Slashdot Mirror

← Back to Stories (view on slashdot.org)

Can We Abandon Confidentiality For Google Apps?

Posted by kdawson on from the what-price-convenience dept.

An anonymous reader writes "I provide IT services for medium-sized medical and law practices. Lately I have been getting a lot of feedback from doctors and lawyers who use gmail at home and believe that they can run a significant portion of their practice IT on Google Apps. From a support standpoint, I'd be happy to chuck mail/calendar service management into the bin and let them run with gmail, but for these businesses, there is significant legal liability associated with the confidentiality of their communications and records (e.g., HIPAA). For those with high-profile celebrity clients, simply telling them 'Google employees can read your stuff' will usually end the conversation right there. But for smaller practices, I often get a lot of push-back in the form of 'What's wrong with trusting Google?' and 'Google's not interested in our email/calendar.' Weighing what they see as a tiny legal risk against the promise of Free IT Stuff(TM) becomes increasingly lopsided given the clear functionality / usability / ubiquity that they experience when using Google at home. So my question to the Slashdot community is: Are they right? Is it time for me to remove the Tin Foil Hat on the subject of confidentiality and stop resisting the juggernaut that is Google? If not, what is the best way to clarify the confidentiality issues for these clients?"

17 of 480 comments (clear)

  1. yes.. by Anonymous Coward · · Score: 5, Informative

    ..the google apps contract is fine. IAAL and i use google apps for all my stuff. i DO maintain a separate backup but everything goes on google. the bar is also fine with it.

    1. Re:yes.. by TheMMaster · · Score: 5, Informative

      If you had read the entire article you would've seen that it is written by "Brett Burney is principal of Burney Consultants, based in Cleveland." Finding his website, it turns out that mr Burney is not a lawyer, he provides some legal services FOR lawyers.

      So, that article is just some guy saying how convenient those tools are. Not some sort of legal analysis of the use of web-based applications for sharing private data.

      Here in Europe using stuff like that is absolutely not allowed for sensitive data, doctors, lawyers and governments are most certainly NOT allowed to use a hosted app like that.

      --
      Fighting for peace is like fucking for virginity
    2. Re:yes.. by jonnyj · · Score: 5, Informative

      I can't give a legal answer for US companies, but its my job to consider questions like this for a UK based financial services business. Google's applications are essentially the same as any other outsourced services, and UK law is based on the premise that you can outsource activity but you can't outsource responsibility.

      What this essentially means is that a UK business is expected both to have a legally enforceable set of data protection contract terms and to have conducted a risk assessment supported, where appropriate, by a detailed appraisal of the outsourcer's policies, procedures and practices. FWIW, the conclusion that I've drawn is that Google apps are completely unuitable for any UK business that processes customer data, as there is no guarantee that the data will remain in the EEA (European Economic Area) or another country that has equivalent data protection principles enshrined in law. UK business are not allowed to process personal data in the USA without express customer consent because its data protection laws fall short of ours.

  2. No by gweihir · · Score: 3, Informative

    Confidentiality is very, very important to businesses and individuals, even more so in the Internet age. One of the reasons to continue to operate your own infrastructure, no matter what the current hype is.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  3. por que? by Em+Emalb · · Score: 3, Informative

    From here: http://docs.google.com/support/bin/answer.py?answer=82366&ctx=sibling

    "
    Privacy and security: Understanding section 11.1 of our Terms of Service
    Print
    We've received questions over time about the meaning of section 11.1 of our Terms of Service. We realize that for those not familiar with legal agreements for services that use the Internet, these terms can look confusing, or even frightening.

    The first thing to understand is that this language doesn't give Google ownership rights to your data. You, and you alone, own your content. Whether you wish to keep your content totally private, or share it with the world, that's your choice.

    However, in order to honor this choice, Google Docs needs permission to display your content as you see fit. This is what we mean by a "license to reproduce." We need to ensure that when you click the "Publish document" button, or use the "Invite collaborators" option, we have the license to carry out your wishes. It is this agreement, between Google Docs and you, the user, that section 11.1 of our Terms of Service reflects."

    Why would you even chance it? That's their EXISTING terms of service, but as always, those terms are subject to change without notice.

    I can't imagine that HIPAA would allow this.

    --
    Sent from your iPad.
  4. Tricky HIPPA... by Annwvyn · · Score: 4, Informative

    As a Paramedic, I can say that HIPPA is extremely strict and will, if violated, force your license to be questioned as well as cause fines to be pushed your way. Honestly, doing ANYTHING outside of a secured network or a patient care medium (i.e. Pyxis, Temsis) with privileged, confidential information will plant a bullseye on your back. It is just not worth risking it. I can guarantee that an expert data thief is going to be more skilled and knowledgeable at computers and networking than any physician I know.

  5. Can I find out the names of the doctors you work f by Anonymous Coward · · Score: 3, Informative

    I'd like to report them to the regulatory commission that enforces HIPAA rules.

    Seriously, read up on HIPAA and get them to follow HIPAA rules, otherwise huge fines could be coming their way.

    Just because a doctor hands out those privacy pamphlets doesn't give them the green light to ignore or circumvent the privacy and security rules. Claiming ignorance is not an option.

    Get them off of gmail and google apps and put them on systems and networks that you can effectively apply controls too.
    You have no control over the security and privacy controls in place within google apps thus you can't effectively satisfy the HIPAA rules.If they do not want to do an internal networks with servers, outsource it all to a data center that is HIPAA compliant and where you control the servers both physically and logically.

    Good luck and hire yourself a partner or subcontractor that does HIPAA and SOX regulatory consulting. You could hire me but I'm $350/hr.

  6. An idea to make this work by MarkWatson · · Score: 4, Informative

    Amazon published a white paper about using their AWS platform with HIPAA compient applications: basic idea is to keep data encrypted until it is in memory, and encrypt it again before writing to persistent storage.

    For Google Apps, how about using rich clients that decrypt data for viewing/editing, and encrypt it again before storing back on big table, etc.

    Perhaps Google themselves would implement this as browser plugins?

  7. What does the fed do? by ljaszcza · · Score: 4, Informative

    We are a contractor for the Veterans administration. The VA insists that we comply with privacy issues strictly. Any communications that have patient information must be sent on encrypted secure systems. No open email servers/hotmail/gmail/whatever is allowed. Failure to comply with the privacy (detailed in the out of control HIPAA set of rules and standards) is punishable both financially and by being banned from contracting with the US federal government. As an administrator, I have to remind physicians that if they are caught transmitting identifiable information of our patients over unsecured channels, it may cost us our contract and may result in their being banned from seeing medicare/medicaid patients. Anyhow, that's my two cents on utilizing gmail or such for sensitive information.

  8. Re:Google appliance in the office? by Anonymous Coward · · Score: 3, Informative

    The Google Mini (http://www.google.com/enterprise/search/index.html) is a search appliance. It will not run mail/apps.

  9. Re:Give them fair warning by GMFTatsujin · · Score: 3, Informative

    That's one way to frame the argument, and it's a good one.

    I'd stress to them that HIPAA PHI standards require the company -- AKA your bosses -- to be able to vouch for the security of the entire pipeline of information flow. It's not an issue of "they're not interested" or "the chances are low." It's an issue of minimizing the holes in the pipeline.

    Google does not offer anything like PHI-compatible security. They are a big hole in the secuirty, whatever the chances or interest are. One could argue that the world's largest indexer of information, who makes the results of those indexes freely available to the public, is the antithesis of security.

    If your bosses are serious about health care, they're not going to be idiots about it. (They may chose to be idiots about other things. Probably not this.)

  10. Re:The bottom line by EdIII · · Score: 4, Informative

    Not only did you not read TFA, but you did not even read the summary. Laziness has nothing to do with this at all. He is getting a lot of friction from his clients that don't understand HIS reservations about doing business with Google in this manner. He is concerned for their legal liability. Sounds like an IT guy that actually cares.

    His question being posed to the /. community, is whether or not his clients have a point. Can we really trust Google with data that must remain confidential. Can he recommend Google services to his clients without fearing for liability later down the road.

    Yeah, that sounds lazy to me....

  11. Re:Ever read a EULA? by Tynin · · Score: 4, Informative

    I dislike MS as much as the next /.er but if your company allows your Exchange server to call home to Microsoft, for anything other than patching, your network admin needs to be fired.

  12. No physical security by pentalive · · Score: 5, Informative

    No matter how ironclad the agreement or how draconian the penalties your data will still be public. Sue Google into non existence and well your data is still public.

    Without physical security there is no security.
    If you don't own the box and control access yourself there is no physical security.

  13. Re:HIPAA compliance is no joke. by DragonWriter · · Score: 4, Informative

    As far as I know, NO ONE HAS SUCCESFULLY SUED FOR HIPAA VIOLATIONS.

    Since HIPAA doesn't create a private cause of action for violations, only the federal government can enforce HIPAA rules generally (sometimes, under state laws, the fact that a disclosure is in violation of a federal law like HIPAA, or of a assurance or agreement mandated by HIPAA, may, with other factors, meet the standard for some private cause of action under state law, but the action won't be for a HIPAA violation, per se.) To date, AFAIK, none of the HIPAA complaints received by the Department of Health and Human Services' Office of Civil Rights (which enforces HIPAA) have resulted in monetary penalties being assessed, but most of them do result in OCR requiring business practice changes on the part of the entity against whom the complaint was lodged. A few do get referred to the Department of Justice for criminal prosecution, though I believe that, to date, no prosecutions have been made on HIPAA charges alone (sometimes HIPAA charges have been part of a broader criminal complaint.)

    But they are allowed to send your information to third parties to help "manage your health" or "process billing" or "collect payments" or all sorts of things.

    These third parties ARE NOT REQUIRED to follow HIPAA, as they are considered non-covered entities. . This means once your info goes to billing for processing, your privacy is based on contracts with your provider and social embarrassment.

    There was a time when that was at least generally true (where a business associate of a HIPAA covered entity might not be liable the way a covered entity was if it was not itself a covered entity), however, the recently passed HITECH Act (part of the American Recovery and Reinvestment Act of 2009 [ARRA], Pub.L. 111-5) both added additional security requirements that apply to HIPAA covered entities and extended both the existing and new security requirements on HIPAA covered entities, including the civil and criminal penalties for violations, to apply to those entities' business associates to the same extent as to covered entities themselves. (see ARRA, Title XIII, Subtitle D, Sec. 13401; codified at 42 U.S.C. Sec. 17931.)

  14. Re:No by Chyeld · · Score: 4, Informative

    SAS 70 Type II for Google Apps
    Tuesday, November 04, 2008 at 3:46 PM
    Posted by Eran Feigenbaum, Director of Security, Google Apps

    Ever since the first Gmail users began trusting Google with their private information, keeping people's data safe has been one of our top priorities. Today, more than a million businesses, plus thousands of schools and organizations using Google Apps rely on us to safeguard their critical information.

    We've published some of the ways we keep sensitive information where it belongs, but we wanted to go farther and have external independent security specialists audit our systems and procedures. Here's the outcome: an independent public accounting firm has verified the effectiveness of our technical processes and controls for Google Apps, and Google Apps has satisfactorily completed a SAS 70 Type II audit.

    Our commitment to keeping customer information safe - whether they're consumer users or our largest enterprise customers - is part of our DNA, and we protect this information as rigorously as we protect our own sensitive corporate information. In fact, we use the very same services that we offer to our users for our own email, documents, project team sites and calendars.

    which leads to

    Statement on Auditing Standards No. 70: Service Organizations

    Statement on Auditing Standards No. 70: Service Organizations, commonly abbreviated as SAS 70 and available full-text by permission of the AICPA, is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), officially titled "Reports on the Processing of Transactions by Service Organizations". SAS 70 defines the professional standards used by a service auditor to assess the internal controls of a service organization and issue a service auditor's report. Service organizations are typically entities that provide outsourcing services that impact the control environment of their customers. Examples of service organizations are insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearinghouses.

    There are two types of service auditor reports. A Type I service auditor's report includes the service auditor's opinion on the fairness of the presentation of the service organization's description of controls that had been placed in operation and the suitability of the design of the controls to achieve the specified control objectives. A Type II service auditor's report includes the information contained in a Type I service auditor's report and also includes the service auditor's opinion on whether the specific controls were operating effectively during the period under review

  15. Re:No by jon3k · · Score: 3, Informative

    HIPAA requires ePHI to be protected both in transit and at rest (on disk). Google will tell you flat out that your data is not sufficiently protected (eg encrypted) at rest to qualify as being HIPAA compliant. Obviously you can use SSL during transit but that doesn't solve the whole equation. Google apps, flat out, are not HIPAA compliant, and google will be the first to tell you that.