Is Gmail secure? Let's walk through the security features they have, and think about how they work in the real world.
Hackers use "phishing" attacks to either steal your data or get control of your computer. They'll send you an email with a link or an attachment. If you click the link or open the attachment, they can get access to your account or your computer.
In our tests, Gmail is much better than Microsoft 365 or Yahoo Mail at stopping spam and phishing emails. While Microsoft 365 has announced some better spam and phishing detection, we've been very happy with the long-term performance of Gmail.
Google built "the first computer program to ever beat a professional player at the game of Go." These "machine learning" programs are also great at spotting bad emails.
When it comes to spotting phishing, we think Gmail is the best game in town.
Hackers can listen in on your web traffic. You're especially vulnerable if you're using wifi in a public place like an airport or a coffee shop.
In 2014, Gmail started forcing all traffic to use HTTPS. This stops hackers from listening in on your email on insecure wifi networks.
You can tell if you're using HTTPS by looking for the lock icon in the address bar of your browser.
Another way attackers try to get into your account is by guessing your password. Gmail keeps you safe from these attacks in three ways:
a) Two-factor authentication. We HIGHLY recommend you use this. When it's turned on, you'll need a code from an app or a text message on your phone, in addition to your password, to get into your account.
Gmail has done a better job of two-factor authentication than other companies. It's easy to use. It also only asks for your code if you're doing something unusual (like logging on from a new computer).
If you don't have access to your app, it also lets you get codes via text message...
And they'll give you some backup codes you can use if you don't have your phone handy...
b) Protection against password guessing. If someone tries to log in to your account over and over, Google will lock them out. People call this kind of repeated guessing a "brute force attack."
c) Activity on this account. We love this -- with the click of a button, it's super easy to see exactly where your account is being used. You can also click a button to lock out other sessions.
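Points b) and c) are easier to reason about with a concrete model, so here is an added example of both mechanisms in miniature: a lockout that triggers after repeated failed logins inside a sliding time window, and a session store that lists where an account is signed in and can sign out every other session. This is illustrative code written for this page, not Google's implementation; the thresholds (5 failures in 5 minutes, 15-minute lock) and the `LoginGuard` / `SessionStore` names are assumptions.

```python
"""Added example: brute-force lockout and 'sign out other sessions', in
illustrative form. Not Google's code; thresholds are assumed values."""
import secrets
from collections import deque


class LoginGuard:
    """Temporarily lock an account after too many failed logins in a short window."""

    def __init__(self, max_failures: int = 5, window_s: int = 300, lockout_s: int = 900):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._failures = {}      # account -> deque of failure timestamps
        self._locked_until = {}  # account -> unix time when the lock expires

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Returns 'ok', 'denied' (wrong password) or 'locked'."""
        if self._locked_until.get(account, 0) > now:
            return "locked"  # even a correct password is refused while locked
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        recent = self._failures.setdefault(account, deque())
        recent.append(now)
        while recent and recent[0] <= now - self.window_s:
            recent.popleft()  # forget failures that fell out of the window
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_s
            recent.clear()
            return "locked"
        return "denied"


class SessionStore:
    """Track where an account is signed in and let the owner sign out other devices."""

    def __init__(self):
        self._sessions = {}  # session token -> record

    def create(self, account: str, device: str, ip: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"account": account, "device": device,
                                 "ip": ip, "last_seen": now}
        return token

    def is_valid(self, token: str) -> bool:
        return token in self._sessions

    def activity(self, account: str) -> list:
        """The 'Activity on this account' view: one row per live session."""
        return [dict(s) for s in self._sessions.values() if s["account"] == account]

    def revoke_others(self, account: str, keep_token: str) -> int:
        """'Sign out all other sessions'; returns how many were revoked."""
        doomed = [t for t, s in self._sessions.items()
                  if s["account"] == account and t != keep_token]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


if __name__ == "__main__":
    guard = LoginGuard()
    for i in range(5):  # constructed sequence of wrong passwords
        print("attempt", i + 1, "->", guard.attempt("alice", False, now=1000 + i))
    sessions = SessionStore()
    mine = sessions.create("alice", "laptop", "10.0.0.2", 1000)       # constructed
    sessions.create("alice", "unknown device", "203.0.113.9", 1001)  # constructed
    print("active:", sessions.activity("alice"))
    print("revoked:", sessions.revoke_others("alice", keep_token=mine))
```

Two design points worth noticing: the lockout is keyed on the account, not the source address, so an attacker rotating through many addresses still hits the same limit; and once locked, even the correct password is refused until the lock expires, which is what makes the "try over and over" strategy unproductive.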
Our HIPAA compliance customers get help in setting up two-factor authentication (and everything else) properly.
To us, ease of use is one of the most important parts of security.
You can have all the security in the world, but if it's hard to use, people won't use it.
Gmail has done a nice job of making security easy to use.
The best example is a step-by-step checklist that you can follow to make sure that your security is up to snuff.
It covers everything from strong passwords...
To double-checking that you're using legit devices...
To making sure that outside apps are allowed...
And more. We make sure these are all set up properly for our customers.
Gmail has great apps that run on Android or iOS and make it easy to sync your email to your phone. Or, if you prefer, you can use the default mail apps.
The connection between your phone and Gmail uses SSL/TLS encryption. This means that a hacker sniffing the network can't read your email, even if you're on a public wifi network.
While the connection to Gmail is secure, you need to do a few more things to make sure your mobile phone is secure:
With news about warrants to access email, many people wonder if the government can access Gmail.
The answer is yes, though this is true of all US-based email providers. If the police or FBI can get approval from a judge, they can compel Google (or other email providers) to turn over emails.
In fact, this is true in most countries.
We like the level of transparency that Google provides into this process. On their site, you can see a country-by-country graph that shows law enforcement requests.
While there are email providers that claim to not give access to law enforcement, we don't recommend using them. Gmail has almost a billion users, and only 69,000 of them have been the subject of a warrant, which means that Gmail is a great fit for the 99.9999% of us who have nothing to worry about.
Gmail is a great tool, and overall we recommend it to small and medium-sized practices. But if you want to send Protected Health Information (PHI) over email, you need to make sure the data is encrypted. When using Gmail, about 90% of the emails sent or received are already encrypted in transit. But what about the rest?
You'll need a third-party tool to make sure every email you send is encrypted and secure. We've reviewed 7 of those tools and picked the best.
Here’s a disclaimer that many private practice “influencers” miss: signing a BAA with Google does not make your Google Workspace HIPAA compliant.
Seriously, Google CLEARLY says:
“Customers are responsible for … ensuring that they use Google services in compliance with HIPAA.”
“PHI is allowed only in a subset of Google services.”
“These Google covered services … must be configured by IT administrators to help ensure that PHI is properly protected.”
So yes, Google Workspace CAN be HIPAA compliant, but it’s not compliant right out of the box.
You need to make sure your account is secure.