Delving Into Google Health's Privacy Concerns

SecureThroughObscure writes "Security researcher Robert 'RSnake' Hansen discusses numerous concerns with Google's new Google Health application, which aims to integrate user's medical records online. We discussed Google Health's opening to the public earlier this week. RSnake mentions that Google has found a loophole allowing them to provide this service without having to follow HIPAA regulations, which, combined with Google's track record of having numerous flaws leading to private information disclosure, draws serious concern. Security researcher Nate McFeters of ZDNet's Zero-Day Security Blog also commented on the article, mentioning several past vulnerabilities: ownership of content issues, Google Docs theft, a cross-domain hole, Google XSS, and a Google Picasa protocol handler issue leading to the theft of user images. He and fellow researcher Billy Rios disclosed these issues to Google, including the ability to steal GMail contact list information. McFeters says it's likely that similar unpatched bugs would allow an attacker to view medical records if a user was also using Google Health. Both McFeters and Hansen tend to agree that Google's vulnerability disclosure/notification is non-existent and really needs to be improved. Currently, Google does not report vulnerabilities it has fixed to its user base, for the obvious reason of trying to hide the fact that user data could have been stolen."

Not me

[strikeleader]

Why would anyone want to put their health info anywhere if HIPAA does not apply. I know that HIPPA is not perfect, but it at least has recourse if info is released or stolen.

Microsoft's HealthVault.com policies comparison

[Anonymous Coward]

Does Microsoft's HealthVault.com, which came before Google Health, receive the same amount of critique?

Let's examine Microsoft's HealthVault.com policies and how they compare to Google Health.

Re:Not me

[Chicken04GTO]

Because people are dumb.

Rough Analog

[FurtiveGlancer]

To me, this would be akin to plastering my personal medical records on a bulletin board in a busy public place with a single coversheet on each item that says "Private Medical Information: Please don't read this."

Thanks to the military, I had an introduction to very early "on-line" medical records. Yes, you guessed correctly. Those records are "no longer available." Fortunately, I requested copies of every contact and kept those in a personal copy of my medical records.

Oh Geeze...stop hyperventilating

[Danathar]

If you are afraid of your data getting stolen, DON'T USE IT.

Quite frankly I'm tired of people complaining on my behalf. Especially when I don't use whatever is being complained about and when the people complaining don't use it either.

Also..it IS a BETA (test). Once they are out of BETA they might actually have to apply HIPPA.

Want access to thousands of Google accounts?

[Anonymous Coward]

Do you want to access people's google accounts without even needing to come up with an attack?

1. Start a website requiring users to sign up with email addresses and passwords
2. Go through your DB and get a list of all the gmail ones
3. Try logging in with the gmail usernames and the passwords they gave your site
4. Over half of them will probably work
5. PROFIT!!!!!!

Last time I tried this, I picked about 10 at random. Six worked. I have thousands of gmail accounts in my users table. Lucky I'm not a black hat.

Security? What's security? People just don't think about it or take even the most basic precautions. This Health Records service seems like a very bad idea from a "what could possibly go wrong" perspective but I don't know if Google is to blame for that ...

FTC regulations cover them which is likely better

[Blahbooboo3]

Enough with the HIPAA scare. Most of these PHR vendors privacy policies are STRONGER than HIPAA and are governed by the FTC which is (from what I understand) MUCH stronger than HIPAA rights.

Also, I believe an organization which changes a policy must ask their members to re-accept their policies under FTC regs.

Thanks for a real and EDUCATED response!

[Blahbooboo3]

Great response. Most of the people responding do not work in health IT and have absolutely no idea what they are talking about related to what HIPAA actually does -- which is about NOTHING since it just made all the lawyers money.

I responded above how actually the word is now that these PHRS and their privacy policies are under FTC regulations. My understanding is that the FTC regulations recourses are actually stronger than the HIPAA ones anyway. All the PHR vendors have privacy and data use policies that are STRONGER than HIPAA anyway.

Slashdot users are funny in how they think they know everything. I bet most here had to look up how to spell HIPAA.

Re:Not me

[MrMarket]

My Sentiment exactly. First off I don't know who would want to look at my medical record and second, I don't really care if someone does.

Here are two types of organizations that would be very interested in you and your family's medical history:
1) Insurance companies: "Thank you for choosing Overabarrel Insurance, Co. Your policy is enclosed. Because your father and uncle had colon cancer, your monthly premium will be $10,000/month."
2) Employers: "You're a great programmer, but we can't bring you on full-time. Your records show that your father and uncle had colon cancer, and we can't afford to take on the risk of our insurance premiums going through the roof if you get it."

Essentially, health status can be a significant driver of discrimination in many different forms. The less someone knows about your health status (or your relatives health status), the hard it is for them to discriminate against you.

Re:Safe Now With Windoze?

[TerranFury]

It's basically common knowledge, what GP is saying. I clearly remember watching both what my dentist's and my GP's secretaries used to type in my data, and it was obviously a client running on a Windows box. In the case of my dentist, there's a whole Windows dental information suite that he runs, which shows him x-rays and everything. He has multiple rooms with dentist's chairs, and each contains an apparently-identical computer; he can view x-rays and records at any of them, so they are obviously networked. How likely is it that this network is separated from the Internet by anything more than a consumer-grade router? Not very.

How much of a threat really is this, relative to tapes left in cars overnight, or the sloppy (or malicious) use of thumb drives? My gut says, "not a huge one," but I don't really know.

The necessary results of a fragmented system

[Zamfir]

The real problem here is that your health care data is scattered across many processing and medical records systems from all the insurers and care givers that you have ever been involved with. This results in doctors not having the needed information, costly redundant care, misdiagnoses, etc. Couple that with the growing trend to have people/patients manage their health care costs, and it becomes clear that solutions like Microsoft's and Google's are necessary and the potential benefit outweighs the privacy risk (trust me: no one cares about your anal fissures) This is far less of a problem in more centralized models where a longitudinal view of a patient is much more readily available (kind of like how the IRS has your tax history).

Re:Not me

[OverlordsShadow]

Exactly. Not to mention there could be more targeted spam, via email, flyers or phone calls. Someone sees you got burnt years back, call you up with the newest of the new plastic surgery techniques. Woman has breast cancer, gets an email from an implants company. Kid loses leg, gets a call, and multiple emails about cheeta prostetics and such. The list goes on. Someone will have a cure for anything they can find wrong with you. Not to mention targeted Google ads?

Re:Loophole?

[Hoplite3]

"Don't be Evil" is localized to the local value of evil.

(It's not funny, it's pretty much how Google operates.)

Re:Safe Now With Windoze?

[Schlage]

Of course, your insecurely networked dentist only has access to a small portion of your medical records, while Google Health would (presumably) eventually be caching your entire medical history.

Security concern becomes of a whole different order of magnitude when dental, medical, and mental health information all get chunked into the same system, then it becomes kind of like a Real ID for health; convenient one-stop shopping for all your privacy-invading needs.

Re:I'm Your Insurance Company

[Archimagus]

A lot of you seem to be assuming that Google is trying to make your health information freely available to the public. That is not the case. This article talks about the possibility of your information getting STOLEN from google. Which, last I checked is illigal. So if your insurance compay got there hands on your information they would be contributing to illigal activities and run the risk of being shut down or at least sued to Hell and back. Right from the Google Health Web site.

Google stores your information securely and privately. We will never sell your data. You are in control, you choose what you want to share and what you want to keep private.

Also it is not like google is going out and digging up all of your records, you have to manualy upload your records to their servers. If there is something you absolutely can not have get out then don't up load it, then it's not there to be stolen.

Re:Loophole?

[Dekortage]

...an ever increasing number of people getting their information bought and sold and revealed all over the place until they finally demand to be in on the "knowing whats going on" like everyone else...

And then they will have to buy their own information just to find out what it is. Doesn't matter that you gave it up for free; if you want to know how it is being used or presented, it will cost you.

It will be kind of like the credit bureaus: you can get a free credit report from them (once a year) but if you want your All-Powerful Credit Score, you gotta pay. Sure, it's not a lot of money, but it's still You Paying For Your Own Info.

They don't care

[Anonymous Coward]

If you would have read the WSJ and NYT articles, you would see people in the pilot were NOT concerned about others seeing their medical information. For them, the benefits outweighed the risks. It is THEIR decision, and it doesn't jive with yours, you're not forced to use it.

Exactly! Medical Records in my Wallet!

[AmigaHeretic]

Great post!

>> Allow Google to store your ePHI is no different than asking a friend to hold onto your paper medical records.

I keep a list of my wifes allergies and medications in my wallet in case of an emergency. Yeah on a piece of paper in my wallet. So having them available online is just convienent. So I guess someone could steal my wallet too.

Also, as if a gave a crap who knows my medical history. You people have 12 deadbolts on your doors too? Paraniod much???

You people are paraniod!!

[AmigaHeretic]

I keep a list of mine and my wifes allergies and medications on a PIECE OF WHITE PAPER in my WALLET!!!

Oh my god!!

And, No I don't have a built in 100,000volt security system around my ass incase sometries to steal it.