encrypt fill in .pdf form
-
@scottalanmiller said:
I use encrypted PDF all the time and don't even have any Adobe products at all. On Linux, Encrypted PDFs open natively. I know that my CPA uses them and they don't have issues with clients opening them or responding in them.
On Linux, I can fill in a form and return it encrypted, I believe, just by default.
Searching on the web it seems that on a Mac there is native support, but not on Windows...
-
@Mike-Davis said:
@scottalanmiller said:
I use encrypted PDF all the time and don't even have any Adobe products at all. On Linux, Encrypted PDFs open natively. I know that my CPA uses them and they don't have issues with clients opening them or responding in them.
On Linux, I can fill in a form and return it encrypted, I believe, just by default.
Searching on the web it seems that on a Mac there is native support, but not on Windows...
Windows 10 natively supports PDFs inside Edge now. It's not perfect, but it is usable.
As for Scott's use, I'm guessing his use is what you were talking about. Pre encrypted, password shared through a different channel.
-
Maybe a secure online form for those that want to fill out online, and a PDF for printing and mailing. Keep the process simple and separate.
-
I think that probably PDF is just the wrong tool in this use case. Having people fill things out offline adds some serious complications.
-
Would a google doc form be a viable alternative? I'm in the process of helping them sign up for Google Docs for Non Profits.
-
@Mike-Davis said:
Would a google doc form be a viable alternative? I'm in the process of helping them sign up for Google Docs for Non Profits.
If you had a need for it to be encrypted I don't think Google would be the right choice.
-
@Jason I'm just looking for a secure way to get their SSN across the internet.
-
@Mike-Davis said:
@Jason I'm just looking for a secure way to get their SSN across the internet.
Google is not the place you want to have SSNs going..
Also you really need something both encrypted in transit and at rest.
-
@Jason said:
@Mike-Davis said:
Would a google doc form be a viable alternative? I'm in the process of helping them sign up for Google Docs for Non Profits.
If you had a need for it to be encrypted I don't think Google would be the right choice.
It might be if you can limit who has read access to the saved data. I know you can create a form that saves the data into a sheet that the rest of the world can't see.
-
@Dashrender said:
@Jason said:
@Mike-Davis said:
Would a google doc form be a viable alternative? I'm in the process of helping them sign up for Google Docs for Non Profits.
If you had a need for it to be encrypted I don't think Google would be the right choice.
It might be if you can limit who has read access to the saved data. I know you can create a form that saves the data into a sheet that the rest of the world can't see.
Depending on where this is there are many laws that will block that. This isn't a secure method of storing Sensitive data anyway. If something happens a court will no doubt find you negligent.
-
This is a case where a simple custom app might be incredibly powerful and simple. But would be complex if you tried to address offline use as well.
-
@Jason said:
@Dashrender said:
@Jason said:
@Mike-Davis said:
Would a google doc form be a viable alternative? I'm in the process of helping them sign up for Google Docs for Non Profits.
If you had a need for it to be encrypted I don't think Google would be the right choice.
It might be if you can limit who has read access to the saved data. I know you can create a form that saves the data into a sheet that the rest of the world can't see.
Depending on where this is there are many laws that will block that. This isn't a secure method of storing Sensitive data anyway. If something happens a court will no doubt find you negligent.
For my own education - what's not secure about it?
Google will sign a BAA for HIPAA for example, just like MS will.
https://support.google.com/a/answer/3407054?hl=en
So while their willingness to sign a BAA itself isn't proof that they are secure, I really can't see them being willing to get sued over this and not be at least as secure as required, and probably a whole lot more so.
I'm not sure who it is that keeps posting around here that they can't use hosted email because of the sensitivity of their environment, but those customers are much more far and wide compared to healthcare customers which themselves are far and wide compared to non healthcare customers when it comes to these regulations.
-
@Dashrender said:
So while their willingness to sign a BAA itself isn't proof that they are secure, I really can't see them being willing to get sued over this and not be at least as secure as required, and probably a whole lot more so.
HIPAA isn't about keeping data secure.. it does the opposite.
-
@Dashrender said:
I'm not sure who it is that keeps posting around here that they can't use hosted email because of the sensitivity of their environment, but those customers are much more far and wide compared to healthcare customers which themselves are far and wide compared to non healthcare customers when it comes to these regulations.
It's amazing how insecure the healthcare field really is.
I think the thing to remember is that if you aren't bound by regulations (for example with HIPAA, if you aren't a covered entity) just the concept of security applies to you, not the law itself.
-
@Jason said:
@Dashrender said:
So while their willingness to sign a BAA itself isn't proof that they are secure, I really can't see them being willing to get sued over this and not be at least as secure as required, and probably a whole lot more so.
HIPAA isn't about keeping data secure.. it does the opposite.
It doesn't exactly force the opposite, just encourages it. HIPAA is more an excuse for not being secure than an encouragement to actually be secure. I definitely mostly run into HIPAA as "well HIPAA doesn't stop me from being insecure so I'm not worried about" rather than "oh man, I have to do extra secure because of HIPAA."
-
@BRRABill said:
@Dashrender said:
I'm not sure who it is that keeps posting around here that they can't use hosted email because of the sensitivity of their environment, but those customers are much more far and wide compared to healthcare customers which themselves are far and wide compared to non healthcare customers when it comes to these regulations.
It's amazing how insecure the healthcare field really is.
I think the thing to remember is that if you aren't bound by regulations (for example with HIPAA, if you aren't a covered entity) just the concept of security applies to you, not the law itself.
Actually, HIPAA provides a defence against litigation that previously would have been more viable. It doesn't completely block litigation but it is a very, very strong tool used by healthcare to protect itself from needing to meet the standards of the world in general.
-
@Dashrender said:
Google will sign a BAA for HIPAA for example, just like MS will.
https://support.google.com/a/answer/3407054?hl=en
That implies that they do certain things, but only so much. The question here was about protecting the data which goes farther than HIPAA would go. Google wouldn't be able to be sued usefully in a breach as long as they were HIPAA compliant.
-
That link does list other ISO certifications they have.
None the less, I don't consider them an insecure platform - if you do, why do you?
-
@scottalanmiller said:
That implies that they do certain things, but only so much. The question here was about protecting the data which goes farther than HIPAA would go. Google wouldn't be able to be sued usefully in a breach as long as they were HIPAA compliant.
Right.
The second you use a weak password, or someone else has access to the data, it may not be compliant.
-
The common consensus for level 1 data (SSNs etc.) is not to store them on Google Cloud, DropBox etc. Don't store them on laptops, desktops or any mobile device.
They should be encrypted at rest and in transit, and usually need a password to open at the file level.
Going against this and storing them in files online rather than a specific service meant for this is asking to be held liable if something happens.
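
A check a recipient can run on a returned form before storing or forwarding it, added here as an example and not part of any post in this thread: it reads the PDF trailer and reports whether the file actually carries an `/Encrypt` entry. The function names and the `sample_pdf` skeleton are constructed for illustration.

```python
import re

def trailer_dict(pdf: bytes) -> bytes:
    """Return the newest trailer (or cross-reference stream) dictionary."""
    marks = re.findall(rb"startxref\s+(\d+)", pdf)
    if not marks:
        raise ValueError("no startxref: truncated or not a PDF")
    pos = int(marks[-1])                     # last one wins after incremental saves
    if pdf[pos:pos + 4] == b"xref":          # classic table, followed by 'trailer << >>'
        pos = pdf.find(b"trailer", pos)
        if pos < 0:
            raise ValueError("xref table without trailer")
    start = pdf.find(b"<<", pos)             # otherwise: dictionary of the xref stream
    if start < 0:
        raise ValueError("no trailer dictionary")
    depth, i = 0, start
    while i < len(pdf):
        if pdf[i:i + 2] == b"<<":
            depth, i = depth + 1, i + 2
        elif pdf[i:i + 2] == b">>":
            depth, i = depth - 1, i + 2
            if depth == 0:
                return pdf[start:i]
        elif pdf[i:i + 1] == b"<":           # hex string, such as an /ID entry
            end = pdf.find(b">", i)
            if end < 0:
                break
            i = end + 1
        else:
            i += 1
    raise ValueError("unterminated trailer dictionary")

def is_encrypted(pdf: bytes) -> bool:
    """True if the document trailer references an /Encrypt dictionary."""
    return re.search(rb"/Encrypt\b", trailer_dict(pdf)) is not None

def sample_pdf(encrypted: bool) -> bytes:
    """Constructed skeleton: just enough structure for the trailer lookup."""
    body = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    xref = len(body)                         # byte offset of the xref table
    extra = b" /Encrypt 2 0 R /ID [<00ff> <00ff>]" if encrypted else b""
    return (body + b"xref\n0 1\n0000000000 65535 f \ntrailer\n<< /Size 2 /Root 1 0 R"
            + extra + b" >>\nstartxref\n" + str(xref).encode() + b"\n%%EOF\n")

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, is_encrypted(sample_pdf(flag)))
```

A positive result only shows that encryption is present; the algorithm and key length are given by the `/V`, `/R` and `/Length` entries of the encryption dictionary itself, and a file saved with an empty user password is encrypted yet opens without a prompt.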