Slashdot Mirror
Can We Abandon Confidentiality For Google Apps?
An anonymous reader writes "I provide IT services for medium-sized medical and law practices. Lately I have been getting a lot of feedback from doctors and lawyers who use gmail at home and believe that they can run a significant portion of their practice IT on Google Apps. From a support standpoint, I'd be happy to chuck mail/calendar service management into the bin and let them run with gmail, but for these businesses, there is significant legal liability associated with the confidentiality of their communications and records (e.g., HIPAA). For those with high-profile celebrity clients, simply telling them 'Google employees can read your stuff' will usually end the conversation right there. But for smaller practices, I often get a lot of push-back in the form of 'What's wrong with trusting Google?' and 'Google's not interested in our email/calendar.' Weighing what they see as a tiny legal risk against the promise of Free IT Stuff(TM) becomes increasingly lopsided given the clear functionality / usability / ubiquity that they experience when using Google at home. So my question to the Slashdot community is: Are they right? Is it time for me to remove the Tin Foil Hat on the subject of confidentiality and stop resisting the juggernaut that is Google? If not, what is the best way to clarify the confidentiality issues for these clients?"
No, keep the hat, and demand better.
..the google apps contract is fine. IAAL and i use google apps for all my stuff. i DO maintain a separate backup but everything goes on google. the bar is also fine with it.
If you are in an industry where your internal communications/documents/etc should or must remain confidential, than you cannot trust Google Apps as your free platform for email/document creation/document storage.
If you don't mind the possibility that the world may get your data, then by all means feel free to use Google, or any other SaaS type offering.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Confidentiality is very, very important to businesses and individuals, even more so in the Internet age. One of the reasons to continue to operate your own infrastructure, no matter what the current hype is.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
immediately squelch any such thoughts.
"I don't know, therefore Aliens" Wafflebox1
From here: http://docs.google.com/support/bin/answer.py?answer=82366&ctx=sibling
"
Privacy and security: Understanding section 11.1 of our Terms of Service
Print
We've received questions over time about the meaning of section 11.1 of our Terms of Service. We realize that for those not familiar with legal agreements for services that use the Internet, these terms can look confusing, or even frightening.
The first thing to understand is that this language doesn't give Google ownership rights to your data. You, and you alone, own your content. Whether you wish to keep your content totally private, or share it with the world, that's your choice.
However, in order to honor this choice, Google Docs needs permission to display your content as you see fit. This is what we mean by a "license to reproduce." We need to ensure that when you click the "Publish document" button, or use the "Invite collaborators" option, we have the license to carry out your wishes. It is this agreement, between Google Docs and you, the user, that section 11.1 of our Terms of Service reflects."
Why would you even chance it? That's their EXISTING terms of service, but as always, those terms are subject to change without notice.
I can't imagine that HIPAA would allow this.
Sent from your iPad.
It might be an acceptable compromise. The same clients considering Google Apps are 99.999% likely to have a non-existent or ineffective backup/archiving system, lack the expertise/cash for sysadmining Microsoft enterprise apps and would probably benefit from being able to log in on multiple machines to access their data. All strategies involve risk - if you veto Google, they may be missing out on the best compromise solution. YMMV.
I think the YRO section always has the red border, just like games always has the blue/purple border.
This is slashdot, not legaldot.
That being said, your writeup sounds like you're a contractor/have your own company. If that's the case, the best you can do (Outside of telling your customers you aren't going to and being fired) is make very clear, in writing, what your opinion is, and get them to sign off, in writing, that they are responsible and/or have another way for handling confidential info, etc.
I'm not sure if that's enough to cover your butt or not. See first sentence about this is slashdot, not legaldot. I would consult with a lawyer, preferably one that is not one of your customers.
Why does the story header appear *red* instead of the usual green? (Firefox 3.5 on Vista)
It does that when the story is brand spanking new, I think. It means you're getting the freshest of slashdot's offerings, rejoice!
You can't take the sky from me...
If web apps are ever farmed out to foreign servers, you can kiss your privacy goodbye. If the government requests any data off the servers and weasels around the usual search warrant limitations, you're on your own.
Tell them about what could happen, and that the risk may be low but not zero. Because data have been exposed through sloppiness before, not only through malice.
Then make sure YOU are not liable if they violate HIPPA or something similar. Either don't support their Google stuff or make sure you have documented that they use Google SAS against your advice.
C - the footgun of programming languages
If they wanna do it, they gotta get a lawyer--a lawyer who knows HIPAA. HIPAA compliance is a pain--and noncompliance can be very expensive.
Lawyer costs may even outweigh the Google savings
As a Paramedic, I can say that HIPPA is extremely strict and will, if violated, force your license to be questioned as well as cause fines to be pushed your way. Honestly, doing ANYTHING outside of a secured network or a patient care medium (i.e. Pyxis, Temsis) with privileged, confidential information will plant a bullseye on your back. It is just not worth risking it. I can guarantee that an expert data thief is going to be more skilled and knowledgeable at computers and networking than any physician I know.
Your role, as a qualified member of the IT staff, is to make the higher-ups aware of the risks. Do your due-diligence, tell them the data isn't secure (in person, in e-mail, and maybe even on paper), and remind them from time-to-time (using creative new analogies whenever possible). That's it, you've done your job.
The fact of the matter is, regardless what the policy is, and regardless what they all "agree" on, they're going to put sensitive information on the Web. You'd have to take away their Internet access and portable devices to prevent it, and even then, they'd just go home and use that.
Accept that the best you can do is educate them and provide alternatives.
I'd like to report them to the regulatory commission that enforces HIPAA rules.
Seriously, read up on HIPAA and get them to follow HIPAA rules, otherwise huge fines could be coming their way.
Just because a doctor hands out those privacy pamphlets doesn't give them the green light to ignore or circumvent the privacy and security rules. Claiming ignorance is not an option.
Get them off of gmail and google apps and put them on systems and networks that you can effectively apply controls too.
You have no control over the security and privacy controls in place within google apps thus you can't effectively satisfy the HIPAA rules.If they do not want to do an internal networks with servers, outsource it all to a data center that is HIPAA compliant and where you control the servers both physically and logically.
Good luck and hire yourself a partner or subcontractor that does HIPAA and SOX regulatory consulting. You could hire me but I'm $350/hr.
Amazon published a white paper about using their AWS platform with HIPAA compient applications: basic idea is to keep data encrypted until it is in memory, and encrypt it again before writing to persistent storage.
For Google Apps, how about using rich clients that decrypt data for viewing/editing, and encrypt it again before storing back on big table, etc.
Perhaps Google themselves would implement this as browser plugins?
Far as I know the Google Mini Enterprise comes with all of the apps you need.
And since it's a local server, I suspect it'd still qualify for your confidentiality needs the same way any other local server would.
Question: Is Google Apps HIPAA compliant?
http://www.google.com/support/forum/p/Apps%20Partner/thread?tid=4d6f74d03de056c7&hl=en
Some interesting points raised.
Of course, it may have been you who originally asked this question Google in the first place...
If at first you don't succeed, so much for skydiving.
No lawyer can legitimately use Google-hosted services, unless they're doing work for Google. It would be a huge violation of confidentiality.
In Silicon Valley, where many lawyers are doing work adverse to Google, absolutely no way would this be tolerated. Even Microsoft Windows Update makes some lawyers nervous.
That's a better question.
Their policy suggests not.
Perhaps a Google engineer somewhere can "read your stuff" but only in the same sense that you could as the person administering your clients mail. Is that a worry? I'd expect Google have a lot more to lose if such a privacy breach happened than you, their whole apps hosting business would evaporate.
That said, if there are specific legal requirements for your industry you'd need to evaluate on those specific requirements not on what a random guy on Slashdot thinks.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
When you click "Accept" on many EULA's you give up rights to privacy of your data to that company. What's the difference if it's hosted or not. Microsoft can just as easily have Exchange phone home with data as Google employees can read your mail. There's no difference. You just have to decide which company you trust most.
If an officer ever threatens to taze you, say you have a pacemaker.
Typed "Google Apps HIPAA compliance" into Google and found your response from Google: Is Google Apps HIPAA compliant? The answer is of course, "it depends".
Precisely, that's why my healthcare providers only use it to notify me that a message has been received. I have to log in to their site via SSL if I actually want to read the information. There are still risks, but with a properly secured DNS server and the appropriate measures to make sure it isn't a forgery, it's as secure as you can get.
We are a contractor for the Veterans administration. The VA insists that we comply with privacy issues strictly. Any communications that have patient information must be sent on encrypted secure systems. No open email servers/hotmail/gmail/whatever is allowed. Failure to comply with the privacy (detailed in the out of control HIPAA set of rules and standards) is punishable both financially and by being banned from contracting with the US federal government. As an administrator, I have to remind physicians that if they are caught transmitting identifiable information of our patients over unsecured channels, it may cost us our contract and may result in their being banned from seeing medicare/medicaid patients. Anyhow, that's my two cents on utilizing gmail or such for sensitive information.
I just had another thought on this.
Assuming you cover yourself properly from legal liability, do whatever your clients want... Then turn them all into the HIPAA police (I know there aren't HIPAA police... I have no idea who does the enforcement actions; you get the idea) for some sort of reward.
It is not your job to educate them on their professional responsibilities. Odds are very good that you aren't competent to advise them on it, and it would arguably be a violation of their canons of ethics to take advice from you. Lawyers and doctors have ethics committees to field questions like these: refer your users to them.
In the interim, stand by your guns. If your users say they'll go to the ethics committee and they're sure they'll be exonerated, propose this as a hypothetical question: if you give privileged documents to an uninvolved third party, is the veil of privilege pierced? Yes or no? (The answer is usually "yes"; exceptions are rare.) So, if you give privileged documents to Google, is the veil of privilege pierced?
Don't give advice. Just ask questions, and whatever you do, don't give in.
Google, is that the same Google that lost a lot of data a couple years back? I'm not really suggesting that they're not to be trusted, but they have lost data in the past, and as unlikely as it might be, it could happen again. Not to mention the fact that they allow access through insecure methods to the data.
I'd have to agree with this. The minute people start to use non-internal staff & resources to provide information infrastructure you're implicitly trusting that the company as a whole will protect your data.
I'd just as well trust Google with my mail data & docs than yet another consultancy that provides core IT services.
The bottom line is who do you trust. The best option in my opinion, which has been mentioned plenty before, is let your clients know what you think, give them the (quantified) risks and what (if any) violations of policy it would entail and let them decide. Then make sure its in a signed agreement.
Proper legal advice would also be the order of the day when you've done as much research that you can on your own (i.e., stuff like this)
jaymz
Some stories are red to show that they were posted by a communist.
signature is pants
Totally off-topic, I know. But it irks me that when we bring up a display issue, our reflex is to mention our browser AND our operating system.
Just goes to show that we are nowhere near any kind of usable standards for browsers like the kind that's been envisioned for a decade (or more!).
"Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
I think there are three classes of company for the purposes of this discussion:
If you trust shared hosting providers; you shouldn't care about the Google employees who can access your data
If you trust managed hosting providers like Rackspace, particularly if they're hosting virtualised servers for you; you probably shouln't care about Google employees with access to your data.
If you don't trust managed hosting providers; well you're probably not reading this from the office, and Google Apps doesn't get a look in.
I'd say most companies fall into the second.
Until Google Apps can FLAWLESSLY import and export files with Microsoft Office (doc / xls / ppt) no company is going to use it. For good or ill, those are the file formats the world runs on. If Google fixes that issue (and that's a big if), then we can tackle the privacy question.
I don't understand what "possibility" has to do with it. Your data could "possibly" be exposed if you have your own infrastructure.
A more relevant question is probability. Is there additional exposure through using Google? Are Google internal security practices likely to be better than yours? If you are a small shop outsourcing your IT services anyway then why is Google worse than some other party?
Boffoonery - downloadable Comedy Benefit for Bletchley Park
Source: http://www.google.com/support/forum/p/Apps%20Partner/thread?tid=4d6f74d03de056c7&hl=en
Answer to your question.:
PeteGriffin@Google (Google Employee) + 3 other people say this answers the question:
From a sales standpoint, I would recommend turning the question around and asking them what steps they are currently taking to be compliant with the relevant compliance-acronym (HIPAA, SOX, FERPA, PCI, etc). Understand what steps they currently take to be compliant, and what their current solution is. You'll be able to quickly discover if it's a real showstopping requirement and be able to move on, if it's something that can be addressed by Google Apps... or if they are horribly un-compliant and they're hoping that Google Apps will solve all of their problems (and more!).
No solution by itself is going to be the silver bullet; organizations (especially small and medium businesses) have extremely varied IT infrastructure and policies, with information flowing in different ways for different reasons. Google doesn't certify or identify Google Apps as being compliant with any specific set of regulations. It's really up to the organization to determine if a solution meets their compliance needs for their specific situation.
Google Apps has a very impressive set of features that are extremely helpful when dealing with prospects with compliance needs. The Postini component of Google Apps (referred to as Google Message Security) allows for very granular control of email content (in and out). There are additional email archiving and retention components available. Google Apps is SAS 70 Type II certified. We have also made a good deal of information available about Google's security policies when it comes to our network of data centers through a hefty white paper.
If anyone has experiences dealing with situations like this, please feel free to share your thoughts. Tony Safoian over at SADA Systems has some good thoughts around this:
http://www.google.com/support/forum/p/Apps+Partner/thread?tid=2ce6b0904f65ac44&hl=en
don't even THINK about outsourcing that.
yes, giving it to google is outsourcing. what, you thought.....
you didn't think.
THINK.
keep the network OFF your medical (etc) files. sheesh! this is 101 level, people. come on.
let me be very clear; you do not want to put medical, legal or ANY sensitive info 'in the cloud'. anyone's cloud.
got it?
its very simple.
--
"It is now safe to switch off your computer."
But google is. They place ads based on the content of your emails (i.e. I get SVN commit messages, and lo and behold ads for SVN related stuff on the side bar). So at a bare minimum they have automated processes reading all your emails, extracting meaning from them and displaying ads to you.
if it were a service the lawyer/doctors/etc were paying them for, how would this be different than say a lawyer's office contracting their IT work to a tech firm?
FreeBSD for the impatient.
Sure, explain the risks, and recommend they run the idea past their lawyers.
It's their risk to take, and look at it from their perspective; they're already trusting you with their data. Why should they trust Google, with it's nigh infinitely deep and sueable pockets, less than they trust you?
The question, then, is not one of "needing to trust Google". The question is, "Is Google more or less trustworthy than the current solution?" There is a fair argument that a large, multi-billion dollar company has a lot more to lose should things go sideways than a contractor. There is also a fair argument that they probably have 1000x more people with access to the data than an independent contractor.
This, of course, ignores any legal requirements like HIPAA, PCI DSS, etc. etc. But I think my point is still valid: If the client has already contracted out management and/or hosting of their data, they have already made the decision to trust an outsider. Going with Google or not is just a question of "which outsider do we trust"
Because it is a RED ALERT. You are supposed to have your shields up and you need to report ready at general quarters. Hurry up - and shut off that damned noise!
Don't believe anything they say - Google is a publically traded corporation. The job of the directors is not to make a profit, it is to maximize profits. The example the founders set will only go so far. How much attention do other companies pay to their corporate slogans? How many of you can name the slogans of AT&T, IBM, Facebook, or other companies? And how much attention do the employees of these corps pay to their slogan? Does the Goldman Sachs slogan really drive its employees?
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
The fact is that if Google Apps is not secure enough for you, then neither is any network data that also shares a connection to the internet. Lets be honest, any network connection is a pathway to your data. If you really want security, close the loop. Otherwise, Google Apps is perhaps an appropriate reminder that you're ultimately vulnerable. If hackers can get onto the Google Apps Servers, then they're not going to be stopped by your internet security either. At least, not for long....Buggy browsers, malware, users, and Windows will eventually leave you naked. Google Apps is appropriate for many and is more secure than a Trojan bot key logger root kit polymorphic virus windows IE beta orgy toolbar macro, like most small business systems that I encounter.
HIPPA is the law, and organizations with a duty to protect patient confidentiality don't have the option of basing their security policies on wishful thinking.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
>Is it time for me to remove the Tin Foil Hat on the subject of confidentiality and stop resisting the juggernaut that is Google?
Is the information you are posting confidential? That's not a question you can answer by yourself: It's a combination of the business deciding, and whatever laws apply in your country. With the higher level being the decision. Medical and Law? Surely the answer is an obvious No.
Open Source Drum Kit, LPLC deve board - mjhdesigns.com
If I found out that any lawyer or physician working for me had put any of my confidential documents up on Google I would immediately terminate the relationship and file an ethics complaint.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Twitter docs hack exploits stupidity vuln
As someone who works in the medical industry (a recent change of pace, I'll admit), let me say that if anyone in my company transmitted confidential information over a web mail service like Gmail or Yahoo!, they would be instantly terminated and possibly indited. Non-secure transmission of confidential patient information (even as simple as an insurance subscriber ID) is precisely the reason laws like the HIPAA protections exist. If these providers are your clients, it would be wise to make it very clear to them how illegal what they are doing really is, and how severe the repercussions are for their actions.
Think of it this way: Do you want Google indexing and/or caching your SSN, your policy number, or even your name as it relates to the results of your most recent colonoscopy? Didn't think so, and neither does anyone else in their right mind. I won't advise you to be a tattle-tale to any regulatory agency, but I'm surely tempted.
CAn'T CompreHend SARcaSm?
To expand a little:
Remember that email is unencrypted and is sent through random routers across the internet. Someone sniffing at an intermediate router can intercept your communications. So you should not send sensitive material via email.
Some argue that it's unlikely someone can get all of your email, citing the needle/haystack argument. This is true, but the router risk is highest at your facility and the recipient's facility, where it would be much easier to sort.
The greatest risk, though, is whoever is running the recipient's mail system, be it google, yahoo, microsoft, or some minimum wage IT guy.
And don't forget, if you're an AT&T customer on the west coast, the NSA has a room sniffing/storing EVERY PACKET going through AT&T's data center. So it's pretty much guaranteed that at least they see your emails.
So logically speaking, if you don't encrypt your email and use email for communication, then Google Apps is fine for similar information storage.
passetspike!
Maybe they are, and maybe they aren't. But here's the thing: you are being paid as an IT consultant, not a legal adviser or a compliance consultant. You need to ask what their requirements for security, privacy, etc., are, and, if they ask about using Google Apps to meet those needs, you should give your professional advice as to whether that service meets the requirements they have articulated to you. But you probably aren't qualified to tell them what their requirements are under HIPAA (not HIPPA) requirements, or any of the myriad of other specialized, domain-specific, privacy laws and regulations, or even to tell them which of those laws and regulations apply to them, and, if you aren't, you shouldn't hold yourself out as someone who can answer those questions for them.
Have your lawyer write up a legal letter which says that for any confidentiality-bound practice like lawyers or doctors, you recommend they do not use Google Apps as they are likely in breach of their own privacy-related responsibilities. Have the end user sign the document before you will do business with them. If they won't, then walk.
That way, when they get busted to the tune of millions of dollars for the sake of a couple of hundred bucks of office software, you can't take the fall.
Whilst this doesn't apply for internal emails and documents, and I realise there is a difference in storing archives insecurely on Google's servers than simply transmitting insecurely, I do find it interesting that many people are concerned about Google reading the contents of their email/documents, when they have been sending and receiving emails/documents for years in plain text, over routers and servers they know nothing about.
Email could be confidential if people would use encryption.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Put this in your email signature:
She was let off easy...
CAn'T CompreHend SARcaSm?
You have made the facts clear to your clients that google or other service providers can read potentially confidential communications. Aside from that, you have probably informed them as to the pros and cons with respect to reliability and usability of the online apps. At this point, you have fulfilled your duties.
Whether it is ethical for these individuals/entities to use web apps is a question for lawyers and as a cautionary note, you opining upon the ethics of using these services is border line practice of law.
As a lawyer, I often wonder about these things myself. Many small offices and sole practitioners rely upon hotmail/gmail for email services. Even those who set up a domain name and custom email addresses often still rely upon a third party to manage their servers, like GoDaddy.
I was developing an online application to manage client billing, but abandoned it due to privacy/ethical concerns.
But like I said, my original point is that your role is to merely inform the facts and determining whether it is ethical to use those services in light of those facts is up to the lawyers.
No matter how ironclad the agreement or how draconian the penalties your data will still be public. Sue Google into non existence and well your data is still public.
Without physical security there is no security.
If you don't own the box and control access yourself there is no physical security.
It seems to me that this should be underscored. The heck with gmail, EMAIL is not guaranteed to be sent encrypted or in any way secure. If you're sending credit card info, passwords, personal health information, or ANY info you can't afford to have random strangers read, you SHOULDN'T be using email for it, PERIOD.
No lawyer can legitimately use Google-hosted services, unless they're doing work for Google. It would be a huge violation of confidentiality.
No it wouldn't.
If Microsoft applications started "backing up" documents by sending them to Redmond it would be detected (If only by increased bandwidth at the main router) and the hue and cry would be deafening.
A sudden change in in or outgoing mail traffic will also be noticed.
I can't imaging google is hipaa certified as a storage provider for medical information.
-- Programming with boost is like building a house with lego. It's a cool but I wouldn't want to live in it
Once something is on Google, the up side is: any computer with internet access can log in and access it. The down side is the same: any computer with internet access can log in and access it.
If something is on your internal network, that already puts a bit of a limit on who can access those files. It's not bulletproof, and you can still get rooted, but it's a limit. The average Tom, Dick and Harry are as good as physically separated from that data, even if they can guess your password.
Once that stuff is on Google, essentially anyone who can guess your password is good to go.
For example, you only need one employee who uses the same password everywhere (it happens more often than you'd think) and has ever shared their home email password with their spouse, or their WoW account with the chinese guy who power-levelled it, or whatever. Or they only need the same password somewhere where you need to guess their mother's maiden name to get that password. (Again, you'd be surprised how many put the real maiden name there.)
Or some passwords are that easy to find out, because they're weak. People use their nickname, or pet's name, or whatnot as passwords all the time.
Some passwords aren't even kept secret. I know the logins for a local hospital _and_ the emergency medical service, without ever having worked there, just because the former was taped to the monitor and the latter was spoken out loud while I was there. And yes, apparently veryone there used the same. So every ex-employee knows those too. Plus any patient who can read or has ears.
So, ok, now you know a name and password for the hospital computers. Now what?
In a traditional IT scenario, they're only accessible from the internal network. Sure, you can try to sneak into a room and use their computer, but you can be caught, so most people won't. Sure, you can try to get them rooted somehow, but again most people wouldn't even know how.
Now move those files on Google, and you have a real extra problem. If that hospital ever moves its data to Google, every single patient who ever read the post-it on a monitor, can try it from their own home. No having to sneak anywhere, no risking that someone walks in on you, no l33t haxxx0r skillz needed. Just point your browser at Google, log in as a doctor, and read the medical data of everyone who ever used that hospital.
A polar bear is a cartesian bear after a coordinate transform.
seatbeltless cars, guardless chainsaws, helmetless bicycles and police free cities will all help this 21st century civilization embrace the anarchy that makes it more productive!
Good people go to bed earlier.
I can't imagine google is hipaa certified as a storage provider for medical information.
-- Programming with boost is like building a house with lego. It's a cool but I wouldn't want to live in it
People are evil. Corporations are not people, but people hide within their edifice in order to control others. Self interest is always abundant in our economy and society; and corporate greed is just a vehicle for that objective. Google, like Soylent Green, is people. If Google "Does No Evil" is that the same thing as "doing the right thing?" Perhaps its a start, but corporations don't deserve human rights, and people don't deserve a corporate domination of society and power. Our institutions need to be as accountable to society as our citizens - and its time we expect more from our people. Bottom lines despise human beings - and corporations would prefer no payroll or human interaction. Shareholders want profit, and it is a dehumanizing influence on the people who decide to lay off workers and rip off their customers. Incentives on the bottom line ignore other people's quality of life.
If they even so much as continue to talk about using Google, or any other insecure third party application, for sensitive patient data. There is no possible way to use Google without breaching HIPAA unless all the doctors and patients interested in using it are capable of successfully encrypting and decrypting all communications; which they are not.
Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
SMIME could be the answer. With free personal email certificates available from places like Thawte, it's trivial to enable end-to-end encryption with mail clients like Apple Mail.
I use Google Apps for my business and anything that's sensitive, I will encrypt. In Apple Mail, once you have imported your freemail certificates into your keychain, a couple of buttons appear in the Compose Mail window - one to sign and one - provided you have the recepient's public certificate in your keychain too - to encrypt. In order to get someone's public certificate in your keychain, all you need to to is send them a signed email, to which they can reply with a signed email and you will have each other's public certificates.
Since moving to Google Apps, I've saved power (by not needing a machine on 24/7 just to handle incoming and outgoing email) I've got email syncronised between my laptop, my desktop and my iPhone by using IMAP, I've got a great webmail interface that's powerful and easy to use and I don't need to worry about administering my own email server.
Reliability has been very good so far and I've moved a couple of my clients over to Google Apps as it makes sense for them to outsource their email hosting rather than handle it themselves, or pay per email address through their ISP and have very limited storage space and POP access.
Security is the least of my concerns - and I would consider myself a security conscious person. With email, even sent from your own server, it travels over so many insecure links from it leaving my server to arriving at it's destination that I don't believe outsourcing my email to a 3rd party like Google is any less secure.
As I mentioned initially, if security is a concern, and this applies even if you're running your own email server, use encryption.
Specialist Mac support for creative pros, Melbourne
Here, read it. You'll be surprised.
http://www.rdmc.org/cmhc/reports/HIPAA_Security_4.pdf
They are not really standards, just vague suggestions. For example:
"Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity."
Ummm, how long? Is a week alright?
"Implement policies and procedures to protect electronic protected health information from improper alteration or destruction."
and my favorite:
"Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate."
And so on.
Hard to take these "standards" too seriously. Very subjective, vague, open to interpretation. Not really standards. Simply saying: "require passwords" or "have a backup plan" is not useful.
Explain the risks (and benefits) clearly to them, in writing, with proof you did it. Storing medical info is particularly sensitive.
If your customers are willing to take the risk, it's their choice, and their responsibility, as long as you've been clear with them.
I think they'll back down when you come to them with a waiver to sign to clarify that they are responsible, not you.
The Cloud - because you don't care if your apps and data are up in the air.
Outsourcing the handling of confidential data can be ok if and only if you
a) Qualify the provider by doing a thorough investigation
b) Get them to sign (by a corporate officer, not a salesman) an ironclad
contract with indemnification and hold-harmless clauses.
It'll be cheaper to hire staff and do it yourself (and there's no way you'll get that contract out of Google).
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
It would be a massive risk of confidentiality breaches. I would rather only have to trust the people working for the law firm to prevent a data leak than have to trust them and the thousands upon thousands of IT workers at Google. Legal files could easily become high-profile overnight, especially if there are special interests who think they can them as a case-in-point for whatever agenda they have; an IT worker at Google might be paid off to leak some files, and with so many IT workers, the chances of finding one who is corrupt or desperately needs money are fairly good.
Palm trees and 8
While email rarely is encrypted it certainly can be.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Users are accepting of system outages when it's their personal stuff, and even then, only barely. When your clients start asking for "Free IT Stuff", remind them that nothing is free, and that when Gmail goes down, there is nothing you, as their support staff, can do about it. And yes, confidentiality is important, and no, Google doesn't provide it.
As long as Google will sign a business associate contract -- which they very well maybe willing to do -- then they can legally store information on gmail.
"Google employees can read your stuff" is not accurate.
Google just doesn't trust internal people; the security folk there are very savvy, and they know that incidents from inside are a serious risk. Which isn't to say they are HIPAA compliant; until they are, your doctors don't belong there. But it isn't fair to Google to imply that internal people there have unauthorized access to your mail. Are there people who might be able to read your email without authorization? Perhaps. But I think Google has controls to mitigate the risk of it happening, and make it so that it cannot happen without an audit trail.
If not, you doctor friends are committing a federal crime as it is, punishable up to jail time.
If they are, then its a non issue.
---- Booth was a patriot ----
Given that Google already sell a search appliance, I've wondered before why they don't sell a Google Apps appliance. I'm pretty sure I could resell a bunch of these no problem!
Alternatively, would it be possible to have the Google Apps front-end use storage elsewhere?
http://www.renalandurologynews.com/Staff-Nurse-Faces-Jail-Time-for-HIPAA-Violations/article/119854/ http://www.healthcareguy.com/index.php/archives/483 http://www.healthdatamanagement.com/news/HIPAA-38694-1.html Go ahead... take the time and spend the money to get a license to practice. Then go mess around with private information. See what happens.
So which is more likely to happen: A google employee reading your hosted email and using that information in nefarious ways, or if self hosted the sysadmin you now have to have on the payroll doing the same thing? The farther away from and less familiar any person is with your business the less likely that person will consider the possibility of messing with your business. I would rather put my faith on being a fish among thousands in a lake rather than being the only fish in a bucket.
'Google employees can read your stuff'
Even if these clients are currently running their own e-mail server, employees at the local ISP could use DPI to read their stuff. Anything you send on the internet that isn't encrypted can be read by lots of different people at lots of different points. Unless the clients are currently encrypting their e-mails, I don't see any privacy reason not to use gmail.
there's a for-pay version of google apps which can be delivered over SSL. i don't know if the license terms are any different, or if the server-side storage is at all secure, but i'm willing to bet someone working for google could answer that question for you.
Who's more likely to do something damaging with your data: one of the few Google employees who has direct access to it as part of a sea of data belonging to millions, or the disgruntled tech in your own company who has access to the server room?
I'm not saying that you should outsource without a second thought, but if you have a contract with clear terms for how your data should be handled, with an explicit lack of disclaimer of liability for damage to your business in case they mess up, and you outsource to a company with a track record of managing their systems at least as well as your own staff, you're probably at less of a risk of malicious disclosure with your data in the hands of a reputable disinterested party.
On the other hand, if the outsourcing provider wants you to sign away all your rights (and many do), they don't have much of an incentive to adhere to the terms of the contract, so you should stay away.
There's no failure quite as dissatisfying as a complete and total solution to the wrong problem.
I think your fall back position is HIPPA. Unless Google is going to follow that (and I seriously doubt they would), keep the tin foil hat on. You could always say that in every Google building there is a screen that shows the latest search phrases. They scroll by constantly and can be seen from the outside of the buildings in some places. Do your employers really want to open themselves to that?
Dude (et al 8-),
Your clients are at the "hey this free stuff is great" stage. Good. But there isn't really any value to having the ap be far away on a web server.
A decent and easy-to-accomplish setup of local Open Source stuff will do exactly the same job at the same price point, but without the questions of PRIVACY you mention nor the questions of RETENTION you didn't.
Google really _isn't_ on the hook to be there with these services or all your data in two years time etc.
So for privacy and retention reasons you cannot really ever use the web-application model to a remote company without many potential problems.
Again, local is mandatory, but Microsoft isn't. Everything you can find on Google Apps can be found for free use on/with any large-scale linux distribution pretty much for the cost of playing point-and-click in the software installer/chooser/whatever.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
Email should be confidential, the fact that it is not does not change the matter.
Postal mail is considered confidential so of course it's electronic equivelent gets the same line of thinking.
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
Having done a fair amount IT architecture work in the healthcare realm for the past 10 years, I can truthfully say that doctors are really cheap and look for ways to cut a dollar now at the risk of tens of thousands later. They are also early adopters of technology yet are basically clueless on how it works.
The cost of keeping an internal server plus vpn access for laptop use on an annual basis is a few hundred dollars. The cost of not having access to their records because of a fiber-seeking backhoe attack on their buildings access is hundreds per hour.
What _is_ the customer support number for Google if your Google Apps data goes missing? The doctors have your cell number and probably your home phone as well.
To Google, their account is one of thousands. To you, they are a car payment and maybe a few nights at the pub every month. Who is going to take care of them better, not cheaper.
The old mechanics saying comes to mind: "We do things 3 ways - right, cheap and fast. You get to choose two".
I just got here and haven't read the other responses, but . . . if you are seriously asking that question, obviously you are not familiar with your compliance requirements.
cjacobs001
Should keep in mind that, once something goes on the Internet, it is on the Internet forever.
Double goes for porn.
Comment removed based on user account deletion
Strange reasoning. All files get send over the internet with e-mails, in essence, every document created ends up being sent electronically somewhere, as snail mail is just not an option anywhere. If you worry about Google reading your e-mails, than also your ISP, hosting your imap-server, the ISP of your client, the IT guy maintaining your and his computer system, etc. So the security of a google document ends up in the same insecure risk category as every e-mail you send. However, the reputational risk for google when documents get leaked from their server is extremely high, while the risk for your local IT guy or local ISP is probably lower than the price they can get for selling the documents.
sam
There's one critical thing that a lot of people are missing here, and that's that this isn't a question of who has the documents, per se, but what can be done with those documents.
Some people are saying that if you hand your documents to a third party, it's the same, because they still need a subpoena. The problem is that they CAN get it with a subpoena from the third party. If you had kept them to yourselves, then (in some cases) they wouldn't. They could be protected by the attorney-client priviledge. It's not just a question of physical security, it's a question of confidentiality, and once you voluntarily surrender that, it's gone. And that nice document your client wrote you explaining what REALLY happened is no longer just a letter to an attorney, but an admission against interest. If the client does it, that's stupid. If an attorney does it, that's malpractice. Leave aside any objections about how dumb it is for such a document to exist. The fact that it could, and that your policy would result in a disaster of that scale, is enough of a cautionary tale to dissuade someone from taking the risk.
Really, sharing the information with google (you're surrendering confidentiality by agreeing to let them look at all), you're probably committing malpractice. This is a really, really serious deal.
I've actually done some HIPAA compliance work, and while the rules are slightly more loose, I seriously doubt that the doctor and google are going to be collaborating on a treatment plan, or that google is supervising the doctor's work. The same problems remain.
Not too many years ago, as the IT offshoring was really picking up steam, it turned out that a number of records transcription shops were farming out their work to subs who turned around and passed the work to offshore typing pools.
And, the doctors and patients were none the wiser until a Pakistani typist felt she was getting screwed by her job shop, and passed the threat upstream that she'd selling or post her data on-line if she didn't get paid. This turned into a major HIPAA-related Federal case for the responsible parties (doctors, IT shops) in the US.
My health provider has offshored a lot of its application dev. This reminds me to do some more research into what they're doing with my data. My dentist is self-employed, and I'll need to remind him resist any temptation he's having to use Google Apps for my dental data. If I find out he does it anyway, I won't hesitate a second to drop a dime on him.
Luke, help me take this mask off
Nobody mentioned twitter?
http://www.techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/
LOTS of lead-in on that. Long story short: Password recovery email sent to abandoned and thus recycled and avaiable hotmail account. Register hotmail account, send recovery email. Use gmail account to do password resets all over the damn place.
Google docs & everything Google was done on the first step.
How would it make you feel if your doctor stored your medical records in Google Apps?
Privacy regulations -- HIPPA, SEC, S/OX, FINRA, and RIA -- present very specific requirements. Google Apps Standard Edition (free version) does not meet these standards. Google Apps Premier Edition, with full SSL encryption enabled, meets these requirements for information access and storage. If you use Google Message Discovery, part of Google Postini Services, your historical archives are also compliant. With respect to HIPPA and some privacy laws (such as MA 201 CMR 17.00), emails should be scanned for personal information and blocked or encrypted. As such, full compliance would require adding a service such as Zix. Allen Falcon
You can call parent troll, but the phone companies recently admitted that they were spying on its customers as instructed by the CIA. What if Google provides the same service -- used as a tool to spy on all citizens? When it comes to something very, very important (to the patients), such as health records, security is paramount, and these cheap, fucking doctors should pony up the money to have a private network to maintain privacy of patient records rather than hand it over to an information hoarder, like Google.
I don't know how many of you have seen what passes for "IT" in many small medical offices - it's frighteningly insecure. I've seen more than one office where they were networked with cheap consumer wireless equipment - with the default passwords still in place and no encryption. Just pull up in the parking lot and turn on your notebook and they'll helpfully give you a DHCP address and access to their systems. I've gone through a few of these offices and locked things down better but they're still not exactly military grade security.
So how does the security of Google Apps compare with this? At least with the Google product the risks are well defined. Trusting the security of your doctor's network might not be a good idea - and the risks here are largely unknown. The people snooping on these offices are usually after credit card info, not medical records.
Think I'm kidding? Go check it out at your local multiple-physician office complex - then try to talk them into letting you secure their systems for them.
As they have explained it to me, anything you give to Google can be subpoenaed. Google is currently one of the most-frequently-served companies in the world, and Google gives full and enthusiastic cooperation with lawfully issued subpoenas.
The challenge is simple, and sweet:
1) Identify any law firm or privileged entity that uses Google docs.
2) Sue them, or perform some court action that would justify a subpoena.
3) Use the subpoena to retrieve all (or a significant number of) privileged docs from the priv entity.
It's a simple social engineering attack that might require the help of a cooperative law firm and some digging. Anybody listening?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
I get the same requesets from my clients. And it's not just GMail they want to use. It's the word processor, spreadsheet, etc as well.
I try to tell them that the security is an issue and they look at me like I just said that "Elvis enjoys tacos". It's startling how unconcerned they are about the risk to their confidential client work product especially in light of the fact that if it were to leak out they could potentially lose thier license to practice.
But...but...it's free, they say, with confused puppy eyes. As if free somehow obviates any need for security.
-B-
I don't understand that anti-google "hype", which probably was started by Ballmer :-)
There are many hosted mail solutions, every ISP has their own mail service, blackberry does have one too. There's a load of hosted Exchange solutions. Etc, etc, and businesses USE it. If a google employee can read email, why an ISP employee can't? Because it's in their terms of service? ha!
Rolling your own solution is damn expensive and you need a guy who actually knows something about it, that's why most companies are more than happy to outsource it.
I think you're absolutely correct. Telcos, ISP's, Comcast, Google, Yahoo, and MSN are all PUBLIC. Cloud apps/data systems information are like the Signs posted on an interstate highway. To place all medical or proprietary info on google apps is a very convenient excuse for insurance companies to steal unauthorized access to that data. Even if congress limits or prohibits their use of medical history to exclude coverage (due to preexisting conditions) you can be sure they want that data anyway. Without a doubt, those who want that information the most, will find and get it first, right from the "cloud" or the airwaves. Digitizing the actual records will enable it's unbridled transmission, sooner or later. Even if your files are "sealed", the medical billing contains detailed coding and prices. This data is in a wide area networks of health care administration, credit bureaus, billing & collection services, and accountants data systems....so they have bits and pieces. Meanwhile, lets try not to make the process so easy for them (insurance) - make 'em pay, make 'em pay.
If you use Google's servers just as a means of getting something sent via SMTP and received via POP - you can configure your email client to use a digital certificate and encrypt all your correspondence.
Even if Google keeps everything in their archive, it is still encrypted.
Sounds like a good compromise to me. Before you say "getting a certificate from CA costs money", remember that you can set up your own CA, or get a certificate for free.
The saddest poem
Look at where breaches actually occur in practice: disgruntled employees, P2P, server vulnerabilities, corporate espionage, carelessness, etc. Your in-house IT staff is a much more likely source of data leaks and corporate espionage than an organization like Google or Microsoft.
Or, to look at it another way, your "in house" IT staff is really all a collection of third parties as well, and they often have much less of a track record and much less to lose than Google.
I'm not saying you're fully wrong, but I think the discussion here is assuming that the alternative to google docs is a hardened computer, in a secure facility, surrounded with armed guards, razor wire, etc. And thats not the case. Speaking about small and medium legal and medical settings, the typical alternative is a poorly backed up, poorly secured, office computer, connected to the Internet, filled with viruses and backdoors, and enthusiastically contributing to the botnet du jour. Small businesses, in general, do not take the time to understand their IT security. Most lawyers do not understand technology, and unless a practice is very large, its not going to have a dedicated IT guy. So when you consider the risk of data loss, or breech, and compare that typical scenario with google docs, then suddenly google docs doesn't look so bad. Without education there is no security; and there isn't much chance of your average lawyer becoming tech savvy enough to secure their network any time soon - so maybe outsourcing aspects of this problem is an improvement.
My answer would be, no.
You cannot trust corporations without contracts. No matter how trustworthy the current leadership seems, the time will come when they will be replaced by persons unknown.
I would only use services where you are paying for it and a contract guaranteeing confidentiality exists. I believe that Google offers that on some services, but, if they don't, there are others that do. As for whether or not some service is HPAA compliant, ask your lawyer, not Slashdot.
You know, with all the responses saying that Google Apps are not good enough to comply with HIPPA PHI regulations, it makes me wonder - why wouldn't Google set up a tiered for-fee service that is compliant? Change the terms of service to guarantee the privacy of data, encrypt it on the server-side so that it can only be retrieved by the owner with the proper key (to prevent snooping google employees), prohibit the public viewing of documents (the publish feature), and charge a doller per month per gig, or something. Google is ideally placed to offer such a service, and - if they can meet the legal hurdles - would make bank.
Never underestimate the potential of Human stupidity. -Heinlein
Good idea. But why do you need a certificate? Why can't you just use public key (pgp, gpg)? That provides authentication and signing as well as encryption.
1: The suits will ignore IT's warnings. "What do geeks know about running a business?" ..
2: The suits will ignore Legal's warnings. "The money we save far outweighs the minimal risks."
3: A significant amount of time passes. The suits pat themselves on the back for padding the bottom line. Stock options are cashed in.
4: A medical datastore gets hacked into, probably from a PC belonging to one of the suits. (You know; the one with the password pasted to the monitor.) Data subsequently gets auctioned on a blackhat site. Men in Black pay a friendly visit. Ambulance Chasers descend.
5: The suits panic, look for scapegoat, invariably select IT. "But we didn't KNOW our IT department was putting records on Google!" Non-suit heads roll.
6: Organization is crushed by civil fines and lawsuits. Suits move on, soon finding other firms to trash. Balance of staff find themselves on the street.
7: PC Magazine finally gets around to publishing an article on how stupid it is to put HIPAA documents on Google et al. Loyal readership (CEOs in airport lobbies) panics, head back to own firms were non-suit heads subsequently roll.
8: Suits proceed on to the next insanity.
.
Lesson: Scott Adams is an optimist.
Regards;
It's amazing to me how people seem to think the internet brings in a whole new world where nothing old applies.
If I have a legal responsibility and I wish to use a product/service that might affect that responsibility, then I would:
-get a contract detailing things
-get insurance to protect me
-audit the other party to make sure they will adhere to certain rules
Doctors, engineers, lawyers... have all dealt with this for a long time.
If I had a legal responsibility, would I trust Google with my data? Nope. At least not for their current free apps.
This is one case where they could most certainly offer a 'premium account'. You can speak to live person to handle issues should they come up. An SLA with privacy guarantees... Then I'd consider it.
Otherwise, I could rightfully be sued for negligence. Here I am a doctor or lawyer making 250k/year and I'm too cheap to spend a few hundred dollars to guarantee the privacy and security of my data. Sounds like negligence to me.
Unfortunately responsibility and accountability costs money. It's not a free lunch for you or Google.
The only main issue with SAS 70 audits is that the company/process being audited defines the scope of the audit. You can choose to not report processes, systems, or users involved, and the auditing company will only cover the scope you've set forth. IMHO SAS 70 is nowhere close to a comprehensive auditing tool for SOx or HIPAA compliance.
Thanks, and I wasn't really trolling.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
HIPAA isn't directly about privacy. It's about being able to hold someone accountable for accessing information. Anyone in security knows that breaches happen all the time. What matters is containment.
[RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
Yes, it's a red flag alerting those looking to make frist psot.
But, I wanted socialized health insurance!
Or not: under HIPAA, anyone that a covered entity contracts with to handle PHI must be covered by a Business Associate Agreement, and under the HITECH Act passed earlier this year, HIPAA security noncompliance sanctions, including civil and criminal penalties available under HIPAA, apply to parties under BAA's exactly as they do to the covered entities themselves.
June - Cloud Computing
July - Risks of Cloud Computing
There are so many viruses and trojans lurking around that being inside the OS possibly even more dangerous.
By the way, what is inside OS? Who knows it? It is all compiled.
There. Answered it all for you.
Besides, if you take applications on the web more serious than to use them for your spam or some irrelevant stuff, then you seriously need to see a shrink.
Web apps are the SUVs of software. Except that they are as safe as a Yugo Nowhere. Slow, expensive, insecure, ugly, SLOW, shaky, INSECURE, pointless.
It's all of the "good" of the inner platform anti-pattern, all of the insecurity of a web connection, all of the slowness of scripting, and a whole lot of "made by the biggest web advertiser on the planet". ^^
Any sufficiently advanced intelligence is indistinguishable from stupidity.
Confidentiality is maintained if the documents are encrypted prior to upload.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.