Can We Abandon Confidentiality For Google Apps?

An anonymous reader writes "I provide IT services for medium-sized medical and law practices. Lately I have been getting a lot of feedback from doctors and lawyers who use gmail at home and believe that they can run a significant portion of their practice IT on Google Apps. From a support standpoint, I'd be happy to chuck mail/calendar service management into the bin and let them run with gmail, but for these businesses, there is significant legal liability associated with the confidentiality of their communications and records (e.g., HIPAA). For those with high-profile celebrity clients, simply telling them 'Google employees can read your stuff' will usually end the conversation right there. But for smaller practices, I often get a lot of push-back in the form of 'What's wrong with trusting Google?' and 'Google's not interested in our email/calendar.' Weighing what they see as a tiny legal risk against the promise of Free IT Stuff(TM) becomes increasingly lopsided given the clear functionality / usability / ubiquity that they experience when using Google at home. So my question to the Slashdot community is: Are they right? Is it time for me to remove the Tin Foil Hat on the subject of confidentiality and stop resisting the juggernaut that is Google? If not, what is the best way to clarify the confidentiality issues for these clients?"

yes..

..the google apps contract is fine. IAAL and i use google apps for all my stuff. i DO maintain a separate backup but everything goes on google. the bar is also fine with it.

Re:yes..

[TheMMaster]

If you had read the entire article you would've seen that it is written by "Brett Burney is principal of Burney Consultants, based in Cleveland." Finding his website, it turns out that mr Burney is not a lawyer, he provides some legal services FOR lawyers.

So, that article is just some guy saying how convenient those tools are. Not some sort of legal analysis of the use of web-based applications for sharing private data.

Here in Europe using stuff like that is absolutely not allowed for sensitive data, doctors, lawyers and governments are most certainly NOT allowed to use a hosted app like that.

Re:yes..

[jonnyj]

I can't give a legal answer for US companies, but its my job to consider questions like this for a UK based financial services business. Google's applications are essentially the same as any other outsourced services, and UK law is based on the premise that you can outsource activity but you can't outsource responsibility.

What this essentially means is that a UK business is expected both to have a legally enforceable set of data protection contract terms and to have conducted a risk assessment supported, where appropriate, by a detailed appraisal of the outsourcer's policies, procedures and practices. FWIW, the conclusion that I've drawn is that Google apps are completely unuitable for any UK business that processes customer data, as there is no guarantee that the data will remain in the EEA (European Economic Area) or another country that has equivalent data protection principles enshrined in law. UK business are not allowed to process personal data in the USA without express customer consent because its data protection laws fall short of ours.

Re:yes..

[demonlapin]

IANAL, but reasonable expectation of privacy is a legal term of art that bears strikingly little resemblance to the average person's comprehension thereof. A potentially relevant case to this is that called-number logs are considered not private because, originally, you had to tell the operator which number you wanted to call - so you voluntarily gave up the privacy of who you called, even though the content was private. A good friend of mine who IS a lawyer mentioned in explaining the whole thing that you have no reasonable expectation of privacy in another person's home, even if they're not there.

Re:yes..

What your lawyer parents forgot to tell you is that lawyers use the services of all sorts of third party services, who agree and are duty bound to maintain the confidentiality of the information the lawyers entrust to them. My law firm's entire network is administered by a third party IT company. If you think there is something legally wrong with that, you need to talk to your parents again. We send out sensitive documents for copying, 40,000 pages at a time. You think any law firm on the face of the planet handles that in-house? You think the reprographics companies, who are intensely competitive for law firm business, are sitting around reading the documents? I tried a trade secrets case where the key trade secrets evidence consisted of dozens of over-sized engineering drawings. Not many law firms can reproduce those in-house. We hire scientific and accounting experts to review confidential information and serve as consultants. I use Verizon wireless, and clients leave voice-mail on Verizon's network. None of that waives attorney-client privilege or work product protections. Its not even a close call.

You also might want to tell your parents about the Stored Communications Act and the Computer Fraud and Abuse Act, both federal laws. (There is also a very broad California statute that I'm certain applies to Google.) Among other things, the Stored Communications Act makes it unlawful for a company to turn over your e-mail pursuant to a civil subpeona. In fact, there's a federal case out there that says you can sue a lawyer who serves a subpoena in blatant violation of this law. I was surprised by that case myself, so your parents should be wary if they are still practicing. On the other hand, your G-mail can be subpoenaed by law enforcement in a criminal case. But that is much less likely to happen, since those are not handed out like candy the way civil supeonas are. But then, those same criminal subpeonas can be sent to ISPs, phone companies, the list goes on.

Ultimately, all documents no matter where they are stored are discoverable unless they are subject to a specific privilege. And if they are privileged, using the services of a trusted third party who obligated to maintain confidentiality does not waive the privilege. And if someone tries to subpeona that information, the law requires notice and an opportunity to object.

Re:yes..

[julesh]

Hmmm Virgin Media must have updated their T&Cs recently without notifying me.
They announced they're outsourcing all email to google.

"G. Your details and how we look after them
7. By having our services activated in your home and/or by using them you consent to our transferring your information to countries which do not provide the same level of data protection as the UK if necessary for providing the services. If we do make such a transfer, we will put a contract in place to ensure your information is protected."

(Virgin's T&Cs)

No

[gweihir]

Confidentiality is very, very important to businesses and individuals, even more so in the Internet age. One of the reasons to continue to operate your own infrastructure, no matter what the current hype is.

por que?

[Em+Emalb]

From here: http://docs.google.com/support/bin/answer.py?answer=82366&ctx=sibling

"
Privacy and security: Understanding section 11.1 of our Terms of Service
Print
We've received questions over time about the meaning of section 11.1 of our Terms of Service. We realize that for those not familiar with legal agreements for services that use the Internet, these terms can look confusing, or even frightening.

The first thing to understand is that this language doesn't give Google ownership rights to your data. You, and you alone, own your content. Whether you wish to keep your content totally private, or share it with the world, that's your choice.

However, in order to honor this choice, Google Docs needs permission to display your content as you see fit. This is what we mean by a "license to reproduce." We need to ensure that when you click the "Publish document" button, or use the "Invite collaborators" option, we have the license to carry out your wishes. It is this agreement, between Google Docs and you, the user, that section 11.1 of our Terms of Service reflects."

Why would you even chance it? That's their EXISTING terms of service, but as always, those terms are subject to change without notice.

I can't imagine that HIPAA would allow this.

Re:por que?

[DragonWriter]

you can use google apps without google docs. HIPAA is fine with it.

Maybe, maybe not. The HITECH Act (which is really part of the recent federal stimulus law, the American REcovery and Reinvestment Act) and the Guidance issued under the HITECH Act requires that for HIPAA protected health information (PHI) to not be considered "unsecured", information in motion must be protected under appropriate FIPS 140-2 approved standards (for use of TLS, that's NIST Special Publication 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations), which (as well as restricting which of the avaialable cipher suites for TLS are acceptable--notably, not RC4) also provides for the use of client certificates for authentication and states that server implementations should not accept connections without them, rather than falling back on alternative authentication mechanisms like username/password. The HITECH Act requirements, and the specific standards referred to in the guidance, are rather new as specific mandates with regard to HIPPA PHI, and I am rather suspicious of anyone who, without presenting any analysis, simply says that HIPAA raises no problems with Google Apps being used for HIPAA PHI.

Haha!

If web apps are ever farmed out to foreign servers, you can kiss your privacy goodbye. If the government requests any data off the servers and weasels around the usual search warrant limitations, you're on your own.

Tricky HIPPA...

[Annwvyn]

As a Paramedic, I can say that HIPPA is extremely strict and will, if violated, force your license to be questioned as well as cause fines to be pushed your way. Honestly, doing ANYTHING outside of a secured network or a patient care medium (i.e. Pyxis, Temsis) with privileged, confidential information will plant a bullseye on your back. It is just not worth risking it. I can guarantee that an expert data thief is going to be more skilled and knowledgeable at computers and networking than any physician I know.

Can I find out the names of the doctors you work f

I'd like to report them to the regulatory commission that enforces HIPAA rules.

Seriously, read up on HIPAA and get them to follow HIPAA rules, otherwise huge fines could be coming their way.

Just because a doctor hands out those privacy pamphlets doesn't give them the green light to ignore or circumvent the privacy and security rules. Claiming ignorance is not an option.

Get them off of gmail and google apps and put them on systems and networks that you can effectively apply controls too.
You have no control over the security and privacy controls in place within google apps thus you can't effectively satisfy the HIPAA rules.If they do not want to do an internal networks with servers, outsource it all to a data center that is HIPAA compliant and where you control the servers both physically and logically.

Good luck and hire yourself a partner or subcontractor that does HIPAA and SOX regulatory consulting. You could hire me but I'm $350/hr.

An idea to make this work

[MarkWatson]

Amazon published a white paper about using their AWS platform with HIPAA compient applications: basic idea is to keep data encrypted until it is in memory, and encrypt it again before writing to persistent storage.

For Google Apps, how about using rich clients that decrypt data for viewing/editing, and encrypt it again before storing back on big table, etc.

Perhaps Google themselves would implement this as browser plugins?

Ever read a EULA?

[porkThreeWays]

When you click "Accept" on many EULA's you give up rights to privacy of your data to that company. What's the difference if it's hosted or not. Microsoft can just as easily have Exchange phone home with data as Google employees can read your mail. There's no difference. You just have to decide which company you trust most.

Re:Ever read a EULA?

[Tynin]

I dislike MS as much as the next /.er but if your company allows your Exchange server to call home to Microsoft, for anything other than patching, your network admin needs to be fired.

What does the fed do?

[ljaszcza]

We are a contractor for the Veterans administration. The VA insists that we comply with privacy issues strictly. Any communications that have patient information must be sent on encrypted secure systems. No open email servers/hotmail/gmail/whatever is allowed. Failure to comply with the privacy (detailed in the out of control HIPAA set of rules and standards) is punishable both financially and by being banned from contracting with the US federal government. As an administrator, I have to remind physicians that if they are caught transmitting identifiable information of our patients over unsecured channels, it may cost us our contract and may result in their being banned from seeing medicare/medicaid patients. Anyhow, that's my two cents on utilizing gmail or such for sensitive information.

Re:Google appliance in the office?

The Google Mini (http://www.google.com/enterprise/search/index.html) is a search appliance. It will not run mail/apps.

Re:Can I find out the names of the doctors you wor

[Proudrooster]

Source: http://www.google.com/support/forum/p/Apps%20Partner/thread?tid=4d6f74d03de056c7&hl=en

Answer to your question.:
  PeteGriffin@Google (Google Employee) + 3 other people say this answers the question:
From a sales standpoint, I would recommend turning the question around and asking them what steps they are currently taking to be compliant with the relevant compliance-acronym (HIPAA, SOX, FERPA, PCI, etc). Understand what steps they currently take to be compliant, and what their current solution is. You'll be able to quickly discover if it's a real showstopping requirement and be able to move on, if it's something that can be addressed by Google Apps... or if they are horribly un-compliant and they're hoping that Google Apps will solve all of their problems (and more!).

No solution by itself is going to be the silver bullet; organizations (especially small and medium businesses) have extremely varied IT infrastructure and policies, with information flowing in different ways for different reasons. Google doesn't certify or identify Google Apps as being compliant with any specific set of regulations. It's really up to the organization to determine if a solution meets their compliance needs for their specific situation.

Google Apps has a very impressive set of features that are extremely helpful when dealing with prospects with compliance needs. The Postini component of Google Apps (referred to as Google Message Security) allows for very granular control of email content (in and out). There are additional email archiving and retention components available. Google Apps is SAS 70 Type II certified. We have also made a good deal of information available about Google's security policies when it comes to our network of data centers through a hefty white paper.

If anyone has experiences dealing with situations like this, please feel free to share your thoughts. Tony Safoian over at SADA Systems has some good thoughts around this:
http://www.google.com/support/forum/p/Apps+Partner/thread?tid=2ce6b0904f65ac44&hl=en

Re:Give them fair warning

[GMFTatsujin]

That's one way to frame the argument, and it's a good one.

I'd stress to them that HIPAA PHI standards require the company -- AKA your bosses -- to be able to vouch for the security of the entire pipeline of information flow. It's not an issue of "they're not interested" or "the chances are low." It's an issue of minimizing the holes in the pipeline.

Google does not offer anything like PHI-compatible security. They are a big hole in the secuirty, whatever the chances or interest are. One could argue that the world's largest indexer of information, who makes the results of those indexes freely available to the public, is the antithesis of security.

If your bosses are serious about health care, they're not going to be idiots about it. (They may chose to be idiots about other things. Probably not this.)

Re:The bottom line

[EdIII]

Not only did you not read TFA, but you did not even read the summary. Laziness has nothing to do with this at all. He is getting a lot of friction from his clients that don't understand HIS reservations about doing business with Google in this manner. He is concerned for their legal liability. Sounds like an IT guy that actually cares.

His question being posed to the /. community, is whether or not his clients have a point. Can we really trust Google with data that must remain confidential. Can he recommend Google services to his clients without fearing for liability later down the road.

Yeah, that sounds lazy to me....

No physical security

[pentalive]

No matter how ironclad the agreement or how draconian the penalties your data will still be public. Sue Google into non existence and well your data is still public.

Without physical security there is no security.
If you don't own the box and control access yourself there is no physical security.

Re:HIPAA compliance is no joke.

[DragonWriter]

As far as I know, NO ONE HAS SUCCESFULLY SUED FOR HIPAA VIOLATIONS.

Since HIPAA doesn't create a private cause of action for violations, only the federal government can enforce HIPAA rules generally (sometimes, under state laws, the fact that a disclosure is in violation of a federal law like HIPAA, or of a assurance or agreement mandated by HIPAA, may, with other factors, meet the standard for some private cause of action under state law, but the action won't be for a HIPAA violation, per se.) To date, AFAIK, none of the HIPAA complaints received by the Department of Health and Human Services' Office of Civil Rights (which enforces HIPAA) have resulted in monetary penalties being assessed, but most of them do result in OCR requiring business practice changes on the part of the entity against whom the complaint was lodged. A few do get referred to the Department of Justice for criminal prosecution, though I believe that, to date, no prosecutions have been made on HIPAA charges alone (sometimes HIPAA charges have been part of a broader criminal complaint.)

But they are allowed to send your information to third parties to help "manage your health" or "process billing" or "collect payments" or all sorts of things.

These third parties ARE NOT REQUIRED to follow HIPAA, as they are considered non-covered entities. . This means once your info goes to billing for processing, your privacy is based on contracts with your provider and social embarrassment.

There was a time when that was at least generally true (where a business associate of a HIPAA covered entity might not be liable the way a covered entity was if it was not itself a covered entity), however, the recently passed HITECH Act (part of the American Recovery and Reinvestment Act of 2009 [ARRA], Pub.L. 111-5) both added additional security requirements that apply to HIPAA covered entities and extended both the existing and new security requirements on HIPAA covered entities, including the civil and criminal penalties for violations, to apply to those entities' business associates to the same extent as to covered entities themselves. (see ARRA, Title XIII, Subtitle D, Sec. 13401; codified at 42 U.S.C. Sec. 17931.)

Re:No

[Chyeld]

SAS 70 Type II for Google Apps
Tuesday, November 04, 2008 at 3:46 PM
Posted by Eran Feigenbaum, Director of Security, Google Apps

Ever since the first Gmail users began trusting Google with their private information, keeping people's data safe has been one of our top priorities. Today, more than a million businesses, plus thousands of schools and organizations using Google Apps rely on us to safeguard their critical information.

We've published some of the ways we keep sensitive information where it belongs, but we wanted to go farther and have external independent security specialists audit our systems and procedures. Here's the outcome: an independent public accounting firm has verified the effectiveness of our technical processes and controls for Google Apps, and Google Apps has satisfactorily completed a SAS 70 Type II audit.

Our commitment to keeping customer information safe - whether they're consumer users or our largest enterprise customers - is part of our DNA, and we protect this information as rigorously as we protect our own sensitive corporate information. In fact, we use the very same services that we offer to our users for our own email, documents, project team sites and calendars.

which leads to

Statement on Auditing Standards No. 70: Service Organizations

Statement on Auditing Standards No. 70: Service Organizations, commonly abbreviated as SAS 70 and available full-text by permission of the AICPA, is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), officially titled "Reports on the Processing of Transactions by Service Organizations". SAS 70 defines the professional standards used by a service auditor to assess the internal controls of a service organization and issue a service auditor's report. Service organizations are typically entities that provide outsourcing services that impact the control environment of their customers. Examples of service organizations are insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearinghouses.

There are two types of service auditor reports. A Type I service auditor's report includes the service auditor's opinion on the fairness of the presentation of the service organization's description of controls that had been placed in operation and the suitability of the design of the controls to achieve the specified control objectives. A Type II service auditor's report includes the information contained in a Type I service auditor's report and also includes the service auditor's opinion on whether the specific controls were operating effectively during the period under review

Re:The bottom line

Actually he is not the one that wants to use the Apps it's his customers. He is doing do diligence and asking a panel of questionably attentive people what their opinion is. Please pay more attention to detail.

Re:No

[jon3k]

You have classified and unclassified networks. Classified networks don't touch the Internet, ever, in any way.

Re:No

[jon3k]

HIPAA requires ePHI to be protected both in transit and at rest (on disk). Google will tell you flat out that your data is not sufficiently protected (eg encrypted) at rest to qualify as being HIPAA compliant. Obviously you can use SSL during transit but that doesn't solve the whole equation. Google apps, flat out, are not HIPAA compliant, and google will be the first to tell you that.

Re:The bottom line

[Boomerang+Fish]

Having worked as consultant helping companies prepare for Sarbanes and HIPPA compliance, I can tell you that both require regular reports and testing to be performed by management ensuring that their controls are in place to prevent (preferred) and/or identify an IT guy who leaks such data. With Sarbanes-Oxley, an external auditor also performs the testing and the results are sent tot he SEC and included in any public inquiry about the financial status of your company. I assume something similar is done WRT to HIPPA, but so far I haven't actually had to work on the final reports, just the initial testing we perform to help the company figure out what they have to do to become compliant.

With proper controls in place, said IT guy would be prevented (ideal) or detected during such a disclosure, even if not immediately. Impossible for IT to get around? No, but damn difficult to do with leaving a trace, assuming proper controls concerning segregation of duties, isolation of production data from development teams, and proper system reporting.

Adding Google Apps brings in a whole separate entity for which you can employ NO controls, and who have publicly stated they won't guarantee the safety of your data. There are outsourcing companies that meet the requirements for SOX and HIPPA, and they can provide documentation (SAS70 comes to mind, but others exist too) generated by outside federally licensed auditors reporting on their status regarding such controls over their access to YOUR data and access to YOUR sensitive information. From Google's public stance on your data security, I sincerely doubt that they have undergone such auditing (or if they have, failed miserably).

So, if you trust Google more than your IT staff, then it's clear you've never undergone an external audit.

That said, if you have undergone an audit and failed it in any significant way, then the risk may be similar. But properly controlled environments are VERY difficult to steal or leak data from without leaving some sort of trail.

The audits aren't perfect but they're a hell of lot better than what Google has so far provided.

--
I drank what?