Are Chromebooks HIPAA compliant? If you're a medical practice, you're probably tempted to give Chromebooks a try. They're cheaper than a traditional Windows or Mac computer, and they're a lot easier and cheaper to maintain.
But are Chromebooks appropriate for a medical company? Can they be used to handle medical data?
We think they are, and we have clients that are using Chromebooks successfully.
And, yes, they're saving quite a bit of time and money over using traditional laptops or desktops.
You need to proceed carefully. Chromebooks are not right for every company. And you should test them extensively before deciding whether Chromebooks are HIPAA compliant AND right for your company.
In this article, we'll walk you through:
Chromebooks are a type of computer invented by Google. They're great at doing any task that you can do online -- checking your email, browsing the Internet, and accessing a cloud-based EMR. And when you use them with Google's Google Workspace, you can do word processing (like Microsoft Word), spreadsheets (like Microsoft Excel), and presentations (like Microsoft PowerPoint).
They can also do most of the things that other computers can do -- you can use your own monitor, your own mouse, connect it to your printer, etc.
Because of how they're built, they are MUCH safer than a traditional Mac or Windows computer. But more on that later.
Chromebooks are a LOT cheaper than traditional computers.
You can get a new one like this on Amazon for less than $200.
Even fancier Chromebooks like this one are less than $500.
Also, while "Chromebook" is the most common term that people use to find these computers, they're not just limited to laptop form.
You can also buy a "Chrome Box," which is more like a traditional computer...
Or even a "Chromebase," which is an all-in-one computer with a monitor that you can even use as a touchscreen kiosk.
There are lots of options. As we'll discuss later, though, these Chrome devices might not be appropriate for all businesses. Read on for more information.
Our apologies in advance -- this part gets a little technical. Also, a quick disclaimer: We aren't lawyers, and this isn't meant to be legal advice. If you're sailing into uncharted waters, you might want to review this with a qualified HIPAA or privacy compliance attorney.
Chromebooks are built (and work) very differently from typical Windows or Mac computers.
In our opinion, how they are built makes them much safer out-of-the-box than a traditional Windows or Mac computer.
And IF they're configured properly, we believe they are one of the safest ways to handle medical data.
Let's explore why, and how this relates to HIPAA...
If you've spent any time looking at HIPAA requirements for computers, you've definitely come across the requirement that all computers that handle PHI should be encrypted.
Here's how Google explains the way Chromebooks handle encryption:
When using web apps on a Chromebook, all important data is stored safely in the cloud. Certain kinds of files, like downloads, cookies, and browser cache files, may still be present on the computer. The Chromebook encrypts this data using tamper-resistant hardware, making it very difficult for anyone to access those files.
This is a pretty big deal. Your patient data and PHI is never stored on the actual Chromebook! It's all stored encrypted in the cloud. It's encrypted at rest and encrypted in transit (the two big requirements).
This means if your Chromebook is ever lost or stolen (and everything is set up the right way), you don't have to worry about someone else getting into your PHI.
Whether you have a Mac or a Windows computer, you'd better be using a good antivirus product.
In fact, most companies now use TWO antivirus products. There are so many pieces of malware out there, no one security company can keep up anymore.
Here's the thing -- you don't need antivirus on a Chromebook. This is because of the way they are built.
Chromebooks use something called "sandboxing," which basically means that even if you got an infected web page, the infection can't spread.
Here's how Google explains sandboxing:
On a Chromebook, each web page and application runs in a restricted environment called a "sandbox." If the Chromebook is directed to an infected page, it can’t affect the other tabs or apps on the computer, or anything else on the machine. The threat is contained.
Furthermore, even if some malware does manage to find a way to sneak onto the machine, Chrome uses a process called "Verified Boot" to put things back the way they should be. If it detects any changes to the system, it will automatically repair itself.
Talk to any IT company that sells Windows computers, and you'll get an earful about the "proper" way that computers need to be configured.
They'll throw around phrases like "Active Directory" and "Group Policy Objects" that control things like:
The great thing about HIPAA Compliant Chromebooks? All of these settings are built in, and can be updated from the cloud. The next time a user logs in, it automatically picks up the newest settings.
Another big part of making computers other than Chromebooks HIPAA compliant is making sure that you don't have any vulnerabilities that hackers can use to steal your PHI.
The typical approach to this is:
Again, HIPAA compliant Chromebooks make all of this work go away. Here's what Google says about updates:
The most effective way to protect against malware is to ensure all software is up-to-date and has the latest security fixes. This can be difficult to manage on traditional operating systems with many software components from many vendors all with different update mechanisms and user interfaces. Chromebooks manage updates automatically so Chromebooks are always running the latest and most secure version.
It's important to back your data up in case your computers are lost, stolen, or infected with ransomware.
With Chromebooks, all of your data is stored in the cloud. Backups are automatic, and real-time.
Lost or stolen computers are a very common cause of HIPAA data breaches.
As mentioned above, your computer needs to be encrypted.
The other requirement you need to meet is to make sure you have a way to break the connection between the lost/stolen computer and your PHI.
When you connect a Chromebook to your enterprise account, you get the use of their "mobile device management" software.
This means if a computer is ever lost or stolen, you can log into the cloud and sever the connection between your data and the device.
The person with the computer won't be able to get to your data.
Based on this list, we believe that they are. Your data is encrypted at all times. You have robust ways to control each endpoint. Everything is backed up. Everything is automatically updated, and viruses are self-corrected.
We believe that Chromebooks are SAFER than traditional Windows and Mac computers.
When compared to traditional Windows and Mac computers, Chromebooks will save you money.
Not only are they cheaper to buy, but they eliminate a lot of the management and maintenance costs that go along with typical computers.
Here are some examples:
|Typical Windows Computer||Chromebook|
|Have a way to set computer policies||Buy an Active Directory Server||Included, free|
|Have a way to share files between users||Buy a File Sharing Server||Included (with Google Workspace)|
|Send and receive HIPAA compliant emails||Buy an Exchange Server and Secure Email Software||Included (with Google Workspace and our HIPAA-compliant setup)|
|Antivirus||Buy 1-2 antivirus programs||Not needed|
|Patches and vulnerabilities||Buy a patching program and a vulnerability scanner||Included, free|
|Backups||Buy a backup service||Included, free|
|Handling lost/stolen devices||Buy a "mobile device management" service||Included with Google Workspace|
As you can see, this adds up to a LOT of monthly savings compared to a traditional computer.
And best of all, you don't need to have a server sitting around in your office.
As we mentioned above, Chromebooks aren't a good fit for every business.
Even if your company isn't a 100% match for Chromebooks, consider a hybrid model. We have some clients who took this path and still saved a lot of time and money.
In a hybrid deployment, most staff members use Chromebooks, and a small group of people (usually executives and office staff) still use a traditional computer. That way, you get the best of both worlds.
If you have a slow Internet connection, or if your Internet connection regularly goes down, Chromebooks probably aren't the best fit for your business. You can work offline on some things (mostly in Google Workspace), but it's best if your Internet connection is always on.
One thing we'd recommend is getting a backup Internet connection in case of an outage. You can buy it from a different Internet service provider (ISP), or maybe even consider mobile hotspots to use in an emergency.
Chromebooks do a fine job of printing, and if you're printing to a local computer (a printer attached to your computer), you should be HIPAA compliant.
If you're printing to a shared printer (like a big multifunction device in the office), you might need to use Google Cloud Print. Unfortunately, as of this writing, Google Cloud Print is NOT HIPAA-compliant. So if you need to do a lot of printing, Chromebooks might not be best for you.
However, this might be a good time to move towards being a paperless office. You can train people to print files out to a PDF file, and then you can store and share them using Google Drive.
Most of the practices that we meet are doing their charting, billing, and other EMR-related tasks in a cloud-hosted EMR. These work great on Chromebooks! Unfortunately, if you have your EMR installed locally (like on a server in your office or on a local computer), it probably won't work with Chromebooks.
There are some ways to run older pieces of software and still access them through a Chromebook, but they're kind of clunky.
Again, remember that if any of these three items describe your business, you still might be able to get value out of using Chromebooks! You just might need to keep one or two traditional computers around for specific functions.
Critical: be sure to test all of your applications on a Chromebook before you roll them out to your staff!
Search online or visit popular social network sites like Reddit and you'll see a lot of uninformed opinions about Chromebooks and HIPAA.
Here's one comment from a supposed "IT expert" on the topic:
First, buddy, it's spelled "HIPAA" and not "HIPPA."
Moreover, this is 100% false.
Most IT firms will give you this kind of answer. We think they're wrong.
Why are they giving you incorrect answers?
Traditional IT firms make money when you buy more.
The more computers and servers they can sell you (and the more software it takes to make those computers safe and HIPAA-compliant), the better it is for their bottom line.
See that table above? The one that lists a bunch of things that you need to make a traditional computer safe and HIPAA-compliant? That's what the traditional IT firm wants to sell you as part of their standard package.
That's easy - we can help.
You need to be very careful about how you configure Google Workspace and Chromebooks to make sure that they're HIPAA compliant. Setting up a company is not a simple task, and we've done many HIPAA-compliant Google Workspace and Chromebook implementations.
If you're interested in talking through whether HIPAA-compliant Chromebooks are right for your business, call us at 888-646-1616 or schedule a time to talk here.