
Delving Into Google Health's Privacy Concerns

SecureThroughObscure writes "Security researcher Robert 'RSnake' Hansen discusses numerous concerns with Google's new Google Health application, which aims to integrate users' medical records online. We discussed Google Health's opening to the public earlier this week. RSnake mentions that Google has found a loophole allowing them to provide this service without having to follow HIPAA regulations, which, combined with Google's track record of having numerous flaws leading to private information disclosure, draws serious concern. Security researcher Nate McFeters of ZDNet's Zero-Day Security Blog also commented on the article, mentioning several past vulnerabilities: ownership of content issues, Google Docs theft, a cross-domain hole, Google XSS, and a Google Picasa protocol handler issue leading to the theft of user images. He and fellow researcher Billy Rios disclosed these issues to Google, including the ability to steal GMail contact list information. McFeters says it's likely that similar unpatched bugs would allow an attacker to view medical records if a user was also using Google Health. Both McFeters and Hansen tend to agree that Google's vulnerability disclosure/notification is non-existent and really needs to be improved. Currently, Google does not report vulnerabilities it has fixed to its user base, for the obvious reason of trying to hide the fact that user data could have been stolen."
  • by bramp ( 830799 ) on Friday May 23, 2008 @08:25AM (#23515892) Homepage
    I think I found an information disclosure problem with Google Calendar, but after trying to contact Google twice I have given up.

    If anyone is interested please read: http://bramp.net/blog/google-calendar-exploit [bramp.net]

    and hopefully if this is a bug it can get passed on to Google.
  • Re:Loophole? (Score:3, Interesting)

    by ShieldW0lf ( 601553 ) on Friday May 23, 2008 @08:30AM (#23515924) Journal
    This is good. Game-changing type of good.

    By the time this has all panned out, there won't be any illusions of privacy, only an ever increasing number of people getting their information bought and sold and revealed all over the place until they finally demand to be in on the "knowing what's going on" like everyone else and demand a social order that doesn't revolve around secrets and leverage.

    Go Google! Gather it all and screw up keeping control like you usually do!
  • by Erris ( 531066 ) * on Friday May 23, 2008 @08:38AM (#23515972) Homepage Journal

    Most hospitals now use some form of Windoze client like Impact. The staff surf the web with IE on the same machines. Do you think HIPAA means anything in an environment like that? You might as well let Google serve records to people's home PCs because there's no difference between home and hospital now.

  • Re:Not me (Score:4, Interesting)

    by hal9000(jr) ( 316943 ) on Friday May 23, 2008 @09:18AM (#23516234)
    Google isn't doing this out of the goodness of their hearts. They want to monetize it, so how will they do that? Sell ads? Ok, where and when will they show up? Only when you are searching your health information or whenever you happen to be searching?

    What about selling health information to other entities? Maybe they don't sell the identifying bits, but even regional data can have an enormous impact on your ability to get health and life insurance, the premiums you pay, etc. Insurance carriers already track regional trends, but more data means better predictions.

    Look, corporate entities, and never, ever forget that Google is a corporate entity, have to make money and think about how they will do that.
  • Google and Do Evil (Score:3, Interesting)

    by Stormcrow309 ( 590240 ) on Friday May 23, 2008 @09:19AM (#23516242) Journal

    I always had a problem with a company with the value statement of 'Do no evil' who doesn't spell out what that means in detail. I was listening to Stafford's Entrepreneurial Thought Leaders series this weekend and Google.org was discussing using their engineering talent to recognize epidemics before anyone else. My guess is this is how Google plans to do it. It is clear Google intends to use this data, but I think has done a poor job defining exactly how. Add in the fact that Google has bowed to governments for information on their citizens and I end up with a cold chill. Working in the health care industry, I see the value of patient records that are easy to transfer for the patient, but I am not sure this is the way. The little security analyst in me is screaming bloody murder.

  • Re:Not me (Score:4, Interesting)

    by ShieldW0lf ( 601553 ) on Friday May 23, 2008 @10:13AM (#23516870) Journal
    You don't understand insurance in the slightest, or you wouldn't make statements like that.

    1) When you get insurance as an individual, if you have a previously existing medical condition, and you manage to conceal it, they won't dig hard. They'll just take your money. When it comes time to make a claim, it WILL come out then, and they will refuse to cover you, even though they took your money. Transparency in medical records will protect people from doing this to themselves.

    2) When you get group insurance, personal medical records don't come into it at all. Not at all. They calculate the risks based on the probability that any employee will require treatment based entirely on their demographic. That is what makes group insurance plans so appealing in the first place.

    I used to sell the stuff for a brief period of time, until I learned how it really worked and realized I wouldn't be able to look myself in the mirror if I didn't get out of that industry. I know what I'm talking about.
  • by MrMarket ( 983874 ) on Friday May 23, 2008 @02:33PM (#23520774) Journal
    No, we are arguing that the security of this information affects peoples' livelihoods and that users should be aware that the information in Google Health does not fall under the legal protections that HIPAA provides for privacy and security when deciding to use it.
