It must be a Wednesday because it’s feeling a lot like “pick on Google” day! Let’s see here, what’s in the news today? Oh! Google Health. From the same company that brought you countless vulnerabilities, both fixed and unfixed, and that has a policy of not alerting people to security issues, comes a new service that asks you to input all your most sensitive personal health records! “But it’s medical records,” I can hear people saying, “surely they’ll be as secure as any HIPAA compliant entity.” Except, legally, not so much… (from their terms of service):
Google is not a “covered entity” under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder (“HIPAA”). As a result, HIPAA does not apply to the transmission of health information by Google to any third party.
I think it’s a shame Google found a legal get-out-of-jail-free card to absolve itself from securing consumer medical records the way everyone else who handles this kind of data has to. At least Google gives you advice on how to protect your personal data. By, uhm… protecting it!
You are responsible for the security of your passwords and for any use of your account. You must immediately notify Google of any unauthorized use of your password or account by following the instructions at this link: http://www.google.com/support/accounts/bin/answer.py?answer=48601
Incidentally my favorite line from their form is:
Google Accounts: I think someone else is using my Google Account. Tip: In most cases, this problem can be resolved by resetting your password. Please do so before completing our form.
Resetting your password will recover your stolen personal data and make you and your family whole again, I guess. As a side note, a year has come and gone, and the Google security blog has silently had its first birthday. Has anyone noticed? I recall saying to a number of people a year ago that I’d be surprised if anything interesting came out of it, and here we are a year later with about 13 posts (one a month), and pretty much nothing of note about any actual issues/flaws has been discussed. There were two brief non-technical posts about “Lemon” a year ago, to be fair. Maybe someone learned something from it, but it sure wasn’t me or any researchers I’ve talked to. Happy belated birthday, Google Security! Another year has come and gone, and the redirects still aren’t closed. How about a post about that?
As another noted security expert pointed out to me two days ago, Google represents the single greatest travesty of our generation: you gather the largest collection of the most brilliant minds you can possibly find, for the sole purpose of displaying ads next to search results. Remember, this is the same company that just a few short months ago was ranked the single worst in privacy of all the top Internet sites. Great, just who I want to be the keeper of my apparently non-HIPAA-regulated medical data.
Okay, enough picking on poor Google for today.