0

I want to listen to my voicemails in a secure but convenient fashion. I plan to do this by having my PBX encrypt the voicemail using openssl aes 256 cbc with salt and a single static password. The voicemail would be emailed to my Gmail address, where I am creating a Chrome app to decrypt it using the established static password and play it.

What are the security implications of establishing such a system or is there a better recommended encryption setup? Also, as a side note, would this setup be considered HIPAA compliant?

SILENT
    Whether something is HIPAA compliant sounds like a question for lawyers. One question the lawyers would probably ask is what kinds of measures you take to keep your gmail mailbox confidential. Do you use 2-factor auth with gmail? If you do and your second factor is a smart-phone, can theft of the phone allow access to the mailbox via a stored password in your phone's mail app? What kind of protections do you have for your regular voicemail service? – Mike Samuel Jun 21 '14 at 13:10
  • @MikeSamuel I did take security measures with Gmail, but it may not be (not exactly sure) considered HIPAA compliant due to having no established business associates agreement. However, as far as I understand, any medical info (including voicemails) is considered HIPAA compliant as long as it's properly encrypted and the password is limited to proper personnel. I just wanted to verify my implementation is secure. – SILENT Jun 21 '14 at 13:46

1 Answer

1

Good news! It looks like Gmail is HIPAA-compliant IF you are using a Google Apps domain and have requested a BAA from Google. A BAA is required for you to use external companies for such services for HIPAA compliance. Normal Gmail addresses are not HIPAA compliant AFAIK.

Your setup sounds OK - I would rather see some kind of changing password, which would at least offer protection against someone finding one password and having all voicemails.

If I were you, I'd rather create an HTTPS website to check your voicemail that can only be accessed via a VPN. While HTTPS is secure, if you put the information on a public web server, you open it up to other methods of attack. If you have it available on your network only, and then VPN into your network, someone will have to perform several attacks to get to the data you are trying to protect.

-- I'm sure you know how much the fines are for HIPAA failures. Make sure that you only use a Google Apps Gmail address with a BAA. It's worth the $50 per year for one account if you don't have it.

Mat Carlson