Healthcare Technology Vendor News

Is Google Calendar HIPAA Compliant?

Is Google Calendar HIPAA compliant? Can the time management and calendar scheduling service be used by healthcare organizations or would use of the service be considered a violation of HIPAA Rules? This post explores whether Google supports HIPAA compliance for the Google Calendar service.  

Google Calendar was launched in 2006 and is part of Google’s G Suite of products and services. Google Calendar could potentially be used for scheduling appointments, which may require protected health information to be added.

Uploading any protected health information to the cloud is not permitted by the HIPAA Privacy Rule unless certain HIPAA requirements have first been satisfied.

A risk analysis must be conducted to assess potential risks to the confidentiality, integrity, and availability of ePHI. Risks must be subjected to a HIPAA-compliant risk management process and reduced to an acceptable level. Access controls must be implemented to ensure that ePHI can only be viewed by authorized individuals, appropriate security controls must be in place to prevent unauthorized disclosures, and an audit trail must be maintained.

Further, healthcare organizations covered by HIPAA Rules are required to enter into a HIPAA-compliant business associate agreement with any vendor before any electronic protected health information is disclosed, even if the service provider says it does not access customer data.

Google has appropriate security controls in place to protect data uploaded to Google Calendar and access and audit controls can be configured, so Google Calendar HIPAA compliance hinges on whether Google is willing to enter into a business associate agreement with HIPAA-covered entities or their business associates.

Google’s Business Associate Agreement

Google is willing to sign a business associate agreement with healthcare organizations for its paid services, but not for any of its free services. The business associate agreement covers the use of G Suite, and includes Google Calendar, Google Drive, the chat messaging feature of Google Hangouts, Hangouts Meet, Google Keep, Google Cloud Search, Google Sites, Jamboard, and Google Vault services.

HIPAA-covered entities must enter into a BAA with Google prior to any of the above services being used with ePHI. Once a signed BAA has been obtained the services can be used, although it is the responsibility of the covered entity to ensure that the services are used in a manner compliant with HIPAA Rules. Google provides a HIPAA-compliant service, but it is still possible for organizations and employees to violate HIPAA Rules using its services.

Is Google Calendar HIPAA Compliant?

So, is Google Calendar HIPAA compliant? Provided a BAA has been obtained, Google Calendar can be considered a HIPAA compliant time management and calendar scheduling service.

The post Is Google Calendar HIPAA Compliant? appeared first on HIPAA Journal.

SpamTitan v7.00 Release Sees Bitdefender Used as Primary AV Engine

TitanHQ has announced the release of a new version of its leading spam filtering solution SpamTitan. SpamTitan v7.00 includes several important updates to better protect users from malicious emails and known threats, including patches for recently discovered vulnerabilities in the ClamAV anti-virus engine.

One of the notable changes in the new version is a change to the primary anti-virus engine. SpamTitan v7.00 now offers award-winning anti-malware and ransomware protection through Bitdefender.

The change to the Romanian-based antivirus company is part of a growing strategic relationship with the firm that will see further collaboration over the coming weeks and months. The secondary AV engine will continue to be provided by ClamAV. TitanHQ has confirmed that support for Kaspersky AV – the primary AV engine on previous releases of SpamTitan – will stop from May 1, 2018.

TitanHQ said its mission is “to provide secure, reliable and affordable security solutions to our partners and customers. Our team continually develops our product suite, implementing customer feedback and feature requests into new product releases.”

All new customers signing up for spam and phishing protection with SpamTitan will be protected by SpamTitan v7.00. The updated version has also been pushed out to existing customers that have prefetch of system updates enabled. The new version will appear in the list of available updates. If the prefetch option is disabled, users must manually check for available updates via their user interface.

TitanHQ has also announced that support for versions 4 and 5 of SpamTitan will stop on May 1, 2018, giving users less than two months to upgrade to the new version; however, users should update to the latest version as soon as possible for the best level of protection.

The latest version addresses 7 known vulnerabilities in ClamAV (CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377, CVE-2017-12378, CVE-2017-12379, and CVE-2017-12380) and also includes security updates for packages including openssl, openssh, php, and wget. ClamAV has also been updated to version 0.99.3, which resolves potential DoS attacks.

Before installing, existing customers should read all release notes that apply to versions of SpamTitan later than their current installation. TitanHQ notes that users must first upgrade to SpamTitan v6.15 before upgrading to v7.00. Cluster installations require the patch to be applied to all nodes in the cluster.

The update will take approximately 10-20 minutes to complete, during which time appliances should not be rebooted.

The post SpamTitan v7.00 Release Sees Bitdefender Used as Primary AV Engine appeared first on HIPAA Journal.

PhishMe Rebrands as Cofense and Announces Acquisition by Private Equity Syndicate

PhishMe, the leading provider of human phishing defense solutions, has announced that from February 26, 2018, the firm will be known as Cofense. Along with the name change, the firm has announced it has been acquired by a private equity syndicate, which valued the firm at $400 million.

PhishMe was formed in 2007 with the aim of developing products and services to tackle the growing threat from phishing. Employees have long been viewed as the weakest link in security, yet the human element of security defenses was often neglected. Over the years, PhishMe developed its products and services to help companies improve their last line of defense and turn security liabilities into security assets.

PhishMe has helped thousands of organizations improve their defenses against phishing through training and phishing simulations. The firm has also developed a range of associated products and services including a reporting platform that has now been adopted by more than 2 million users, as well as incident response and threat intelligence services.

While phishing defense is still at the heart of the company, the name change reflects the more comprehensive range of products and services now being offered and future plans for expansion of its enterprise-wide attack detection, response, and orchestration solutions.

The acquisition will help in that regard. With the backing of the private equity syndicate, the company’s finances have been secured and the firm is planning to expand and enhance its products and services and increase its global reach.

“This acquisition further strengthens the alignment between our management team, employees, and investors as we focus on building an enduring company,” explained Cofense co-founder and CEO Rohyt Belani. “With cybersecurity a top priority for organizations everywhere, our goal is to continue bringing innovative products to markets around the globe to help stop active attacks faster than ever.”

The post PhishMe Rebrands as Cofense and Announces Acquisition by Private Equity Syndicate appeared first on HIPAA Journal.