Slashdot Mirror

← Back to Stories (view on slashdot.org)

Delving Into Google Health's Privacy Concerns

Posted by Soulskill on from the you-can-trust-us dept.

SecureThroughObscure writes "Security researcher Robert 'RSnake' Hansen discusses numerous concerns with Google's new Google Health application, which aims to integrate user's medical records online. We discussed Google Health's opening to the public earlier this week. RSnake mentions that Google has found a loophole allowing them to provide this service without having to follow HIPAA regulations, which, combined with Google's track record of having numerous flaws leading to private information disclosure, draws serious concern. Security researcher Nate McFeters of ZDNet's Zero-Day Security Blog also commented on the article, mentioning several past vulnerabilities: ownership of content issues, Google Docs theft, a cross-domain hole, Google XSS, and a Google Picasa protocol handler issue leading to the theft of user images. He and fellow researcher Billy Rios disclosed these issues to Google, including the ability to steal GMail contact list information. McFeters says it's likely that similar unpatched bugs would allow an attacker to view medical records if a user was also using Google Health. Both McFeters and Hansen tend to agree that Google's vulnerability disclosure/notification is non-existent and really needs to be improved. Currently, Google does not report vulnerabilities it has fixed to its user base, for the obvious reason of trying to hide the fact that user data could have been stolen."

8 of 121 comments (clear)

  1. Not me by strikeleader · · Score: 5, Insightful

    Why would anyone want to put their health info anywhere if HIPAA does not apply. I know that HIPPA is not perfect, but it at least has recourse if info is released or stolen.

    1. Re:Not me by Chicken04GTO · · Score: 4, Insightful

      Because people are dumb.

    2. Re:Not me by MrMarket · · Score: 5, Insightful

      My Sentiment exactly. First off I don't know who would want to look at my medical record and second, I don't really care if someone does. Here are two types of organizations that would be very interested in you and your family's medical history:
      1) Insurance companies: "Thank you for choosing Overabarrel Insurance, Co. Your policy is enclosed. Because your father and uncle had colon cancer, your monthly premium will be $10,000/month."
      2) Employers: "You're a great programmer, but we can't bring you on full-time. Your records show that your father and uncle had colon cancer, and we can't afford to take on the risk of our insurance premiums going through the roof if you get it."

      Essentially, health status can be a significant driver of discrimination in many different forms. The less someone knows about your health status (or your relatives health status), the hard it is for them to discriminate against you.
  2. But think of the benefits... by Anonymous Coward · · Score: 5, Funny

    When you get syphilis all the websites you visit will be carrying convenient advertisements for the necessary treatments.

  3. Microsoft's HealthVault.com policies comparison by Anonymous Coward · · Score: 5, Insightful

    Does Microsoft's HealthVault.com, which came before Google Health, receive the same amount of critique?

    Let's examine Microsoft's HealthVault.com policies and how they compare to Google Health.

  4. Loophole? by jeiler · · Score: 5, Funny

    Google has found a loophole allowing them to provide this service without having to follow HIPAA regulations

    So the only thing protecting personal health information at Google Health is internal policy and "Don't be evil"? I guess that means they'll protect your PHI--as long as you're not a dissident in China.

    --

    If you haven't been down-modded lately, you aren't trying.

    Sacred cows make the best hamburger.

    1. Re:Loophole? by funnyguy · · Score: 5, Informative

      Well, not so much a loophole as HIPAA was not designed to protect data at healthcare record storage companies chosen by the patient. I don't think google "found" this as it has always been known to all of the healthcare community (at least security professionals). You are only covered by HIPAA if you are a "Covered Entity" (CE) which includes health plans (insurance), healthcare providers (doctors) or a healthcare clearinghouse (converts non-standard healthcare data into standardized healthcare formats like X12 format).

      If Google or any healthcare records storage comapany is being used by a CE and has a contract with that CE, they are a Business Associate. BAs of CEs are subject to the HIPAA Security Rule (the section of HIPAA that is in question and largely referred to about protecting healthcare data).

  5. What's all the fuss? by asdavis · · Score: 4, Informative

    Seriously, I really don't understand all of the fuss people are making here about Google Health. Perhaps I have a different perspective as I have worked in the Healthcare IT space for a major HIPAA Covered Entity and built their HIPAA Security program. Let me clear up any illusions you may have... HIPAA Covered Entity != Secure. HIPAA is designed to address the privacy and security of Protected Health Information, aka "PHI", as it relates to treatment (This is a generalization, but is fairly accurate). Since Google is not involved in the treatment of patients, HIPAA does not apply. You would be astounded to who has access to your electronic medical records during the course of treatment. Even something as routine as a blood test would have electronic PHI (ePHI) transmitted between many organizations: Hospitals, Clinical Laboratories, Health Plans, VANs, Independent Physician Associations, and Physicians. Do you honestly think that the IT practices of your local Physician with a $600 Dell PC running Vista Home, no virus protection and a DSL line is protecting your data in a more sophisticated manner than Google? Why do people lose their senses when operating in an electronic world? Allow Google to store your ePHI is no different than asking a friend to hold onto your paper medical records. Your friend isn't bound by HIPAA either. If you don't want your friend to peer at your records, then don't let him hold onto them. Google is offering a convenience service. Like all convenience services, it comes with risks. If the risks are too high for you, don't take them. Google hasn't done anything wrong and they certainly have not found a loophole. Healthcare organizations deal with non-covered entities all of the time. Do you think that the company that prints the invoices for your local doctor, hospital or laboratory is a covered entity? I will admit there is one difference however, since the patient is the one making the request for the records to be transferred, there is no "Business Associates" agreement (another HIPAA term) between Google and the covered entity. Quite honestly, these aren't work the paper they are printed on anyway.

    I for one will not be using Google Health for my own records, but that's just me.

    --
    TECMATIC - Intelligent Technology News