Slashdot Mirror
Can We Abandon Confidentiality For Google Apps?
An anonymous reader writes "I provide IT services for medium-sized medical and law practices. Lately I have been getting a lot of feedback from doctors and lawyers who use gmail at home and believe that they can run a significant portion of their practice IT on Google Apps. From a support standpoint, I'd be happy to chuck mail/calendar service management into the bin and let them run with gmail, but for these businesses, there is significant legal liability associated with the confidentiality of their communications and records (e.g., HIPAA). For those with high-profile celebrity clients, simply telling them 'Google employees can read your stuff' will usually end the conversation right there. But for smaller practices, I often get a lot of push-back in the form of 'What's wrong with trusting Google?' and 'Google's not interested in our email/calendar.' Weighing what they see as a tiny legal risk against the promise of Free IT Stuff(TM) becomes increasingly lopsided given the clear functionality / usability / ubiquity that they experience when using Google at home. So my question to the Slashdot community is: Are they right? Is it time for me to remove the Tin Foil Hat on the subject of confidentiality and stop resisting the juggernaut that is Google? If not, what is the best way to clarify the confidentiality issues for these clients?"
No, keep the hat, and demand better.
..the google apps contract is fine. IAAL and i use google apps for all my stuff. i DO maintain a separate backup but everything goes on google. the bar is also fine with it.
If you are in an industry where your internal communications/documents/etc should or must remain confidential, than you cannot trust Google Apps as your free platform for email/document creation/document storage.
If you don't mind the possibility that the world may get your data, then by all means feel free to use Google, or any other SaaS type offering.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Why does the story header appear *red* instead of the usual green? (Firefox 3.5 on Vista)
Le français vous intéresse?
Confidentiality is very, very important to businesses and individuals, even more so in the Internet age. One of the reasons to continue to operate your own infrastructure, no matter what the current hype is.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Well, I can. But not the idiots screaming 1984.
I would think Google apps is fine.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
immediately squelch any such thoughts.
"I don't know, therefore Aliens" Wafflebox1
From here: http://docs.google.com/support/bin/answer.py?answer=82366&ctx=sibling
"
Privacy and security: Understanding section 11.1 of our Terms of Service
Print
We've received questions over time about the meaning of section 11.1 of our Terms of Service. We realize that for those not familiar with legal agreements for services that use the Internet, these terms can look confusing, or even frightening.
The first thing to understand is that this language doesn't give Google ownership rights to your data. You, and you alone, own your content. Whether you wish to keep your content totally private, or share it with the world, that's your choice.
However, in order to honor this choice, Google Docs needs permission to display your content as you see fit. This is what we mean by a "license to reproduce." We need to ensure that when you click the "Publish document" button, or use the "Invite collaborators" option, we have the license to carry out your wishes. It is this agreement, between Google Docs and you, the user, that section 11.1 of our Terms of Service reflects."
Why would you even chance it? That's their EXISTING terms of service, but as always, those terms are subject to change without notice.
I can't imagine that HIPAA would allow this.
Sent from your iPad.
It might be an acceptable compromise. The same clients considering Google Apps are 99.999% likely to have a non-existent or ineffective backup/archiving system, lack the expertise/cash for sysadmining Microsoft enterprise apps and would probably benefit from being able to log in on multiple machines to access their data. All strategies involve risk - if you veto Google, they may be missing out on the best compromise solution. YMMV.
This is slashdot, not legaldot.
That being said, your writeup sounds like you're a contractor/have your own company. If that's the case, the best you can do (Outside of telling your customers you aren't going to and being fired) is make very clear, in writing, what your opinion is, and get them to sign off, in writing, that they are responsible and/or have another way for handling confidential info, etc.
I'm not sure if that's enough to cover your butt or not. See first sentence about this is slashdot, not legaldot. I would consult with a lawyer, preferably one that is not one of your customers.
If web apps are ever farmed out to foreign servers, you can kiss your privacy goodbye. If the government requests any data off the servers and weasels around the usual search warrant limitations, you're on your own.
Tell them about what could happen, and that the risk may be low but not zero. Because data have been exposed through sloppiness before, not only through malice.
Then make sure YOU are not liable if they violate HIPPA or something similar. Either don't support their Google stuff or make sure you have documented that they use Google SAS against your advice.
C - the footgun of programming languages
If they wanna do it, they gotta get a lawyer--a lawyer who knows HIPAA. HIPAA compliance is a pain--and noncompliance can be very expensive.
Lawyer costs may even outweigh the Google savings
As a Paramedic, I can say that HIPPA is extremely strict and will, if violated, force your license to be questioned as well as cause fines to be pushed your way. Honestly, doing ANYTHING outside of a secured network or a patient care medium (i.e. Pyxis, Temsis) with privileged, confidential information will plant a bullseye on your back. It is just not worth risking it. I can guarantee that an expert data thief is going to be more skilled and knowledgeable at computers and networking than any physician I know.
Your role, as a qualified member of the IT staff, is to make the higher-ups aware of the risks. Do your due-diligence, tell them the data isn't secure (in person, in e-mail, and maybe even on paper), and remind them from time-to-time (using creative new analogies whenever possible). That's it, you've done your job.
The fact of the matter is, regardless what the policy is, and regardless what they all "agree" on, they're going to put sensitive information on the Web. You'd have to take away their Internet access and portable devices to prevent it, and even then, they'd just go home and use that.
Accept that the best you can do is educate them and provide alternatives.
You don't use email for confidential information.
That is the biggest problem is that users think that email SHOULD be confidential. it is not.
I'd like to report them to the regulatory commission that enforces HIPAA rules.
Seriously, read up on HIPAA and get them to follow HIPAA rules, otherwise huge fines could be coming their way.
Just because a doctor hands out those privacy pamphlets doesn't give them the green light to ignore or circumvent the privacy and security rules. Claiming ignorance is not an option.
Get them off of gmail and google apps and put them on systems and networks that you can effectively apply controls too.
You have no control over the security and privacy controls in place within google apps thus you can't effectively satisfy the HIPAA rules.If they do not want to do an internal networks with servers, outsource it all to a data center that is HIPAA compliant and where you control the servers both physically and logically.
Good luck and hire yourself a partner or subcontractor that does HIPAA and SOX regulatory consulting. You could hire me but I'm $350/hr.
Frankly there is very little difference between individual employees at Google having access, and individual employees of a firm's IT consultant (or employees of the firm itself) having access. Yes, you might not, as a firm, know the identities of the relevant individuals at Google, but you probably don't know the identity of everyone who works at your IT consultant either. Oh, and Google has much, much more to lose if it becomes apparent that confidentiality has been compromised.
The bottom line is, Google doesn't have to provide an absolute assurance of confidentiality. It just has to be at least as good as what firms get now. In my view, that's not a particularly high bar.
You're gonna give up HIPAA info to the cloud? Sounds like a great way to end up in jail.
For corporate business I might be fine with using google apps, but I would never mess around with HIPAA-sensitive data... both for moral and for legal reasons.
What is missing in todays solutions is encryption on the client side so that the mail/calendar/photo/storage site cannot access the users own data. Question is, what will the "free it" providers gain by implementing that? I believe this can best be pushed by political means, forcing these kinds of requirements upon the providers.
Amazon published a white paper about using their AWS platform with HIPAA compient applications: basic idea is to keep data encrypted until it is in memory, and encrypt it again before writing to persistent storage.
For Google Apps, how about using rich clients that decrypt data for viewing/editing, and encrypt it again before storing back on big table, etc.
Perhaps Google themselves would implement this as browser plugins?
Far as I know the Google Mini Enterprise comes with all of the apps you need.
And since it's a local server, I suspect it'd still qualify for your confidentiality needs the same way any other local server would.
Question: Is Google Apps HIPAA compliant?
http://www.google.com/support/forum/p/Apps%20Partner/thread?tid=4d6f74d03de056c7&hl=en
Some interesting points raised.
Of course, it may have been you who originally asked this question Google in the first place...
If at first you don't succeed, so much for skydiving.
No lawyer can legitimately use Google-hosted services, unless they're doing work for Google. It would be a huge violation of confidentiality.
In Silicon Valley, where many lawyers are doing work adverse to Google, absolutely no way would this be tolerated. Even Microsoft Windows Update makes some lawyers nervous.
That's a better question.
Their policy suggests not.
Perhaps a Google engineer somewhere can "read your stuff" but only in the same sense that you could as the person administering your clients mail. Is that a worry? I'd expect Google have a lot more to lose if such a privacy breach happened than you, their whole apps hosting business would evaporate.
That said, if there are specific legal requirements for your industry you'd need to evaluate on those specific requirements not on what a random guy on Slashdot thinks.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
When you click "Accept" on many EULA's you give up rights to privacy of your data to that company. What's the difference if it's hosted or not. Microsoft can just as easily have Exchange phone home with data as Google employees can read your mail. There's no difference. You just have to decide which company you trust most.
If an officer ever threatens to taze you, say you have a pacemaker.
Typed "Google Apps HIPAA compliance" into Google and found your response from Google: Is Google Apps HIPAA compliant? The answer is of course, "it depends".
We are a contractor for the Veterans administration. The VA insists that we comply with privacy issues strictly. Any communications that have patient information must be sent on encrypted secure systems. No open email servers/hotmail/gmail/whatever is allowed. Failure to comply with the privacy (detailed in the out of control HIPAA set of rules and standards) is punishable both financially and by being banned from contracting with the US federal government. As an administrator, I have to remind physicians that if they are caught transmitting identifiable information of our patients over unsecured channels, it may cost us our contract and may result in their being banned from seeing medicare/medicaid patients. Anyhow, that's my two cents on utilizing gmail or such for sensitive information.
I just had another thought on this.
Assuming you cover yourself properly from legal liability, do whatever your clients want... Then turn them all into the HIPAA police (I know there aren't HIPAA police... I have no idea who does the enforcement actions; you get the idea) for some sort of reward.
It is not your job to educate them on their professional responsibilities. Odds are very good that you aren't competent to advise them on it, and it would arguably be a violation of their canons of ethics to take advice from you. Lawyers and doctors have ethics committees to field questions like these: refer your users to them.
In the interim, stand by your guns. If your users say they'll go to the ethics committee and they're sure they'll be exonerated, propose this as a hypothetical question: if you give privileged documents to an uninvolved third party, is the veil of privilege pierced? Yes or no? (The answer is usually "yes"; exceptions are rare.) So, if you give privileged documents to Google, is the veil of privilege pierced?
Don't give advice. Just ask questions, and whatever you do, don't give in.
http://www.google.com/support/forum/p/Apps%20Partner/thread?tid=4d6f74d03de056c7&hl=en
Unless you & your customers are encrypting all your communications then your email is already available to be intercepted & read. Aside from which, it's probably more likely that someone internal will be the one to leak emails, rather than some big bad corp. Do you expend the effort on security that google or other providers do?
Personally I think IT guys need to stop thinking that they're the hub of the business. If you're in the legal business IT is not your core business, it's an enabler. So whatever you can do to make that simpler/cheaper is a good thing as long as it meets your other requirements. Rather than a free service, you should look at paid services where there are contracts in place with SLA's. It doesn't change anything, but gives you a "you sue us, we sue them" position in the event something does go wrong. Make sure you're able to take backups locally so that you always hold a copy of your data & you're good to go.
I think there are three classes of company for the purposes of this discussion:
If you trust shared hosting providers; you shouldn't care about the Google employees who can access your data
If you trust managed hosting providers like Rackspace, particularly if they're hosting virtualised servers for you; you probably shouln't care about Google employees with access to your data.
If you don't trust managed hosting providers; well you're probably not reading this from the office, and Google Apps doesn't get a look in.
I'd say most companies fall into the second.
Until Google Apps can FLAWLESSLY import and export files with Microsoft Office (doc / xls / ppt) no company is going to use it. For good or ill, those are the file formats the world runs on. If Google fixes that issue (and that's a big if), then we can tackle the privacy question.
I don't understand what "possibility" has to do with it. Your data could "possibly" be exposed if you have your own infrastructure.
A more relevant question is probability. Is there additional exposure through using Google? Are Google internal security practices likely to be better than yours? If you are a small shop outsourcing your IT services anyway then why is Google worse than some other party?
Boffoonery - downloadable Comedy Benefit for Bletchley Park
If you think about it. We buy this closed software from a vendor and place it in our homes, businesses, schools and so forth. We then enter the most confidential data and undertake highly sensitive transaction and such and all the time MS are the only ones who know the inner working of this beast. Can we trust that MS are not accessing our data? Do they (or their selected partners) have a back door? Are they able to read our data?
This software is in govt depts around the world and in formats that they control - why should Google be any different?
Source: http://www.google.com/support/forum/p/Apps%20Partner/thread?tid=4d6f74d03de056c7&hl=en
Answer to your question.:
PeteGriffin@Google (Google Employee) + 3 other people say this answers the question:
From a sales standpoint, I would recommend turning the question around and asking them what steps they are currently taking to be compliant with the relevant compliance-acronym (HIPAA, SOX, FERPA, PCI, etc). Understand what steps they currently take to be compliant, and what their current solution is. You'll be able to quickly discover if it's a real showstopping requirement and be able to move on, if it's something that can be addressed by Google Apps... or if they are horribly un-compliant and they're hoping that Google Apps will solve all of their problems (and more!).
No solution by itself is going to be the silver bullet; organizations (especially small and medium businesses) have extremely varied IT infrastructure and policies, with information flowing in different ways for different reasons. Google doesn't certify or identify Google Apps as being compliant with any specific set of regulations. It's really up to the organization to determine if a solution meets their compliance needs for their specific situation.
Google Apps has a very impressive set of features that are extremely helpful when dealing with prospects with compliance needs. The Postini component of Google Apps (referred to as Google Message Security) allows for very granular control of email content (in and out). There are additional email archiving and retention components available. Google Apps is SAS 70 Type II certified. We have also made a good deal of information available about Google's security policies when it comes to our network of data centers through a hefty white paper.
If anyone has experiences dealing with situations like this, please feel free to share your thoughts. Tony Safoian over at SADA Systems has some good thoughts around this:
http://www.google.com/support/forum/p/Apps+Partner/thread?tid=2ce6b0904f65ac44&hl=en
don't even THINK about outsourcing that.
yes, giving it to google is outsourcing. what, you thought.....
you didn't think.
THINK.
keep the network OFF your medical (etc) files. sheesh! this is 101 level, people. come on.
let me be very clear; you do not want to put medical, legal or ANY sensitive info 'in the cloud'. anyone's cloud.
got it?
its very simple.
--
"It is now safe to switch off your computer."
But google is. They place ads based on the content of your emails (i.e. I get SVN commit messages, and lo and behold ads for SVN related stuff on the side bar). So at a bare minimum they have automated processes reading all your emails, extracting meaning from them and displaying ads to you.
if it were a service the lawyer/doctors/etc were paying them for, how would this be different than say a lawyer's office contracting their IT work to a tech firm?
FreeBSD for the impatient.
Sure, explain the risks, and recommend they run the idea past their lawyers.
It's their risk to take, and look at it from their perspective; they're already trusting you with their data. Why should they trust Google, with it's nigh infinitely deep and sueable pockets, less than they trust you?
What do you care more about, laws or Google's success? That's what I thought. Take the easy road./sarcasm
It's HIPAA, by the way, not HIPPA.
The question, then, is not one of "needing to trust Google". The question is, "Is Google more or less trustworthy than the current solution?" There is a fair argument that a large, multi-billion dollar company has a lot more to lose should things go sideways than a contractor. There is also a fair argument that they probably have 1000x more people with access to the data than an independent contractor.
This, of course, ignores any legal requirements like HIPAA, PCI DSS, etc. etc. But I think my point is still valid: If the client has already contracted out management and/or hosting of their data, they have already made the decision to trust an outsider. Going with Google or not is just a question of "which outsider do we trust"
Don't believe anything they say - Google is a publically traded corporation. The job of the directors is not to make a profit, it is to maximize profits. The example the founders set will only go so far. How much attention do other companies pay to their corporate slogans? How many of you can name the slogans of AT&T, IBM, Facebook, or other companies? And how much attention do the employees of these corps pay to their slogan? Does the Goldman Sachs slogan really drive its employees?
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
The fact is that if Google Apps is not secure enough for you, then neither is any network data that also shares a connection to the internet. Lets be honest, any network connection is a pathway to your data. If you really want security, close the loop. Otherwise, Google Apps is perhaps an appropriate reminder that you're ultimately vulnerable. If hackers can get onto the Google Apps Servers, then they're not going to be stopped by your internet security either. At least, not for long....Buggy browsers, malware, users, and Windows will eventually leave you naked. Google Apps is appropriate for many and is more secure than a Trojan bot key logger root kit polymorphic virus windows IE beta orgy toolbar macro, like most small business systems that I encounter.
HIPPA is the law, and organizations with a duty to protect patient confidentiality don't have the option of basing their security policies on wishful thinking.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
>Is it time for me to remove the Tin Foil Hat on the subject of confidentiality and stop resisting the juggernaut that is Google?
Is the information you are posting confidential? That's not a question you can answer by yourself: It's a combination of the business deciding, and whatever laws apply in your country. With the higher level being the decision. Medical and Law? Surely the answer is an obvious No.
Open Source Drum Kit, LPLC deve board - mjhdesigns.com
If I found out that any lawyer or physician working for me had put any of my confidential documents up on Google I would immediately terminate the relationship and file an ethics complaint.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
After all, Google will Do No Evil(TM)
What's wrong with trusting Google?
A better question is "Why are our records private?" Is there any real reason your company would need to protect this information? If not, then I guess it's fine to put the info up on the internet. If your company needs to keep some secrets, then you keep them within the company.
Twitter docs hack exploits stupidity vuln
As someone who works in the medical industry (a recent change of pace, I'll admit), let me say that if anyone in my company transmitted confidential information over a web mail service like Gmail or Yahoo!, they would be instantly terminated and possibly indited. Non-secure transmission of confidential patient information (even as simple as an insurance subscriber ID) is precisely the reason laws like the HIPAA protections exist. If these providers are your clients, it would be wise to make it very clear to them how illegal what they are doing really is, and how severe the repercussions are for their actions.
Think of it this way: Do you want Google indexing and/or caching your SSN, your policy number, or even your name as it relates to the results of your most recent colonoscopy? Didn't think so, and neither does anyone else in their right mind. I won't advise you to be a tattle-tale to any regulatory agency, but I'm surely tempted.
CAn'T CompreHend SARcaSm?
Maybe they are, and maybe they aren't. But here's the thing: you are being paid as an IT consultant, not a legal adviser or a compliance consultant. You need to ask what their requirements for security, privacy, etc., are, and, if they ask about using Google Apps to meet those needs, you should give your professional advice as to whether that service meets the requirements they have articulated to you. But you probably aren't qualified to tell them what their requirements are under HIPAA (not HIPPA) requirements, or any of the myriad of other specialized, domain-specific, privacy laws and regulations, or even to tell them which of those laws and regulations apply to them, and, if you aren't, you shouldn't hold yourself out as someone who can answer those questions for them.
Have your lawyer write up a legal letter which says that for any confidentiality-bound practice like lawyers or doctors, you recommend they do not use Google Apps as they are likely in breach of their own privacy-related responsibilities. Have the end user sign the document before you will do business with them. If they won't, then walk.
That way, when they get busted to the tune of millions of dollars for the sake of a couple of hundred bucks of office software, you can't take the fall.
Whilst this doesn't apply for internal emails and documents, and I realise there is a difference in storing archives insecurely on Google's servers than simply transmitting insecurely, I do find it interesting that many people are concerned about Google reading the contents of their email/documents, when they have been sending and receiving emails/documents for years in plain text, over routers and servers they know nothing about.
Put this in your email signature:
She was let off easy...
CAn'T CompreHend SARcaSm?
You have made the facts clear to your clients that google or other service providers can read potentially confidential communications. Aside from that, you have probably informed them as to the pros and cons with respect to reliability and usability of the online apps. At this point, you have fulfilled your duties.
Whether it is ethical for these individuals/entities to use web apps is a question for lawyers and as a cautionary note, you opining upon the ethics of using these services is border line practice of law.
As a lawyer, I often wonder about these things myself. Many small offices and sole practitioners rely upon hotmail/gmail for email services. Even those who set up a domain name and custom email addresses often still rely upon a third party to manage their servers, like GoDaddy.
I was developing an online application to manage client billing, but abandoned it due to privacy/ethical concerns.
But like I said, my original point is that your role is to merely inform the facts and determining whether it is ethical to use those services in light of those facts is up to the lawyers.
Good luck with that. We are not talking about postini. His OP was that his clients were using the free google apps products which is in the cloud utilizing applications, servers, networks that he cannot effectively ensure that controls are being applied to.
Plus Postini only gives you the assurance that transmission of data is potentially secure between the covered entity and the third parties. It is still up to the covered entity to ensure that they are compliant with all HIPAA rules both required and addressable. And addressable doesn't mean "optional" btw. As I tell most of my clients, as long as they have the risk analysis done, publish documentation, policies, procedures, and administrative, privacy, and security/technical controls are in place, they should be good to go. To be sure, they should get an external audit done. Remember once the doctor signs off that he is compliant, he's liable. And if he marks YOU down as his Security Officer, you become liable.
I'm going to assume, by the fact that the doctors are using the free apps to run their business on the cloud , that they have not done anything else to ensure HIPAA compliance.
Lawyers are another topic I could delve into but won't. I'm shocked your lawyer clients are actually using this. Client-Attorney Privilege, etc could be compromised. The lawyers I work with at the corp level would eat these guys for lunch by killing them with discovery.
I am not a lawyer, just a HIPAA & Sox consultant that works with Lawyers specializing in regulatory issues. My ultimate suggestion for the OP is to have their client talk to a lawyer specializing in HIPAA. Lawyers are another topic like I said.
No matter how ironclad the agreement or how draconian the penalties your data will still be public. Sue Google into non existence and well your data is still public.
Without physical security there is no security.
If you don't own the box and control access yourself there is no physical security.
No lawyer can legitimately use Google-hosted services, unless they're doing work for Google. It would be a huge violation of confidentiality.
No it wouldn't.
If Microsoft applications started "backing up" documents by sending them to Redmond it would be detected (If only by increased bandwidth at the main router) and the hue and cry would be deafening.
A sudden change in in or outgoing mail traffic will also be noticed.
AFIK, nobody has ever actually been prosecuted for violating HIPA.
I can't imaging google is hipaa certified as a storage provider for medical information.
-- Programming with boost is like building a house with lego. It's a cool but I wouldn't want to live in it
If I found out my legal info or personal medical records were being transmitted (likely in plain text) through gmail and other google services I would sue the crap out of everyone involved.
And I would win.
Once something is on Google, the up side is: any computer with internet access can log in and access it. The down side is the same: any computer with internet access can log in and access it.
If something is on your internal network, that already puts a bit of a limit on who can access those files. It's not bulletproof, and you can still get rooted, but it's a limit. The average Tom, Dick and Harry are as good as physically separated from that data, even if they can guess your password.
Once that stuff is on Google, essentially anyone who can guess your password is good to go.
For example, you only need one employee who uses the same password everywhere (it happens more often than you'd think) and has ever shared their home email password with their spouse, or their WoW account with the chinese guy who power-levelled it, or whatever. Or they only need the same password somewhere where you need to guess their mother's maiden name to get that password. (Again, you'd be surprised how many put the real maiden name there.)
Or some passwords are that easy to find out, because they're weak. People use their nickname, or pet's name, or whatnot as passwords all the time.
Some passwords aren't even kept secret. I know the logins for a local hospital _and_ the emergency medical service, without ever having worked there, just because the former was taped to the monitor and the latter was spoken out loud while I was there. And yes, apparently veryone there used the same. So every ex-employee knows those too. Plus any patient who can read or has ears.
So, ok, now you know a name and password for the hospital computers. Now what?
In a traditional IT scenario, they're only accessible from the internal network. Sure, you can try to sneak into a room and use their computer, but you can be caught, so most people won't. Sure, you can try to get them rooted somehow, but again most people wouldn't even know how.
Now move those files on Google, and you have a real extra problem. If that hospital ever moves its data to Google, every single patient who ever read the post-it on a monitor, can try it from their own home. No having to sneak anywhere, no risking that someone walks in on you, no l33t haxxx0r skillz needed. Just point your browser at Google, log in as a doctor, and read the medical data of everyone who ever used that hospital.
A polar bear is a cartesian bear after a coordinate transform.
seatbeltless cars, guardless chainsaws, helmetless bicycles and police free cities will all help this 21st century civilization embrace the anarchy that makes it more productive!
Good people go to bed earlier.
Use it, but remember to encrypt all of your documents on Google Apps/etc. Once done, you have significantly less worries.
As for Online apps having significantly higher fees than an old copy of MS Office 97? Uhmm.. I didn't know Google charged me anything for its services.
I can't imagine google is hipaa certified as a storage provider for medical information.
-- Programming with boost is like building a house with lego. It's a cool but I wouldn't want to live in it
People are evil. Corporations are not people, but people hide within their edifice in order to control others. Self interest is always abundant in our economy and society; and corporate greed is just a vehicle for that objective. Google, like Soylent Green, is people. If Google "Does No Evil" is that the same thing as "doing the right thing?" Perhaps its a start, but corporations don't deserve human rights, and people don't deserve a corporate domination of society and power. Our institutions need to be as accountable to society as our citizens - and its time we expect more from our people. Bottom lines despise human beings - and corporations would prefer no payroll or human interaction. Shareholders want profit, and it is a dehumanizing influence on the people who decide to lay off workers and rip off their customers. Incentives on the bottom line ignore other people's quality of life.
If they even so much as continue to talk about using Google, or any other insecure third party application, for sensitive patient data. There is no possible way to use Google without breaching HIPAA unless all the doctors and patients interested in using it are capable of successfully encrypting and decrypting all communications; which they are not.
Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
SMIME could be the answer. With free personal email certificates available from places like Thawte, it's trivial to enable end-to-end encryption with mail clients like Apple Mail.
I use Google Apps for my business and anything that's sensitive, I will encrypt. In Apple Mail, once you have imported your freemail certificates into your keychain, a couple of buttons appear in the Compose Mail window - one to sign and one - provided you have the recepient's public certificate in your keychain too - to encrypt. In order to get someone's public certificate in your keychain, all you need to to is send them a signed email, to which they can reply with a signed email and you will have each other's public certificates.
Since moving to Google Apps, I've saved power (by not needing a machine on 24/7 just to handle incoming and outgoing email) I've got email syncronised between my laptop, my desktop and my iPhone by using IMAP, I've got a great webmail interface that's powerful and easy to use and I don't need to worry about administering my own email server.
Reliability has been very good so far and I've moved a couple of my clients over to Google Apps as it makes sense for them to outsource their email hosting rather than handle it themselves, or pay per email address through their ISP and have very limited storage space and POP access.
Security is the least of my concerns - and I would consider myself a security conscious person. With email, even sent from your own server, it travels over so many insecure links from it leaving my server to arriving at it's destination that I don't believe outsourcing my email to a 3rd party like Google is any less secure.
As I mentioned initially, if security is a concern, and this applies even if you're running your own email server, use encryption.
Specialist Mac support for creative pros, Melbourne
Seyfarth:
http://www.seyfarth.com/index.cfm/fuseaction/publications.publications_detail/object_id/9275a22b-3998-494c-84d8-7d234e503d82/IssuesRelatedToCloudComputingArrangements.cfm
This is about "cloud computing", but google-anything is cloudy.
Doesn't everyone know that google is an advertising company? What do you think they do with every piece of data they get their hands on? They dig and search and categorize and correlate **all** data to sell you and other people stuff and services.
NEVER expect anything to be private with google.
Here, read it. You'll be surprised.
http://www.rdmc.org/cmhc/reports/HIPAA_Security_4.pdf
They are not really standards, just vague suggestions. For example:
"Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity."
Ummm, how long? Is a week alright?
"Implement policies and procedures to protect electronic protected health information from improper alteration or destruction."
and my favorite:
"Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate."
And so on.
Hard to take these "standards" too seriously. Very subjective, vague, open to interpretation. Not really standards. Simply saying: "require passwords" or "have a backup plan" is not useful.
Explain the risks (and benefits) clearly to them, in writing, with proof you did it. Storing medical info is particularly sensitive.
If your customers are willing to take the risk, it's their choice, and their responsibility, as long as you've been clear with them.
I think they'll back down when you come to them with a waiver to sign to clarify that they are responsible, not you.
The Cloud - because you don't care if your apps and data are up in the air.
It would be a massive risk of confidentiality breaches. I would rather only have to trust the people working for the law firm to prevent a data leak than have to trust them and the thousands upon thousands of IT workers at Google. Legal files could easily become high-profile overnight, especially if there are special interests who think they can them as a case-in-point for whatever agenda they have; an IT worker at Google might be paid off to leak some files, and with so many IT workers, the chances of finding one who is corrupt or desperately needs money are fairly good.
Palm trees and 8
Users are accepting of system outages when it's their personal stuff, and even then, only barely. When your clients start asking for "Free IT Stuff", remind them that nothing is free, and that when Gmail goes down, there is nothing you, as their support staff, can do about it. And yes, confidentiality is important, and no, Google doesn't provide it.
As long as Google will sign a business associate contract -- which they very well maybe willing to do -- then they can legally store information on gmail.
"Google employees can read your stuff" is not accurate.
Google just doesn't trust internal people; the security folk there are very savvy, and they know that incidents from inside are a serious risk. Which isn't to say they are HIPAA compliant; until they are, your doctors don't belong there. But it isn't fair to Google to imply that internal people there have unauthorized access to your mail. Are there people who might be able to read your email without authorization? Perhaps. But I think Google has controls to mitigate the risk of it happening, and make it so that it cannot happen without an audit trail.
If not, you doctor friends are committing a federal crime as it is, punishable up to jail time.
If they are, then its a non issue.
---- Booth was a patriot ----
Given that Google already sell a search appliance, I've wondered before why they don't sell a Google Apps appliance. I'm pretty sure I could resell a bunch of these no problem!
Alternatively, would it be possible to have the Google Apps front-end use storage elsewhere?
http://www.renalandurologynews.com/Staff-Nurse-Faces-Jail-Time-for-HIPAA-Violations/article/119854/ http://www.healthcareguy.com/index.php/archives/483 http://www.healthdatamanagement.com/news/HIPAA-38694-1.html Go ahead... take the time and spend the money to get a license to practice. Then go mess around with private information. See what happens.
Why not trust them? Why trust you? How many server admins read the mail of their bosses?
What if Google offered free radiology services? Or free bloodwork? Would they feel comfortable using it? Would they consider it meeting a "standard of care"? Trying to come up with a comparable situation could help you and the doctors get closer to the root issues.
So which is more likely to happen: A google employee reading your hosted email and using that information in nefarious ways, or if self hosted the sysadmin you now have to have on the payroll doing the same thing? The farther away from and less familiar any person is with your business the less likely that person will consider the possibility of messing with your business. I would rather put my faith on being a fish among thousands in a lake rather than being the only fish in a bucket.
'Google employees can read your stuff'
Even if these clients are currently running their own e-mail server, employees at the local ISP could use DPI to read their stuff. Anything you send on the internet that isn't encrypted can be read by lots of different people at lots of different points. Unless the clients are currently encrypting their e-mails, I don't see any privacy reason not to use gmail.
there's a for-pay version of google apps which can be delivered over SSL. i don't know if the license terms are any different, or if the server-side storage is at all secure, but i'm willing to bet someone working for google could answer that question for you.
Who's more likely to do something damaging with your data: one of the few Google employees who has direct access to it as part of a sea of data belonging to millions, or the disgruntled tech in your own company who has access to the server room?
I'm not saying that you should outsource without a second thought, but if you have a contract with clear terms for how your data should be handled, with an explicit lack of disclaimer of liability for damage to your business in case they mess up, and you outsource to a company with a track record of managing their systems at least as well as your own staff, you're probably at less of a risk of malicious disclosure with your data in the hands of a reputable disinterested party.
On the other hand, if the outsourcing provider wants you to sign away all your rights (and many do), they don't have much of an incentive to adhere to the terms of the contract, so you should stay away.
There's no failure quite as dissatisfying as a complete and total solution to the wrong problem.
I think your fall back position is HIPPA. Unless Google is going to follow that (and I seriously doubt they would), keep the tin foil hat on. You could always say that in every Google building there is a screen that shows the latest search phrases. They scroll by constantly and can be seen from the outside of the buildings in some places. Do your employers really want to open themselves to that?
Dude (et al 8-),
Your clients are at the "hey this free stuff is great" stage. Good. But there isn't really any value to having the ap be far away on a web server.
A decent and easy-to-accomplish setup of local Open Source stuff will do exactly the same job at the same price point, but without the questions of PRIVACY you mention nor the questions of RETENTION you didn't.
Google really _isn't_ on the hook to be there with these services or all your data in two years time etc.
So for privacy and retention reasons you cannot really ever use the web-application model to a remote company without many potential problems.
Again, local is mandatory, but Microsoft isn't. Everything you can find on Google Apps can be found for free use on/with any large-scale linux distribution pretty much for the cost of playing point-and-click in the software installer/chooser/whatever.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
Having done a fair amount IT architecture work in the healthcare realm for the past 10 years, I can truthfully say that doctors are really cheap and look for ways to cut a dollar now at the risk of tens of thousands later. They are also early adopters of technology yet are basically clueless on how it works.
The cost of keeping an internal server plus vpn access for laptop use on an annual basis is a few hundred dollars. The cost of not having access to their records because of a fiber-seeking backhoe attack on their buildings access is hundreds per hour.
What _is_ the customer support number for Google if your Google Apps data goes missing? The doctors have your cell number and probably your home phone as well.
To Google, their account is one of thousands. To you, they are a car payment and maybe a few nights at the pub every month. Who is going to take care of them better, not cheaper.
The old mechanics saying comes to mind: "We do things 3 ways - right, cheap and fast. You get to choose two".
I just got here and haven't read the other responses, but . . . if you are seriously asking that question, obviously you are not familiar with your compliance requirements.
cjacobs001
Should keep in mind that, once something goes on the Internet, it is on the Internet forever.
Double goes for porn.
Comment removed based on user account deletion
Strange reasoning. All files get send over the internet with e-mails, in essence, every document created ends up being sent electronically somewhere, as snail mail is just not an option anywhere. If you worry about Google reading your e-mails, than also your ISP, hosting your imap-server, the ISP of your client, the IT guy maintaining your and his computer system, etc. So the security of a google document ends up in the same insecure risk category as every e-mail you send. However, the reputational risk for google when documents get leaked from their server is extremely high, while the risk for your local IT guy or local ISP is probably lower than the price they can get for selling the documents.
sam
There's one critical thing that a lot of people are missing here, and that's that this isn't a question of who has the documents, per se, but what can be done with those documents.
Some people are saying that if you hand your documents to a third party, it's the same, because they still need a subpoena. The problem is that they CAN get it with a subpoena from the third party. If you had kept them to yourselves, then (in some cases) they wouldn't. They could be protected by the attorney-client priviledge. It's not just a question of physical security, it's a question of confidentiality, and once you voluntarily surrender that, it's gone. And that nice document your client wrote you explaining what REALLY happened is no longer just a letter to an attorney, but an admission against interest. If the client does it, that's stupid. If an attorney does it, that's malpractice. Leave aside any objections about how dumb it is for such a document to exist. The fact that it could, and that your policy would result in a disaster of that scale, is enough of a cautionary tale to dissuade someone from taking the risk.
Really, sharing the information with google (you're surrendering confidentiality by agreeing to let them look at all), you're probably committing malpractice. This is a really, really serious deal.
I've actually done some HIPAA compliance work, and while the rules are slightly more loose, I seriously doubt that the doctor and google are going to be collaborating on a treatment plan, or that google is supervising the doctor's work. The same problems remain.
To pretend that owning your own servers makes your email secure ignores the fact that your email still travels across the internet. http://www.eff.org/issues/nsa-spying
The following works on Google mail and once set it also works for the calendar. GOOGLE DOCUMENTS however will still go over http
To enable this feature in Gmail:
Sign in to Gmail.
Click Settings at the top of any Gmail page.
Set 'Browser Connection' to 'Always use https.'
Click Save Changes.
Reload Gmail.
Not too many years ago, as the IT offshoring was really picking up steam, it turned out that a number of records transcription shops were farming out their work to subs who turned around and passed the work to offshore typing pools.
And, the doctors and patients were none the wiser until a Pakistani typist felt she was getting screwed by her job shop, and passed the threat upstream that she'd selling or post her data on-line if she didn't get paid. This turned into a major HIPAA-related Federal case for the responsible parties (doctors, IT shops) in the US.
My health provider has offshored a lot of its application dev. This reminds me to do some more research into what they're doing with my data. My dentist is self-employed, and I'll need to remind him resist any temptation he's having to use Google Apps for my dental data. If I find out he does it anyway, I won't hesitate a second to drop a dime on him.
Luke, help me take this mask off
Nobody mentioned twitter?
http://www.techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/
LOTS of lead-in on that. Long story short: Password recovery email sent to abandoned and thus recycled and avaiable hotmail account. Register hotmail account, send recovery email. Use gmail account to do password resets all over the damn place.
Google docs & everything Google was done on the first step.
Well the security paper should make you feel better
http://www.google.com/a/help/intl/en/admins/pdf/ds_gsa_apps_whitepaper_0207.pdf
Passsed SAS 70 Type II audit - http://www.google.com/support/a/bin/answer.py?hl=en&answer=138340
Google uses Google Apps themselves and we all know they have secretes that people want to steal.
The twitter thing is pointless as it was a comprimised password that would expose anybodies data if there email was accessible anywhere accept the main office.
And no don't forget when you send email from your mail server to another mail server from another company it goes in plain clear text. That means you have to trust every router in between.
With all that said, for most companies Google Apps will probably be more secure than some admin jocky and his Exchange server and no independent security audits.
I think the answer is very simple. Asking the professionals is the wrong perpsective to take. Get them to ask their CLIENTS if they want their personal information on google and I can guarantee it doesn't matter how safe or secure it is, people go to such professionals for confidentiality.
The question then becomes... "In the event that information *somehow* gets out, would the professionals take responsibility for it getting out and pay their clients for the breach in security?"
I think when asked to put their money where there mouth is they would err on the side of caution
How would it make you feel if your doctor stored your medical records in Google Apps?
Privacy regulations -- HIPPA, SEC, S/OX, FINRA, and RIA -- present very specific requirements. Google Apps Standard Edition (free version) does not meet these standards. Google Apps Premier Edition, with full SSL encryption enabled, meets these requirements for information access and storage. If you use Google Message Discovery, part of Google Postini Services, your historical archives are also compliant. With respect to HIPPA and some privacy laws (such as MA 201 CMR 17.00), emails should be scanned for personal information and blocked or encrypted. As such, full compliance would require adding a service such as Zix. Allen Falcon
You can call parent troll, but the phone companies recently admitted that they were spying on its customers as instructed by the CIA. What if Google provides the same service -- used as a tool to spy on all citizens? When it comes to something very, very important (to the patients), such as health records, security is paramount, and these cheap, fucking doctors should pony up the money to have a private network to maintain privacy of patient records rather than hand it over to an information hoarder, like Google.
I don't know how many of you have seen what passes for "IT" in many small medical offices - it's frighteningly insecure. I've seen more than one office where they were networked with cheap consumer wireless equipment - with the default passwords still in place and no encryption. Just pull up in the parking lot and turn on your notebook and they'll helpfully give you a DHCP address and access to their systems. I've gone through a few of these offices and locked things down better but they're still not exactly military grade security.
So how does the security of Google Apps compare with this? At least with the Google product the risks are well defined. Trusting the security of your doctor's network might not be a good idea - and the risks here are largely unknown. The people snooping on these offices are usually after credit card info, not medical records.
Think I'm kidding? Go check it out at your local multiple-physician office complex - then try to talk them into letting you secure their systems for them.
Boom, average-colored slashdot story.
No one who is concerned with confidentiality or privacy will (or should) use online apps or Gmail! No matter what they say, YOU have no control whatsoever about who has access to your documents/data. And by the time you find out that there has been a breach, its too late. YOUR documents/data is all over the internet for anyone who wants it. Anyone is crazy to think that they can expect to put data/documents online and expect to have any privacy or confidentiality. At the very least, the IT people who support have access to you data/documents. All it takes is one rotten apple in the IT dept.
As they have explained it to me, anything you give to Google can be subpoenaed. Google is currently one of the most-frequently-served companies in the world, and Google gives full and enthusiastic cooperation with lawfully issued subpoenas.
The challenge is simple, and sweet:
1) Identify any law firm or privileged entity that uses Google docs.
2) Sue them, or perform some court action that would justify a subpoena.
3) Use the subpoena to retrieve all (or a significant number of) privileged docs from the priv entity.
It's a simple social engineering attack that might require the help of a cooperative law firm and some digging. Anybody listening?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
It strikes me that this is a bit of collective FUD. Why aren't folks up and arms that doctors, lawyers, and politicians use blackberries to communicate (oh no, a third party handled the e-mail communications, so the fuck what)?
Really?!?
Are you nuts?
Does your malpractice insurance know about this?
Does your Bar Assoc?
You have just blown a major whole in all you attorney-client privileges.
Do you have your clients waive this in your engagement letter?
I hope you got someones written legal opinion that this is OK.
I get the same requesets from my clients. And it's not just GMail they want to use. It's the word processor, spreadsheet, etc as well.
I try to tell them that the security is an issue and they look at me like I just said that "Elvis enjoys tacos". It's startling how unconcerned they are about the risk to their confidential client work product especially in light of the fact that if it were to leak out they could potentially lose thier license to practice.
But...but...it's free, they say, with confused puppy eyes. As if free somehow obviates any need for security.
-B-
I don't understand that anti-google "hype", which probably was started by Ballmer :-)
There are many hosted mail solutions, every ISP has their own mail service, blackberry does have one too. There's a load of hosted Exchange solutions. Etc, etc, and businesses USE it. If a google employee can read email, why an ISP employee can't? Because it's in their terms of service? ha!
Rolling your own solution is damn expensive and you need a guy who actually knows something about it, that's why most companies are more than happy to outsource it.
Do you also tell them that the systems administrators on their in house email and records systems can read their mail, records, etc?
I think you're absolutely correct. Telcos, ISP's, Comcast, Google, Yahoo, and MSN are all PUBLIC. Cloud apps/data systems information are like the Signs posted on an interstate highway. To place all medical or proprietary info on google apps is a very convenient excuse for insurance companies to steal unauthorized access to that data. Even if congress limits or prohibits their use of medical history to exclude coverage (due to preexisting conditions) you can be sure they want that data anyway. Without a doubt, those who want that information the most, will find and get it first, right from the "cloud" or the airwaves. Digitizing the actual records will enable it's unbridled transmission, sooner or later. Even if your files are "sealed", the medical billing contains detailed coding and prices. This data is in a wide area networks of health care administration, credit bureaus, billing & collection services, and accountants data systems....so they have bits and pieces. Meanwhile, lets try not to make the process so easy for them (insurance) - make 'em pay, make 'em pay.
If you use Google's servers just as a means of getting something sent via SMTP and received via POP - you can configure your email client to use a digital certificate and encrypt all your correspondence.
Even if Google keeps everything in their archive, it is still encrypted.
Sounds like a good compromise to me. Before you say "getting a certificate from CA costs money", remember that you can set up your own CA, or get a certificate for free.
The saddest poem
Look at where breaches actually occur in practice: disgruntled employees, P2P, server vulnerabilities, corporate espionage, carelessness, etc. Your in-house IT staff is a much more likely source of data leaks and corporate espionage than an organization like Google or Microsoft.
Or, to look at it another way, your "in house" IT staff is really all a collection of third parties as well, and they often have much less of a track record and much less to lose than Google.
I recall reading something a while ago about servers sold by google, hosting google apps for professional businesses. This is not free, but it does mean you will be able to use the google apps while also being in control of that data and you'll not have to worry about confidentiality and google employees or hackers snooping through your data.
It may be very expensive, and it may be overkill for your needs, but it's worth looking into.
I'm not saying you're fully wrong, but I think the discussion here is assuming that the alternative to google docs is a hardened computer, in a secure facility, surrounded with armed guards, razor wire, etc. And thats not the case. Speaking about small and medium legal and medical settings, the typical alternative is a poorly backed up, poorly secured, office computer, connected to the Internet, filled with viruses and backdoors, and enthusiastically contributing to the botnet du jour. Small businesses, in general, do not take the time to understand their IT security. Most lawyers do not understand technology, and unless a practice is very large, its not going to have a dedicated IT guy. So when you consider the risk of data loss, or breech, and compare that typical scenario with google docs, then suddenly google docs doesn't look so bad. Without education there is no security; and there isn't much chance of your average lawyer becoming tech savvy enough to secure their network any time soon - so maybe outsourcing aspects of this problem is an improvement.
My answer would be, no.
You cannot trust corporations without contracts. No matter how trustworthy the current leadership seems, the time will come when they will be replaced by persons unknown.
I would only use services where you are paying for it and a contract guaranteeing confidentiality exists. I believe that Google offers that on some services, but, if they don't, there are others that do. As for whether or not some service is HPAA compliant, ask your lawyer, not Slashdot.
It's not paranoia. Keeping records in Google apps and certainly in Google mail is a lot less secure than keeping them on a local server or PC. If you know Google employees have access to the data you are acting in a reckless manner.
You're a lawyer. Don't make me laugh.
result in their being banned from seeing medicare/medicaid patients.
Wouldn't most physicians desire an exemption from having to deal with zero/negative-profit Medicare/Medicaid?
You know, with all the responses saying that Google Apps are not good enough to comply with HIPPA PHI regulations, it makes me wonder - why wouldn't Google set up a tiered for-fee service that is compliant? Change the terms of service to guarantee the privacy of data, encrypt it on the server-side so that it can only be retrieved by the owner with the proper key (to prevent snooping google employees), prohibit the public viewing of documents (the publish feature), and charge a doller per month per gig, or something. Google is ideally placed to offer such a service, and - if they can meet the legal hurdles - would make bank.
Never underestimate the potential of Human stupidity. -Heinlein
Good idea. But why do you need a certificate? Why can't you just use public key (pgp, gpg)? That provides authentication and signing as well as encryption.
1: The suits will ignore IT's warnings. "What do geeks know about running a business?" ..
2: The suits will ignore Legal's warnings. "The money we save far outweighs the minimal risks."
3: A significant amount of time passes. The suits pat themselves on the back for padding the bottom line. Stock options are cashed in.
4: A medical datastore gets hacked into, probably from a PC belonging to one of the suits. (You know; the one with the password pasted to the monitor.) Data subsequently gets auctioned on a blackhat site. Men in Black pay a friendly visit. Ambulance Chasers descend.
5: The suits panic, look for scapegoat, invariably select IT. "But we didn't KNOW our IT department was putting records on Google!" Non-suit heads roll.
6: Organization is crushed by civil fines and lawsuits. Suits move on, soon finding other firms to trash. Balance of staff find themselves on the street.
7: PC Magazine finally gets around to publishing an article on how stupid it is to put HIPAA documents on Google et al. Loyal readership (CEOs in airport lobbies) panics, head back to own firms were non-suit heads subsequently roll.
8: Suits proceed on to the next insanity.
.
Lesson: Scott Adams is an optimist.
Regards;
It's amazing to me how people seem to think the internet brings in a whole new world where nothing old applies.
If I have a legal responsibility and I wish to use a product/service that might affect that responsibility, then I would:
-get a contract detailing things
-get insurance to protect me
-audit the other party to make sure they will adhere to certain rules
Doctors, engineers, lawyers... have all dealt with this for a long time.
If I had a legal responsibility, would I trust Google with my data? Nope. At least not for their current free apps.
This is one case where they could most certainly offer a 'premium account'. You can speak to live person to handle issues should they come up. An SLA with privacy guarantees... Then I'd consider it.
Otherwise, I could rightfully be sued for negligence. Here I am a doctor or lawyer making 250k/year and I'm too cheap to spend a few hundred dollars to guarantee the privacy and security of my data. Sounds like negligence to me.
Unfortunately responsibility and accountability costs money. It's not a free lunch for you or Google.
The only main issue with SAS 70 audits is that the company/process being audited defines the scope of the audit. You can choose to not report processes, systems, or users involved, and the auditing company will only cover the scope you've set forth. IMHO SAS 70 is nowhere close to a comprehensive auditing tool for SOx or HIPAA compliance.
HIPAA allows providers to share PHI over unencrypted email. Read the FAQ: http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/safeguards.pdf
From the comments on here you would think that HIPAA requires you to safeguard your data like they are nuclear secrets.
If you store HIPAA data on a Linux server you are trusting that the Linux community has built a secure product. It's the same with a Microsoft or IBM box and the same with a Google service. If you are running your own you are also trusting that every one of your IT people are upstanding and highly competent. Personally, I trust Google to run a much more secure network than one I could build with a batch of admins that I hired. Whether Google is putting a guarantee in writing or not, the ramifications to Google if GMail, Google Apps, Appengine, Wave, etc. are not secure are huge.
That meets my definition of the HIPAA requirement for a "reasonable safeguard" but IANAL.
HIPAA isn't directly about privacy. It's about being able to hold someone accountable for accessing information. Anyone in security knows that breaches happen all the time. What matters is containment.
[RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
For those with high-profile celebrity clients, simply telling them 'Google employees can read your stuff' will usually end the conversation right there.
This, and lots of other replies to this article are very, very misleading. It's not like this data is just lying around, waiting to be accessed by anyone who happens to work for Google. I'm willing to bet they have much, much tighter restrictions on accessing this data than almost any company anyone here works for. It's probably one or two engineers somewhere who could theoretically look into the database and pull some raw information out, and I imagine any such access would require authentication from another person and be heavily logged.
Considering the crap security that most companies have, I'd trust Google way more than a homegrown solution.
Tell them read the law or get a legal opinion. If the practice uses Google Apps and those apps violate HIPAA, they are breaking the law. No gray areas here. Why is it even a question? I certainly do not want my physician using non-HIPAA compliant communications with MY personal medical info. They need to get over it or take the risk themselves.
Or not: under HIPAA, anyone that a covered entity contracts with to handle PHI must be covered by a Business Associate Agreement, and under the HITECH Act passed earlier this year, HIPAA security noncompliance sanctions, including civil and criminal penalties available under HIPAA, apply to parties under BAA's exactly as they do to the covered entities themselves.
I really wish google would sell google apps like it sold their search appliances. I think alot of companies would jump on board, heck if the entry point was lower enough, I'd get one for myself. Would it be much worse than maintaining an exchange server? Perhaps and that may be why it doesn't exist yet. An alternative might be to allow you to host your own data (rather than hosting the apps and data) that way you still somewhat control the actual content. (though I can see headaches ensuring that your data box remains connected to the google cloud.
June - Cloud Computing
July - Risks of Cloud Computing
There are so many viruses and trojans lurking around that being inside the OS possibly even more dangerous.
By the way, what is inside OS? Who knows it? It is all compiled.
There. Answered it all for you.
Besides, if you take applications on the web more serious than to use them for your spam or some irrelevant stuff, then you seriously need to see a shrink.
Web apps are the SUVs of software. Except that they are as safe as a Yugo Nowhere. Slow, expensive, insecure, ugly, SLOW, shaky, INSECURE, pointless.
It's all of the "good" of the inner platform anti-pattern, all of the insecurity of a web connection, all of the slowness of scripting, and a whole lot of "made by the biggest web advertiser on the planet". ^^
Any sufficiently advanced intelligence is indistinguishable from stupidity.
Confidentiality is maintained if the documents are encrypted prior to upload.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
So you do not consider your ISP to be a third party? All of your e-mail passes through their hands before it gets sent out to Teh Internets. Your ISP may not have access to your local address book and calender, but once you send an e-mail, your ISP can read it fully, as can certain people sitting between your ISP and the e-mail's destination. And, unless you are using encryption for your SMTP connection (which Google does), the same goes for someone sitting between you and your ISP.