Is Gmail secure? Let's walk through the security features they have, and think about how they work in the real world.
Hackers use "phishing" attacks to either steal your data or get control of your computer. They'll send you an email with either a link or an attachment. If you open it, they'll have access to your computer.
In our tests, Gmail is much better than Microsoft 365 or Yahoo Mail at stopping spam and phishing emails. While Microsoft 365 has announced some better spam and phishing detection, we've been very happy with the long-term performance of Gmail.
Google built "the first computer program to ever beat a professional player at the game of Go." These "machine learning" programs are also great at spotting bad emails.
When it comes to spotting phishing, we think Gmail is the best game in town.
Hackers can listen in on your web traffic. You're especially vulnerable if you're using wifi in a public place like an airport or a coffee shop.
In 2014, Gmail started forcing all traffic to use HTTPS. This stops hackers from listening in on your email on insecure wifi networks.
You can tell if you're using HTTPS by looking for the lock icon in the address bar of your browser:
[Screenshots: browser address bar with HTTPS on, and with HTTPS off]
Another way attackers can get into your account is by guessing your password. Gmail keeps you safe from these attacks in three ways:
a) 2 Factor Authentication. We HIGHLY recommend you use this. When it's turned on, you'll need to use an app or a text message on your phone to get into your account.
Gmail has done a better job of 2-factor authentication than other companies. It's easy to use. It also only asks for your code if you're doing something weird (like logging on from a new computer).
If you don't have access to your app, it also lets you get codes via text message...
And they'll give you some backup codes you can use if you don't have your phone handy...
b) Password guessing. If someone tries to log in to your account over and over, Google will lock them out. People call this a "brute force attack."
c) Activity on this account. We love this -- with the click of a button, it's super easy to see exactly where your account is being used. You can also click a button to lock out other sessions.
Our HIPAA compliance customers get help in setting up two-factor authentication (and everything else) properly.
To us, this is one of the most important features of security.
You can have all the security in the world, but if it's hard to use, people won't use it.
Gmail has done a nice job of making security easy to use.
The best example is a step-by-step checklist that you can follow to make sure that your security is up to snuff.
It covers everything from strong passwords...
To double-check that you're using legit devices...
To make sure that outside apps are allowed...
And more. We make sure these are all set up properly for our customers.
Gmail has great apps that run on Android or iOS and make it easy to sync your email to your phone. Or, if you prefer, you can use the default mail apps.
The connection between your phone and Gmail uses SSL encryption. This means that a hacker sniffing the network can't see your email, even if you're on a public wifi network.
While the connection to Gmail is secure, you need to do a few more things to make sure your mobile phone is secure:
With news about warrants to access email, many people wonder if the government can access Gmail.
The answer is yes, though this is true of all US-based email providers. If the police or FBI can get approval from a judge, they can compel Google (or other email providers) to turn over emails.
In fact, this is true in most countries.
We like the level of transparency that Google provides in this process. On their site, you can see a country-by-country graph that shows law enforcement requests.
While there are email providers that claim to not give access to law enforcement, we don't recommend using them. Gmail has almost a billion users, and only 69,000 of them have been the subject of a warrant. This means that Gmail is a great fit for the 99.9999% of us who have nothing to worry about.
Gmail is a great tool, and overall we recommend it to small and medium-sized practices. But if you want to send Protected Health Information (PHI) over email, you need to make sure the email data is encrypted. When using Gmail, about 90% of the emails sent or received are already encrypted. But what about the rest?
You'll need a third-party tool to make sure every email you send is encrypted and secure. We've reviewed 7 of those tools and picked the best.
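The "about 90%" figure above refers to encryption in transit between mail servers, and you can see per message whether that happened: Gmail records each delivery hop in a Received: header, and hops that arrived over TLS say "with ESMTPS" and carry a "(version=... cipher=...)" note. The following is an added example, not code from the original post or from Google, that parses those headers and flags any external hop delivered in the clear. The two messages are constructed samples with documentation-range addresses; skipping hops that have no "from" clause (Gmail's internal relays) is a heuristic assumed here, not a documented rule.

```python
import re
from email import message_from_string

# TLS note Gmail appends to a hop that arrived over ESMTPS, e.g. "(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128)"
_TLS_NOTE = re.compile(r"\(version=(?P<version>[^\s)]+)\s+cipher=(?P<cipher>[^\s)]+)")
_TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS"}  # SMTP keywords that imply a TLS session

# Constructed sample: one external hop delivered over TLS 1.3 into Google's MX.
SAMPLE_ENCRYPTED = """Received: by 2002:a05:6a00:1234:0:0:0:0 with SMTP id x1csp123;
        Mon, 1 Jan 2024 10:00:02 -0800 (PST)
Received: from mail.clinic-example.test (mail.clinic-example.test. [203.0.113.5])
        by mx.google.com with ESMTPS id abc123def
        for <doctor@practice-example.test>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Mon, 1 Jan 2024 10:00:01 -0800 (PST)
From: referrals@clinic-example.test
To: doctor@practice-example.test
Subject: Referral

See attached.
"""

# Constructed sample: an old gateway that speaks plain ESMTP, no TLS note at all.
SAMPLE_PLAINTEXT = """Received: from legacy-fax-gateway.example.test (legacy-fax-gateway.example.test. [198.51.100.9])
        by mx.google.com with ESMTP id zz9
        for <doctor@practice-example.test>;
        Mon, 1 Jan 2024 10:05:00 -0800 (PST)
From: fax@legacy-fax-gateway.example.test
To: doctor@practice-example.test
Subject: Fax received

Page 1 of 3.
"""


def parse_received_hops(raw_message: str) -> list:
    """Return one dict per external delivery hop (newest first, as the headers are stacked)."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())          # unfold the header onto one line
        m_from = re.match(r"from\s+(\S+)", text)
        if not m_from:
            continue                                  # assumed: no "from" means an internal relay hop
        m_by = re.search(r"\bby\s+(\S+)", text)
        m_proto = re.search(r"\bwith\s+([A-Z]+)\b", text)
        m_tls = _TLS_NOTE.search(text)
        proto = m_proto.group(1) if m_proto else ""
        hops.append({
            "from": m_from.group(1),
            "by": m_by.group(1) if m_by else "",
            "protocol": proto,
            "tls": bool(m_tls) or proto in _TLS_PROTOCOLS,
            "version": m_tls.group("version") if m_tls else None,
            "cipher": m_tls.group("cipher") if m_tls else None,
        })
    return hops


def unencrypted_hops(raw_message: str) -> list:
    """Names of sending hosts whose delivery into the receiving server was not protected by TLS."""
    return [h["from"] for h in parse_received_hops(raw_message) if not h["tls"]]


def all_external_hops_encrypted(raw_message: str) -> bool:
    hops = parse_received_hops(raw_message)
    return bool(hops) and all(h["tls"] for h in hops)


if __name__ == "__main__":
    for label, sample in (("encrypted", SAMPLE_ENCRYPTED), ("plaintext", SAMPLE_PLAINTEXT)):
        print(label, parse_received_hops(sample), "clear-text hops:", unencrypted_hops(sample))
```

This only tells you about the hop into Google; it says nothing about hops before that, or about the mailbox at the other end, which is why the text above still points to a third-party tool for PHI.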
Here’s a disclaimer that many private practice “influencers” miss: signing a BAA with Google does not make your Google Workspace HIPAA compliant.
Seriously – Google CLEARLY says
“Customers are responsible for … ensuring that they use Google services in compliance with HIPAA.”
“PHI is allowed only in a subset of Google services.”
“These Google-covered services … must be configured by IT administrators to help ensure that PHI is properly protected."
So yes, Google Workspace CAN be HIPAA compliant, but it’s not compliant right out of the box.
You need to make sure your account is secure.
Gmail is relatively secure with features like phishing protection, HTTPS encryption, and two-factor authentication. However, it lacks end-to-end encryption and requires setup for HIPAA compliance. Additional tools may be needed to fully secure sensitive data.
Yes, Gmail uses HTTPS and SSL encryption for secure connections. Around 90% of emails are encrypted; you'll need a third-party tool to make sure every email you send is encrypted and secure.
What about Google scanning your emails for advertising purposes?
Great question! According to this page on Google's site, "Google Cloud does not scan your data or email in Google Workspace Services for advertising purposes." My understanding is that this scanning only happens on free @gmail.com accounts, which aren't HIPAA compliant anyway.
I know it's been a while since the original post, but last year Google announced (not too long after your question was asked..) they will no longer scan users' Gmail messages for the purpose of serving ads -- which more aligns the consumer (free) version of Gmail with the paid (Google Workspace) version: https://www.nytimes.com/2017/06/23/technology/gmail-ads.html
Plus, just yesterday, Google gave us an overhaul of the UI, and in the "coming weeks" we'll get some very cool privacy and confidentiality features as well: http://www.latimes.com/business/technology/la-fi-tn-gmail-confidential-20180425-story.html
hope this helps--