No, Gmail is not HIPAA-compliant

Google has made a big deal out of selling Google Apps as a way for health-care providers to securely store patients’ medical records. As of this writing Google will sign Business Associate Agreements for their Google Apps for Business customers — about five dollars per month.

This is great. While I can’t vouch for Google’s security practices firsthand, I assume that they keep their networks pretty well tied down. I’m not sure how appropriate Google Apps are for the purposes of health-care providers, and of course having a web-app provider that can be trusted is just one part of any system of private information storage. Anyone counting on a signed BAA to call themselves compliant is kidding themselves. As put so well at the Tame Your Practice blog, practitioners’ standards and practices have to be compliant — apps themselves are not.

What ought to be much clearer is that Google offers no form of secure email for communication between health-care providers and clients, or between anyone and anyone else, for that matter. Even if you pay Google and they sign your BAA, messages sent by Gmail are not encrypted en route between Google’s servers and someone else’s. They try, but they simply don’t control the whole message from end to end. Google Apps may secure your documents in a manner compatible with HIPAA-compliant practices, but Google will not secure your email messages. The only ways to meet the HIPAA requirements would be to get your clients to sign a Consent for Nonsecure Communications waiver or to use a third-party service or software to encrypt your email messages.

The Consent for Nonsecure Communications might cover your posterior legally, but it does NOT protect anyone’s privacy.

The bad news is a good thing

Frankly, it’s good that Gmail is terribly insecure. Gmail is just email. While Google has cooked up their own way of accessing email, they have not replaced or reinvented the global email network. While my hopes that Google+ might someday be something other than another walled garden didn’t pan out, Google has never pretended that they own email. They are competing in a field for which there is global infrastructure and apparently doing a very good job of it.

The bad thing is bigger than Google

So if it is good that one entity hasn’t achieved electronic-message hegemony, that still leaves us with the problem: email is fundamentally insecure. As has been pointed out for decades, it is much like putting all your communications on postcards without envelopes. It doesn’t matter how many armed guards you have carrying that postcard to the mailbox, anyone and everyone can read it while it is en route.[1]

What’s necessary is to encrypt the message before it gets sent in a way in which it can’t be read by anyone except the designated recipient. The problem with that? It’s slightly inconvenient.

Uh oh

Yeah, that’s right. And there is no way around it. It shouldn’t be surprising, either. If you want to give someone else access to your car, house, mailbox, or storage unit you usually have to give them a funny-shaped piece of metal with unique grooves and ridges that permits the rotation of a mechanism that unlocks whatever it is that you locked up. These items are known colloquially as keys.

To send messages that only the intended recipient can read, you also need keys. Instead of bits of metal, these keys are made of… well, bits. Just like the old-fashioned kind of key, cryptographic keys are funny-looking:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.5
Comment: Hostname: pgp.mit.edu

mQINBFGutp8BEADDCBH0pwZS8XLYTWRvOPTJ47nLrwTHF2F2VBJ/PeZGK8EUiCPCzBdlPs8M
C10m1bKRmNewfxlB8D36GSx2RASeFGsWm7BeBIOFqDKxLY78m1x4hvZKldk6qd511Np62mHN
eicdHh0t/oUzieiV3izeBG8PDkSq3PvWmQbYcbCiUOOzo984bKyo4wZnTLMZTgx6179NaSpY
Brm243AArhMTbWmeXTKQwQb+0z9+bup+SEnoWdHsAwOymsP9hWssR9PuPT93StBoZE4xr7/f

That’s not the entire key;[2] it actually goes on for quite a ways like that. But you shouldn’t actually ever have to look at it more than once or twice, and maybe not at all.

It gets a little bit more complicated. Explaining the ins and outs of encryption is beyond the scope of this post (and ultimately beyond my ability) but here is the cool part: the key that locks the message is not the one that unlocks it. Thanks to some very clever math developed back in the ’70s, you get to have a «master» key that unlocks all the rooms in your own cryptographic house, and give other people a key they can use for sending you a message, but which they can’t actually open any doors with. The analogy is already stretching thin, but you can think of it as handing out keys to a mail slot in your door; you need the house key to get in to read the letters.

Wait, did you say the ’70s?

Yeah. The common implementation, PGP, was released in 1991 by Phil Zimmermann. But the math he based it on was already decades-old. Don’t worry, so is the math that goes into the construction of airplanes, bridges, and automobiles.

PGP (or GnuPG, or any other implementation of the OpenPGP standard) isn’t the only way to do this kind of encryption, called public-key or asymmetric encryption, or even the only way to do it in email. In fact, this technology is in use almost everywhere on the Internet. It’s in use whenever you see the little green lock in your browser’s URL bar, and it secures the connection between your mail client (if you don’t use web-based email) and your mail server. It’s used in bank transactions and some instant/text message protocols.

So why won’t that work with email? Because those technologies don’t know who you are. They just know who they are talking to. Your browser doesn’t care whether it’s you or someone who stole your laptop; it just makes sure that no one else can listen in. When email makes hops from one server to another, only those two servers are having the encrypted conversation. The recipient and the next server along the way have a completely different encrypted conversation. Even if the transmission of the message is encrypted at every stage of the process, each and every server that takes part in the delivery has to decrypt the message in order to send it on to the next one.

However, using personal encryption, a message can be packed up so that it can only be read by the person it is intended for. Then you send that message by email, and it gets sent from server to server, but what each server along the way is looking at is a message that is already encrypted. It might seem like a belt-and-suspenders solution to do both, but so far few people use end-to-end encryption. Encrypting the communication between servers is at least better than nothing.
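To make the hop-by-hop versus end-to-end distinction concrete, here is an added Python simulation (not code from the original post). It uses only the standard library, so an HMAC-based keystream cipher stands in both for the TLS session cipher on each server-to-server link and, for the end-to-end layer, for encrypting to the recipient’s PGP key; the link keys, the recipient key and the sample message are all constructed.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream.
    Stand-in for a TLS session cipher; the same call both encrypts and decrypts."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        pad = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], pad))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt under key, prefixing a fresh random nonce to the ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)

def unseal(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])

def relay(message: bytes, link_keys: list, recipient_key=None):
    """Carry message over len(link_keys) encrypted hops (sender -> MTA -> ... -> recipient).
    Each hop decrypts its inbound link, records what it can now read, and re-encrypts
    for the next link. With recipient_key set, the sender first wraps the message end
    to end (stand-in for encrypting to the recipient's PGP key)."""
    payload = seal(recipient_key, message) if recipient_key else message
    visible_at_hop = []
    for link_key in link_keys:
        on_the_wire = seal(link_key, payload)      # TLS between this pair of servers
        payload = unseal(link_key, on_the_wire)    # receiving server strips the link layer
        visible_at_hop.append(payload)             # ...and this is what it can read
    delivered = unseal(recipient_key, payload) if recipient_key else payload
    return visible_at_hop, delivered

def plaintext_exposed(message: bytes, hops: int, end_to_end: bool):
    """Run the relay with constructed random keys; report which hops could read the
    plaintext and whether the recipient still received the original message."""
    link_keys = [os.urandom(32) for _ in range(hops)]
    recipient_key = os.urandom(32) if end_to_end else None
    visible, delivered = relay(message, link_keys, recipient_key)
    return [message in seen for seen in visible], delivered == message

if __name__ == "__main__":
    note = b"Patient: lab results attached"   # constructed sample message
    print("hop-by-hop TLS only:", plaintext_exposed(note, 3, end_to_end=False))
    print("end-to-end + TLS:   ", plaintext_exposed(note, 3, end_to_end=True))
```

With TLS alone every intermediate server reports the plaintext as readable; with the end-to-end layer added none of them does, yet the recipient still gets the original message in both runs.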

Wasn’t this about doctors?

It’s a bigger problem than just communication between medical professionals and patients, but it’s a good example of the kind of situation in which privacy is expected, but where people also want the convenience of email. Those who say that people with nothing to hide don’t need encryption haven’t thought through the basic idea of privacy. There are good reasons why doctors and patients, attorneys and clients, clergy and laity, parents and children, husbands and wives, employers and employees, and any number of other combinations of people who converse do so in private.

In the United States we have a set of laws collectively known as HIPAA which include a set of standards for privacy and security. Healthcare providers are rightly concerned about providing their clients with the convenience that consumers have come to expect when doing business, but have a higher responsibility for maintaining privacy than, say, an online bookstore does.

The need for privacy in communication with healthcare professionals is just one use-case, but it’s the use-case where there are currently a lot of professionals who are strongly motivated to find a solution.

Unfortunately, the «sign the waiver that says you don’t care if our communication is insecure» solution really isn’t a solution. What’s needed are general solutions that can be used for all cases.

Sadly, we’re back to encryption being slightly inconvenient and sort of hard for people to really understand. Implementations are a little clumsy, but one of the biggest hurdles shouldn’t be a hurdle. I don’t really understand public-key encryption. I’m up on most of the general concepts but most of the maths are way out of my league. First-year calculus was more than twenty-five years ago, and that was the last time I studied maths.

I also don’t know much more than the basics about how the laptop I’m using works, but that doesn’t stop me from typing.

But if encryption is going to become commonplace in email (and I think that it must) those of us who are comfortable using it are going to have to be generous with our time to help those who find it overwhelming. There’s a lot of information out there about how public key cryptography works, but very little of it is geared toward those who are just starting. Perhaps that’s a project worthy of future column-inches in Monochromatic Outlook but for the moment, I’ll throw out a few options:

PGP/OpenPGP/GnuPG

This is the strongest option, but it has a few drawbacks. There aren’t a lot of mail clients with built-in support for PGP. There are a number of add-ons and plug-ins available, but getting up and running with PGP generally means jumping through some hoops. Also, while this is strong encryption, there is no central authority for validating keys. Users are expected to confirm the keys directly with the people they communicate with. Again, this makes for better security, but requires more attention. GnuPG is the best place for most folks to start.

S/MIME

Cryptographically S/MIME is similar to PGP.[3] The difference is that S/MIME email encryption uses central certificate authorities, like web browsers do. This means that when you receive an S/MIME encrypted message, you have some indication that it was sent by who it claims it was sent by. The problem with that is that you have to trust the certificate authorities. It also means that you have to buy the certificates from the authorities, though there are a number of places to get free certificates for personal use. It’s a set of valid trade-offs. Although I prefer PGP, I do also use S/MIME. S/MIME has much wider email client support.

Third-party solutions

These may be the most convenient, but are my least favorite. My doctor uses Virtru which seems to work well, but it means opening up a browser window in order to read or send email to him. Also, I have to simply trust that this third party is really on the level. Presumably they have signed the nice BAA, but ultimately I think it’s a bad idea to count on a third party for privacy.[4]

That said, Virtru does seem to have some kind of integration with Google Apps for Work.

Special note about Gmail

The title of the post mentions Gmail, so I ought to wrap up with this. End-to-end encryption is very difficult with web-based applications. That’s unfortunate but it is true. There are browser plugins like Mailvelope (reviewed on LifeHacker) if you use Firefox or Chrome, but that doesn’t help MSIE users. And you have to trust the browser itself. Sure, they’re open-source, but who compiles their own binaries? Still better than nothing.

Other than by using a browser plugin, your only Gmail options are to use a third-party service, to manually encrypt each message, or to use a standalone mail application.[5]

Things are looking up for encryption. Between all the Snowden hype making encryption sexy (or at least adorkable) and the push for secure email by healthcare providers (and their customers, even if the customers don’t really know that’s what they are demanding) we may finally be seeing the beginning of the adoption of secure email standards and practices.

What stands in the way? Web-based email. That isn’t going away, but wherever there are problems, if there is enough desire to overcome them, solutions eventually present themselves. It’s just up to us to see those solutions and use them.


  1. An imperfect metaphor perhaps. Presumably the Post Office has custody over the postcard the whole time, but letter-carriers often have bins full of mail in plain sight in public. If your postcard is at the top of that bin, any passer-by might see it. With email your message may be handed from server to server, and the packets making up the message could conceivably travel all around the world through servers owned by (and this list is not exhaustive) big corporations who hope they can get away with that kind of data-mining, spammers, agencies of the United States government, agents of foreign governments, organized crime, private investigators, and amateur hackers.
  2. The whole thing can be found at the MIT public keyserver.
  3. Ok, technically, I think S/MIME refers only to the way in which the encrypted message is encoded in an email. However, in practice it refers to a broader set of key-management practices and… other stuff.
  4. There is an old saying: three can keep a secret if two are dead.
  5. In case it wasn’t clear, you can use almost any standalone email application with Gmail, and do your encryption through the client. That’s how I do it. When I refer to Gmail here, I have meant using web-based Gmail.
