Delving Into Google Health's Privacy Concerns
SecureThroughObscure writes "Security researcher Robert 'RSnake' Hansen discusses numerous concerns with Google's new Google Health application, which aims to integrate users' medical records online. We discussed Google Health's opening to the public earlier this week. RSnake mentions that Google has found a loophole allowing them to provide this service without having to follow HIPAA regulations, which, combined with Google's track record of having numerous flaws leading to private information disclosure, draws serious concern. Security researcher Nate McFeters of ZDNet's Zero-Day Security Blog also commented on the article, mentioning several past vulnerabilities: ownership of content issues, Google Docs theft, a cross-domain hole, Google XSS, and a Google Picasa protocol handler issue leading to the theft of user images. He and fellow researcher Billy Rios disclosed these issues to Google, including the ability to steal GMail contact list information. McFeters says it's likely that similar unpatched bugs would allow an attacker to view medical records if a user was also using Google Health. Both McFeters and Hansen tend to agree that Google's vulnerability disclosure/notification is non-existent and really needs to be improved. Currently, Google does not report vulnerabilities it has fixed to its user base, for the obvious reason of trying to hide the fact that user data could have been stolen."
Why would anyone want to put their health info anywhere if HIPAA does not apply? I know that HIPAA is not perfect, but it at least has recourse if info is released or stolen.
Does Microsoft's HealthVault.com, which came before Google Health, receive the same amount of critique?
Let's examine Microsoft's HealthVault.com policies and how they compare to Google Health.
If you are afraid of your data getting stolen, DON'T USE IT.
Quite frankly I'm tired of people complaining on my behalf. Especially when I don't use whatever is being complained about and when the people complaining don't use it either.
Also... it IS a BETA (test). Once they are out of BETA they might actually have to apply HIPAA.
It's basically common knowledge, what GP is saying. I clearly remember watching both what my dentist's and my GP's secretaries used to type in my data, and it was obviously a client running on a Windows box. In the case of my dentist, there's a whole Windows dental information suite that he runs, which shows him x-rays and everything. He has multiple rooms with dentist's chairs, and each contains an apparently-identical computer; he can view x-rays and records at any of them, so they are obviously networked. How likely is it that this network is separated from the Internet by anything more than a consumer-grade router? Not very.
How much of a threat really is this, relative to tapes left in cars overnight, or the sloppy (or malicious) use of thumb drives? My gut says, "not a huge one," but I don't really know.
The real problem here is that your health care data is scattered across many processing and medical records systems from all the insurers and caregivers that you have ever been involved with. This results in doctors not having the needed information, costly redundant care, misdiagnoses, etc. Couple that with the growing trend to have people/patients manage their health care costs, and it becomes clear that solutions like Microsoft's and Google's are necessary and the potential benefit outweighs the privacy risk (trust me: no one cares about your anal fissures). This is far less of a problem in more centralized models where a longitudinal view of a patient is much more readily available (kind of like how the IRS has your tax history).