover other services within Google Apps, nor does it cover third-party or marketplace applications.  As such, signing the BAA and implementing Google Apps as part of a HIPAA compliant infrastructure still requires planning, policies and procedures, and an examination of other systems and applications.

Contact us to learn more.