Is FortiMail a HIPAA Compliant Email Host?
by Ryan Ozawa
When designing your company’s digital strategy, including choosing which tools to use for different business operations, you might look for an all-in-one solution, a service provider that does everything you need and more.
As appealing as a “one stop shop” might be, however, you could be looking for a unicorn if your organization is a covered entity subject to HIPAA. Even if a company understands HIPAA requirements, safeguarding protected health information (PHI) across integrated systems is difficult and may lead to a HIPAA violation.
It may not be possible to use a single company for phone service, marketing, online forms, a HIPAA compliant website, and HIPAA compliant email. But if any company could check off most of those business services boxes, Fortinet probably could.
What is Fortinet?
Based in Sunnyvale, California, Fortinet is a sprawling, multinational corporation offering a huge array of products and services.
The company was founded in 2000 by two brothers, Ken and Michael Xie, and started out selling FortiGate, a hardware firewall. After securing more than $90 million in venture funding, the Xie brothers widened their scope, first adding more hardware like wireless access points, and then expanding into enterprise networking and software solutions.
Fortinet went public in 2009, with its initial public offering raising $156 million. By this time, the company had grown into an industry leader in cybersecurity solutions, with a menu that included hardware, software, and cloud services.
Does Fortinet offer email services?
Fortinet has an entire product line called FortiMail. Broadly, FortiMail is a secure email gateway that can be deployed in four different ways: as an on-premises hardware appliance, a remotely managed virtual machine, a hosted service, or a pure cloud offering.
Because the vast majority of businesses and healthcare organizations we work with are small- to medium-sized enterprises that rely on managed cloud services, we’ll focus on FortiMail Cloud. FortiMail Cloud security features include:
- Anti-spam features with sender, connection and content-level inspection
- Outbreak protection, anti-malware with emulation, unpacking, and click protection
- Detection of phishing, malware, and adult-content URLs
- Impersonation analysis and other techniques to thwart business email compromise (BEC)
That sounds like quite a lot of protection. But is it enough?
What does Fortinet say about HIPAA?
Fortinet certainly doesn’t shy away from compliance questions.
The company has a page dedicated to its Regulatory Compliance Solutions, which explains HIPAA and the fact that “covered entities must ensure patient information is kept safe while in storage and transit.”
Fortinet has a page dedicated to healthcare cybersecurity, talking about the overall threats and key challenges. The company has even published a whitepaper titled, “Secure Patient Care Starts with Fortinet,” in which HIPAA is mentioned twice on the first page.
“Fortinet offers a complete ecosystem of security products that can meet the needs of the smallest doctor’s office or the largest health insurer’s data center,” the whitepaper declares. “Our solutions span today’s most data-intensive industries, including government, healthcare, financial services, and education.”
But does this make Fortinet’s email service FortiMail HIPAA compliant? It’s not clear.
The company does say FortiMail “stops volume-based and targeted cyber threats to help secure your dynamic attack surface, prevent the loss of sensitive data, and help maintain compliance with regulations.” As part of its data loss prevention (DLP) features, FortiMail has “pre-defined HIPAA, SOX, and GLB lexical dictionaries [to] automatically enforce privacy policies with PHI content scanning.”
Fortinet also provides a tutorial on how to generate HIPAA compliance reports with its FortiDB product, which can connect to FortiMail.
And to add another layer of complexity, FortiMail, FortiDB and FortiGuard are just a few of the many different tools that can be managed with something called FortiCloud. It’s not just a portal, but a portal of portals.
Despite all of this, there appears to be no mention of Fortinet’s ability to sign a business associate agreement (BAA), a basic component required to affirm that a vendor is providing HIPAA compliant services.
Is FortiMail HIPAA compliant?
Fortinet does seem to cover all the cybersecurity bases across its massive product line. But our research demonstrates that Fortinet’s offerings, including FortiMail, are very complex to implement. This makes sense, as the company got its start helping businesses manage their own IT.
FortiMail also seems to require more than a few different Fortinet components working in tandem to accomplish everything the company promises.
Assuming that Fortinet will indeed sign a BAA (even though we could find no mention of one on its website), Fortinet and FortiMail can probably be HIPAA compliant, but it takes a lot of expertise and time to achieve and maintain that status.
How we can help
In contrast, Paubox Email Suite guarantees simple, seamless HIPAA compliant email, giving you critical protection without the need for extra logins, passwords, or portals.
With our HITRUST CSF certified solution, all emails are encrypted by default and can be sent directly from your existing email platform (such as Microsoft 365 and Google Workspace), with no change in user behavior.
The experience is equally simple for your patients, as they receive your emails directly to their inboxes, no passwords or portals required.
New customers can be up and running, sending HIPAA compliant email within half an hour of signing up on our website.