Slashdot Mirror

← Back to Stories (view on slashdot.org)

Can We Abandon Confidentiality For Google Apps?

Posted by kdawson on from the what-price-convenience dept.

An anonymous reader writes "I provide IT services for medium-sized medical and law practices. Lately I have been getting a lot of feedback from doctors and lawyers who use gmail at home and believe that they can run a significant portion of their practice IT on Google Apps. From a support standpoint, I'd be happy to chuck mail/calendar service management into the bin and let them run with gmail, but for these businesses, there is significant legal liability associated with the confidentiality of their communications and records (e.g., HIPAA). For those with high-profile celebrity clients, simply telling them 'Google employees can read your stuff' will usually end the conversation right there. But for smaller practices, I often get a lot of push-back in the form of 'What's wrong with trusting Google?' and 'Google's not interested in our email/calendar.' Weighing what they see as a tiny legal risk against the promise of Free IT Stuff(TM) becomes increasingly lopsided given the clear functionality / usability / ubiquity that they experience when using Google at home. So my question to the Slashdot community is: Are they right? Is it time for me to remove the Tin Foil Hat on the subject of confidentiality and stop resisting the juggernaut that is Google? If not, what is the best way to clarify the confidentiality issues for these clients?"

11 of 480 comments (clear)

  1. yes.. by Anonymous Coward · · Score: 5, Informative

    ..the google apps contract is fine. IAAL and i use google apps for all my stuff. i DO maintain a separate backup but everything goes on google. the bar is also fine with it.

    1. Re:yes.. by TheMMaster · · Score: 5, Informative

      If you had read the entire article you would've seen that it is written by "Brett Burney is principal of Burney Consultants, based in Cleveland." Finding his website, it turns out that mr Burney is not a lawyer, he provides some legal services FOR lawyers.

      So, that article is just some guy saying how convenient those tools are. Not some sort of legal analysis of the use of web-based applications for sharing private data.

      Here in Europe using stuff like that is absolutely not allowed for sensitive data, doctors, lawyers and governments are most certainly NOT allowed to use a hosted app like that.

      --
      Fighting for peace is like fucking for virginity
    2. Re:yes.. by jonnyj · · Score: 5, Informative

      I can't give a legal answer for US companies, but its my job to consider questions like this for a UK based financial services business. Google's applications are essentially the same as any other outsourced services, and UK law is based on the premise that you can outsource activity but you can't outsource responsibility.

      What this essentially means is that a UK business is expected both to have a legally enforceable set of data protection contract terms and to have conducted a risk assessment supported, where appropriate, by a detailed appraisal of the outsourcer's policies, procedures and practices. FWIW, the conclusion that I've drawn is that Google apps are completely unuitable for any UK business that processes customer data, as there is no guarantee that the data will remain in the EEA (European Economic Area) or another country that has equivalent data protection principles enshrined in law. UK business are not allowed to process personal data in the USA without express customer consent because its data protection laws fall short of ours.

  2. Tricky HIPPA... by Annwvyn · · Score: 4, Informative

    As a Paramedic, I can say that HIPPA is extremely strict and will, if violated, force your license to be questioned as well as cause fines to be pushed your way. Honestly, doing ANYTHING outside of a secured network or a patient care medium (i.e. Pyxis, Temsis) with privileged, confidential information will plant a bullseye on your back. It is just not worth risking it. I can guarantee that an expert data thief is going to be more skilled and knowledgeable at computers and networking than any physician I know.

  3. An idea to make this work by MarkWatson · · Score: 4, Informative

    Amazon published a white paper about using their AWS platform with HIPAA compient applications: basic idea is to keep data encrypted until it is in memory, and encrypt it again before writing to persistent storage.

    For Google Apps, how about using rich clients that decrypt data for viewing/editing, and encrypt it again before storing back on big table, etc.

    Perhaps Google themselves would implement this as browser plugins?

  4. What does the fed do? by ljaszcza · · Score: 4, Informative

    We are a contractor for the Veterans administration. The VA insists that we comply with privacy issues strictly. Any communications that have patient information must be sent on encrypted secure systems. No open email servers/hotmail/gmail/whatever is allowed. Failure to comply with the privacy (detailed in the out of control HIPAA set of rules and standards) is punishable both financially and by being banned from contracting with the US federal government. As an administrator, I have to remind physicians that if they are caught transmitting identifiable information of our patients over unsecured channels, it may cost us our contract and may result in their being banned from seeing medicare/medicaid patients. Anyhow, that's my two cents on utilizing gmail or such for sensitive information.

  5. Re:The bottom line by EdIII · · Score: 4, Informative

    Not only did you not read TFA, but you did not even read the summary. Laziness has nothing to do with this at all. He is getting a lot of friction from his clients that don't understand HIS reservations about doing business with Google in this manner. He is concerned for their legal liability. Sounds like an IT guy that actually cares.

    His question being posed to the /. community, is whether or not his clients have a point. Can we really trust Google with data that must remain confidential. Can he recommend Google services to his clients without fearing for liability later down the road.

    Yeah, that sounds lazy to me....

  6. Re:Ever read a EULA? by Tynin · · Score: 4, Informative

    I dislike MS as much as the next /.er but if your company allows your Exchange server to call home to Microsoft, for anything other than patching, your network admin needs to be fired.

  7. No physical security by pentalive · · Score: 5, Informative

    No matter how ironclad the agreement or how draconian the penalties your data will still be public. Sue Google into non existence and well your data is still public.

    Without physical security there is no security.
    If you don't own the box and control access yourself there is no physical security.

  8. Re:HIPAA compliance is no joke. by DragonWriter · · Score: 4, Informative

    As far as I know, NO ONE HAS SUCCESFULLY SUED FOR HIPAA VIOLATIONS.

    Since HIPAA doesn't create a private cause of action for violations, only the federal government can enforce HIPAA rules generally (sometimes, under state laws, the fact that a disclosure is in violation of a federal law like HIPAA, or of a assurance or agreement mandated by HIPAA, may, with other factors, meet the standard for some private cause of action under state law, but the action won't be for a HIPAA violation, per se.) To date, AFAIK, none of the HIPAA complaints received by the Department of Health and Human Services' Office of Civil Rights (which enforces HIPAA) have resulted in monetary penalties being assessed, but most of them do result in OCR requiring business practice changes on the part of the entity against whom the complaint was lodged. A few do get referred to the Department of Justice for criminal prosecution, though I believe that, to date, no prosecutions have been made on HIPAA charges alone (sometimes HIPAA charges have been part of a broader criminal complaint.)

    But they are allowed to send your information to third parties to help "manage your health" or "process billing" or "collect payments" or all sorts of things.

    These third parties ARE NOT REQUIRED to follow HIPAA, as they are considered non-covered entities. . This means once your info goes to billing for processing, your privacy is based on contracts with your provider and social embarrassment.

    There was a time when that was at least generally true (where a business associate of a HIPAA covered entity might not be liable the way a covered entity was if it was not itself a covered entity), however, the recently passed HITECH Act (part of the American Recovery and Reinvestment Act of 2009 [ARRA], Pub.L. 111-5) both added additional security requirements that apply to HIPAA covered entities and extended both the existing and new security requirements on HIPAA covered entities, including the civil and criminal penalties for violations, to apply to those entities' business associates to the same extent as to covered entities themselves. (see ARRA, Title XIII, Subtitle D, Sec. 13401; codified at 42 U.S.C. Sec. 17931.)

  9. Re:No by Chyeld · · Score: 4, Informative

    SAS 70 Type II for Google Apps
    Tuesday, November 04, 2008 at 3:46 PM
    Posted by Eran Feigenbaum, Director of Security, Google Apps

    Ever since the first Gmail users began trusting Google with their private information, keeping people's data safe has been one of our top priorities. Today, more than a million businesses, plus thousands of schools and organizations using Google Apps rely on us to safeguard their critical information.

    We've published some of the ways we keep sensitive information where it belongs, but we wanted to go farther and have external independent security specialists audit our systems and procedures. Here's the outcome: an independent public accounting firm has verified the effectiveness of our technical processes and controls for Google Apps, and Google Apps has satisfactorily completed a SAS 70 Type II audit.

    Our commitment to keeping customer information safe - whether they're consumer users or our largest enterprise customers - is part of our DNA, and we protect this information as rigorously as we protect our own sensitive corporate information. In fact, we use the very same services that we offer to our users for our own email, documents, project team sites and calendars.

    which leads to

    Statement on Auditing Standards No. 70: Service Organizations

    Statement on Auditing Standards No. 70: Service Organizations, commonly abbreviated as SAS 70 and available full-text by permission of the AICPA, is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), officially titled "Reports on the Processing of Transactions by Service Organizations". SAS 70 defines the professional standards used by a service auditor to assess the internal controls of a service organization and issue a service auditor's report. Service organizations are typically entities that provide outsourcing services that impact the control environment of their customers. Examples of service organizations are insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearinghouses.

    There are two types of service auditor reports. A Type I service auditor's report includes the service auditor's opinion on the fairness of the presentation of the service organization's description of controls that had been placed in operation and the suitability of the design of the controls to achieve the specified control objectives. A Type II service auditor's report includes the information contained in a Type I service auditor's report and also includes the service auditor's opinion on whether the specific controls were operating effectively during the period under review