Google Health
It must be a Wednesday because it’s feeling a lot like “pick on Google” day! Let’s see here, what’s in the news today? Oh! Google Health - from the same company that brought you countless vulnerabilities both fixed and unfixed, with a policy of not alerting people to security issues comes a new service that asks you to input all your most sensitive personal health records! “But it’s medical records,” I can hear people saying, “surely they’ll be as secure as any HIPAA compliant entity.” Except, legally not so much… (from their terms of service):
Google is not a “covered entity” under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder (”HIPAA”). As a result, HIPAA does not apply to the transmission of health information by Google to any third party.
I think it’s a shame Google found a legal get out of jail free card to absolve themselves from securing consumer medical records in the same way everyone else who handles this kind of data does. At least Google gives you advice on how to protect your personal data. By uhm… protecting it!
You are responsible for the security of your passwords and for any use of your account. You must immediately notify Google of any unauthorized use of your password or account by following the instructions at this link: http://www.google.com/support/accounts/bin/answer.py?answer=48601
Incidentally my favorite line from their form is:
Google Accounts: I think someone else is using my Google Account. Tip: In most cases, this problem can be resolved by resetting your password. Please do so before completing our form.
Resetting your password will recover your stolen personal data and make you and your family whole again, I guess. As a side note, a year has come and gone and silently the Google security blog has had its first birthday. Has anyone noticed? I recall a year ago I said to a number of people I’d be surprised if anything interesting came out of it, and here we are a year later, with about 13 posts (one a month) and pretty much nothing of note about any actual issues/flaws has been discussed. There were two brief non-technical posts about “Lemon”, a year ago, to be fair. Maybe someone learned something from it, but it sure wasn’t me or any researchers I’ve talked to. Happy belated birthday, Google Security! Another year has come and gone, and the redirects still aren’t closed - how about a post about that?
As another noted security expert pointed out to me two days ago - Google represents the single greatest travesty of our generation. You gather the largest collection of the most brilliant minds you can possibly find, for the sole purpose of displaying ads next to search results. Remember, this is the same company who just a few short months ago was ranked the single worst in privacy of all the top Internet sites. Great - just who I want to be the keeper of my apparently non-HIPAA regulated medical data.
Okay, enough picking on poor Google for today.
May 21st, 2008 at 2:34 pm
Seen this:
http://blogs.stopbadware.org/articles/2008/04/05/infections-stats-for-march-2008
Top Infected IP Addresses for March 2008 first place is for Google: 72.14.207.191 3722 US GOOGLE - Google Inc.
That kinda scares me, certainly in the light of Google Health.
May 21st, 2008 at 2:45 pm
Hmm.. GoogleHealth+OpenSocial.. who needs regulation when you can just make all of your information public with such ease?
May 21st, 2008 at 4:22 pm
Mails,Feeds,Calendars,Docs,Alerts…… and now our medical record?
I fail to understand how people can give such data to google and besides knowing their security policies ..
May 22nd, 2008 at 12:20 am
Oh well, at least the “CHE4P M3DS” spam will be targeted then, both in your mailbox and on any AdSense-enabled website. Ok people, cue your V14GR4 jokes …
May 22nd, 2008 at 5:14 am
…because:
1. people don’t care about _privacy_. It’s sad but true.
2. people (even developers) are not aware of the latest flaws. They still live in the Virus era. This is a first hand, and quite frustrating experience.
3. *Google Rockz* :). It’s tough to explain the adversaries to the _impressed_ people. I had organized an BarCamp style internal meet last month and tried explaining/talking about a few points of impact, with respect to Goog, but…
I’ll bring the topic of Google health during this months meet. Let’s see the reactions.
May 22nd, 2008 at 7:41 am
Ahhh, then it appears that Google is *not* a customer of SecTheory. From your earlier post about not posting as much, I was concerned.
May 22nd, 2008 at 8:06 am
@Spider - I’m fairly certain Google would prefer to light me on fire than give me money. Unless by giving me money that would insure that I would shut up, then money is preferable to fire - less messy.
May 23rd, 2008 at 7:09 am
You know I love the idea of being connected and of having my information available to me where and when I need it. But Google health, and the others including Microsoft’s Health Vault scare me. I don’t think they can promise the security that I require for my personal data. I, as well as many others I’m guessing, assumed that this service would fall under HIPAA guidelines. Thank you for finding this information and for publishing it. I’m not running a blog right now but I’m considering starting one just so that there will be another place for people to find this information. Let everybody know!
May 23rd, 2008 at 7:30 am
@mfmjos - thank you!
Btw, welcome slashdotters!
May 23rd, 2008 at 8:09 am
I suppose the next logical step will be when Google figures out a way to fully scan our brains and let us upload ourselves eternally. The onlineification of our being is takes another step closer with this.
May 23rd, 2008 at 10:00 am
I am amazed that anybody would want to put such sensitive information in the hands of Google. Even more so since they have found a nice little loophole in which they can bypass HIPPA. HIPPA is there for a reason and I’m ashamed at Google for offering a service that they probably won’t be able to secure properly. Most decent hospitals offer a service where you can view portions of your medical record online through the hospital network. I just think that Google is spreading itself thin. They really need to focus on what they have instead of rolling out 500 new services a year.
May 23rd, 2008 at 4:12 pm
@Ronald van den Heetkamp:
In all fairness to Google that statistic represents infected blogspot accounts. And from the looks of it these weren’t infected via security breach but through people automating account setup and intentionally adding malicious code (e.g. iframes) to the content.
Max goes into more detail about this here http://blogs.stopbadware.org/articles/2008/04/07/commentary-on-top-infection-stats
disclosure: I am a researcher @ stopbadware
May 23rd, 2008 at 4:24 pm
@Oliver - thanks for the comment, although I think we need to file this one under the “Expected behavior” category. They have no interest in fixing that vulnerability from what I have gathered. Putting malicious code on blogspot is well documented here as is their response: http://ha.ckers.org/blog/20070817/xss-hole-in-google-apps-is-expected-behavior/#comment-45992
To quote Google, “this is not a vulnerability”. Read again - infecting people with malware on blogspot is not a vulnerability. Extremely irresponsible of Google, if you ask me. I wouldn’t expect this to get fixed anytime in the near future.
May 23rd, 2008 at 8:33 pm
@Oliver - Yeah, it’s that damn blogspot that is compromised, not actually Google — but isn’t it another Google property or service. Isn’t Google Health another Google property or service? If they aren’t a covered entity, and they can’t secure Blogspot, I really hope people don’t put their medical records in there — it will end badly.
Hola RSnake, drink Id’s beer for me!
May 24th, 2008 at 3:58 am
Just have a look at what .gov project sits on top of google [googol].
Stop looking at that company as a dot com!
Its part of a project to re-capture the internet and all info flows.
A good link to start with is:
http://www.inqtel.org/technology-portfolio/atlast_software.html
May 25th, 2008 at 9:47 pm
But, if I’m reading this right, Google becomes a covered entity as soon as they facilitate the transfer of information to a health care provider. Would someone please put their birthday in Google Health, go to a doctor’s appointment, and, when they ask for your birthday, insist they pull it up on Google Health!?
easy to read summary:
http://hipaa.ohio.gov/tools/CEDefinition.pdf
full text of referenced Code of Federal Regulations
http://frwebgate.access.gpo.gov/cgi-bin/get-cfr.cgi?YEAR=current&TITLE=45&PART=164&SECTION=501&SUBPART=&TYPE=TEXT
May 27th, 2008 at 2:44 pm
Hi everyone,
I am a family physician (and the guy that discovered and suffered the first case of wiiitis
).
As a doctor and biomedical informatics expert I am really concerned about the new privacy threats that Personal Health Records will put into the arena.
There’s no doubt (from my point of view as a Emergency Room doctor) that having access to your main diseases, treatments and some well selected medical information (but not ALL your medical information) can be useful for your healthcare.
But are the privacy risks higher than the potential benefits?
I like the quote of Eric S. Raymond when he says: “Often, the most striking and innovative solutions come from realizing that your concept of the problem was wrong.”
As a lover of hacking culture I try to apply this principle in my own area of knowledge (medicine and medical informatics).
So I realized that the security of a system depends on two factors: the effort needed to breach the system and the potential value of the information inside the system.
You can increase the “security” of your system by making harder to breach it or by decreasing the value of the information inside.
So I decided to build the first TOTALLY ANONYMOUS Personal Health Record system. No email, no name, no identity needed to access to the service.
Its name is keyose and can be found in: http://www.keyose.com/
Please test it. Any comments will be of great value.
Of course we will be happy of improve our security. I know many of you can hack the site and find breaches.
It would be nice if you send me your findings on security weaks of keyose to my email: drbonis@gmail.com. We will take into account to build a better system.
See you and enjoy!
Dr Julio Bonis