Slashdot Mirror

← Back to Stories (view on slashdot.org)

Can We Abandon Confidentiality For Google Apps?

Posted by kdawson on from the what-price-convenience dept.

An anonymous reader writes "I provide IT services for medium-sized medical and law practices. Lately I have been getting a lot of feedback from doctors and lawyers who use gmail at home and believe that they can run a significant portion of their practice IT on Google Apps. From a support standpoint, I'd be happy to chuck mail/calendar service management into the bin and let them run with gmail, but for these businesses, there is significant legal liability associated with the confidentiality of their communications and records (e.g., HIPAA). For those with high-profile celebrity clients, simply telling them 'Google employees can read your stuff' will usually end the conversation right there. But for smaller practices, I often get a lot of push-back in the form of 'What's wrong with trusting Google?' and 'Google's not interested in our email/calendar.' Weighing what they see as a tiny legal risk against the promise of Free IT Stuff(TM) becomes increasingly lopsided given the clear functionality / usability / ubiquity that they experience when using Google at home. So my question to the Slashdot community is: Are they right? Is it time for me to remove the Tin Foil Hat on the subject of confidentiality and stop resisting the juggernaut that is Google? If not, what is the best way to clarify the confidentiality issues for these clients?"

33 of 480 comments (clear)

  1. yes.. by Anonymous Coward · · Score: 5, Informative

    ..the google apps contract is fine. IAAL and i use google apps for all my stuff. i DO maintain a separate backup but everything goes on google. the bar is also fine with it.

    1. Re:yes.. by Anonymous Coward · · Score: 4, Insightful

      Good thing you posted anonymously. That means you won't lose clients and we don't have to take you seriously.

    2. Re:yes.. by TheMMaster · · Score: 5, Informative

      If you had read the entire article you would've seen that it is written by "Brett Burney is principal of Burney Consultants, based in Cleveland." Finding his website, it turns out that mr Burney is not a lawyer, he provides some legal services FOR lawyers.

      So, that article is just some guy saying how convenient those tools are. Not some sort of legal analysis of the use of web-based applications for sharing private data.

      Here in Europe using stuff like that is absolutely not allowed for sensitive data, doctors, lawyers and governments are most certainly NOT allowed to use a hosted app like that.

      --
      Fighting for peace is like fucking for virginity
    3. Re:yes.. by jonnyj · · Score: 5, Informative

      I can't give a legal answer for US companies, but its my job to consider questions like this for a UK based financial services business. Google's applications are essentially the same as any other outsourced services, and UK law is based on the premise that you can outsource activity but you can't outsource responsibility.

      What this essentially means is that a UK business is expected both to have a legally enforceable set of data protection contract terms and to have conducted a risk assessment supported, where appropriate, by a detailed appraisal of the outsourcer's policies, procedures and practices. FWIW, the conclusion that I've drawn is that Google apps are completely unuitable for any UK business that processes customer data, as there is no guarantee that the data will remain in the EEA (European Economic Area) or another country that has equivalent data protection principles enshrined in law. UK business are not allowed to process personal data in the USA without express customer consent because its data protection laws fall short of ours.

    4. Re:yes.. by nomadic · · Score: 4, Interesting

      IAAL too and I see nothing wrong with Google apps. Don't know about doctors, but lawyers are perfectly aware that nothing is foolproof once you get online, and we realize that some Google employee has access to our stuff. We're expected to maintain confidentiality in a reasonable matter, not approach it with the paranoia of a computer security expert.

    5. Re:yes.. by chadplusplus · · Score: 5, Interesting

      IAAL too, and I saw nothing in there relating to whether the various state bars have given this the thumbs up. I suspect this would depend greatly upon the relative progressiveness of the pertinent state bar. I'd be interested in seeing an ethics ruling concerning this if you have any citations. (Sorry, I'm not paying Lexis to do a search just to satisfy my curiosity.)

    6. Re:yes.. by michaelhood · · Score: 4, Insightful

      It doesn't take a "computer security expert" to know that you're unnecessarily risking your clients' confidentiality by sending your communications wholesale to a 3rd party.

    7. Re:yes.. by rjh · · Score: 5, Insightful

      IANAL. My only legal credential is that I come from a family of lawyers and judges who are absolutely adamant about their moral obligation to preserve privilege.

      As they have explained it to me, once you voluntarily hand information off to an uninvolved third party, the veil of privilege is breached and it can be discovered.

      As they have explained it to me, anything you give to Google can be subpoenaed. Google is currently one of the most-frequently-served companies in the world, and Google gives full and enthusiastic cooperation with lawfully issued subpoenas.

      If you really see nothing wrong with risking the privilege of your work product by putting it into the hands of a third party, and if you really see nothing wrong with making it discoverable via subpoena, then by all means use Google Docs. However, for my own sake, I refuse to deal with lawyers who use outsourced IT services.

    8. Re:yes.. by rjh · · Score: 4, Insightful

      Yes. When I was looking for a lawyer, I asked them how they contacted their clients, and where their email servers were located. The guy I eventually chose as my lawyer told me he contacts clients via email, phone and IM only to arrange face to face meetings, and then walked me down the hall to the server room. He introduced me to the sysadmin, and the law firm sysadmin answered more of my questions.

      Choosing a lawyer is a big deal. You should treat it like one. Any lawyer who is not willing to fully answer your questions is not worth your time or money.

  2. The bottom line by Samalie · · Score: 5, Insightful

    If you are in an industry where your internal communications/documents/etc should or must remain confidential, than you cannot trust Google Apps as your free platform for email/document creation/document storage.

    If you don't mind the possibility that the world may get your data, then by all means feel free to use Google, or any other SaaS type offering.

    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    1. Re:The bottom line by eln · · Score: 5, Insightful

      If you are in an industry where your internal communications/documents/etc should or must remain confidential, than you cannot trust any Internet-based system as your free platform for email/document creation/document storage.

      FTFY. If your documents exist on the Internet, especially unencrypted, they won't be confidential for very long. Whether or not Google as a company is trustworthy or not is irrelevant. If anyone hacked into your Google account, they would have access to everything. If a random employee at Google decided to sell your stuff to a tabloid, there's nothing you could do to stop them until it was already too late. Without ironclad confidentiality agreements with real penalties for breaking said agreements, you shouldn't be trusting any third party with this stuff, and you certainly shouldn't have it on the Internet.

    2. Re:The bottom line by Shakrai · · Score: 4, Insightful

      and you can sue google without a eula type contract.

      You can sue the IT guy with a grudge too but that won't help you to recover your business reputation or lost clients after a data breach. Why the hell does everybody look at something and think that "we can sue them!" is some sort of plus anyway? I'd rather avoid being in the position of having to decide whether or not to file a lawsuit altogether, thank you very much.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    3. Re:The bottom line by jeffasselin · · Score: 4, Insightful

      Number of internal IT guys with systems access: 5
      Number of Google employees: 3 billions

      Chance to identify and sue the pants off the leaker if he's internal: 99%
      Chance to sue Google and not get ass-raped by their robotic lawyers with laser eyes: Infinitesimal

      --
      If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
    4. Re:The bottom line by spydabyte · · Score: 4, Interesting

      When you don't pay for something, you can't rely on it. Try winning a law suit against a patient because you didn't have the correct medical knowledge because your ISP couldn't resolve a Google DNS one day...

      I'd think this is a much greater issue than worrying about Google email snoops. That and unecrypted standards over wifi access. Doctors: Don't go mobile. Stay within your cellular-free hospitals.

    5. Re:The bottom line by EdIII · · Score: 4, Informative

      Not only did you not read TFA, but you did not even read the summary. Laziness has nothing to do with this at all. He is getting a lot of friction from his clients that don't understand HIS reservations about doing business with Google in this manner. He is concerned for their legal liability. Sounds like an IT guy that actually cares.

      His question being posed to the /. community, is whether or not his clients have a point. Can we really trust Google with data that must remain confidential. Can he recommend Google services to his clients without fearing for liability later down the road.

      Yeah, that sounds lazy to me....

  3. Need to assess more than one criteria by Anonymous Coward · · Score: 4, Insightful

    It might be an acceptable compromise. The same clients considering Google Apps are 99.999% likely to have a non-existent or ineffective backup/archiving system, lack the expertise/cash for sysadmining Microsoft enterprise apps and would probably benefit from being able to log in on multiple machines to access their data. All strategies involve risk - if you veto Google, they may be missing out on the best compromise solution. YMMV.

  4. Say hello to your lawyer by PolyDwarf · · Score: 4, Insightful

    This is slashdot, not legaldot.

    That being said, your writeup sounds like you're a contractor/have your own company. If that's the case, the best you can do (Outside of telling your customers you aren't going to and being fired) is make very clear, in writing, what your opinion is, and get them to sign off, in writing, that they are responsible and/or have another way for handling confidential info, etc.

    I'm not sure if that's enough to cover your butt or not. See first sentence about this is slashdot, not legaldot. I would consult with a lawyer, preferably one that is not one of your customers.

    1. Re:Say hello to your lawyer by Red+Flayer · · Score: 5, Insightful

      It's been said before:

      If you're response to an Ask Slashdot submission about $X is "Ask a lawyer about $X", then you should rewrite the Ask Slashdot question in your mind to "What should I know before I talk to a lawyer about $X?"

      Lawyers are expensive. Community knowledge can e very helpful in reducing the amount needing to be spend on legal fees, and I'm sure plenty of Slashdotters have good insight that can help the submitter.

      For my part, all I can say is that I wouldn't use a doctor if I knew they used Google Apps. There's too much risk that an employee at Google might let loose the secret of my debilitating suppurative penile encrustations.

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  5. HIPAA compliance is no joke. by MarkvW · · Score: 4, Insightful

    If they wanna do it, they gotta get a lawyer--a lawyer who knows HIPAA. HIPAA compliance is a pain--and noncompliance can be very expensive.

    Lawyer costs may even outweigh the Google savings

    1. Re:HIPAA compliance is no joke. by DragonWriter · · Score: 4, Informative

      As far as I know, NO ONE HAS SUCCESFULLY SUED FOR HIPAA VIOLATIONS.

      Since HIPAA doesn't create a private cause of action for violations, only the federal government can enforce HIPAA rules generally (sometimes, under state laws, the fact that a disclosure is in violation of a federal law like HIPAA, or of a assurance or agreement mandated by HIPAA, may, with other factors, meet the standard for some private cause of action under state law, but the action won't be for a HIPAA violation, per se.) To date, AFAIK, none of the HIPAA complaints received by the Department of Health and Human Services' Office of Civil Rights (which enforces HIPAA) have resulted in monetary penalties being assessed, but most of them do result in OCR requiring business practice changes on the part of the entity against whom the complaint was lodged. A few do get referred to the Department of Justice for criminal prosecution, though I believe that, to date, no prosecutions have been made on HIPAA charges alone (sometimes HIPAA charges have been part of a broader criminal complaint.)

      But they are allowed to send your information to third parties to help "manage your health" or "process billing" or "collect payments" or all sorts of things.

      These third parties ARE NOT REQUIRED to follow HIPAA, as they are considered non-covered entities. . This means once your info goes to billing for processing, your privacy is based on contracts with your provider and social embarrassment.

      There was a time when that was at least generally true (where a business associate of a HIPAA covered entity might not be liable the way a covered entity was if it was not itself a covered entity), however, the recently passed HITECH Act (part of the American Recovery and Reinvestment Act of 2009 [ARRA], Pub.L. 111-5) both added additional security requirements that apply to HIPAA covered entities and extended both the existing and new security requirements on HIPAA covered entities, including the civil and criminal penalties for violations, to apply to those entities' business associates to the same extent as to covered entities themselves. (see ARRA, Title XIII, Subtitle D, Sec. 13401; codified at 42 U.S.C. Sec. 17931.)

  6. Tricky HIPPA... by Annwvyn · · Score: 4, Informative

    As a Paramedic, I can say that HIPPA is extremely strict and will, if violated, force your license to be questioned as well as cause fines to be pushed your way. Honestly, doing ANYTHING outside of a secured network or a patient care medium (i.e. Pyxis, Temsis) with privileged, confidential information will plant a bullseye on your back. It is just not worth risking it. I can guarantee that an expert data thief is going to be more skilled and knowledgeable at computers and networking than any physician I know.

  7. Just accept it by scoile · · Score: 5, Insightful

    Your role, as a qualified member of the IT staff, is to make the higher-ups aware of the risks. Do your due-diligence, tell them the data isn't secure (in person, in e-mail, and maybe even on paper), and remind them from time-to-time (using creative new analogies whenever possible). That's it, you've done your job.

    The fact of the matter is, regardless what the policy is, and regardless what they all "agree" on, they're going to put sensitive information on the Web. You'd have to take away their Internet access and portable devices to prevent it, and even then, they'd just go home and use that.

    Accept that the best you can do is educate them and provide alternatives.

  8. An idea to make this work by MarkWatson · · Score: 4, Informative

    Amazon published a white paper about using their AWS platform with HIPAA compient applications: basic idea is to keep data encrypted until it is in memory, and encrypt it again before writing to persistent storage.

    For Google Apps, how about using rich clients that decrypt data for viewing/editing, and encrypt it again before storing back on big table, etc.

    Perhaps Google themselves would implement this as browser plugins?

  9. What does the fed do? by ljaszcza · · Score: 4, Informative

    We are a contractor for the Veterans administration. The VA insists that we comply with privacy issues strictly. Any communications that have patient information must be sent on encrypted secure systems. No open email servers/hotmail/gmail/whatever is allowed. Failure to comply with the privacy (detailed in the out of control HIPAA set of rules and standards) is punishable both financially and by being banned from contracting with the US federal government. As an administrator, I have to remind physicians that if they are caught transmitting identifiable information of our patients over unsecured channels, it may cost us our contract and may result in their being banned from seeing medicare/medicaid patients. Anyhow, that's my two cents on utilizing gmail or such for sensitive information.

  10. Hosting providers? by RichardJenkins · · Score: 4, Insightful

    I think there are three classes of company for the purposes of this discussion:

    If you trust shared hosting providers; you shouldn't care about the Google employees who can access your data

    If you trust managed hosting providers like Rackspace, particularly if they're hosting virtualised servers for you; you probably shouln't care about Google employees with access to your data.

    If you don't trust managed hosting providers; well you're probably not reading this from the office, and Google Apps doesn't get a look in.

    I'd say most companies fall into the second.

  11. Re:No by commodore64_love · · Score: 4, Insightful

    Agreed. Also online aps are more-expensive longterm. For example I purchased Microsoft Office 97, and I'm still using it 12 years later, which is an annual cost of just ~$12. Online aps have significantly higher fees than that.

    There's also the advantage of owning the software. If for example you develop a design, you can archive both the design and the tools so they can still be used 15-20 years from now and "resurrected" from the basement. You can't do that with online aps which are constantly updated with no way to "freeze" a tool at a certain point.

    --
    "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
  12. Re:Ever read a EULA? by Tynin · · Score: 4, Informative

    I dislike MS as much as the next /.er but if your company allows your Exchange server to call home to Microsoft, for anything other than patching, your network admin needs to be fired.

  13. No physical security by pentalive · · Score: 5, Informative

    No matter how ironclad the agreement or how draconian the penalties your data will still be public. Sue Google into non existence and well your data is still public.

    Without physical security there is no security.
    If you don't own the box and control access yourself there is no physical security.

  14. Re:No by alexburke · · Score: 4, Insightful

    Agreed. Also online aps are more-expensive longterm. For example I purchased Microsoft Office 97, and I'm still using it 12 years later, which is an annual cost of just ~$12. Online aps have significantly higher fees than that.

    .

    Do you really think it's wise or responsible to be using a piece of closed-source software (and one not known for its security, to say the least) so many years after the vendor has stopped supporting or releasing patches for it, and for which known exploits are in the wild?

    .

    In what way does, for example, Google Apps Standard Edition ($0/year), cost more -- either up-front or in the long term?

    .

    Do you not think using current tools at the time to produce a file, then ensuring the file is stored in an industry-standard open file format (such as ODF, RTF, plain text, HTML, TeX, or PDF -- or even better, more than one), is an acceptable archive, without needing to also archive a copy of (or later run) a dated (and bug-ridden and proprietary, in this case) application along with it -- which may not even run on machines "15 or 20 years" later, as you mention?

  15. Re:No by Chyeld · · Score: 4, Informative

    SAS 70 Type II for Google Apps
    Tuesday, November 04, 2008 at 3:46 PM
    Posted by Eran Feigenbaum, Director of Security, Google Apps

    Ever since the first Gmail users began trusting Google with their private information, keeping people's data safe has been one of our top priorities. Today, more than a million businesses, plus thousands of schools and organizations using Google Apps rely on us to safeguard their critical information.

    We've published some of the ways we keep sensitive information where it belongs, but we wanted to go farther and have external independent security specialists audit our systems and procedures. Here's the outcome: an independent public accounting firm has verified the effectiveness of our technical processes and controls for Google Apps, and Google Apps has satisfactorily completed a SAS 70 Type II audit.

    Our commitment to keeping customer information safe - whether they're consumer users or our largest enterprise customers - is part of our DNA, and we protect this information as rigorously as we protect our own sensitive corporate information. In fact, we use the very same services that we offer to our users for our own email, documents, project team sites and calendars.

    which leads to

    Statement on Auditing Standards No. 70: Service Organizations

    Statement on Auditing Standards No. 70: Service Organizations, commonly abbreviated as SAS 70 and available full-text by permission of the AICPA, is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), officially titled "Reports on the Processing of Transactions by Service Organizations". SAS 70 defines the professional standards used by a service auditor to assess the internal controls of a service organization and issue a service auditor's report. Service organizations are typically entities that provide outsourcing services that impact the control environment of their customers. Examples of service organizations are insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearinghouses.

    There are two types of service auditor reports. A Type I service auditor's report includes the service auditor's opinion on the fairness of the presentation of the service organization's description of controls that had been placed in operation and the suitability of the design of the controls to achieve the specified control objectives. A Type II service auditor's report includes the information contained in a Type I service auditor's report and also includes the service auditor's opinion on whether the specific controls were operating effectively during the period under review

  16. Re:No by s4m7 · · Score: 4, Insightful

    pgp is fine for a small practice to use between say the receptionist and the doctor. the problem with using pgp to obtain your confidentiality with respect to HIPAA is that emails sent from outside sources (e.g. patients) are subject to HIPAA as well, and unless you can convince all their customers to use pgp, that'll never work.

    My advice for the original asker is to take a firm stand with your clients. If there is any way that they can pin the liability on you for recommending use of google apps or other online services they will when the lawyers come knocking. I suggest you strongly recommend against it, in writing, and keep that recommendation on file.

    --
    This comment is fully compliant with RFC 527.
  17. Re:No by vux984 · · Score: 5, Insightful

    Do you really think it's wise or responsible to be using a piece of closed-source software (and one not known for its security, to say the least) so many years after the vendor has stopped supporting or releasing patches for it, and for which known exploits are in the wild?

    Word/Excel/Powerpoint? I really wouldn't worry about it, as long as they meet his needs. (Although, I'd consider giving OO.o a try.)

    Outlook - yeah, I'd suggest he pony up for a new copy, or switch to something else.

    In what way does, for example, Google Apps Standard Edition ($0/year), cost more -- either up-front or in the long term?

    Lost productivity.

    1) Lost productivity when the local ISP or some some intermediate router is down? Multiply by each user. (In a lot of places that's pretty significant. Lots of places suffer multiple hours of network down time / flaky internet every month.)

    2) Lost productivity as your employees are clicking on google ads and browsing online when they should be working on that spreadsheet or word document, or simply lost productivity as the ads become insufferably intrusive and distracting.

    Think about it... you are getting standard edition for "free". Google wouldn't do unless some non-trivial number of users is READING and CLICKING on those ads. If your secretary is working on a budget spreadsheet, and gets distracted by an google ad in the corner of her spreadsheet, gets distracted and clicks on it, and goes browsing for 20 minutes as a result... that costs you money. And THAT is PRECISELY what your beloved partner google is counting on. THAT is their entire business model. Give you the app for free, and then extract a profit by luring your staff to click ads instead of work.

    Now you might counter that google ads are unobtrusive and easily ignored. That's true to a point, but I find adds in my productivity apps VERY distracting; far more than I do on the web. I personally won't use ad supported software, but don't find them nearly so distracting on the web. Maybe its just me... But face facts google is a multi-billion dollar advertising company as direct result of people not ignoring those ads. So the ads =DO= work. Maybe YOU don't click them, but SOMEBODY is. And every time they work on someone in your company they cost you money.

    I don't object to google apps for home and noncommercial use, and their 'premium' stuff is ad free, as you are now paying them directly for service.

    But a business owner who gets his staff to use standard edition? Its idiotic... what's next? Will you switch to "free" printer toner from the Jehova's Witnesses, and in exchange they'll have witnesses wander around your office to spread the good news?

    Do you not think using current tools at the time to produce a file, then ensuring the file is stored in an industry-standard open file format (such as ODF, RTF, plain text, HTML, TeX, or PDF -- or even better, more than one), is an acceptable archive, without needing to also archive a copy of (or later run) a dated (and bug-ridden and proprietary, in this case) application along with it -- which may not even run on machines "15 or 20 years" later, as you mention?

    What makes you so confident ODF will be readable in 20 years by Google Apps, or that a google apps will even exist? All ODF being a standard ensures is that you WILL be able to write something that can read it 20 years from now, because the specification is documented and public. There is no gaurantee google apps or anything else will run it 20 years from now. And if you are looking to archive ODF, you should probably make a point of storing something that can actually read it too, ideally along with its source, unless you want to gamble on having to implement something yourself from scratch 20 years from now.

    Google apps doesn't enable you to avoid making your own backups, and if anything google apps, makes it slightly more complicated. Google apps could disappear tomorrow (unlikely in the immediate future, but possible, and who knows what the more distant future holds; companies have been shut off before), so not only do you need backups, but you should have some means of reading them too... because you can't rely on google apps being available or supporting the files.

  18. Re:No by Fallen+Seraph · · Score: 4, Insightful

    Lost productivity.

    1) Lost productivity when the local ISP or some some intermediate router is down? Multiply by each user. (In a lot of places that's pretty significant. Lots of places suffer multiple hours of network down time / flaky internet every month.)

    2) Lost productivity as your employees are clicking on google ads and browsing online when they should be working on that spreadsheet or word document, or simply lost productivity as the ads become insufferably intrusive and distracting.

    You forgot the other side of the coin:

    1. Lost productivity due to forgetting the thumb drive with your work at home
    2. Lost productivity due to your company's internal network going down
    3. Lost work due to a hard drive failure
    4. Lost work AND productivity due to computer theft
    5. Lost work AND productivity due to accidental overwrite of a shared file on a network drive
    6. Lost work AND productivity due to malicious code (viruses, trojans, et al)
    7. Lost productivity due to most software's inability to provide a decent collaborative environment

    Many people seem to believe that using something like Google Docs is just like using MS Office, but the reality is that it's fundamentally different in many ways. Nearly ubiquitous accessibility, collaborative tools, change history, backups, etc. The amount of productivity and work that saves alone is WAY more than any time you could lose due to advertising in my estimation. Your comparison is absurd and poorly thought out as well, because "getting toner from Jehovah's Witnesses does not give you any benefit other than getting it for free. Using cloud authoring software compared to personal software is COMPLETELY different for the reasons I listed above and others.

    The fact is that neither one is REALLY better than the other, it all depends on the task at hand, as both approches have their strengths and weaknesses. If I'm just writing a quick letter, then I'm going to use Word or OO, but if the file itself is going to be used over an extended period of time, and especially viewed or contributed to by others, I find it makes more sense to use Google Docs.

    Plus, I can't count how many times I've worked with a team on something and wound up using a Google Doc as what essentially amounts to a massive whiteboard to outline our plan of attack and add our ideas and solutions to the task at hand, as well as comment on others.