This. Severely limit attachment sizes. Or, if worse comes to worst, look into a secure email option such as Virtru. My last job purchased it, and my boss was able to configure it so that it could look for keywords or phrases in the email body (for example, SSN or other easily-identifiable PII patterns would flag on Virtru). It has a lot of config settings available, and allows the admin to force all email to be encrypted, or just attachments, or a number of other settings. It has an extension for Outlook, as well as a Chrome extension if you're like my old workplace and use G Suite services.
HIPAA doesn't protect you from having your information shared once identification information is stripped.
> In order to strip personally identifiable information (PII), HIPAA requires organizations to use a process called de-identification. De-identified information must have names, dates, numbers and other PHI listed above removed, along with any other information that might expose the patient’s identity. Once that information has been removed, the data can be used outside of treatment.
Unless you wrote something like "because 383 W Addison, Chicago is a shitty place to raise a child" your reason could likely be shared without your consent -- in isolation from other personal details.
Alright, a question and a feature suggestion (which you should feel free to ignore, it's unsolicited).
Are you guys going to switch up the TV/YouTube ads some time soon? I haven't seen many, which means y'all understood that the "Here's to Change" commercials weren't working.
I feel like the flagship One lineup lends itself well to emotional commercials, like the iPad Air ones. Maybe slightly less intense: a couple dancing to music playing from the phone in the rain, a man taking a Zoe of his kids dancing in the moonlight, maybe a guy taking a 360 panorama in some beautiful starscape, something like that.
Believe it or not, that wasn't even my suggestion! Online privacy is a big thing now; have you guys ever considered doing email encryption (similar to what Virtru and a few other companies do)?
Hi Trai. I've tried doing research on EasyCrypt, but haven't found much. There's no information I can find on the owners/developers, for example. Knowing the owners' names and the company address/registration info might help with trust.
EasyCrypt seems practically identical to a US service called Virtru, though Virtru now focuses on biz email protection. They offer a free consumer version for gmail only. (I believe they used to offer a broader consumer version.)
Perhaps they are a partner using the Virtru tech? Virtru does work with partners, and it would make sense to have the service operate out of Switzerland instead of the US.
u/EasyCrypt could you provide this information? Your service sounds compelling, but it's hard to trust just anyone.
Yea. Why would they only encrypt traffic one way?
>Dropbox encryption uses 256-bit AES keys to protect files at rest, and encrypts data in motion with 128-bit AES SSL/TLS encryption or better. Google Drive encryption is similar; files in motion are protected using 256-bit SSL/TLS encryption, while those at rest are encrypted with 128-bit AES keys.
If it's a Google account to a Google account, this is encrypted, so not a major worry, but if it goes outside their network, it will depend on the receiving email server, I think.
I use https://www.virtru.com/ on a Google Workspace account and it works really well. I'm not sure if it works for normal Gmail accounts, but you could try.
Read the following for more
Is Gmail fully encrypted?
Google's standard method of Gmail encryption is something called TLS, or Transport Layer Security. As long as the person with whom you're emailing is also using a mail service that also supports TLS — which most major mail providers do — all messages you send through Gmail will be encrypted in this manner.
https://www.computerworld.com/article/3322497/gmail-encryption.html
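The hop-by-hop nature of the TLS described in the quoted article shows up in a message's own Received: headers: each MTA records the protocol it accepted the message with (ESMTPS or ESMTPSA mean the session was STARTTLS-protected, plain ESMTP or SMTP mean it was cleartext). The Go program below is an added illustration, not part of the comment above and not tooling from Gmail or Virtru: it parses a constructed header block and flags any hop that ran without TLS. The hostnames, IPs and queue IDs in the sample are made up, and it generalises to any Received chain, not only the Gmail case.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hop is one MTA-to-MTA delivery as recorded in a Received: header.
type Hop struct {
	From     string // host that handed the message over
	By       string // host that accepted it and wrote the header
	Protocol string // the "with" token: ESMTP, ESMTPS, ESMTPSA, SMTP, ...
	TLS      bool   // true when the session was STARTTLS/SMTPS protected
}

var (
	reFrom = regexp.MustCompile(`\bfrom\s+(\S+)`)
	reBy   = regexp.MustCompile(`\bby\s+(\S+)`)
	reWith = regexp.MustCompile(`\bwith\s+(\S+)`)
	// ESMTPS, ESMTPSA, SMTPS and UTF8SMTPS mean TLS; ESMTP, ESMTPA and SMTP do not.
	reTLS = regexp.MustCompile(`(?i)^(utf8|e)?smtps`)
)

// unfoldHeaders joins RFC 5322 continuation lines and stops at the blank line before the body.
func unfoldHeaders(raw string) []string {
	var headers []string
	for _, line := range strings.Split(raw, "\n") {
		if line == "" {
			break
		}
		if (strings.HasPrefix(line, " ") || strings.HasPrefix(line, "\t")) && len(headers) > 0 {
			headers[len(headers)-1] += " " + strings.TrimSpace(line)
			continue
		}
		headers = append(headers, line)
	}
	return headers
}

// ParseHops returns hops oldest-first; MTAs prepend Received:, so the topmost header is the final hop.
func ParseHops(raw string) []Hop {
	var hops []Hop
	for _, h := range unfoldHeaders(raw) {
		if !strings.HasPrefix(strings.ToLower(h), "received:") {
			continue
		}
		var hop Hop
		if m := reFrom.FindStringSubmatch(h); m != nil {
			hop.From = m[1]
		}
		if m := reBy.FindStringSubmatch(h); m != nil {
			hop.By = m[1]
		}
		if m := reWith.FindStringSubmatch(h); m != nil {
			hop.Protocol = m[1]
		}
		// Postfix and Exim also write the negotiated version explicitly; accept that too.
		hop.TLS = reTLS.MatchString(hop.Protocol) || strings.Contains(h, "version=TLS")
		hops = append(hops, hop)
	}
	for i, j := 0, len(hops)-1; i < j; i, j = i+1, j-1 {
		hops[i], hops[j] = hops[j], hops[i]
	}
	return hops
}

// UnencryptedHops returns the hops that ran in cleartext.
func UnencryptedHops(hops []Hop) []Hop {
	var out []Hop
	for _, h := range hops {
		if !h.TLS {
			out = append(out, h)
		}
	}
	return out
}

// sampleHeaders is a constructed header block; hosts, IPs and queue IDs are made up.
const sampleHeaders = `Received: from smtp-out.sender.example (smtp-out.sender.example [203.0.113.5])
    by mx.example.net (Postfix) with ESMTPS id 4F2A1C0012
    for <bob@example.net>; Tue, 3 Oct 2023 14:02:11 +0000 (UTC)
Received: from legacy-relay.partner.example (legacy-relay.partner.example [192.0.2.10])
    by smtp-out.sender.example with ESMTP id abc123
Received: from workstation.partner.example (workstation.partner.example [192.0.2.25])
    by legacy-relay.partner.example with ESMTPSA id xyz789
    (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256)
From: alice@partner.example

body text
`

func main() {
	hops := ParseHops(sampleHeaders)
	for i, h := range hops {
		fmt.Printf("hop %d: %s -> %s via %-8s tls=%v\n", i+1, h.From, h.By, h.Protocol, h.TLS)
	}
	fmt.Printf("cleartext hops: %d\n", len(UnencryptedHops(hops)))
}
```

Two caveats when using this on real mail. Received: lines are written by each MTA in turn, so every hop before your own edge can forge or omit them; the only line you can trust is the one your own server added, which makes this useful for auditing what arrived at your gateway or for checking your own outbound path, not as proof about the far end. And a TLS flag on every hop still means the message sat decrypted on each server along the way, which is the gap that end-to-end tools exist to close.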
It is an addon, but I'd suggest using https://www.virtru.com/ - have been using it for the last few months without a hassle and it works really well :)
If the other user does not have it, they do require a PIN, but that's better than phone numbers, I feel.
> Only you and your recipients will have the keys.
This is actually a straight out lie. From their Government Surveillance FAQ
> However, you’re entrusting us to help you maintain your privacy; you should know how we will respond if the government asks us for access to your encryption keys. The government would need those keys if it wanted to read any encrypted files it does obtain. Without them, the files are useless
Therefore, Virtru has your encryption keys. How long they keep them, under what situations they divulge them, what security exists around those keys, are all open questions. Considering that their How it Works Page has a flat out lie in the second sentence:
> Only you and your recipients will have the keys
I would assume that anything else they say is also bullshit.
Depends mostly on your definition of the word “Secure” and your definition of “sensitive information”.
Some companies don’t like the idea of cloud file storage unless everything is encrypted and ONLY they hold the decryption keys. This is sometimes known as “Zero knowledge” or “host-proof” storage.
Google Drive, by default, is not this level of private storage, since Google still holds a decryption key for your files. There are, however, ways to fully encrypt Google Drive contents.
Google has client-side encryption available: https://support.google.com/docs/answer/10519333?hl=en
There are also third-party tools : https://www.virtru.com/google-drive-encryption/
That makes sense and I'll look into it. I recently stumbled upon Virtru that seems to be compliant with CMMC and other compliance solutions like ITAR and it is FedRAMP moderate already.
But now it comes back to this: with a great solution like this, is it now okay to send CUI via email through a solution like this? I feel like I may be at the information overload stage at the moment.
Hey, thanks for the reply! I think you are confusing Google's native encryption (S/MIME) with Virtru's software as a service. Virtru is a third party and is completely separate from Google. Google has an S/MIME encryption offering in their enterprise SKU, which is the article you sent over. That would require you to upload certificates and provide Google access to keys, but to clarify, that doesn't have any affiliation with Virtru; that is a completely native solution to Google. Our key management will prevent any third party, including both Google and Virtru, from accessing content you share. If you want to learn more about our key management, which is fully hosted, you can learn more about that at the link below. https://www.virtru.com/encryption-key-management/
I did take a look at e-faxing a tad bit. We have faxes coming in nonstop; I can probably tell you that on a given day, between ONLY our analog faxes, we get about 200 faxes. Some of these faxes are shared between departments and providers. The good thing about the analog is that even when our net went down (Windstream fucked up somewhere) we were still able to get the job done with the analog lines, and that's why I was looking at this 4G solution.
HIPAA regulations are outdated as fuck. I have implemented Virtru ( https://www.virtru.com/ ) in our establishment and hell, with what it offers, it's still better than fax and more secure.
> Android by default encrypt its data
Android encryption is not enabled by default on newer phones, but activating it is very simple. First, enable a PIN by going to Settings → Security → Screen lock → PIN, and choosing a number you can remember (alternately, you can use a pattern or password to unlock your phone).
The thing is, releasing such information is done all the time when there are measles cases. You will see things like "Be aware of any symptoms if you were at LOCATION at TIME." None of this is [protected health information under HIPAA or personally identifiable information in general](https://www.virtru.com/blog/personally-identifiable-information-hipaa/)
At a minimum they should be telling people the major locations people with the virus have visited in the week before they became symptomatic.
Wow, you really downplayed the issue so hard here.
Encrypting emails is not a thing that your average Joe will do with a personal computer and his personal email. Now, this average Joe will encrypt the email of his work Mac and his work email. Encrypting emails is a thing in the corporate world, whether that's a native solution like what Apple has, or with a third party service like Virtru.
My company doesn’t use Apple Mail for encryption, so I’m not worried, but I can imagine any IT team who do have departments using Apple Mail cursing at Apple
Sensitive personal information should be protected.
https://www.virtru.com/blog/personally-identifiable-information-hipaa/
> HIPAA uses the term Protected Health Information (PHI) to refer to protected data, but the concept is very similar to the term Personally Identifiable Information (PII), which is used in other compliance regimes. Understanding how PII and PHI overlap can help organizations unify compliance efforts across regimes, reducing the risk, cost and complexity of keeping data safe.
The stuff in this article sounds so unethical, like, beyond illegal. How on earth did identifying information get into this spreadsheet? Who requested it, who wrote the specification?
You might also have seen this already, but thought I'd share just in case. Our CTO wrote this blog post which hopefully answers some of your questions or concerns https://www.virtru.com/blog/introducing-developer-hub/. If not I'd be happy to receive them, take them back to the team and discuss how we can improve our communication.
Here's a catch-22: Google Education customers are not allowed access to the Enterprise functions, which include compliance rules and S/MIME encryption. The company Virtru does have a solution, but since they have no servers in the EU and are not on Privacy Shield, they can't be used either. There are other software solutions, but many require more logins to use; if we make it complicated for the end users, it makes it difficult to implement. What are schools in the EU to do on this?
Essentially, any data leaving the network via email is encrypted, with rules which determine decryption upon arrival. Meaning that in transit the information is secure.
Each service varies slightly, but that's the overall gist. Virtru sums it up best on their site. Their service is the best imo.
Look into Virtru.
I'm not sure that your client will want to use email in this way as it's a hassle for everyone outside of their organization. But this will do exactly what you're asking.
Virtru has the ability to set an expiration date on a message, or immediately revoke a message if it was sent erroneously.
The reason it's such a hassle is that people will need to verify they are the owner of their email account before they will be allowed to view the contents of a message that is sent using Virtru.
If a recipient installs the Virtru plugin (assuming they receive a lot of email via Virtru) then they don't have to keep on proving that they own the account. But this is not something most recipients will understand how to do.
Without the Virtru plugin this will be a hassle for the people who don't normally receive messages via Virtru.
Also, it can confuse recipients who have never received an encrypted message. They get an email that says they must sign in to view the contents of the message. They don't understand what the email is telling them to do. So they might just ignore the email or delete it.
Virtru does have the ability to only be turned on when the sender wants it on though. So if senders only used it for sensitive data, that would be an ideal use case.
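Three of the comments above describe two sides of one design trade-off: the comment quoting Virtru's surveillance FAQ (the service can hand keys to the government, so it must hold them), the one on "zero knowledge" or "host-proof" storage (the provider holds only ciphertext), and this one on expiring and revoking sent messages. The Go sketch below is an added example written for this page, not code from Virtru or any other product; the KeyService, keyRecord, Register and Release names are my own. Seal and Open are what a host-proof client does locally, so whatever the provider stores it cannot open without the key it never received. KeyService is the server-mediated model: it holds every message key and releases it only to a listed recipient, before expiry and until revoked, which is exactly what makes those features enforceable and exactly why the operator can decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// Seal encrypts with AES-256-GCM, prepending the random nonce. In the host-proof
// model this runs on the client and the provider only ever stores the blob.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; it fails on tampering or on any key but the right one.
func Open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

type keyRecord struct {
	key        []byte
	recipients map[string]bool
	expires    time.Time
	revoked    bool
}

// KeyService is the server-mediated model: it holds every message key and releases it
// subject to policy. Holding the key makes expiry and revocation enforceable; it is
// also why the operator, not only sender and recipients, can decrypt.
type KeyService struct{ records map[string]*keyRecord }

func NewKeyService() *KeyService { return &KeyService{records: map[string]*keyRecord{}} }

func (ks *KeyService) Register(msgID string, key []byte, recipients []string, expires time.Time) {
	rec := &keyRecord{key: key, recipients: map[string]bool{}, expires: expires}
	for _, r := range recipients {
		rec.recipients[r] = true
	}
	ks.records[msgID] = rec
}

func (ks *KeyService) Revoke(msgID string) {
	if rec := ks.records[msgID]; rec != nil {
		rec.revoked = true
	}
}

// Release hands out the key only to a listed recipient, before expiry, unless revoked.
// requester stands in for the identity a real service authenticates (the "prove you own
// this mailbox" step recipients are asked to complete).
func (ks *KeyService) Release(msgID, requester string, now time.Time) ([]byte, error) {
	rec, ok := ks.records[msgID]
	switch {
	case !ok:
		return nil, fmt.Errorf("unknown message")
	case rec.revoked:
		return nil, fmt.Errorf("message revoked by sender")
	case now.After(rec.expires):
		return nil, fmt.Errorf("message expired")
	case !rec.recipients[requester]:
		return nil, fmt.Errorf("requester is not a recipient")
	}
	return rec.key, nil
}

func main() {
	key := make([]byte, 32)
	rand.Read(key)
	blob, _ := Seal(key, []byte("constructed sample: lab result for patient 42"))
	ks := NewKeyService()
	ks.Register("msg-1", key, []string{"bob@example.net"}, time.Now().Add(24*time.Hour))
	ks.Revoke("msg-1")
	_, err := ks.Release("msg-1", "bob@example.net", time.Now())
	pt, _ := Open(ks.records["msg-1"].key, blob) // the operator still holds the key
	fmt.Printf("recipient after revoke: %v; operator reads %q\n", err, pt)
}
```

The point to take from it is not that either model is wrong. A product that can expire or revoke a message after it has been sent has to mediate each access to it, by holding the key (as Virtru's FAQ says it does) or the content, so the useful questions are the ones the earlier comment raises: who can operate the key service, what it logs, and under what process it releases keys to anyone other than the recipients.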
> I'm not planning to do anything remotely illegal, just hate that private companies are trying to collect everything we do online.
Your digital shadow follows you through your whole life, and could have consequences for your job seeking, your job promotions, your bank loans, your visa applications, your border crossings, online prices (airplane tickets, hotel rooms, etc.)... there is nothing wrong or illegal about minimizing your digital shadow.
> https://www.virtru.com/blog/online-privacy/
Google has a partnership with ZixCorp to provide integrated message encryption, but I have no first-hand experience with the solution. Otherwise, I've seen Virtru recommended, which you are already familiar with.
Well, if people were encrypting their 'Linux ISOs' on Bitcasa they were dumbasses... lol. It's one thing to encrypt your nudes, but these ass clowns uploading 40TB media collections to ACD and G Drive with encfs or rclone crypt because they don't want to get their ish deleted are gonna kill the golden goose for everyone, since they will make it so cost-ineffective for the providers.
"To their credit, both Dropbox and Google Drive protect user files with encryption"
Not saying the security is good enough to be trusted for important things (newdz) but it's certainly good enough to keep google from deleting your account for an extensive collection of FedoraCore Pawnography
+1 for Virtru. They also have a HIPAA Compliance Rule Pack, which allows you to configure encryption rules/automatic warnings when messages contain specific content types: https://www.virtru.com/resources/hipaa-compliance-rule-pack/
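Both the first comment on this page (configuring Virtru to flag SSNs and other PII patterns in the body) and the rule pack mentioned here come down to content rules: a list of patterns and keywords evaluated against each outgoing message, with an action per rule. The Go program below is an added example of how such a rule set works, not Virtru's implementation or its rule pack; the rule names, the MRN format, the keyword list and the sample messages are constructed for illustration. It validates SSN candidates against the ranges the Social Security Administration never issues (area 000, 666 and 900-999, group 00, serial 0000), which removes the most obvious false positives a bare regex produces.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Action is what a matching rule asks the mail gateway to do.
type Action string

const (
	None    Action = "none"
	Warn    Action = "warn"    // prompt the sender before sending
	Encrypt Action = "encrypt" // force encryption of the message
)

// Rule pairs a pattern with an action; Valid, if set, filters regex matches
// that are syntactically right but cannot be real (cuts false positives).
type Rule struct {
	Name   string
	Re     *regexp.Regexp
	Action Action
	Valid  func(match string) bool
}

// Hit records one rule firing on a message.
type Hit struct {
	Rule   string
	Match  string
	Action Action
}

// validSSN rejects numbers the SSA never issues: area 000, 666 or 900-999,
// group 00, serial 0000.
func validSSN(s string) bool {
	p := strings.Split(s, "-")
	area, _ := strconv.Atoi(p[0])
	group, _ := strconv.Atoi(p[1])
	serial, _ := strconv.Atoi(p[2])
	return area != 0 && area != 666 && area < 900 && group != 0 && serial != 0
}

// Rules is a small constructed rule set in the spirit of a HIPAA rule pack.
var Rules = []Rule{
	{Name: "ssn", Re: regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`), Action: Encrypt, Valid: validSSN},
	{Name: "mrn", Re: regexp.MustCompile(`(?i)\bMRN\s*[:#]?\s*\d{6,10}\b`), Action: Encrypt},
	{Name: "phi-keyword", Re: regexp.MustCompile(`(?i)\b(diagnosis|prescription|lab results?|patient)\b`), Action: Warn},
}

// Scan runs every rule over the subject and body and returns all hits.
func Scan(subject, body string) []Hit {
	text := subject + "\n" + body
	var hits []Hit
	for _, r := range Rules {
		for _, m := range r.Re.FindAllString(text, -1) {
			if r.Valid != nil && !r.Valid(m) {
				continue
			}
			hits = append(hits, Hit{Rule: r.Name, Match: m, Action: r.Action})
		}
	}
	return hits
}

// Decide picks the strongest action: encrypt overrides warn, warn overrides none.
func Decide(hits []Hit) Action {
	out := None
	for _, h := range hits {
		if h.Action == Encrypt {
			return Encrypt
		}
		if h.Action == Warn {
			out = Warn
		}
	}
	return out
}

// Constructed sample messages; the identifiers are not real.
var samples = []struct{ subject, body string }{
	{"Re: lunch", "See you at noon, room 101-b."},
	{"Follow-up", "Patient 42 needs a new prescription; call when ready."},
	{"Insurance form", "Her SSN is 123-45-6789 and MRN: 00987654."},
	{"Order confirmation", "Ref 000-12-3456 shipped."},
}

func main() {
	for _, s := range samples {
		hits := Scan(s.subject, s.body)
		fmt.Printf("%-20s -> %-7s %v\n", s.subject, Decide(hits), hits)
	}
}
```

Pattern rules only catch PHI that has a fixed shape. Free-text diagnoses, names next to appointment times and attachments the scanner does not open all pass a regex, so the warn action on keywords and letting senders turn encryption on by hand are the usual complement, and the rule set needs tuning against your own traffic before it is allowed to block anything.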