Slashdot Banner
Stories
Slash Boxes
Comments
typodupeerror delete not in
  • Preferences

Book Reviews

Recent reviews from Slashdot readers:

Submitting a review for consideration is easy; please first read Slashdot's book review guidelines. Updated: 2008114 by samzenpus

Comments: 121 +-   Delving Into Google Health's Privacy Concerns on Friday May 23 2008, @07:13AM

Posted by Soulskill on Friday May 23 2008, @07:13AM
from the you-can-trust-us dept.
medicine
business
google
privacy
security
internet
SecureThroughObscure writes "Security researcher Robert 'RSnake' Hansen discusses numerous concerns with Google's new Google Health application, which aims to integrate user's medical records online. We discussed Google Health's opening to the public earlier this week. RSnake mentions that Google has found a loophole allowing them to provide this service without having to follow HIPAA regulations, which, combined with Google's track record of having numerous flaws leading to private information disclosure, draws serious concern. Security researcher Nate McFeters of ZDNet's Zero-Day Security Blog also commented on the article, mentioning several past vulnerabilities: ownership of content issues, Google Docs theft, a cross-domain hole, Google XSS, and a Google Picasa protocol handler issue leading to the theft of user images. He and fellow researcher Billy Rios disclosed these issues to Google, including the ability to steal GMail contact list information. McFeters says it's likely that similar unpatched bugs would allow an attacker to view medical records if a user was also using Google Health. Both McFeters and Hansen tend to agree that Google's vulnerability disclosure/notification is non-existent and really needs to be improved. Currently, Google does not report vulnerabilities it has fixed to its user base, for the obvious reason of trying to hide the fact that user data could have been stolen."
story

Related Stories

Submission: Google Health app draws fire for privacy concerns by SecureThroughObscure (1282782)
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Delving Into Google Health's Privacy Concerns 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Not me (Score:5, Insightful)

    by strikeleader (937501) on Friday May 23 2008, @07:18AM (#23515862)
    Why would anyone want to put their health info anywhere if HIPAA does not apply. I know that HIPPA is not perfect, but it at least has recourse if info is released or stolen.

    • Re:Not me (Score:4, Insightful)

      by Chicken04GTO (957041) on Friday May 23 2008, @07:25AM (#23515888)
      Because people are dumb.
        • Do you have proof of this or are you just saying this because you do not like Windows? How do you know the computers not locked down where the users can not surf the web? Where is the proof?

          • Re: (Score:2, Informative)

            by Anonymous Coward
            The healthcare org I work at the machines with Impact (amazingly enough) are very much locked down through ScriptLogic, so they relock themselves each time someone logs into them. We believe them to be secure and as far as I'm aware we haven't had security problems with them (at least in the past 3 years)

            Also we are currently testing out the Microsoft solution for this, as Electronic Health Record stuff is getting to be a very big deal and we don't want to be left behind...

            More and more vendors are doing IE

          • Re:Safe Now With Windoze? (Score:4, Insightful)

            by TerranFury (726743) on Friday May 23 2008, @08:56AM (#23516652)

            It's basically common knowledge, what GP is saying. I clearly remember watching both what my dentist's and my GP's secretaries used to type in my data, and it was obviously a client running on a Windows box. In the case of my dentist, there's a whole Windows dental information suite that he runs, which shows him x-rays and everything. He has multiple rooms with dentist's chairs, and each contains an apparently-identical computer; he can view x-rays and records at any of them, so they are obviously networked. How likely is it that this network is separated from the Internet by anything more than a consumer-grade router? Not very.

            How much of a threat really is this, relative to tapes left in cars overnight, or the sloppy (or malicious) use of thumb drives? My gut says, "not a huge one," but I don't really know.

            • Re: (Score:2, Insightful)

              by Schlage (195535)
              Of course, your insecurely networked dentist only has access to a small portion of your medical records, while Google Health would (presumably) eventually be caching your entire medical history.

              Security concern becomes of a whole different order of magnitude when dental, medical, and mental health information all get chunked into the same system, then it becomes kind of like a Real ID for health; convenient one-stop shopping for all your privacy-invading needs.
    • Why do people think anyone cares about their health info? Worst case scenario is someone finds out you have VD, well sorry to inform you an overwhelming percentage of the planet don't care about you or your STD's.

      • Re:Not me (Score:4, Interesting)

        by hal9000(jr) (316943) on Friday May 23 2008, @08:18AM (#23516234)
        Google isn't doing this out of the goodness of their hearts. They want to monetize it, so how will they do that? Sell ads? Ok, where and when will they show up? Only when you are searching your health information or whenever you happen to be searching?

        what about selling health information to other entities. Maybe they don't sell the identifying bits, but even regional data can have an enormous impact on your ability to get health and life insurance, the premiums you pay, etc. Insurance carriers already track regional trends, but more data means better predictions.

        Look, corporate entities, and never, ever forget that Google is a corporate entity, have to make money and think about how they will do that.
        • I doubt they'll sell your health information to other people. It'll be more like "If someone has a history of back problems, show them an ad for my pain relief drug." Of course, I've been wrong before... I personally have no intention of using Google Health, but I wouldn't particularly mind that kind of thing.

      • Why do people think anyone cares about their health info?
        Because they do.
        • Says the guy posting under a fake name, not revealing his email address.

        • Re:Not me (Score:5, Insightful)

          by MrMarket (983874) on Friday May 23 2008, @08:50AM (#23516580) Journal

          My Sentiment exactly. First off I don't know who would want to look at my medical record and second, I don't really care if someone does.
          Here are two types of organizations that would be very interested in you and your family's medical history:
          1) Insurance companies: "Thank you for choosing Overabarrel Insurance, Co. Your policy is enclosed. Because your father and uncle had colon cancer, your monthly premium will be $10,000/month."
          2) Employers: "You're a great programmer, but we can't bring you on full-time. Your records show that your father and uncle had colon cancer, and we can't afford to take on the risk of our insurance premiums going through the roof if you get it."

          Essentially, health status can be a significant driver of discrimination in many different forms. The less someone knows about your health status (or your relatives health status), the hard it is for them to discriminate against you.
          • Exactly. Not to mention there could be more targeted spam, via email, flyers or phone calls. Someone sees you got burnt years back, call you up with the newest of the new plastic surgery techniques. Woman has breast cancer, gets an email from an implants company. Kid loses leg, gets a call, and multiple emails about cheeta prostetics and such. The list goes on. Someone will have a cure for anything they can find wrong with you. Not to mention targeted Google ads?

          • Re:Not me (Score:4, Interesting)

            by ShieldW0lf (601553) on Friday May 23 2008, @09:13AM (#23516870) Journal
            You don't understand insurance in the slightest, or you wouldn't make statements like that.

            1) When you get insurance as an individual, if you have a previously existing medical condition, and you manage to conceal it, they won't dig hard. They'll just take your money. When it comes time to make a claim, it WILL come out then, and they will refuse to cover you, even though they took your money. Transparency in medical records will protect people from doing this to themselves.

            2) When you get group insurance, personal medical records don't come into it at all. Not at all. They calculate the risks based on the probability that any employee will require treatment based entirely on their demographic. That is what makes group insurance plans so appealing in the first place.

            I used to sell the stuff for a brief period of time, until I learned how it really worked and realized I wouldn't be able to look myself in the mirror if I didn't get out of that industry. I know what I'm talking about.
              • When it comes time to make a claim, it WILL come out then

                How will they prove it was preexisting if it was never documented anywhere (e.g. MIB, Google's big brother database, or what have you)?

                Because the medical records are there, and have always been there. They aren't actually hard to find, it just takes time, so they don't bother to do it when you apply. They wait till they've gotten 10,000 of your money and are going to have to pay out 1,000,000 to care for you, then they pay someone to spend
              • It doesn't work like that.

                If you open a hair salon with 20 hair stylists, they don't assess the 20 stylists for risk.

                What they do is consult their actuary tables and determine the likelihood that someone will become ill or die based on their records for all hair stylists from all companies they have done business with in that industry over the last hundred years.

                That is how they determine risk in groups. It doesn't have anything to do with the individual group, but on the demographic of the group.
              • 1) If you have a family medical history, you are required to divulge it. If you don't divulge it, and it comes up later, they will refuse to honour your coverage because your application was fraudulent, despite having taken your money. So, you're wrong.

                2) In my experience, that is an outright falsehood. Cite a source.

          • Re: (Score:2, Insightful)

            by Archimagus (978734)
            A lot of you seem to be assuming that Google is trying to make your health information freely available to the public. That is not the case. This article talks about the possibility of your information getting STOLEN from google. Which, last I checked is illigal. So if your insurance compay got there hands on your information they would be contributing to illigal activities and run the risk of being shut down or at least sued to Hell and back. Right from the Google Health Web site.

            Google stores your information securely and privately. We will never sell your data. You are in control, you choose what you want to share and what you want to keep private.

            Also it is not like g

    • Enough with the HIPAA scare. Most of these PHR vendors privacy policies are STRONGER than HIPAA and are governed by the FTC which is (from what I understand) MUCH stronger than HIPAA rights.

      Also, I believe an organization which changes a policy must ask their members to re-accept their policies under FTC regs.
    • Why would anyone want to put their health info anywhere? I think most people would simply write down "uhh... healthy?".
      Do people really have so many diseases it takes a computer program to organize them? :D

      Unless you're really old, in which case you probably don't even own a computer. Would you need one to write down "don't forget take your blood pressure pills" or "remember to check your pee for diabetes"?
      Or maybe you had a weird accident, in which case you would write "healthy, except for that nasty missi
    • Because currently health information of regular people is not accessable for research or analysis. If I had a range of odd, undiagnosed symptoms, I would want to share that and be able to read others' accounts of similar symptoms. The fact that there are probably 500 people in this country sharing some rare ailment means none of them will ever find a doctor who knows anything about it. If just 10 of them didn't care about their own privacy as much as getting their problem fixed, they could compare notes a

  • But think of the benefits... (Score:5, Funny)

    by Anonymous Coward on Friday May 23 2008, @07:20AM (#23515872)
    When you get syphilis all the websites you visit will be carrying convenient advertisements for the necessary treatments.

  • Microsoft's HealthVault.com policies comparison (Score:5, Insightful)

    by Anonymous Coward on Friday May 23 2008, @07:21AM (#23515876)
    Does Microsoft's HealthVault.com, which came before Google Health, receive the same amount of critique?

    Let's examine Microsoft's HealthVault.com policies and how they compare to Google Health.

    • Re: (Score:3, Informative)

      by jeiler (1106393)

      Does Microsoft's HealthVault.com, which came before Google Health, receive the same amount of critique?
      Yes [slashdot.org], and for much the same reasons.

    • Re:Microsoft's HealthVault.com policies comparison (Score:4, Informative)

      by Sporkinum (655143) on Friday May 23 2008, @09:28AM (#23517146)
      This is an email exchange I had with Microsoft on this very subject.

      From: HSG Privacy [mailto:hsg-priv@microsoft.com]
      Sent: Wednesday, December 19, 2007 4:22 PM
      To: XXXXXXXXX
      Subject: RE: Health Vault Privacy

        Dear Mr. XXXXX,

      Our sincere apologies for the long delay in providing you a response to your inquiry.

      Because HIPAA applies to organizations and not products, HealthVault and HealthVault Search do not fall under its purview. Microsoft is not waiting for regulations to define our privacy and security practices. Microsoft made the decision early on to set rigorous privacy policies for these products.

      Health information technology is evolving rapidly and privacy remains a central concern. Core to Microsoft's privacy principles is our belief that health information is most effectively protected when consumer are at the center of the healthcare system and in control of their information.

      Microsoft supports a comprehensive federal approach to privacy legislation. We believe federal privacy legislation should include four key elements to help protect consumer privacy, and to support businesses' privacy policies and compliance efforts. First, there should be a uniform baseline standard that applies across all organizations and industries. Second, any legislation must increase the transparency regarding collection, use and disclosure of personal information. Third, individuals must have meaningful control over the use and disclosure of personal information. Finally, we believe there should be minimum-security requirements around the storage and transit of personal information.

      Best regards,

      HSG Privacy Team

      From: XXXXXXXXXXXX
      Sent: Thursday, October 04, 2007 10:36 AM
      To: HSG Privacy
      Subject: Health Vault Privacy

      I noticed while going through the privacy statement there was no reference to HIPAA. With something as personal as one's medical records, HIPAA compliance is a must! http://www.hhs.gov/ocr/hipaa/ [hhs.gov]

      Also, I would not be surprised to see a company offer some sort of beneficial tracking program, and then use the data they get through authorization to deny insurance or raise premiums. With advertising being the primary reason for the service, the probability of misuse would be relatively high, I would think.
      • IANAL, but CFR 164.104(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter and the comments to CFR 160, 162, and 164, indicate otherwise.

        Both Google and Microsoft are engaged in transmitting healthcare information.

  • Google has found a loophole allowing them to provide this service without having to follow HIPAA regulations

    So the only thing protecting personal health information at Google Health is internal policy and "Don't be evil"? I guess that means they'll protect your PHI--as long as you're not a dissident in China.

    • Re: (Score:3, Interesting)

      by ShieldW0lf (601553)
      This is good. Game-changing type of good.

      By the time this has all panned out, there won't be any illusions of privacy, only an ever increasing number of people getting their information bought and sold and revealed all over the place until they finally demand to be in on the "knowing whats going on" like everyone else and demand a social order that doesn't revolve around secrets and leverage.

      Go Google! Gather it all and screw up keeping control like you usually do!

      • Re: (Score:3, Insightful)

        by Dekortage (697532)

        ...an ever increasing number of people getting their information bought and sold and revealed all over the place until they finally demand to be in on the "knowing whats going on" like everyone else...

        And then they will have to buy their own information just to find out what it is. Doesn't matter that you gave it up for free; if you want to know how it is being used or presented, it will cost you.

        It will be kind of like the credit bureaus: you can get a free credit report from them (once a year) but if y

    • Re:Loophole? (Score:5, Informative)

      by funnyguy (28876) on Friday May 23 2008, @07:45AM (#23515998)
      Well, not so much a loophole as HIPAA was not designed to protect data at healthcare record storage companies chosen by the patient. I don't think google "found" this as it has always been known to all of the healthcare community (at least security professionals). You are only covered by HIPAA if you are a "Covered Entity" (CE) which includes health plans (insurance), healthcare providers (doctors) or a healthcare clearinghouse (converts non-standard healthcare data into standardized healthcare formats like X12 format).

      If Google or any healthcare records storage comapany is being used by a CE and has a contract with that CE, they are a Business Associate. BAs of CEs are subject to the HIPAA Security Rule (the section of HIPAA that is in question and largely referred to about protecting healthcare data).

    • Re: (Score:3, Insightful)

      by Hoplite3 (671379)
      "Don't be Evil" is localized to the local value of evil.

      (It's not funny, it's pretty much how Google operates.)
  • I think I found a information disclosure problem with Google Calendar, but after a trying to contact Google twice I have given up.

    If anyone is interested please read: http://bramp.net/blog/google-calendar-exploit [bramp.net]

    and hopefully if this is a bug it can get passed on to Google.

  • Rough Analog (Score:3, Insightful)

    by FurtiveGlancer (1274746) <furtiveglancer@@@aol...com> on Friday May 23 2008, @07:35AM (#23515948) Journal

    To me, this would be akin to plastering my personal medical records on a bulletin board in a busy public place with a single coversheet on each item that says "Private Medical Information: Please don't read this."

    Thanks to the military, I had an introduction to very early "on-line" medical records. Yes, you guessed correctly. Those records are "no longer available." Fortunately, I requested copies of every contact and kept those in a personal copy of my medical records.

  • Oh Geeze...stop hyperventilating (Score:3, Insightful)

    by Danathar (267989) on Friday May 23 2008, @07:40AM (#23515980) Journal
    If you are afraid of your data getting stolen, DON'T USE IT.

    Quite frankly I'm tired of people complaining on my behalf. Especially when I don't use whatever is being complained about and when the people complaining don't use it either.

    Also..it IS a BETA (test). Once they are out of BETA they might actually have to apply HIPPA.

    • Also..it IS a BETA (test). Once they are out of BETA they might actually have to apply HIPPA.
      Gmail, google maps, and google talk are still in beta but that hasn't stopped people from widely using them.

      I think your first piece of advice is the best piece there blue canary. If you are worried, then don't use it. I personally want as few people as possible handling my medical records.
    • Slashdot is pathetic. Google will never come under hipaa -- please look it up at wiki to learn what is a covered entity.

      Besides, see my other 2 posts on this page explaing why HIPAA doesn't matter anyway.

      My goodness, you were modded insightful with such mis-information?? way to go mods! :)

    • Also..it IS a BETA (test). Once they are out of BETA they might actually have to apply HIPPA.

      Whatever factors may conflate to determine whether or not Google Health legally falls under the purview of HIPAA, I assure you that whether the product has a "Beta" in its name is not one of them.

  • I tend to tune out any argument that uses the word "theft" to describe unauthorized access. Did the Google Docs flaw deprive the owner of the document any access to the document, while keeping it for themselves? Did the Picasa flaw deprive the owner of the image any access to the image, while letting others have it? I suspect the answer in both cases is NO, the original owner had plenty of access to their own copies, and thus the inaccurate use of the word "theft" seems crafted to shock or mislead or co

  • Google managing my medical records? (Score:3, Funny)

    by prxp (1023979) on Friday May 23 2008, @08:14AM (#23516180)
    I'd rather die.

  • What's all the fuss? (Score:4, Informative)

    by asdavis (24671) on Friday May 23 2008, @08:16AM (#23516212)
    Seriously, I really don't understand all of the fuss people are making here about Google Health. Perhaps I have a different perspective as I have worked in the Healthcare IT space for a major HIPAA Covered Entity and built their HIPAA Security program. Let me clear up any illusions you may have... HIPAA Covered Entity != Secure. HIPAA is designed to address the privacy and security of Protected Health Information, aka "PHI", as it relates to treatment (This is a generalization, but is fairly accurate). Since Google is not involved in the treatment of patients, HIPAA does not apply. You would be astounded to who has access to your electronic medical records during the course of treatment. Even something as routine as a blood test would have electronic PHI (ePHI) transmitted between many organizations: Hospitals, Clinical Laboratories, Health Plans, VANs, Independent Physician Associations, and Physicians. Do you honestly think that the IT practices of your local Physician with a $600 Dell PC running Vista Home, no virus protection and a DSL line is protecting your data in a more sophisticated manner than Google? Why do people lose their senses when operating in an electronic world? Allow Google to store your ePHI is no different than asking a friend to hold onto your paper medical records. Your friend isn't bound by HIPAA either. If you don't want your friend to peer at your records, then don't let him hold onto them. Google is offering a convenience service. Like all convenience services, it comes with risks. If the risks are too high for you, don't take them. Google hasn't done anything wrong and they certainly have not found a loophole. Healthcare organizations deal with non-covered entities all of the time. Do you think that the company that prints the invoices for your local doctor, hospital or laboratory is a covered entity? I will admit there is one difference however, since the patient is the one making the request for the records to be transferred, there is no "Business Associates" agreement (another HIPAA term) between Google and the covered entity. Quite honestly, these aren't work the paper they are printed on anyway.

    I for one will not be using Google Health for my own records, but that's just me.
    • Great response. Most of the people responding do not work in health IT and have absolutely no idea what they are talking about related to what HIPAA actually does -- which is about NOTHING since it just made all the lawyers money.

      I responded above how actually the word is now that these PHRS and their privacy policies are under FTC regulations. My understanding is that the FTC regulations recourses are actually stronger than the HIPAA ones anyway. All the PHR vendors have privacy and data use policies tha

    • You would be astounded to who has access to your electronic medical records during the course of treatment.

      Or not. The whole idea is to make the records available to anyone who needs them, such as emergency personnel in the distant town you're visiting when you're unconscious. (I'm not making that one up; it's one of the favorite selling points for these access-anywhere databases.)

      It's a great idea, but of course it only works if every EMT on the planet has access to your records. You can calculate

    • Great post!

      >> Allow Google to store your ePHI is no different than asking a friend to hold onto your paper medical records.

      I keep a list of my wifes allergies and medications in my wallet in case of an emergency. Yeah on a piece of paper in my wallet. So having them available online is just convienent. So I guess someone could steal my wallet too.

      Also, as if a gave a crap who knows my medical history. You people have 12 deadbolts on your doors too? Paraniod much???

    • Re: (Score:3, Informative)

      by N1ck0 (803359)
      I agree with you 100% on the entire HIPAA != security aspect. I work managing datacenters for a large healthcare transcription and medical records technology company, and trust me HIPAA leaks happen pretty often (we of course follow the protocol and log and inform the hospitals of such events, but its not that uncommon).

      And then there is a large portion of the industry which no one really looks at anyway. Right now a good portion of medical records are shipped to part-time home workers to transcribe audio

  • Google and Do Evil (Score:3, Interesting)

    by Stormcrow309 (590240) on Friday May 23 2008, @08:19AM (#23516242) Homepage Journal

    I always had a problem with a company with the value statement of 'Do no evil' who doesn't spell out what that means in detail. I was listening to Stafford's Entrepreneurial Thought Leaders series this weekend and Google.org was discussing using their engineering talent to recognize epidemics before anyone else. My guess is this is how Google plans to do it. It is clear Google intends to use this data, but I think has done a poor job defining exactly how. Add in the fact that Google has bowed to governments for information on their citizens and I end up with a cold chill. Working in the health care industry, I see the value of patient records that are easy to transfer for the patient, but I am not sure this is the way. The little security analyst in me is screaming bloody murder.

  • Want access to thousands of Google accounts? (Score:2, Insightful)

    by Anonymous Coward
    Do you want to access people's google accounts without even needing to come up with an attack?

    1. Start a website requiring users to sign up with email addresses and passwords
    2. Go through your DB and get a list of all the gmail ones
    3. Try logging in with the gmail usernames and the passwords they gave your site
    4. Over half of them will probably work
    5. PROFIT!!!!!!

    Last time I tried this, I picked about 10 at random. Six worked. I have thousands of gmail accounts in my users table. Lucky I'm not a black hat.

    S
  • who gets access to all this health data on people? doctors? lawyers? potential employers?

    we're sorry Mr. JoeSixpack we Googled your health record and shows you are not qualified for the position and we already filled the position with a sterilized android...

  • The necessary results of a fragmented system (Score:3, Insightful)

    by Zamfir (585994) on Friday May 23 2008, @09:00AM (#23516718)
    The real problem here is that your health care data is scattered across many processing and medical records systems from all the insurers and care givers that you have ever been involved with. This results in doctors not having the needed information, costly redundant care, misdiagnoses, etc. Couple that with the growing trend to have people/patients manage their health care costs, and it becomes clear that solutions like Microsoft's and Google's are necessary and the potential benefit outweighs the privacy risk (trust me: no one cares about your anal fissures) This is far less of a problem in more centralized models where a longitudinal view of a patient is much more readily available (kind of like how the IRS has your tax history).
Search
It's gonna be alright, It's almost midnight, And I've got two more bottles of wine.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.