Delving Into Google Health's Privacy Concerns 121
SecureThroughObscure writes "Security researcher Robert 'RSnake' Hansen discusses numerous concerns with Google's new Google Health application, which aims to integrate user's medical records online. We discussed Google Health's opening to the public earlier this week. RSnake mentions that Google has found a loophole allowing them to provide this service without having to follow HIPAA regulations, which, combined with Google's track record of having numerous flaws leading to private information disclosure, draws serious concern. Security researcher Nate McFeters of ZDNet's Zero-Day Security Blog also commented on the article, mentioning several past vulnerabilities: ownership of content issues, Google Docs theft, a cross-domain hole, Google XSS, and a Google Picasa protocol handler issue leading to the theft of user images. He and fellow researcher Billy Rios disclosed these issues to Google, including the ability to steal GMail contact list information. McFeters says it's likely that similar unpatched bugs would allow an attacker to view medical records if a user was also using Google Health. Both McFeters and Hansen tend to agree that Google's vulnerability disclosure/notification is non-existent and really needs to be improved. Currently, Google does not report vulnerabilities it has fixed to its user base, for the obvious reason of trying to hide the fact that user data could have been stolen."
Not me (Score:5, Insightful)
Re:Not me (Score:4, Insightful)
Safe Now With Windoze? (Score:1, Interesting)
Most hospitals now use some form of Windoze client like Impact. The staff surf the web with IE on the same machines. Do you think HIPA means anything in an environment like that? You might as well let Google serve records to people's home PCs because there's no difference between home and hospital now.
Re: (Score:2)
Re: (Score:2, Informative)
Also we are currently testing out the Microsoft solution for this, as Electronic Health Record stuff is getting to be a very big deal and we don't want to be left behind...
More and more vendors are doing IE
Re:Safe Now With Windoze? (Score:4, Insightful)
It's basically common knowledge, what GP is saying. I clearly remember watching both what my dentist's and my GP's secretaries used to type in my data, and it was obviously a client running on a Windows box. In the case of my dentist, there's a whole Windows dental information suite that he runs, which shows him x-rays and everything. He has multiple rooms with dentist's chairs, and each contains an apparently-identical computer; he can view x-rays and records at any of them, so they are obviously networked. How likely is it that this network is separated from the Internet by anything more than a consumer-grade router? Not very.
How much of a threat really is this, relative to tapes left in cars overnight, or the sloppy (or malicious) use of thumb drives? My gut says, "not a huge one," but I don't really know.
Re: (Score:2, Insightful)
Security concern becomes of a whole different order of magnitude when dental, medical, and mental health information all get chunked into the same system, then it becomes kind of like a Real ID for health; convenient one-stop shopping for all your privacy-invading needs.
Re: (Score:2)
No, it's not "common knowledge" at all. My company did a HIPAA-compliant [wikipedia.org] solution for a large provider in 2004-2006 (think Kaiser Permanente-level scale). I wasn't in charge of the client side (which were rich client apps) but I know the developers had a hell of a time trying to get everything to work because the terminals were so locked down. For starters, they didn't have a connection to the internet, and IE wasn't even available. The login provider was
Re: (Score:2)
Mod up! Good info here. I'm curious about this now; I wonder if small doctors' offices like the ones I was talking about maintain a similar level of security? I'm sure they hadn't modified the hardware (as different from your case); the computers I've seen each time I've looked have clearly just been vanilla Dell models. I wonder if they at least leave them off the internet as AC suggested? There are hints that they don't, but now I need to investigate this more to know for sure.
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2, Funny)
Re:Not me (Score:5, Insightful)
1) Insurance companies: "Thank you for choosing Overabarrel Insurance, Co. Your policy is enclosed. Because your father and uncle had colon cancer, your monthly premium will be $10,000/month."
2) Employers: "You're a great programmer, but we can't bring you on full-time. Your records show that your father and uncle had colon cancer, and we can't afford to take on the risk of our insurance premiums going through the roof if you get it."
Essentially, health status can be a significant driver of discrimination in many different forms. The less someone knows about your health status (or your relatives health status), the hard it is for them to discriminate against you.
Re: (Score:2, Insightful)
Re:Not me (Score:4, Interesting)
1) When you get insurance as an individual, if you have a previously existing medical condition, and you manage to conceal it, they won't dig hard. They'll just take your money. When it comes time to make a claim, it WILL come out then, and they will refuse to cover you, even though they took your money. Transparency in medical records will protect people from doing this to themselves.
2) When you get group insurance, personal medical records don't come into it at all. Not at all. They calculate the risks based on the probability that any employee will require treatment based entirely on their demographic. That is what makes group insurance plans so appealing in the first place.
I used to sell the stuff for a brief period of time, until I learned how it really worked and realized I wouldn't be able to look myself in the mirror if I didn't get out of that industry. I know what I'm talking about.
Re: (Score:1)
Re: (Score:2)
How will they prove it was preexisting if it was never documented anywhere (e.g. MIB, Google's big brother database, or what have you)?
Because the medical records are there, and have always been there. They aren't actually hard to find, it just takes time, so they don't bother to do it when you apply. They wait till they've gotten 10,000 of your money and are going to have to pay out 1,000,000 to care for you, then they pay someone to spend
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
If you open a hair salon with 20 hair stylists, they don't assess the 20 stylists for risk.
What they do is consult their actuary tables and determine the likelihood that someone will become ill or die based on their records for all hair stylists from all companies they have done business with in that industry over the last hundred years.
That is how they determine risk in groups. It doesn't have anything to do with the individual group, but on the demographic of the group.
Re: (Score:1)
After a long bout with emphysema an employee at Varney's, a family-owned business in Manhattan, Kan., died several years ago. But for Varney's health insurer, her legacy lived on.
The next year, 2002, the insurer raised Varne's premiums by 28 percent â" even though most of the other three dozen employees were significantly younger and healthier than their departed colleague, who had been in her mid-70â(TM)s. And Varney's premiums continued to climb.
âoeIt was as if her
Re: (Score:2)
Re: (Score:1)
However, several factors go into calculating your "risk" from which your insurance rate is derived: race, age, sex, are the basic ones. Any factor, including family history (not only your personal medical history) if available, will affect this rate. So if they accep
Re: (Score:2)
2) In my experience, that is an outright falsehood. Cite a source.
Re: (Score:1)
1. I've been looking for evidence of this, but so far I haven't seen anything that says you have to disclose family history. What you have to disclose is medical history and pre-existing conditions for yourself and whoever is covered under your policy, but unless your parents and grandparents are under your policy, I have seen nothing that requires you to share their medical history. This might be in some p
Re: (Score:1)
Bush signs genetic discrimination bill [msn.com]
Not a huge surprise.
I'm Your Insurance Company (Score:1)
I'm sorry Joe but based upon your Google Health Records, we have to let you go. We simply can't afford the loss of insurance coverage for everyone else in the company. No hard feelings.
That's just a couple of reasons for HIPPA. Do you rea
Re: (Score:2, Insightful)
Google stores your information securely and privately. We will never sell your data. You are in control, you choose what you want to share and what you want to keep private.
Also it is not like g
Re: (Score:2, Interesting)
Re: (Score:1)
We're slowly approaching an age where genetic profiling is becoming more widely available. I have a family member who got his genetic information mapped, and it's possible that this is going to become common practice within ten years.
At that point, your doctor will be aware of your genetic profile and will be able to better assess your risk of contracting specific diseases, which would improve your ability to prevent them. This is something we could all
Re:Not me (Score:4, Interesting)
what about selling health information to other entities. Maybe they don't sell the identifying bits, but even regional data can have an enormous impact on your ability to get health and life insurance, the premiums you pay, etc. Insurance carriers already track regional trends, but more data means better predictions.
Look, corporate entities, and never, ever forget that Google is a corporate entity, have to make money and think about how they will do that.
Re: (Score:2)
Re: (Score:2)
idiot. (Score:1)
People that worry about privacy are either stupid or hiding something.
FTC regulations cover them which is likely better (Score:3, Insightful)
Also, I believe an organization which changes a policy must ask their members to re-accept their policies under FTC regs.
Re: (Score:2)
Do people really have so many diseases it takes a computer program to organize them?
Unless you're really old, in which case you probably don't even own a computer. Would you need one to write down "don't forget take your blood pressure pills" or "remember to check your pee for diabetes"?
Or maybe you had a weird accident, in which case you would write "healthy, except for that nasty missi
The use case for online health records (Score:2)
There's also the issue of the sorts of things people use MedicAlert bracelets for. I knew someone who was short on clotting factors and went to the hospital with chest pains. They told him some
Re: (Score:1)
Limits of HIPAA (Score:2)
(My doctor's office has documents with labels that say "HIPPA". I've given up on ever having it spelled correctly.)
Re: (Score:2)
Re: (Score:1)
But think of the benefits... (Score:5, Funny)
Re: (Score:1, Funny)
Microsoft's HealthVault.com policies comparison (Score:5, Insightful)
Let's examine Microsoft's HealthVault.com policies and how they compare to Google Health.
Re: (Score:3, Informative)
Re:Microsoft's HealthVault.com policies comparison (Score:4, Informative)
Sent: Wednesday, December 19, 2007 4:22 PM
To: XXXXXXXXX
Subject: RE: Health Vault Privacy
Dear Mr. XXXXX,
Our sincere apologies for the long delay in providing you a response to your inquiry.
Because HIPAA applies to organizations and not products, HealthVault and HealthVault Search do not fall under its purview. Microsoft is not waiting for regulations to define our privacy and security practices. Microsoft made the decision early on to set rigorous privacy policies for these products.
Health information technology is evolving rapidly and privacy remains a central concern. Core to Microsoft's privacy principles is our belief that health information is most effectively protected when consumer are at the center of the healthcare system and in control of their information.
Microsoft supports a comprehensive federal approach to privacy legislation. We believe federal privacy legislation should include four key elements to help protect consumer privacy, and to support businesses' privacy policies and compliance efforts. First, there should be a uniform baseline standard that applies across all organizations and industries. Second, any legislation must increase the transparency regarding collection, use and disclosure of personal information. Third, individuals must have meaningful control over the use and disclosure of personal information. Finally, we believe there should be minimum-security requirements around the storage and transit of personal information.
Best regards,
HSG Privacy Team
From: XXXXXXXXXXXX
Sent: Thursday, October 04, 2007 10:36 AM
To: HSG Privacy
Subject: Health Vault Privacy
I noticed while going through the privacy statement there was no reference to HIPAA. With something as personal as one's medical records, HIPAA compliance is a must! http://www.hhs.gov/ocr/hipaa/ [hhs.gov]
Also, I would not be surprised to see a company offer some sort of beneficial tracking program, and then use the data they get through authorization to deny insurance or raise premiums. With advertising being the primary reason for the service, the probability of misuse would be relatively high, I would think.
Re: (Score:2)
Both Google and Microsoft are engaged in transmitting healthcare information.
Correct Citation (Score:2)
Re: (Score:2)
Re: (Score:2)
Both seem to apply here.
Loophole? (Score:5, Funny)
So the only thing protecting personal health information at Google Health is internal policy and "Don't be evil"? I guess that means they'll protect your PHI--as long as you're not a dissident in China.
Re: (Score:3, Interesting)
By the time this has all panned out, there won't be any illusions of privacy, only an ever increasing number of people getting their information bought and sold and revealed all over the place until they finally demand to be in on the "knowing whats going on" like everyone else and demand a social order that doesn't revolve around secrets and leverage.
Go Google! Gather it all and screw up keeping control like you usually do!
Re: (Score:3, Insightful)
And then they will have to buy their own information just to find out what it is. Doesn't matter that you gave it up for free; if you want to know how it is being used or presented, it will cost you.
It will be kind of like the credit bureaus: you can get a free credit report from them (once a year) but if y
Re:Loophole? (Score:5, Informative)
If Google or any healthcare records storage comapany is being used by a CE and has a contract with that CE, they are a Business Associate. BAs of CEs are subject to the HIPAA Security Rule (the section of HIPAA that is in question and largely referred to about protecting healthcare data).
Re: (Score:3, Insightful)
(It's not funny, it's pretty much how Google operates.)
Re: (Score:2)
Google Calendar exploit? (Score:2, Interesting)
If anyone is interested please read: http://bramp.net/blog/google-calendar-exploit [bramp.net]
and hopefully if this is a bug it can get passed on to Google.
Re: (Score:2)
Do evil (Score:1)
Rough Analog (Score:3, Insightful)
To me, this would be akin to plastering my personal medical records on a bulletin board in a busy public place with a single coversheet on each item that says "Private Medical Information: Please don't read this."
Thanks to the military, I had an introduction to very early "on-line" medical records. Yes, you guessed correctly. Those records are "no longer available." Fortunately, I requested copies of every contact and kept those in a personal copy of my medical records.
Oh Geeze...stop hyperventilating (Score:3, Insightful)
Quite frankly I'm tired of people complaining on my behalf. Especially when I don't use whatever is being complained about and when the people complaining don't use it either.
Also..it IS a BETA (test). Once they are out of BETA they might actually have to apply HIPPA.
Re: (Score:2)
I think your first piece of advice is the best piece there blue canary. If you are worried, then don't use it. I personally want as few people as possible handling my medical records.
Oh boy another person with no idea (Score:2)
Besides, see my other 2 posts on this page explaing why HIPAA doesn't matter anyway.
My goodness, you were modded insightful with such mis-information?? way to go mods!
Re: (Score:2)
Whatever factors may conflate to determine whether or not Google Health legally falls under the purview of HIPAA, I assure you that whether the product has a "Beta" in its name is not one of them.
document and image "theft"? (Score:2)
Talking heads (Score:1)
Google managing my medical records? (Score:3, Funny)
Re: (Score:1)
Have fun with that. I'm sure Google won't hesitate to include you as a statistic somewhere as a result.
What's all the fuss? (Score:4, Informative)
I for one will not be using Google Health for my own records, but that's just me.
Thanks for a real and EDUCATED response! (Score:3, Insightful)
I responded above how actually the word is now that these PHRS and their privacy policies are under FTC regulations. My understanding is that the FTC regulations recourses are actually stronger than the HIPAA ones anyway. All the PHR vendors have privacy and data use policies tha
Re: (Score:2)
Or not. The whole idea is to make the records available to anyone who needs them, such as emergency personnel in the distant town you're visiting when you're unconscious. (I'm not making that one up; it's one of the favorite selling points for these access-anywhere databases.)
It's a great idea, but of course it only works if every EMT on the planet has access to your records. You can calculate
Exactly! Medical Records in my Wallet! (Score:2, Insightful)
>> Allow Google to store your ePHI is no different than asking a friend to hold onto your paper medical records.
I keep a list of my wifes allergies and medications in my wallet in case of an emergency. Yeah on a piece of paper in my wallet. So having them available online is just convienent. So I guess someone could steal my wallet too.
Also, as if a gave a crap who knows my medical history. You people have 12 deadbolts on your doors too? Paraniod much???
Re: (Score:3, Informative)
And then there is a large portion of the industry which no one really looks at anyway. Right now a good portion of medical records are shipped to part-time home workers to transcribe audio
Re: (Score:1)
I work for a clearinghouse, my job is to assist them in getting set up to use us. I handle mostly UNIX based systems, you would be astounded at how quickly they will give up their root password. So quickly that I can't help but think that they would tell anyone that called and asked.
I probably say "you really shouldn't do that, it's a HIPAA violation" 5-6 times a day. Also, everyone so quick to champion the HIPPA laws probably doesn't realize tha
Re: (Score:2)
Google and Do Evil (Score:3, Interesting)
I always had a problem with a company with the value statement of 'Do no evil' who doesn't spell out what that means in detail. I was listening to Stafford's Entrepreneurial Thought Leaders series this weekend and Google.org was discussing using their engineering talent to recognize epidemics before anyone else. My guess is this is how Google plans to do it. It is clear Google intends to use this data, but I think has done a poor job defining exactly how. Add in the fact that Google has bowed to governments for information on their citizens and I end up with a cold chill. Working in the health care industry, I see the value of patient records that are easy to transfer for the patient, but I am not sure this is the way. The little security analyst in me is screaming bloody murder.
Don't be evil spelled out in details (Score:1)
Re: (Score:2)
I would agree with you. I am surprised that HIMSS hasn't raised unholy hell over this. I think that I am safe to recommend that users do not trust this service and not use it. I think that an electronic way of moving data between places is a good thing, but with a requirement that every data move transaction requires patent consent. Without patent consent, which is the best standard of how we should do things in health care, then data should not be shared, with a check for consent per instance of use. In ad
Health (Score:1)
Want access to thousands of Google accounts? (Score:2, Insightful)
1. Start a website requiring users to sign up with email addresses and passwords
2. Go through your DB and get a list of all the gmail ones
3. Try logging in with the gmail usernames and the passwords they gave your site
4. Over half of them will probably work
5. PROFIT!!!!!!
Last time I tried this, I picked about 10 at random. Six worked. I have thousands of gmail accounts in my users table. Lucky I'm not a black hat.
S
Re: (Score:1)
who where when (Score:2)
we're sorry Mr. JoeSixpack we Googled your health record and shows you are not qualified for the position and we already filled the position with a sterilized android...
Re: (Score:1)
I understand that you want to own your information but there should be limits to whom you can give access to.
The same as you're not allowed to give up your rights you shouldn't be allowed to give up certain private information.
I already don't like that your health information is given to health insurance companies so why should i want to give it to Google
The necessary results of a fragmented system (Score:3, Insightful)
Re: (Score:2)
Madness (Score:1)
You would have to be stark-staring insane to put or allow ANY of your medical information on a system like this. The health insurance companies would love this, and would use it against you. In the Single Payer system, you are REQUIRED to give them access to EVERY bit of medical in
Re: (Score:2)
When anyone other than my employer or my bank asks me if they can have my SSN, the answer is "no".
They don't care (Score:1, Insightful)
You people are paraniod!! (Score:2, Insightful)
Oh my god!!
And, No I don't have a built in 100,000volt security system around my ass incase sometries to steal it.
Google Health is right. Security guy is wrong. (Score:1)
I have written extensively criticizing the HealthVault model. (which also applies to the Google Health model in some places)
However, in this case. Google is in the right. They are not and should not be covered by HIPAA. The purpose of HIPAA is to ensure that your healthcare providers to not abuse their information privileges (i.e. knowing you have AIDS before you do) by improperly disclosing that information.
Anything that Google Health does, is theoretically an extension of what you, t