
Delving Into Google Health's Privacy Concerns

SecureThroughObscure writes "Security researcher Robert 'RSnake' Hansen discusses numerous concerns with Google's new Google Health application, which aims to integrate users' medical records online. We discussed Google Health's opening to the public earlier this week. RSnake mentions that Google has found a loophole allowing them to provide this service without having to follow HIPAA regulations, which, combined with Google's track record of having numerous flaws leading to private information disclosure, draws serious concern. Security researcher Nate McFeters of ZDNet's Zero-Day Security Blog also commented on the article, mentioning several past vulnerabilities: ownership of content issues, Google Docs theft, a cross-domain hole, Google XSS, and a Google Picasa protocol handler issue leading to the theft of user images. He and fellow researcher Billy Rios disclosed these issues to Google, including the ability to steal GMail contact list information. McFeters says it's likely that similar unpatched bugs would allow an attacker to view medical records if a user was also using Google Health. Both McFeters and Hansen tend to agree that Google's vulnerability disclosure/notification is non-existent and really needs to be improved. Currently, Google does not report vulnerabilities it has fixed to its user base, for the obvious reason of trying to hide the fact that user data could have been stolen."
This discussion has been archived. No new comments can be posted.

  • Re:Loophole? (Score:5, Informative)

    by funnyguy ( 28876 ) on Friday May 23, 2008 @08:45AM (#23515998)
    Well, not so much a loophole as HIPAA was not designed to protect data at healthcare record storage companies chosen by the patient. I don't think Google "found" this as it has always been known to all of the healthcare community (at least security professionals). You are only covered by HIPAA if you are a "Covered Entity" (CE) which includes health plans (insurance), healthcare providers (doctors) or a healthcare clearinghouse (converts non-standard healthcare data into standardized healthcare formats like X12 format).

    If Google or any healthcare records storage company is being used by a CE and has a contract with that CE, they are a Business Associate. BAs of CEs are subject to the HIPAA Security Rule (the section of HIPAA that is in question and largely referred to about protecting healthcare data).

  • Does Microsoft's HealthVault.com, which came before Google Health, receive the same amount of critique?
    Yes [slashdot.org], and for much the same reasons.
  • What's all the fuss? (Score:4, Informative)

    by asdavis ( 24671 ) on Friday May 23, 2008 @09:16AM (#23516212) Homepage
    Seriously, I really don't understand all of the fuss people are making here about Google Health. Perhaps I have a different perspective as I have worked in the Healthcare IT space for a major HIPAA Covered Entity and built their HIPAA Security program. Let me clear up any illusions you may have... HIPAA Covered Entity != Secure. HIPAA is designed to address the privacy and security of Protected Health Information, aka "PHI", as it relates to treatment (This is a generalization, but is fairly accurate). Since Google is not involved in the treatment of patients, HIPAA does not apply. You would be astounded at who has access to your electronic medical records during the course of treatment. Even something as routine as a blood test would have electronic PHI (ePHI) transmitted between many organizations: Hospitals, Clinical Laboratories, Health Plans, VANs, Independent Physician Associations, and Physicians. Do you honestly think that the IT practices of your local Physician with a $600 Dell PC running Vista Home, no virus protection and a DSL line is protecting your data in a more sophisticated manner than Google? Why do people lose their senses when operating in an electronic world? Allowing Google to store your ePHI is no different than asking a friend to hold onto your paper medical records. Your friend isn't bound by HIPAA either. If you don't want your friend to peer at your records, then don't let him hold onto them. Google is offering a convenience service. Like all convenience services, it comes with risks. If the risks are too high for you, don't take them. Google hasn't done anything wrong and they certainly have not found a loophole. Healthcare organizations deal with non-covered entities all of the time. Do you think that the company that prints the invoices for your local doctor, hospital or laboratory is a covered entity?

    I will admit there is one difference however, since the patient is the one making the request for the records to be transferred, there is no "Business Associates" agreement (another HIPAA term) between Google and the covered entity. Quite honestly, these aren't worth the paper they are printed on anyway.

    I for one will not be using Google Health for my own records, but that's just me.
  • by Anonymous Coward on Friday May 23, 2008 @09:39AM (#23516442)
    At the healthcare org I work at, the machines with Impact (amazingly enough) are very much locked down through ScriptLogic, so they relock themselves each time someone logs into them. We believe them to be secure and, as far as I'm aware, we haven't had security problems with them (at least in the past 3 years).

    Also we are currently testing out the Microsoft solution for this, as Electronic Health Record stuff is getting to be a very big deal and we don't want to be left behind...

    More and more vendors are doing IE apps instead of thick, much easier to maintain, and normally less chance of conflicts with other apps (except the evil Java...)
  • by Sporkinum ( 655143 ) on Friday May 23, 2008 @10:28AM (#23517146)
    This is an email exchange I had with Microsoft on this very subject.

    From: HSG Privacy [mailto:hsg-priv@microsoft.com]
    Sent: Wednesday, December 19, 2007 4:22 PM
    To: XXXXXXXXX
    Subject: RE: Health Vault Privacy

    Dear Mr. XXXXX,

    Our sincere apologies for the long delay in providing you a response to your inquiry.

    Because HIPAA applies to organizations and not products, HealthVault and HealthVault Search do not fall under its purview. Microsoft is not waiting for regulations to define our privacy and security practices. Microsoft made the decision early on to set rigorous privacy policies for these products.

    Health information technology is evolving rapidly and privacy remains a central concern. Core to Microsoft's privacy principles is our belief that health information is most effectively protected when consumers are at the center of the healthcare system and in control of their information.

    Microsoft supports a comprehensive federal approach to privacy legislation. We believe federal privacy legislation should include four key elements to help protect consumer privacy, and to support businesses' privacy policies and compliance efforts. First, there should be a uniform baseline standard that applies across all organizations and industries. Second, any legislation must increase the transparency regarding collection, use and disclosure of personal information. Third, individuals must have meaningful control over the use and disclosure of personal information. Finally, we believe there should be minimum-security requirements around the storage and transit of personal information.

    Best regards,

    HSG Privacy Team

    From: XXXXXXXXXXXX
    Sent: Thursday, October 04, 2007 10:36 AM
    To: HSG Privacy
    Subject: Health Vault Privacy

    I noticed while going through the privacy statement there was no reference to HIPAA. With something as personal as one's medical records, HIPAA compliance is a must! http://www.hhs.gov/ocr/hipaa/ [hhs.gov]

    Also, I would not be surprised to see a company offer some sort of beneficial tracking program, and then use the data they get through authorization to deny insurance or raise premiums. With advertising being the primary reason for the service, the probability of misuse would be relatively high, I would think.
  • by N1ck0 ( 803359 ) on Friday May 23, 2008 @12:25PM (#23518916)
    I agree with you 100% on the entire HIPAA != security aspect. I work managing datacenters for a large healthcare transcription and medical records technology company, and trust me, HIPAA leaks happen pretty often (we of course follow the protocol and log and inform the hospitals of such events, but it's not that uncommon).

    And then there is a large portion of the industry which no one really looks at anyway. Right now a good portion of medical records are shipped to part-time home workers to transcribe audio recordings into your actual medical records. And a majority of these people work from home on personal machines, loaded with everything from kids' games to malware, hooked directly to cable modems...and their concept of security is having a password on their Windows XP account.

    Also paper is still rampant at offices, who often distribute records by fax, email, etc...and trust me, health care providers are notorious for entering some random company's email address or fax number into a system by accident (The worst I've heard is an automated billing system sending copies of hundreds of patients' records to a local Kinko's by mistake).

    To be honest I would trust Google's security over some of the home users, clinics, and random small medical service organizations that many hospitals use any day of the week. While they are more 'visible' to the populace they probably have less frequent security breaches than what exists now.
