Cenzic 232 Patent
Paid Advertising
web application security lab

Google Health

It must be a Wednesday because it’s feeling a lot like “pick on Google” day! Let’s see here, what’s in the news today? Oh! Google Health - from the same company that brought you countless vulnerabilities both fixed and unfixed, with a policy of not alerting people to security issues comes a new service that asks you to input all your most sensitive personal health records! “But it’s medical records,” I can hear people saying, “surely they’ll be as secure as any HIPAA compliant entity.” Except, legally not so much… (from their terms of service):

Google is not a “covered entity” under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder (”HIPAA”). As a result, HIPAA does not apply to the transmission of health information by Google to any third party.

I think it’s a shame Google found a legal get out of jail free card to absolve themselves from securing consumer medical records in the same way everyone else who handles this kind of data does. At least Google gives you advice on how to protect your personal data. By uhm… protecting it!

You are responsible for the security of your passwords and for any use of your account. You must immediately notify Google of any unauthorized use of your password or account by following the instructions at this link: http://www.google.com/support/accounts/bin/answer.py?answer=48601

Incidentally my favorite line from their form is:

Google Accounts: I think someone else is using my Google Account. Tip: In most cases, this problem can be resolved by resetting your password. Please do so before completing our form.

Resetting your password will recover your stolen personal data and make you and your family whole again, I guess. As a side note, a year has come and gone and silently the Google security blog has had its first birthday. Has anyone noticed? I recall a year ago I said to a number of people I’d be surprised if anything interesting came out of it, and here we are a year later, with about 13 posts (one a month) and pretty much nothing of note about any actual issues/flaws has been discussed. There were two brief non-technical posts about “Lemon”, a year ago, to be fair. Maybe someone learned something from it, but it sure wasn’t me or any researchers I’ve talked to. Happy belated birthday, Google Security! Another year has come and gone, and the redirects still aren’t closed - how about a post about that?

As another noted security expert pointed out to me two days ago - Google represents the single greatest travesty of our generation. You gather the largest collection of the most brilliant minds you can possibly find, for the sole purpose of displaying ads next to search results. Remember, this is the same company who just a few short months ago was ranked the single worst in privacy of all the top Internet sites. Great - just who I want to be the keeper of my apparently non-HIPAA regulated medical data.

Okay, enough picking on poor Google for today.

18 Responses to “Google Health”

  1. Ronald van den Heetkamp Says:

    Seen this:

    http://blogs.stopbadware.org/articles/2008/04/05/infections-stats-for-march-2008

    Top Infected IP Addresses for March 2008 first place is for Google: 72.14.207.191 3722 US GOOGLE - Google Inc.

    That kinda scares me, certainly in the light of Google Health. :(

  2. thrill Says:

    Hmm.. GoogleHealth+OpenSocial.. who needs regulation when you can just make all of your information public with such ease?

  3. Sirw2p Says:

    Mails,Feeds,Calendars,Docs,Alerts…… and now our medical record?

    I fail to understand how people can give such data to google and besides knowing their security policies ..

  4. B10m Says:

    Oh well, at least the “CHE4P M3DS” spam will be targeted then, both in your mailbox and on any AdSense-enabled website. Ok people, cue your V14GR4 jokes …

  5. Bipin Upadhyay Says:

    I fail to understand how people can give such data to google and besides knowing their security policies ..

    …because:
    1. people don’t care about _privacy_. It’s sad but true.
    2. people (even developers) are not aware of the latest flaws. They still live in the Virus era. This is a first hand, and quite frustrating experience.
    3. *Google Rockz* :). It’s tough to explain the adversaries to the _impressed_ people. I had organized an BarCamp style internal meet last month and tried explaining/talking about a few points of impact, with respect to Goog, but… :)

    I’ll bring the topic of Google health during this months meet. Let’s see the reactions. :)

  6. Spider Says:

    Ahhh, then it appears that Google is *not* a customer of SecTheory. From your earlier post about not posting as much, I was concerned.

  7. RSnake Says:

    @Spider - I’m fairly certain Google would prefer to light me on fire than give me money. Unless by giving me money that would insure that I would shut up, then money is preferable to fire - less messy. ;)

  8. mfmjos Says:

    You know I love the idea of being connected and of having my information available to me where and when I need it. But Google health, and the others including Microsoft’s Health Vault scare me. I don’t think they can promise the security that I require for my personal data. I, as well as many others I’m guessing, assumed that this service would fall under HIPAA guidelines. Thank you for finding this information and for publishing it. I’m not running a blog right now but I’m considering starting one just so that there will be another place for people to find this information. Let everybody know!

  9. RSnake Says:

    @mfmjos - thank you!

    Btw, welcome slashdotters! :)

  10. Frank Says:

    I suppose the next logical step will be when Google figures out a way to fully scan our brains and let us upload ourselves eternally. The onlineification of our being is takes another step closer with this.

  11. hazmat Says:

    I am amazed that anybody would want to put such sensitive information in the hands of Google. Even more so since they have found a nice little loophole in which they can bypass HIPPA. HIPPA is there for a reason and I’m ashamed at Google for offering a service that they probably won’t be able to secure properly. Most decent hospitals offer a service where you can view portions of your medical record online through the hospital network. I just think that Google is spreading itself thin. They really need to focus on what they have instead of rolling out 500 new services a year.

  12. Oliver Day Says:

    @Ronald van den Heetkamp:
    In all fairness to Google that statistic represents infected blogspot accounts. And from the looks of it these weren’t infected via security breach but through people automating account setup and intentionally adding malicious code (e.g. iframes) to the content.

    Max goes into more detail about this here http://blogs.stopbadware.org/articles/2008/04/07/commentary-on-top-infection-stats

    disclosure: I am a researcher @ stopbadware

  13. RSnake Says:

    @Oliver - thanks for the comment, although I think we need to file this one under the “Expected behavior” category. They have no interest in fixing that vulnerability from what I have gathered. Putting malicious code on blogspot is well documented here as is their response: http://ha.ckers.org/blog/20070817/xss-hole-in-google-apps-is-expected-behavior/#comment-45992

    To quote Google, “this is not a vulnerability”. Read again - infecting people with malware on blogspot is not a vulnerability. Extremely irresponsible of Google, if you ask me. I wouldn’t expect this to get fixed anytime in the near future.

  14. jono - from the left coast Says:

    @Oliver - Yeah, it’s that damn blogspot that is compromised, not actually Google — but isn’t it another Google property or service. Isn’t Google Health another Google property or service? If they aren’t a covered entity, and they can’t secure Blogspot, I really hope people don’t put their medical records in there — it will end badly.

    Hola RSnake, drink Id’s beer for me!

  15. Anna McMillan Says:

    Just have a look at what .gov project sits on top of google [googol].
    Stop looking at that company as a dot com!
    Its part of a project to re-capture the internet and all info flows.

    A good link to start with is:
    http://www.inqtel.org/technology-portfolio/atlast_software.html

  16. Niels Olson Says:

    But, if I’m reading this right, Google becomes a covered entity as soon as they facilitate the transfer of information to a health care provider. Would someone please put their birthday in Google Health, go to a doctor’s appointment, and, when they ask for your birthday, insist they pull it up on Google Health!?

    easy to read summary:
    http://hipaa.ohio.gov/tools/CEDefinition.pdf

    full text of referenced Code of Federal Regulations
    http://frwebgate.access.gpo.gov/cgi-bin/get-cfr.cgi?YEAR=current&TITLE=45&PART=164&SECTION=501&SUBPART=&TYPE=TEXT

  17. Dr Bonis Says:

    Hi everyone,

    I am a family physician (and the guy that discovered and suffered the first case of wiiitis ;-) ).

    As a doctor and biomedical informatics expert I am really concerned about the new privacy threats that Personal Health Records will put into the arena.

    There’s no doubt (from my point of view as a Emergency Room doctor) that having access to your main diseases, treatments and some well selected medical information (but not ALL your medical information) can be useful for your healthcare.

    But are the privacy risks higher than the potential benefits?

    I like the quote of Eric S. Raymond when he says: “Often, the most striking and innovative solutions come from realizing that your concept of the problem was wrong.”

    As a lover of hacking culture I try to apply this principle in my own area of knowledge (medicine and medical informatics).

    So I realized that the security of a system depends on two factors: the effort needed to breach the system and the potential value of the information inside the system.

    You can increase the “security” of your system by making harder to breach it or by decreasing the value of the information inside.

    So I decided to build the first TOTALLY ANONYMOUS Personal Health Record system. No email, no name, no identity needed to access to the service.

    Its name is keyose and can be found in: http://www.keyose.com/

    Please test it. Any comments will be of great value.

    Of course we will be happy of improve our security. I know many of you can hack the site and find breaches.

    It would be nice if you send me your findings on security weaks of keyose to my email: drbonis@gmail.com. We will take into account to build a better system.

    See you and enjoy!

    Dr Julio Bonis

  18. M Swiegers Says:

    I am trying in vain to create a GOOGLES ACCOUNT. Hackers have stolen my identity, not only that, they have changed the TOOLBAR on my GOOGLES Internet webpage, removed certain things and added their own. We know who it is, but our Police do nothing to assist us.

    When I punch in any password, they often change it while I am still busy. Often they use my identity to cause problems else where…

    The block me from using my own computer should it be ‘made safe’ with a pass word.. they will never stop as long as they are walking free in PRETORIA,. SOUTH AFRICA. It is a syndicate.