    encrypt fill in .pdf form

    • Jason Banned @Mike Davis

      @Mike-Davis said:

      Would a Google Doc form be a viable alternative? I'm in the process of helping them sign up for Google Docs for Non Profits.

      If you had a need for it to be encrypted I don't think Google would be the right choice.

      • Mike Davis @Jason

        @Jason I'm just looking for a secure way to get their SSN across the internet.

        • Jason Banned @Mike Davis

          @Mike-Davis said:

          @Jason I'm just looking for a secure way to get their SSN across the internet.

          Google is not the place you want to have SSNs going.

          Also you really need something both encrypted in transit and at rest.

          • Dashrender @Jason

            @Jason said:

            @Mike-Davis said:

            Would a Google Doc form be a viable alternative? I'm in the process of helping them sign up for Google Docs for Non Profits.

            If you had a need for it to be encrypted I don't think Google would be the right choice.

            It might be if you can limit who has read access to the saved data. I know you can create a form that saves the data into a sheet that the rest of the world can't see.

            • Jason Banned @Dashrender

              @Dashrender said:

              @Jason said:

              @Mike-Davis said:

              Would a Google Doc form be a viable alternative? I'm in the process of helping them sign up for Google Docs for Non Profits.

              If you had a need for it to be encrypted I don't think Google would be the right choice.

              It might be if you can limit who has read access to the saved data. I know you can create a form that saves the data into a sheet that the rest of the world can't see.

              Depending on where this is, there are many laws that will block that. This isn't a secure method of storing sensitive data anyway. If something happens, a court will no doubt find you negligent.

              • scottalanmiller

                This is a case where a simple custom app might be incredibly powerful and simple. But would be complex if you tried to address offline use as well.

                • Dashrender @Jason

                  @Jason said:

                  @Dashrender said:

                  @Jason said:

                  @Mike-Davis said:

                  Would a Google Doc form be a viable alternative? I'm in the process of helping them sign up for Google Docs for Non Profits.

                  If you had a need for it to be encrypted I don't think Google would be the right choice.

                  It might be if you can limit who has read access to the saved data. I know you can create a form that saves the data into a sheet that the rest of the world can't see.

                  Depending on where this is, there are many laws that will block that. This isn't a secure method of storing sensitive data anyway. If something happens, a court will no doubt find you negligent.

                  For my own education - what's not secure about it?

                  Google will sign a BAA for HIPAA for example, just like MS will.
                  https://support.google.com/a/answer/3407054?hl=en

                  So while their willingness to sign a BAA itself isn't proof that they are secure, I really can't see them being willing to get sued over this and not be at least as secure as required, and probably a whole lot more so.

                  I'm not sure who it is that keeps posting around here that they can't use hosted email because of the sensitivity of their environment, but those customers are much more far and wide compared to healthcare customers which themselves are far and wide compared to non-healthcare customers when it comes to these regulations.

                  • Jason Banned @Dashrender

                    @Dashrender said:

                    So while their willingness to sign a BAA itself isn't proof that they are secure, I really can't see them being willing to get sued over this and not be at least as secure as required, and probably a whole lot more so.

                    HIPAA isn't about keeping data secure... it does the opposite.

                    • BRRABill @Dashrender

                      @Dashrender said:

                      I'm not sure who it is that keeps posting around here that they can't use hosted email because of the sensitivity of their environment, but those customers are much more far and wide compared to healthcare customers which themselves are far and wide compared to non-healthcare customers when it comes to these regulations.

                      It's amazing how insecure the healthcare field really is.

                      I think the thing to remember is that if you aren't bound by regulations (for example with HIPAA, if you aren't a covered entity) just the concept of security applies to you, not the law itself.

                      • scottalanmiller @Jason

                        @Jason said:

                        @Dashrender said:

                        So while their willingness to sign a BAA itself isn't proof that they are secure, I really can't see them being willing to get sued over this and not be at least as secure as required, and probably a whole lot more so.

                        HIPAA isn't about keeping data secure... it does the opposite.

                        It doesn't exactly force the opposite, just encourages it. HIPAA is more an excuse for not being secure than an encouragement to actually be secure. I definitely mostly run into HIPAA as "well HIPAA doesn't stop me from being insecure so I'm not worried about it" rather than "oh man, I have to do extra secure because of HIPAA."

                        • scottalanmiller @BRRABill

                          @BRRABill said:

                          @Dashrender said:

                          I'm not sure who it is that keeps posting around here that they can't use hosted email because of the sensitivity of their environment, but those customers are much more far and wide compared to healthcare customers which themselves are far and wide compared to non-healthcare customers when it comes to these regulations.

                          It's amazing how insecure the healthcare field really is.

                          I think the thing to remember is that if you aren't bound by regulations (for example with HIPAA, if you aren't a covered entity) just the concept of security applies to you, not the law itself.

                          Actually, HIPAA provides a defence against litigation that previously would have been more viable. It doesn't completely block litigation but it is a very, very strong tool used by healthcare to protect itself from needing to meet the standards of the world in general.

                          • scottalanmiller @Dashrender

                            @Dashrender said:

                            Google will sign a BAA for HIPAA for example, just like MS will.
                            https://support.google.com/a/answer/3407054?hl=en

                            That implies that they do certain things, but only so much. The question here was about protecting the data which goes farther than HIPAA would go. Google wouldn't be able to be sued usefully in a breach as long as they were HIPAA compliant.

                            • Dashrender

                              That link does list other ISO certifications they have.

                              Nonetheless, I don't consider them an insecure platform - if you do, why do you?

                              • BRRABill @scottalanmiller

                                @scottalanmiller said:

                                That implies that they do certain things, but only so much. The question here was about protecting the data which goes farther than HIPAA would go. Google wouldn't be able to be sued usefully in a breach as long as they were HIPAA compliant.

                                Right.

                                The second you use a weak password, or someone else has access to the data, it may not be compliant.

                                • Jason Banned

                                  The common consensus for level 1 data (SSNs etc.) is not to store them on Google Cloud, Dropbox, etc. Don't store them on laptops, desktops or any mobile device.

                                  They should be encrypted at rest and in transit, and usually need a password to open at the file level.

                                  Going against this and storing them in files online rather than a specific service meant for this is asking to be held liable if something happens.

                                  • scottalanmiller

                                    At the very least, you'd want them in a database that has no "download as a complete set" function. Anything stored in a file system like Google Docs is going to have a lot of exposure to "any breach is a full breach."

                                    • Jason Banned @scottalanmiller

                                      @scottalanmiller said:

                                      At the very least, you'd want them in a database that has no "download as a complete set" function. Anything stored in a file system like Google Docs is going to have a lot of exposure to "any breach is a full breach."

                                      And encrypted in the databases. This is the way it would be done if you got it from some kind of service.

                                      A file is how all those people who left their laptops on planes got records of employees stolen years ago.

                                      • scottalanmiller @Jason

                                        @Jason said:

                                        And encrypted in the databases. This is the way it would be done if you got it from some kind of service.

                                        This is a benefit of systems like MS SQL Server. Database encryption. You can encrypt the storage that the database is on instead, but you want encryption in the database ideally if you are on a shared service.

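An added example, not part of any post in this thread: the two points made above (no "download as a complete set" path, and encryption inside the database rather than only on the storage under it) written as T-SQL for SQL Server. It assumes column-level encryption is the mechanism used, which is one of several SQL Server options; every object name and the passphrase placeholder are hypothetical.

```sql
-- Added example; all object names and the passphrase are hypothetical placeholders.
-- Key hierarchy: database master key -> certificate -> AES-256 symmetric key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<replace-with-strong-passphrase>';
CREATE CERTIFICATE SsnCert WITH SUBJECT = 'Protects the SSN column key';
CREATE SYMMETRIC KEY SsnKey WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE SsnCert;
GO
-- Only ciphertext is stored; the row id is a random GUID, so ids cannot be walked.
CREATE TABLE dbo.Applicant (
    ApplicantId UNIQUEIDENTIFIER NOT NULL DEFAULT NEWID() PRIMARY KEY,
    FullName    NVARCHAR(200)    NOT NULL,
    SsnEnc      VARBINARY(256)   NOT NULL
);
GO
-- EXECUTE AS OWNER lets the procedure open the key without granting
-- key or certificate permissions to the calling application account.
CREATE PROCEDURE dbo.AddApplicant @FullName NVARCHAR(200), @Ssn CHAR(11)
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    OPEN SYMMETRIC KEY SsnKey DECRYPTION BY CERTIFICATE SsnCert;
    INSERT INTO dbo.Applicant (FullName, SsnEnc)
    OUTPUT inserted.ApplicantId          -- hand the new id back to the caller
    VALUES (@FullName, ENCRYPTBYKEY(KEY_GUID('SsnKey'), @Ssn));
    CLOSE SYMMETRIC KEY SsnKey;
END;
GO
-- Returns at most one record per call; there is no "list all" procedure.
CREATE PROCEDURE dbo.GetApplicantSsn @ApplicantId UNIQUEIDENTIFIER
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    OPEN SYMMETRIC KEY SsnKey DECRYPTION BY CERTIFICATE SsnCert;
    SELECT FullName, CONVERT(CHAR(11), DECRYPTBYKEY(SsnEnc)) AS Ssn
    FROM dbo.Applicant
    WHERE ApplicantId = @ApplicantId;
    CLOSE SYMMETRIC KEY SsnKey;
END;
GO
-- The application role can call the two procedures but cannot read the table.
CREATE ROLE IntakeApp;
GRANT EXECUTE ON dbo.AddApplicant TO IntakeApp;
GRANT EXECUTE ON dbo.GetApplicantSsn TO IntakeApp;
DENY SELECT ON dbo.Applicant TO IntakeApp;
```

The key lives in the same SQL Server instance as the data, so this limits what an over-privileged application account or a copied data file exposes; it does not protect against someone with administrative control of the database.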
                                        • Mike Davis

                                          So if the form is submitted and then the receiver prints it out and deletes it, the information moves across the internet and is protected by SSL, but the data isn't sitting in a Google account that can get hacked. (forcing 2 factor would be even better)

                                          • Dashrender @Mike Davis

                                            @Mike-Davis said:

                                            So if the form is submitted and then the receiver prints it out and deletes it, the information moves across the internet and is protected by SSL, but the data isn't sitting in a Google account that can get hacked. (forcing 2 factor would be even better)

                                            It's still in Google until you delete it though. Granted that may be a small window, but it's still a window.
