Skip to content

HIPAA Compliance in the Cloud: Tips for Keeping Your Business Safe

4 minute read

General Google Apps Green

For today’s post, we’re joined by James Ferreira from Ignite Synergy and Michael Herrick from HIPAA.HOST to discuss several security features of Google Apps for Work, and how you can keep your business safe and in compliance with security regulations.  

Do you know which industry is the number one target of cybercrime, data breaches, and identity theft? It’s not retail or finance. According to the Identity Theft Resource Center, data breaches have impacted healthcare more than any other business sector.

Healthcare practices and IT consultants who ignore their cybersecurity obligations could be risking enormous fines for HIPAA violations. A small cardiology practice in Phoenix paid a $100,000 HIPAA fine over an unsecured online calendar. Last year, an IT consultant paid a $90,000 fine for losing an unencrypted laptop full of a client’s healthcare data.

Google offers robust technologies that can help healthcare practices—especially small practices—manage risk, improve cybersecurity, and ensure HIPAA compliance. Here are some tips for leveraging the power of cloud computing in a secure and HIPAA-compliant manner:

Do a checkup on your paperwork

Sign a business associate agreement. Before you can hand patient data over to a consultant or to a cloud hosting provider—yes, this includes Google—HIPAA requires you to execute a special written contract known as a business associate agreement (BAA). The BAA requires the vendor to put safeguards in place to protect healthcare data and lower the risk of a breach.

Document everything in a written risk assessment. A proactive, enterprise-wide, written risk assessment is the foundation of HIPAA compliance. Your risk assessment has to document and describe the safeguards you have implemented to protect data in the cloud. If you don’t have that document, you’re not HIPAA-compliant, period!

Lock the front door

Enable two-factor authentication. This is the single most important cybersecurity control you can implement. Nothing will do more to protect you from cyber threats to patient privacy, including the most serious threat: social engineering. Google makes it easy to register your smartphone as an easy and effective two-factor control.

Secure documents that need to leave the domain

Document watermarking and password protection. Google has a simple and very effective way to share documents to other Google users, but sadly not everyone is on Google. In the case of document review between non-Google users, there’s a solution that provides security while also giving non-Google users access to important information. Watermark for Drive is a new App that works from the right-click option in the Drive files list and gives the user expanded capabilities. Watermarking allows several controls. First, there is a need to allow reviews for documents to be marked as Draft and such, so there is no question about the nature of the review. A watermark that utilizes a control number or person’s email address—if found in the wrong hands—could be traced back to the source of the data leak, even if the document is printed. Taking it a step further, password protection adds a level of security once the document leaves Google and is emailed or saved on a flash drive. Finally, by using Google’s “Disable options to download, print, and copy for commenters and viewers” feature, a user can apply a password, then publicly share a document and grant access to anyone, even non-Google users, with the password to access the document while still maintaining granular control. Here’s a video on using Watermark for Drive and installing Watermark for Drive.     

Don’t let it get out in the first place

For Google Apps Unlimited customers, Google Data Loss Prevention (DLP) gives businesses the ability to detect emails that contain sensitive information like credit card and bank account numbers. These checks don’t just apply to email text, but also to content inside common attachment types. The built in detectors are a good start, but creating a truly robust DLP system will take some effort. Google does give us this ability in the form of custom detectors, which can be written as Regular Expressions. These Regex statements are tricky to write and require a thorough review of the data that should be prevented from leaving the organization. Ignite Synergy and work together especially well when it comes to DLP for healthcare by coupling solid data analytics with great code writing. (And if you’d like to run audits detecting confidential data on your domain and then automate remediation actions, BetterCloud can help you do that—click here to learn more.)

Done right, cloud services can get cybersecurity risks off your network and out of your office.

James Ferreira imageJames Ferreira, previously the CIO at the New Mexico Attorney General’s Office, is a Google Developers Expert and O’Reilly author who has published two books about Google Apps Script. Currently James is a managing partner at Ignite Synergy, helping businesses with their integration into the cloud through education, consulting, and custom software development.
Michael HerrickMichael Herrick is the founder of, strategic risk management for healthcare. guides healthcare practices and IT vendors through the complexities of cybersecurity strategy and HIPAA compliance.


Sign up for our newsletter