Delving Into Google Health's Privacy Concerns

SecureThroughObscure writes "Security researcher Robert 'RSnake' Hansen discusses numerous concerns with Google's new Google Health application, which aims to integrate user's medical records online. We discussed Google Health's opening to the public earlier this week. RSnake mentions that Google has found a loophole allowing them to provide this service without having to follow HIPAA regulations, which, combined with Google's track record of having numerous flaws leading to private information disclosure, draws serious concern. Security researcher Nate McFeters of ZDNet's Zero-Day Security Blog also commented on the article, mentioning several past vulnerabilities: ownership of content issues, Google Docs theft, a cross-domain hole, Google XSS, and a Google Picasa protocol handler issue leading to the theft of user images. He and fellow researcher Billy Rios disclosed these issues to Google, including the ability to steal GMail contact list information. McFeters says it's likely that similar unpatched bugs would allow an attacker to view medical records if a user was also using Google Health. Both McFeters and Hansen tend to agree that Google's vulnerability disclosure/notification is non-existent and really needs to be improved. Currently, Google does not report vulnerabilities it has fixed to its user base, for the obvious reason of trying to hide the fact that user data could have been stolen."

Not me

[strikeleader]

Why would anyone want to put their health info anywhere if HIPAA does not apply. I know that HIPPA is not perfect, but it at least has recourse if info is released or stolen.

Re:Not me

[Chicken04GTO]

Because people are dumb.

Re:Not me

[D'Sphitz]

Why do people think anyone cares about their health info? Worst case scenario is someone finds out you have VD, well sorry to inform you an overwhelming percentage of the planet don't care about you or your STD's.

Re:Not me

[Archimagus]

My Sentiment exactly. First off I don't know who would want to look at my medical record and second, I don't really care if someone does.

Re:Not me

[hal9000(jr)]

Google isn't doing this out of the goodness of their hearts. They want to monetize it, so how will they do that? Sell ads? Ok, where and when will they show up? Only when you are searching your health information or whenever you happen to be searching?

what about selling health information to other entities. Maybe they don't sell the identifying bits, but even regional data can have an enormous impact on your ability to get health and life insurance, the premiums you pay, etc. Insurance carriers already track regional trends, but more data means better predictions.

Look, corporate entities, and never, ever forget that Google is a corporate entity, have to make money and think about how they will do that.

Re:Not me

[eggstasy]

Why would anyone want to put their health info anywhere? I think most people would simply write down "uhh... healthy?".
Do people really have so many diseases it takes a computer program to organize them? :D

Unless you're really old, in which case you probably don't even own a computer. Would you need one to write down "don't forget take your blood pressure pills" or "remember to check your pee for diabetes"?
Or maybe you had a weird accident, in which case you would write "healthy, except for that nasty missing hand thing".
Or maybe you suffer from some rare hereditary or congenital thing... *shrug*
Aside from those, what are the odds of you EVER becoming ill in modern society?

To be quite honest, and having lost a large portion of my family in recent years, I get the idea that people these days are relatively healthy until they get something fatal like heart attacks, strokes and cancer.

Most infectious diseases have been wiped out. At least in the western, computer-using world?
I get a cold once a year, I eat something bad once in a blue moon, but I don't need a doctor or pills for it.
I really don't know anyone who would need to use something like this. Maybe I'm just lucky!

Re:Not me

[larry+bagina]

Says the guy posting under a fake name, not revealing his email address.

Re:Not me

[bberens]

I doubt they'll sell your health information to other people. It'll be more like "If someone has a history of back problems, show them an ad for my pain relief drug." Of course, I've been wrong before... I personally have no intention of using Google Health, but I wouldn't particularly mind that kind of thing.

Re:Not me

[MrMarket]

My Sentiment exactly. First off I don't know who would want to look at my medical record and second, I don't really care if someone does. Here are two types of organizations that would be very interested in you and your family's medical history:
1) Insurance companies: "Thank you for choosing Overabarrel Insurance, Co. Your policy is enclosed. Because your father and uncle had colon cancer, your monthly premium will be $10,000/month."
2) Employers: "You're a great programmer, but we can't bring you on full-time. Your records show that your father and uncle had colon cancer, and we can't afford to take on the risk of our insurance premiums going through the roof if you get it."

Essentially, health status can be a significant driver of discrimination in many different forms. The less someone knows about your health status (or your relatives health status), the hard it is for them to discriminate against you.

Re:Not me

Disclosing certain genetic conditions might preclude someone from ever getting insurance.

Certain conditions might warrant someone being put on the list of undesirables and queue them for liquidation.

Re:Not me

[asdavis]

I'm sorry, but you are not correct on this. First of all, HIPAA is the Health Insurance Portability and Accountability Act. Please notice the single "P" and double "A"s. Secondly, please attempt to count successful HIPAA prosecutions on a single hand. I bet you have a lot of fingers left. I'd also wager you'd be surprised to know that the budget for governmental HIPAA surveillance is approaching nil. Your recourse with most things healthcare are the civil courts, not HIPAA.

Re:Not me

[OverlordsShadow]

Exactly. Not to mention there could be more targeted spam, via email, flyers or phone calls. Someone sees you got burnt years back, call you up with the newest of the new plastic surgery techniques. Woman has breast cancer, gets an email from an implants company. Kid loses leg, gets a call, and multiple emails about cheeta prostetics and such. The list goes on. Someone will have a cure for anything they can find wrong with you. Not to mention targeted Google ads?

Re:Not me

[ShieldW0lf]

You don't understand insurance in the slightest, or you wouldn't make statements like that.

1) When you get insurance as an individual, if you have a previously existing medical condition, and you manage to conceal it, they won't dig hard. They'll just take your money. When it comes time to make a claim, it WILL come out then, and they will refuse to cover you, even though they took your money. Transparency in medical records will protect people from doing this to themselves.

2) When you get group insurance, personal medical records don't come into it at all. Not at all. They calculate the risks based on the probability that any employee will require treatment based entirely on their demographic. That is what makes group insurance plans so appealing in the first place.

I used to sell the stuff for a brief period of time, until I learned how it really worked and realized I wouldn't be able to look myself in the mirror if I didn't get out of that industry. I know what I'm talking about.

Re:Not me

[CrashPoint]

Why do people think anyone cares about their health info?

Because they do.

Re:Not me

[EMeta]

Because currently health information of regular people is not accessable for research or analysis. If I had a range of odd, undiagnosed symptoms, I would want to share that and be able to read others' accounts of similar symptoms. The fact that there are probably 500 people in this country sharing some rare ailment means none of them will ever find a doctor who knows anything about it. If just 10 of them didn't care about their own privacy as much as getting their problem fixed, they could compare notes and get better treatment.

Right now to do large scale medical studies, researches have to pay $100's per person involved. There will never be million-person studies on diseases that affect 0.1% of the population. Even accounting for the inaccuracies of self-reporting, the amount of medical discovery from such a database would rival germ theory's discovery.

And this can take only volunteers and still be fabulously useful.

Re:Not me

[base3]

When it comes time to make a claim, it WILL come out then

How will they prove it was preexisting if it was never documented anywhere (e.g. MIB, Google's big brother database, or what have you)?

Re:Not me

[ShieldW0lf]

When it comes time to make a claim, it WILL come out then

How will they prove it was preexisting if it was never documented anywhere (e.g. MIB, Google's big brother database, or what have you)?

Because the medical records are there, and have always been there. They aren't actually hard to find, it just takes time, so they don't bother to do it when you apply. They wait till they've gotten 10,000 of your money and are going to have to pay out 1,000,000 to care for you, then they pay someone to spend a few weeks digging for a way to refuse. That's the way the system works, and why it's such a cash cow.

Re:Not me

[MrMarket]

Then, you would know that most group contracts are up for renewal every year or so. If a group had a big bump in claims in a given year, the next time the contract is up for renewal the premiums will increase. This is particularly a problem for small companies where risk cannot be spread widely -- if one person in a ten-person group has a catastrophic episode and files $1,000,000+ in claims, the company's premiums will sky-rocket. If the company has an ASO contract (like GM for example), the company underwrites the risk themselves and the insurance company manages claims and negotiates provider costs. In either case -- the health status of employees has a direct correlation with how much a business pays out in benefits. For this reason, companies would have a big financial incentive to discriminate against people with high-cost hereditary medical conditions in their families.

Re:Not me

[ShieldW0lf]

It doesn't work like that.

If you open a hair salon with 20 hair stylists, they don't assess the 20 stylists for risk.

What they do is consult their actuary tables and determine the likelihood that someone will become ill or die based on their records for all hair stylists from all companies they have done business with in that industry over the last hundred years.

That is how they determine risk in groups. It doesn't have anything to do with the individual group, but on the demographic of the group.

Re:Not me

[Crazyswedishguy]

I bet your insurance company would be interested.

We're slowly approaching an age where genetic profiling is becoming more widely available. I have a family member who got his genetic information mapped, and it's possible that this is going to become common practice within ten years.
At that point, your doctor will be aware of your genetic profile and will be able to better assess your risk of contracting specific diseases, which would improve your ability to prevent them. This is something we could all benefit from.

However, imagine if your insurance company got its greedy hands on your genetic information, and found out you were 50% more likely to get a specific kind of cancer. Think they'd give you the same insurance rates?

This being said, I believe laws have already been proposed to prevent this type of profiling.

Also, I'm not sure that girl you met the other day at a party would still be up for going on a date if a Google search of your name brings up "did you mean gonorrhea?".

Re:Not me

[Crazyswedishguy]

1. If they can prove you knowingly had colon cancer when you signed up for insurance, they'll refuse to cover you. You're right about that. But if you were healthy at the time you signed up, they're under a contractual obligation to cover you.
However, several factors go into calculating your "risk" from which your insurance rate is derived: race, age, sex, are the basic ones. Any factor, including family history (not only your personal medical history) if available, will affect this rate. So if they accept to cover you when you're healthy, they have to take abide by that. But if they know both your father and grandfather had a specific type of cancer, they will give you a higher rate. So you're wrong.

2. Companies who provide insurance to their employees (through an insurance company) are subject to random tests, where only a sample of employees are given blood tests. The result of these tests will affect the rates. So you're wrong again.

Re:Not me

[ShieldW0lf]

1) If you have a family medical history, you are required to divulge it. If you don't divulge it, and it comes up later, they will refuse to honour your coverage because your application was fraudulent, despite having taken your money. So, you're wrong.

2) In my experience, that is an outright falsehood. Cite a source.

Re:Not me

[tkohler]

HIPAA applies to providers and insurance companies. If YOU give out your information, than too bad. Most hospitals have you sign a form that allows them to transmit much of your info anyway, which is often preferable (like from XRay tech to Radiologist to your doctor) than having to sign four different releases. Also, while much of HIPAA is about privacy, remember the "P" stands for portability, not privacy. The right to obtain your records. Google, MS and others are providing a place for you to keep them. Time will tell if that is a good idea or not.

Re:Not me

[MrMarket]

It is how it works.
After a long bout with emphysema an employee at Varney's, a family-owned business in Manhattan, Kan., died several years ago. But for Varney's health insurer, her legacy lived on.
The next year, 2002, the insurer raised Varne's premiums by 28 percent â" even though most of the other three dozen employees were significantly younger and healthier than their departed colleague, who had been in her mid-70â(TM)s. And Varney's premiums continued to climb.
âoeIt was as if her medical history stayed on the books for an additional three years,â said Jeff Levin, 46, who runs Varney's with his younger brother. âoeHow can you justify projecting those costs forward?â

Re:Not me

[ShieldW0lf]

Ugly. I stand corrected. Sucks to be American, I guess... it doesn't work that way in Canada.

Re:Not me

[Crazyswedishguy]

I can only speak for the US, so if you're in another country, this whole argument may be pointless.

1. I've been looking for evidence of this, but so far I haven't seen anything that says you have to disclose family history. What you have to disclose is medical history and pre-existing conditions for yourself and whoever is covered under your policy, but unless your parents and grandparents are under your policy, I have seen nothing that requires you to share their medical history. This might be in some providers' contracts, but I'm not even sure they're allowed to require it. Show me where it says that health care providers are allowed to require it (even though they may ask for it), and I'll be proven wrong.

2. In my experience... Our company has coverage with Harvard Pilgrim, and just 4 months ago, 3 employees (randomly selected) from our company had to take blood tests for insurance purposes (rates affected by these tests). I just talked to one of them to confirm. So yeah, I know first hand that this is true.

Re:Not me

[base3]

Ah--but it *does* have to be documented, then. So if someone manages to find out they were, say, diabetic or HIV positive through an anonymous test (don't know if this is even possible) but kept it under their hat until insured, and was never treated for the condition before having become insured, the insurance company still gets to pay. I was thinking that it might be possible for them to make the argument that the illness had to have been present before the date of insurance, even if they couldn't find documentation.

Surprised there isn't a significant market for anonymous, fee for service medical treatment or at least testing given the possibility of being blackballed for a showstopper illness.

Re:Not me

[Crazyswedishguy]

On another note, but related to tfa, in the news:
Bush signs genetic discrimination bill

Not a huge surprise.

Re:Not me

[gnupun]

Why do people think anyone cares about their health info? Worst case scenario is someone finds out you have VD, well sorry to inform you an overwhelming percentage of the planet don't care about you or your STD's.

Bullshit, why don't you post your and your family's medical history on this site right now? You can't have a free society without privacy. We sure as fuck don't want everyone's medical history in a government database (aka Google database).

Re:Not me

[gnupun]

I really don't know anyone who would need to use something like this.

Some recording may be useful, but vast majority of the info is useless... to the patients. Call me paranoid but I'm sick of Big Brother invading my privacy everyday, and this info is to be used for tracking individuals or some other nefarious activity in the future.

Re:Not me

No, they can also argue that the disease was present prior to your insurance coverage even if it isn't documented. This is why (at least in part) continuity of coverage is so important -- usually if you are covered continuously, you effectively get an out.

Re:Not me

"In my experience... Our company has coverage with Harvard Pilgrim, and just 4 months ago, 3 employees (randomly selected) from our company had to take blood tests for insurance purposes (rates affected by these tests). I just talked to one of them to confirm. So yeah, I know first hand that this is true."

There's almost nothing related to the OP that you could learn from these tests besides cholesterol levels -- and that's entirely reasonable, but a lot of private / individual insurers require you to submit to a cholesterol test anyway as a precondition of coverage.

"I've been looking for evidence of this, but so far I haven't seen anything that says you have to disclose family history."

Where you are wrong:

Have you ever applied for personal health coverage not through your employer? I just went through this in New York State. I applied for three kinds of coverage. The highest priced one required no additional information beyond the aforementioned cholesterol test and a signed statement saying I had not used a tobacco product more than twice in the previous twelve months. The other two sent out detailed questionnaires (9 and 15 pages) which asked about my families medical history.

I'm looking at the questionaire right now; a representative question is "do you or anybody else in your family have a history of any kind of cancer?" with a box for "If yes, please describe." At the beginning of the questionnaire (in the "definitions" section) "family" is defined as "you, any other individuals insured under this policy, and persons related to you biologically by not more than two degrees of separation" (that would include parents, siblings, grandparents, aunts and uncles but not cousins).

Where you are right:
The genetic non-discrimination act just signed into law prohibits such questions, but it won't take effect until 2009.

So in sum: you will be right -- in another year or so.

But think of the benefits...

When you get syphilis all the websites you visit will be carrying convenient advertisements for the necessary treatments.

Re:But think of the benefits...

"When" I get syphilis?!? I'm asexual you insensitive clod!

Re:But think of the benefits...

hey wow, a funny comment copied from the original site. Clever...

Microsoft's HealthVault.com policies comparison

Does Microsoft's HealthVault.com, which came before Google Health, receive the same amount of critique?

Let's examine Microsoft's HealthVault.com policies and how they compare to Google Health.

Re:Microsoft's HealthVault.com policies comparison

[jeiler]

Does Microsoft's HealthVault.com, which came before Google Health, receive the same amount of critique?

Yes, and for much the same reasons.

Re:Microsoft's HealthVault.com policies comparison

[Sporkinum]

This is an email exchange I had with Microsoft on this very subject.

From: HSG Privacy [mailto:hsg-priv@microsoft.com]
Sent: Wednesday, December 19, 2007 4:22 PM
To: XXXXXXXXX
Subject: RE: Health Vault Privacy

  Dear Mr. XXXXX,

Our sincere apologies for the long delay in providing you a response to your inquiry.

Because HIPAA applies to organizations and not products, HealthVault and HealthVault Search do not fall under its purview. Microsoft is not waiting for regulations to define our privacy and security practices. Microsoft made the decision early on to set rigorous privacy policies for these products.

Health information technology is evolving rapidly and privacy remains a central concern. Core to Microsoft's privacy principles is our belief that health information is most effectively protected when consumer are at the center of the healthcare system and in control of their information.

Microsoft supports a comprehensive federal approach to privacy legislation. We believe federal privacy legislation should include four key elements to help protect consumer privacy, and to support businesses' privacy policies and compliance efforts. First, there should be a uniform baseline standard that applies across all organizations and industries. Second, any legislation must increase the transparency regarding collection, use and disclosure of personal information. Third, individuals must have meaningful control over the use and disclosure of personal information. Finally, we believe there should be minimum-security requirements around the storage and transit of personal information.

Best regards,

HSG Privacy Team

From: XXXXXXXXXXXX
Sent: Thursday, October 04, 2007 10:36 AM
To: HSG Privacy
Subject: Health Vault Privacy

I noticed while going through the privacy statement there was no reference to HIPAA. With something as personal as one's medical records, HIPAA compliance is a must! http://www.hhs.gov/ocr/hipaa/

Also, I would not be surprised to see a company offer some sort of beneficial tracking program, and then use the data they get through authorization to deny insurance or raise premiums. With advertising being the primary reason for the service, the probability of misuse would be relatively high, I would think.

Re:Microsoft's HealthVault.com policies comparison

[hal9000(jr)]

IANAL, but CFR 164.104(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter and the comments to CFR 160, 162, and 164, indicate otherwise.

Both Google and Microsoft are engaged in transmitting healthcare information.

Re:Microsoft's HealthVault.com policies comparison

[gatekeep]

But neither is 'A health care provider'

Re:Microsoft's HealthVault.com policies comparison

[hal9000(jr)]

Good point. It also applies to an entity that is a business associate of a covered entity. It also applies to "healthcare clearing house."

Both seem to apply here.

Loophole?

[jeiler]

Google has found a loophole allowing them to provide this service without having to follow HIPAA regulations

So the only thing protecting personal health information at Google Health is internal policy and "Don't be evil"? I guess that means they'll protect your PHI--as long as you're not a dissident in China.

Re:Loophole?

[ShieldW0lf]

This is good. Game-changing type of good.

By the time this has all panned out, there won't be any illusions of privacy, only an ever increasing number of people getting their information bought and sold and revealed all over the place until they finally demand to be in on the "knowing whats going on" like everyone else and demand a social order that doesn't revolve around secrets and leverage.

Go Google! Gather it all and screw up keeping control like you usually do!

Re:Loophole?

[funnyguy]

Well, not so much a loophole as HIPAA was not designed to protect data at healthcare record storage companies chosen by the patient. I don't think google "found" this as it has always been known to all of the healthcare community (at least security professionals). You are only covered by HIPAA if you are a "Covered Entity" (CE) which includes health plans (insurance), healthcare providers (doctors) or a healthcare clearinghouse (converts non-standard healthcare data into standardized healthcare formats like X12 format).

If Google or any healthcare records storage comapany is being used by a CE and has a contract with that CE, they are a Business Associate. BAs of CEs are subject to the HIPAA Security Rule (the section of HIPAA that is in question and largely referred to about protecting healthcare data).

Re:Loophole?

[Hoplite3]

"Don't be Evil" is localized to the local value of evil.

(It's not funny, it's pretty much how Google operates.)

Re:Loophole?

[Dekortage]

...an ever increasing number of people getting their information bought and sold and revealed all over the place until they finally demand to be in on the "knowing whats going on" like everyone else...

And then they will have to buy their own information just to find out what it is. Doesn't matter that you gave it up for free; if you want to know how it is being used or presented, it will cost you.

It will be kind of like the credit bureaus: you can get a free credit report from them (once a year) but if you want your All-Powerful Credit Score, you gotta pay. Sure, it's not a lot of money, but it's still You Paying For Your Own Info.

Re:Loophole?

Thank you for pointing this out. It is definately misleading to say that "Google has found a loophole allowing them to provide this service without having to follow HIPAA regulations." The regulations do not directly cover Google, whether it wants them to or not. Google could elect to follow the provisions of the privacy and security rule, but they still wouldn't be subject to government regulation or penalties if they failed to uphold the law.

Re:Loophole?

[Trojan35]

Hmmm.. so if you're a dissident in China, they can now easily check if you have working Kidneys for sale?

Google Calendar exploit?

[bramp]

I think I found a information disclosure problem with Google Calendar, but after a trying to contact Google twice I have given up.

If anyone is interested please read: http://bramp.net/blog/google-calendar-exploit

and hopefully if this is a bug it can get passed on to Google.

Re:Google Calendar exploit?

[Shadow-isoHunt]

Publish it on milw0rm, or post it to bugtraq. It'll get fixed.

Do evil

[kbg]

Well given that Google can be pressured by evil governments or evil companies into doing evil things, as history has shown. I think it is given that they will use this information for evil purposes, maybe they are planning to sell this information to insurance companies.

Rough Analog

[FurtiveGlancer]

To me, this would be akin to plastering my personal medical records on a bulletin board in a busy public place with a single coversheet on each item that says "Private Medical Information: Please don't read this."

Thanks to the military, I had an introduction to very early "on-line" medical records. Yes, you guessed correctly. Those records are "no longer available." Fortunately, I requested copies of every contact and kept those in a personal copy of my medical records.

Safe Now With Windoze?

[Erris]

Most hospitals now use some form of Windoze client like Impact. The staff surf the web with IE on the same machines. Do you think HIPA means anything in an environment like that? You might as well let Google serve records to people's home PCs because there's no difference between home and hospital now.

Re:Safe Now With Windoze?

[BlowHole666]

Do you have proof of this or are you just saying this because you do not like Windows? How do you know the computers not locked down where the users can not surf the web? Where is the proof?

Re:Safe Now With Windoze?

The healthcare org I work at the machines with Impact (amazingly enough) are very much locked down through ScriptLogic, so they relock themselves each time someone logs into them. We believe them to be secure and as far as I'm aware we haven't had security problems with them (at least in the past 3 years)

Also we are currently testing out the Microsoft solution for this, as Electronic Health Record stuff is getting to be a very big deal and we don't want to be left behind...

More and more vendors are doing IE apps instead of thick, much easier to maintain, and normally less chance of conflicts with other apps (except the evil Java...)

Re:Safe Now With Windoze?

I second that notion. I have to deal directly with software installed on hospital workstations, and more often than not if I RDP (or ToMyPC or Webex) to someone's workstation they have at least their Hotmail/Yahoo open.

While I find the managers and IT are generally good about it, it's the minions that are dealing more directly with the patients records and they seem to be the worst offenders.

I don't necessarily dislike Windows (if properly secured,) but I do dislike IE...

Re:Safe Now With Windoze?

[TerranFury]

It's basically common knowledge, what GP is saying. I clearly remember watching both what my dentist's and my GP's secretaries used to type in my data, and it was obviously a client running on a Windows box. In the case of my dentist, there's a whole Windows dental information suite that he runs, which shows him x-rays and everything. He has multiple rooms with dentist's chairs, and each contains an apparently-identical computer; he can view x-rays and records at any of them, so they are obviously networked. How likely is it that this network is separated from the Internet by anything more than a consumer-grade router? Not very.

How much of a threat really is this, relative to tapes left in cars overnight, or the sloppy (or malicious) use of thumb drives? My gut says, "not a huge one," but I don't really know.

Re:Safe Now With Windoze?

[Schlage]

Of course, your insecurely networked dentist only has access to a small portion of your medical records, while Google Health would (presumably) eventually be caching your entire medical history.

Security concern becomes of a whole different order of magnitude when dental, medical, and mental health information all get chunked into the same system, then it becomes kind of like a Real ID for health; convenient one-stop shopping for all your privacy-invading needs.

Re:Safe Now With Windoze?

It's very likely NOT connected to the internet at all. My dds has a similar setup, including a service tech who comes in once a month to apply patches to the system because it's disconnected from the internet. Doctors don't fuck around when it comes to HIPAA.

Re:Safe Now With Windoze?

"windoze", god that's so passe. People like you are so annoying, you can't make a point without insulting someone or something you dislike. No better than children with petty complaints.

You would think after all these years we can call them Microsoft instead of Micro$oft and Windows instead of Windoze or Winblows. You'd probably soil yourself if I called GNU/Linux LINSUX, wouldn't you.

Besides, your point has nothing to do with what was being discussed on this thread. You were obviously just looking for an opening to do this dumb thing you do.

Dunno, just having a bad morning I guess. But I dislike people like you very much.

Re:Safe Now With Windoze?

[dedazo]

It's basically common knowledge, what GP is saying.

No, it's not "common knowledge" at all. My company did a HIPAA-compliant solution for a large provider in 2004-2006 (think Kaiser Permanente-level scale). I wasn't in charge of the client side (which were rich client apps) but I know the developers had a hell of a time trying to get everything to work because the terminals were so locked down. For starters, they didn't have a connection to the internet, and IE wasn't even available. The login provider was replaced by a custom GINA DLL and the desktop was basically the company logo. The start menu had nothing but links to the URLs that pointed to the provider applications. Ctrl+Alt+Del did nothing, you couldn't run a task or bring up a console, nothing. The terminals themselves had a BIOS-level on boot encryption password from PGP (even though no data was stored on them) and they had no floppy, CD-ROM or USB ports. The keyboards had an integrated trackball and the cable essentially went into the chassis so it could not be disconnected, so no PS2 ports either.

And you should have seen the process for getting data backups offsite to Iron Mountain. It involved an Arthur Andersen auditor, a security box, witnesses, signed statements and an armored car.

If your healthcare provider is browsing their Facebook account in IE while fiddling with your medical records, I suggest you report them.

twitter here is doing the usual "Windoze" thing with his sockpuppets because he feels that Microsoft are to blame for the irresponsibility of companies who use their operating system for things like HIPAA-compliant systems. Not like it's rocket science to secure a Windows box by pushing a piddly policy script off of a domain controller.

Re:Safe Now With Windoze?

[TerranFury]

Mod up! Good info here. I'm curious about this now; I wonder if small doctors' offices like the ones I was talking about maintain a similar level of security? I'm sure they hadn't modified the hardware (as different from your case); the computers I've seen each time I've looked have clearly just been vanilla Dell models. I wonder if they at least leave them off the internet as AC suggested? There are hints that they don't, but now I need to investigate this more to know for sure.

Re:Safe Now With Windoze?

[dedazo]

I really don't know what the guidelines are for small providers. I would think they are the same, though probabl not implemented with the same zeal. But I was serious in my recommendation to report them if you see things like that happening. After all, it's your medical records that are on the line.

Oh Geeze...stop hyperventilating

[Danathar]

If you are afraid of your data getting stolen, DON'T USE IT.

Quite frankly I'm tired of people complaining on my behalf. Especially when I don't use whatever is being complained about and when the people complaining don't use it either.

Also..it IS a BETA (test). Once they are out of BETA they might actually have to apply HIPPA.

Re:Oh Geeze...stop hyperventilating

[techpawn]

Also..it IS a BETA (test). Once they are out of BETA they might actually have to apply HIPPA.

Gmail, google maps, and google talk are still in beta but that hasn't stopped people from widely using them.

I think your first piece of advice is the best piece there blue canary. If you are worried, then don't use it. I personally want as few people as possible handling my medical records.

Re:Oh Geeze...stop hyperventilating

When everything you have is beta, nothing is really. Google uses BETA as a way to get around having to fix things.

Re:Oh Geeze...stop hyperventilating

As a complaint, I would have agreed that this article would have been annoying. I, however, thought it was more of an advocation of scrutiny to help inform potential GH users of some risks they might not have been aware of. That's never a bad thing.

Re:Oh Geeze...stop hyperventilating

[Niten]

Also..it IS a BETA (test). Once they are out of BETA they might actually have to apply HIPPA.

Whatever factors may conflate to determine whether or not Google Health legally falls under the purview of HIPAA, I assure you that whether the product has a "Beta" in its name is not one of them.

Re:Oh Geeze...stop hyperventilating

While there is an element of truth in what you say about people overreacting to problems like this, it is, also, important to publicize shortcomings in initiatives like this before they become accepted as standard practice. "What do you mean that you don't have your medical records on Google Health, I'm sorry, we only accept patients who have their records in a centralized data base." That quote I made up is a bit hyperbolic, but that sort of thing happens.

But what about black clap?

I want to now now

document and image "theft"?

[Speare]

I tend to tune out any argument that uses the word "theft" to describe unauthorized access. Did the Google Docs flaw deprive the owner of the document any access to the document, while keeping it for themselves? Did the Picasa flaw deprive the owner of the image any access to the image, while letting others have it? I suspect the answer in both cases is NO, the original owner had plenty of access to their own copies, and thus the inaccurate use of the word "theft" seems crafted to shock or mislead or conflate the actual issues.

Talking heads

[twistah]

I love when people regurgitate common knowledge and try to sell it as something new and interesting in order to bolster their popularity.

Google managing my medical records?

[prxp]

I'd rather die.

Re:Google managing my medical records?

[cparker15]

Let me get this straight... the options are:

1. Have Google manage your medical records
2. Die

You choose #2?

Have fun with that. I'm sure Google won't hesitate to include you as a statistic somewhere as a result.

Re:Google managing my medical records?

[networkconsultant]

In soviet Canada free (cough taxes cough) health-care fix you!

Re:Google managing my medical records?

[gnupun]

It won't be modded funny ten years from now.

What's all the fuss?

[asdavis]

Seriously, I really don't understand all of the fuss people are making here about Google Health. Perhaps I have a different perspective as I have worked in the Healthcare IT space for a major HIPAA Covered Entity and built their HIPAA Security program. Let me clear up any illusions you may have... HIPAA Covered Entity != Secure. HIPAA is designed to address the privacy and security of Protected Health Information, aka "PHI", as it relates to treatment (This is a generalization, but is fairly accurate). Since Google is not involved in the treatment of patients, HIPAA does not apply. You would be astounded to who has access to your electronic medical records during the course of treatment. Even something as routine as a blood test would have electronic PHI (ePHI) transmitted between many organizations: Hospitals, Clinical Laboratories, Health Plans, VANs, Independent Physician Associations, and Physicians. Do you honestly think that the IT practices of your local Physician with a $600 Dell PC running Vista Home, no virus protection and a DSL line is protecting your data in a more sophisticated manner than Google? Why do people lose their senses when operating in an electronic world? Allow Google to store your ePHI is no different than asking a friend to hold onto your paper medical records. Your friend isn't bound by HIPAA either. If you don't want your friend to peer at your records, then don't let him hold onto them. Google is offering a convenience service. Like all convenience services, it comes with risks. If the risks are too high for you, don't take them. Google hasn't done anything wrong and they certainly have not found a loophole. Healthcare organizations deal with non-covered entities all of the time. Do you think that the company that prints the invoices for your local doctor, hospital or laboratory is a covered entity? I will admit there is one difference however, since the patient is the one making the request for the records to be transferred, there is no "Business Associates" agreement (another HIPAA term) between Google and the covered entity. Quite honestly, these aren't work the paper they are printed on anyway.

I for one will not be using Google Health for my own records, but that's just me.

Re:What's all the fuss?

[overshoot]

You would be astounded to who has access to your electronic medical records during the course of treatment.

Or not. The whole idea is to make the records available to anyone who needs them, such as emergency personnel in the distant town you're visiting when you're unconscious. (I'm not making that one up; it's one of the favorite selling points for these access-anywhere databases.)

It's a great idea, but of course it only works if every EMT on the planet has access to your records. You can calculate the privacy implications.

Re:What's all the fuss?

> Since Google is not involved in the treatment of patients, HIPAA does not apply.

Not exactly true. Not everyone who treats patients is covered by HIPAA and lots of entities that don't treat patients are covered.

For better or worse, congress pegged HIPAA to electronic data, and it covers anyone who treats or is involved in the billing for treatment - AND who transmits that data electronically. Your local primary care MD who never converted to electronic records is not bound by HIPAA and can store your file in the waiting room if s/he wants.

HIPAA is no panacea, but it does provided pretty straightforward guidance on minimal standards of data protection. Most large healthcare providers now require that their vendors be HIPAA compliant, so outsourced laboratory, billing, dictation transcription etc are managed in a way that meets HIPAA standards.

The big concern here is that Google is unable to state that they meet HIPAA standards, even if they aren't a covered entity. They should, and if they don't MS or someone else will and use it to hammer them with in the market.

All that said, the poster is totally correct that Google is not abusing a loophole. The law was written this way very deliberately, and if consumer's want to entrust their data to an organization that doesn't meet industry standards for safeguarding their data thats their choice. I won't be using it either, even though the hospital where I work as an MD and get my own care is partner.

Re:What's all the fuss?

[N1ck0]

I agree with you 100% on the entire HIPAA != security aspect. I work managing datacenters for a large healthcare transcription and medical records technology company, and trust me HIPAA leaks happen pretty often (we of course follow the protocol and log and inform the hospitals of such events, but its not that uncommon).

And then there is a large portion of the industry which no one really looks at anyway. Right now a good portion of medical records are shipped to part-time home workers to transcribe audio recording into your actual medical records. And a majority of these people work from home on personal machines, loaded with everything from kids games to malware, hooked directly to cable modems...and their concept of security is having a password on their windows XP account.

Also paper is still rampant at offices, who often distribute records by fax, email, etc...and trust me health care providers are notorious for entering some random company's email address or fax number into a system by accident (The worst I've heard is an automated billing system sending copies of hundreds of patents records to a local Kinko's by mistake).

To be honest I would trust google's security over some of the home users, clinics, and random small medical service organizations that many hospitals use any day of the week. While they are more 'visible' to the populace they probably have less frequent security breaches then what exists now.

Re:What's all the fuss?

[filthpickle]

Agree with the point about the practices of your local doctor.

I work for a clearinghouse, my job is to assist them in getting set up to use us. I handle mostly UNIX based systems, you would be astounded at how quickly they will give up their root password. So quickly that I can't help but think that they would tell anyone that called and asked.

I probably say "you really shouldn't do that, it's a HIPAA violation" 5-6 times a day. Also, everyone so quick to champion the HIPPA laws probably doesn't realize that there is really no enforcement arm (although I hear this is about to change).

I would say that the only time you can be sure, or at least feel confident, that your data is protected is while it's being transmitted between the doctor and the clearinghouse(if used), and then the clearinghouse and the insurance company. Just about every clearinghouse/payer is large enough to have an IT staff dedicated to securing the data. Just about every doctor's office is not.

I can say that one thing HIPPA has done is at least put it into the minds of Docotors/Billers that security is an issue. If they know what they need to do, or are willing to spend the money is another issue.

Re:What's all the fuss?

[Raenex]

Paragraphs are your friends.

Google and Do Evil

[Stormcrow309]

I always had a problem with a company with the value statement of 'Do no evil' who doesn't spell out what that means in detail. I was listening to Stafford's Entrepreneurial Thought Leaders series this weekend and Google.org was discussing using their engineering talent to recognize epidemics before anyone else. My guess is this is how Google plans to do it. It is clear Google intends to use this data, but I think has done a poor job defining exactly how. Add in the fact that Google has bowed to governments for information on their citizens and I end up with a cold chill. Working in the health care industry, I see the value of patient records that are easy to transfer for the patient, but I am not sure this is the way. The little security analyst in me is screaming bloody murder.

Re:Google and Do Evil

Having worked as a software engineer in the health care industry for many years, I can attest that maintaining consistently enforced privacy measures is a never ending battle. There are so many points at which staff or systems can fail and expose private health information. HIPAA is a step in the right direction, but the bottom line is that once medical information has been disclosed, it cannot be taken back. This is already a problem when an individual's health information is accidentally/maliciously shared by a single health provider. Now scale this issue up to an international scope in the case of Google, who may have a profit motive to share this information with third parties such as insurers and will most likely store this information indefinitely.

A person participating in Google Health who is receiving treatment for a socially unacceptable health issue such as an STD or mental illness or has a family history of disease may find that they are eventually unfairly discriminated against.

Re:Google and Do Evil

[Stormcrow309]

I would agree with you. I am surprised that HIMSS hasn't raised unholy hell over this. I think that I am safe to recommend that users do not trust this service and not use it. I think that an electronic way of moving data between places is a good thing, but with a requirement that every data move transaction requires patent consent. Without patent consent, which is the best standard of how we should do things in health care, then data should not be shared, with a check for consent per instance of use. In addition, data access should be logged for 20 years, with unauthorized access with a hefty fine for a Google type corporation per instance with a 100 times multiplier for not disclosing immediately upon discover.

In other words, these centralized storage concepts should have a significant risk for any venture.

Health

[certel]

If you need Google to list all of the health records, you should be worried about more than just someone finding out some information...

Want access to thousands of Google accounts?

Do you want to access people's google accounts without even needing to come up with an attack?

1. Start a website requiring users to sign up with email addresses and passwords
2. Go through your DB and get a list of all the gmail ones
3. Try logging in with the gmail usernames and the passwords they gave your site
4. Over half of them will probably work
5. PROFIT!!!!!!

Last time I tried this, I picked about 10 at random. Six worked. I have thousands of gmail accounts in my users table. Lucky I'm not a black hat.

Security? What's security? People just don't think about it or take even the most basic precautions. This Health Records service seems like a very bad idea from a "what could possibly go wrong" perspective but I don't know if Google is to blame for that ...

Re:Want access to thousands of Google accounts?

Wow. What "security conscious" programmer stores plaintext passwords in a database?

Re:Want access to thousands of Google accounts?

someone building a website for the explicit purpose of farming passwords and checking for re-use, dumbass. It's not going to work well if you only save salted hashes.

Re:Want access to thousands of Google accounts?

Wow. What "security conscious" programmer stores plaintext passwords in a database? Slashdot? Myspace? Every other website that wants to offer users the ability to send their password to their email account?

On the site I was talking about (I'm the OP) they are not stored inline with the rest of the user data anyway. They are encrypted on another server and accessible only by a challenge-response web service request with a constantly changing key that's never stored on disk and only for a millisecond in memory. It would require total ownership of multiple servers, and the ability to change our running code, to get at the passwords - at which point they could just inject their own password sniffer anyway, which would probably be easier. Since I'd be emphatically out of a job by that point anyway, I'm not too worried : )

I'm not totally convinced salting/hashing the passwords is a good idea security-wise anyway. Sure, it helps the security of the database - but encouraging users to change their passwords a lot does nothing but ensure their passwords are weak, in my experience. Encouraging users to set a really secure password, then giving them the option to get reminded of it, seems an equally valuable step to take security-wise. All too often, I get the feeling that programmers automatically choosing the salt/hash system are just trying to make security easy for themselves rather than considering what the users really need.

Anyway, that's offtopic - either way, a great many websites store passwords in plaintext, including this one (or at least it used to ...).

Re:Want access to thousands of Google accounts?

[cparker15]

I'd like my hash without salt, please. And I like my eggs scrambled, with cheese. Thanks.

FTC regulations cover them which is likely better

[Blahbooboo3]

Enough with the HIPAA scare. Most of these PHR vendors privacy policies are STRONGER than HIPAA and are governed by the FTC which is (from what I understand) MUCH stronger than HIPAA rights.

Also, I believe an organization which changes a policy must ask their members to re-accept their policies under FTC regs.

who where when

[FudRucker]

who gets access to all this health data on people? doctors? lawyers? potential employers?

we're sorry Mr. JoeSixpack we Googled your health record and shows you are not qualified for the position and we already filled the position with a sterilized android...

Re:who where when

[safXmal]

Close to what I'm worrying about to. What if prospective employers start asking access to your health records. They do the same with your credit ratings.

I understand that you want to own your information but there should be limits to whom you can give access to.

The same as you're not allowed to give up your rights you shouldn't be allowed to give up certain private information.

I already don't like that your health information is given to health insurance companies so why should i want to give it to Google

Thanks for a real and EDUCATED response!

[Blahbooboo3]

Great response. Most of the people responding do not work in health IT and have absolutely no idea what they are talking about related to what HIPAA actually does -- which is about NOTHING since it just made all the lawyers money.

I responded above how actually the word is now that these PHRS and their privacy policies are under FTC regulations. My understanding is that the FTC regulations recourses are actually stronger than the HIPAA ones anyway. All the PHR vendors have privacy and data use policies that are STRONGER than HIPAA anyway.

Slashdot users are funny in how they think they know everything. I bet most here had to look up how to spell HIPAA.

Re:Thanks for a real and EDUCATED response!

what HIPAA actually does -- which is about NOTHING Hmm Jerry Seinfeld must be behind all this.

Oh boy another person with no idea

[Blahbooboo3]

Slashdot is pathetic. Google will never come under hipaa -- please look it up at wiki to learn what is a covered entity.

Besides, see my other 2 posts on this page explaing why HIPAA doesn't matter anyway.

My goodness, you were modded insightful with such mis-information?? way to go mods! :)

The necessary results of a fragmented system

[Zamfir]

The real problem here is that your health care data is scattered across many processing and medical records systems from all the insurers and care givers that you have ever been involved with. This results in doctors not having the needed information, costly redundant care, misdiagnoses, etc. Couple that with the growing trend to have people/patients manage their health care costs, and it becomes clear that solutions like Microsoft's and Google's are necessary and the potential benefit outweighs the privacy risk (trust me: no one cares about your anal fissures) This is far less of a problem in more centralized models where a longitudinal view of a patient is much more readily available (kind of like how the IRS has your tax history).

Re:The necessary results of a fragmented system

[Raenex]

it becomes clear that solutions like Microsoft's and Google's are necessary and the potential benefit outweighs the privacy risk There's no reason why HIPAA shouldn't apply to any such solution.

trust me: no one cares Potential employers certainly care. Financial background checks are now becoming common. You really don't want your health information sold on an open market, trust me.

I would

HIPAA only applies to the US. Health is a much bigger issue. Google Health just doesn't go far enough with what kind of information you can enter and what partners one can get information from.

I'm Your Insurance Company

[fast+turtle]

and we see that you have a pre-existing medical condition that we will never cover. We also see that you tend to engage in risky behavior (smoking/STD's) so we are now terminating all insurance policies as we don't want people who increase our risk of loosing money. Goodbye

I'm sorry Joe but based upon your Google Health Records, we have to let you go. We simply can't afford the loss of insurance coverage for everyone else in the company. No hard feelings.

That's just a couple of reasons for HIPPA. Do you really want to loose your job because the insurance company can deny you coverage and enforce it through employers? How about having a diabetic child, spouse, autism, other disability. Each and everyone of them could then be listed as a pre-existing medical condition and legally denied coverage for.

I know damn well that here in the states that unless we get a universal medical care (EU/Canada/UK) this is a piss poor idea though now that someone has figured out a loophole to HIPPA it looks like the insurance companies are going to push to kill it as fast as they can.

Re:I'm Your Insurance Company

[Archimagus]

A lot of you seem to be assuming that Google is trying to make your health information freely available to the public. That is not the case. This article talks about the possibility of your information getting STOLEN from google. Which, last I checked is illigal. So if your insurance compay got there hands on your information they would be contributing to illigal activities and run the risk of being shut down or at least sued to Hell and back. Right from the Google Health Web site.

Google stores your information securely and privately. We will never sell your data. You are in control, you choose what you want to share and what you want to keep private. Also it is not like google is going out and digging up all of your records, you have to manualy upload your records to their servers. If there is something you absolutely can not have get out then don't up load it, then it's not there to be stolen.

Re:I'm Your Insurance Company

[MrMarket]

No, we are arguing that the security of this information affects peoples' livelihoods and that users should be aware that the information in Google Health does not fall under the legal protections that HIPAA provides for privacy and security when deciding to use it.

idiot.

[redxxx]

Yeah seriously. I don't need privacy. I don't have anything to hide. I'm a healthy, white, male, heterosexual, non-terrorist, US citizen.

People that worry about privacy are either stupid or hiding something.

Madness

[Vengance+Daemon]

Those of you that comfortably have health insurance provided by your employer should be aware that the day comes later in your career when you might be forced to get your own health insurance through the "Single-Payer" system.

You would have to be stark-staring insane to put or allow ANY of your medical information on a system like this. The health insurance companies would love this, and would use it against you. In the Single Payer system, you are REQUIRED to give them access to EVERY bit of medical information that exists about you in order to even be considered for coverage.

You are MUCH better off to have changed doctors periodically, and have your medical information dispersed and much more difficult to find.

Never give doctors offices or pharmacies your correct Social Security Number either.

The health care system in the United States is a HUGE mess; they want your money, all of it, and if you don't have employer-provided health insurance or can't afford expensive medical care on your own, you just shouldn't get sick.

Re:Madness

[jbailey999]

Why on earth would you ever give a doctor your social security number?

When anyone other than my employer or my bank asks me if they can have my SSN, the answer is "no".

They don't care

If you would have read the WSJ and NYT articles, you would see people in the pilot were NOT concerned about others seeing their medical information. For them, the benefits outweighed the risks. It is THEIR decision, and it doesn't jive with yours, you're not forced to use it.

Correct Citation

[hal9000(jr)]

Sorry, that was CFR 160.102 and CFR 160.103. You can view it here.

Exactly! Medical Records in my Wallet!

[AmigaHeretic]

Great post!

>> Allow Google to store your ePHI is no different than asking a friend to hold onto your paper medical records.

I keep a list of my wifes allergies and medications in my wallet in case of an emergency. Yeah on a piece of paper in my wallet. So having them available online is just convienent. So I guess someone could steal my wallet too.

Also, as if a gave a crap who knows my medical history. You people have 12 deadbolts on your doors too? Paraniod much???

You people are paraniod!!

[AmigaHeretic]

I keep a list of mine and my wifes allergies and medications on a PIECE OF WHITE PAPER in my WALLET!!!

Oh my god!!

And, No I don't have a built in 100,000volt security system around my ass incase sometries to steal it.

The Obscurity of Security

Currently, Google does not report vulnerabilities it has fixed to its user base, for the obvious reason of trying to hide the fact that user data could have been stolen.

This sounds like the exact same way Apple handles their security. And Firefox. And Linux.

It's obviously worked out really horribly for all of them, huh?

Windoze, haha. twitter evangelism

Any moment now the gaggle of sockpuppets is going to descend on this thread to argue the merits of creative spelling and make lame jokes. Brace yourselves for an onslaught of righteous evangelism.

The use case for online health records

[Beryllium+Sphere(tm)]

If you live long enough, or if you get cancer early, you'll find yourself dealing with multiple medical professionals who aren't very good at sharing records with each other. Being able to point one doctor to the test results from another doctor can at the least save time and money and at best improve quality of care.

There's also the issue of the sorts of things people use MedicAlert bracelets for. I knew someone who was short on clotting factors and went to the hospital with chest pains. They told him something usually appropriate for a heart attack: they told him to take aspirin. Oops. Shared, readily accessible records could have prevented this accident.

That's the upside, the downside is obvious.

Limits of HIPAA

[Beryllium+Sphere(tm)]

Not only that, HIPAA doesn't give you recourse to the civil courts. There's no private right of action under HIPAA. There's been one attempt to sue for negligence on the theory that HIPAA sets a standard of care: dunno how that turned out.

(My doctor's office has documents with labels that say "HIPPA". I've given up on ever having it spelled correctly.)

Re:FTC regulations cover them which is likely bett

Yes, HIPAA is full of loopholes that make it the ENEMY of privacy. Under HIPAA, the "covered entity" is free to use your data as long as the purpose is "treatment, planning, or healthcare operations." You can imagine how easy it would be for a HIPAA-covered entity to sell your data and call it "operations."

It would be a mistake to regulate Google Health under HIPAA, unless HIPAA were to be reformed.

Google Health is right. Security guy is wrong.

[tr0tt3r]

Hi,
I have written extensively criticizing the HealthVault model. (which also applies to the Google Health model in some places)

However, in this case. Google is in the right. They are not and should not be covered by HIPAA. The purpose of HIPAA is to ensure that your healthcare providers to not abuse their information privileges (i.e. knowing you have AIDS before you do) by improperly disclosing that information.

Anything that Google Health does, is theoretically an extension of what you, the patient want to do with the data. The idea that the rules for both of these cases should be "HIPAA " is silly.

I have done a full analysis here

If you choose to reply, please read the whole article....

-FT

And?

What is the crisis? If people choose to personally and voluntarily upload their health information to some internet website it is their problem as to what happens next. Caveat emptor or some other Latin phrase so I look intelligent here ;p .

If it were doctors deciding to upload all their patient info without consent, THEN I'd be up in arms.

Re:And?

[gnupun]

Once enough idiots upload their info, it will become mandatory after several years, just like supermarket cameras led to public street cameras.

Don't be evil spelled out in details

[Per+Abrahamsen]

Here are the details.

What about an anonymous PHR?

The problem is not about HIPAA or not HIPAA. The problem is centralizing the medical information of millions of patients in a database. Do you know how much value has that database?

When you have a very valuable thing you need more and more efforts to protect the thing. But there is no 100% secure system.

As a family doctor I am really concerned about the privacy threats of the Personal Health Records.

I led a PHR project: http://www.keyose.com/

It is the first totally anonymous personal health record. No name, no email or other identification data required.

By providing a anonymous database we solve the privacy equation: not by rising the security costs but decreasing the potential value of our database for non-authorized intruders.

You may take a look...

"Confessors will not ask your name. Why do we?"