Can We Abandon Confidentiality For Google Apps? 480
An anonymous reader writes "I provide IT services for medium-sized medical and law practices. Lately I have been getting a lot of feedback from doctors and lawyers who use gmail at home and believe that they can run a significant portion of their practice IT on Google Apps. From a support standpoint, I'd be happy to chuck mail/calendar service management into the bin and let them run with gmail, but for these businesses, there is significant legal liability associated with the confidentiality of their communications and records (e.g., HIPAA). For those with high-profile celebrity clients, simply telling them 'Google employees can read your stuff' will usually end the conversation right there. But for smaller practices, I often get a lot of push-back in the form of 'What's wrong with trusting Google?' and 'Google's not interested in our email/calendar.' Weighing what they see as a tiny legal risk against the promise of Free IT Stuff(TM) becomes increasingly lopsided given the clear functionality / usability / ubiquity that they experience when using Google at home. So my question to the Slashdot community is: Are they right? Is it time for me to remove the Tin Foil Hat on the subject of confidentiality and stop resisting the juggernaut that is Google? If not, what is the best way to clarify the confidentiality issues for these clients?"
yes.. (Score:5, Informative)
..the google apps contract is fine. IAAL and i use google apps for all my stuff. i DO maintain a separate backup but everything goes on google. the bar is also fine with it.
No (Score:4, Informative)
Confidentiality is very, very important to businesses and individuals, even more so in the Internet age. One of the reasons to continue to operate your own infrastructure, no matter what the current hype is.
por que? (Score:3, Informative)
From here: http://docs.google.com/support/bin/answer.py?answer=82366&ctx=sibling [google.com]
"
Privacy and security: Understanding section 11.1 of our Terms of Service
Print
We've received questions over time about the meaning of section 11.1 of our Terms of Service. We realize that for those not familiar with legal agreements for services that use the Internet, these terms can look confusing, or even frightening.
The first thing to understand is that this language doesn't give Google ownership rights to your data. You, and you alone, own your content. Whether you wish to keep your content totally private, or share it with the world, that's your choice.
However, in order to honor this choice, Google Docs needs permission to display your content as you see fit. This is what we mean by a "license to reproduce." We need to ensure that when you click the "Publish document" button, or use the "Invite collaborators" option, we have the license to carry out your wishes. It is this agreement, between Google Docs and you, the user, that section 11.1 of our Terms of Service reflects."
Why would you even chance it? That's their EXISTING terms of service, but as always, those terms are subject to change without notice.
I can't imagine that HIPAA would allow this.
Haha! (Score:1, Informative)
If web apps are ever farmed out to foreign servers, you can kiss your privacy goodbye. If the government requests any data off the servers and weasels around the usual search warrant limitations, you're on your own.
Tricky HIPPA... (Score:4, Informative)
Can I find out the names of the doctors you work f (Score:3, Informative)
I'd like to report them to the regulatory commission that enforces HIPAA rules.
Seriously, read up on HIPAA and get them to follow HIPAA rules, otherwise huge fines could be coming their way.
Just because a doctor hands out those privacy pamphlets doesn't give them the green light to ignore or circumvent the privacy and security rules. Claiming ignorance is not an option.
Get them off of gmail and google apps and put them on systems and networks that you can effectively apply controls too.
You have no control over the security and privacy controls in place within google apps thus you can't effectively satisfy the HIPAA rules.If they do not want to do an internal networks with servers, outsource it all to a data center that is HIPAA compliant and where you control the servers both physically and logically.
Good luck and hire yourself a partner or subcontractor that does HIPAA and SOX regulatory consulting. You could hire me but I'm $350/hr.
An idea to make this work (Score:5, Informative)
Amazon published a white paper about using their AWS platform with HIPAA compient applications: basic idea is to keep data encrypted until it is in memory, and encrypt it again before writing to persistent storage.
For Google Apps, how about using rich clients that decrypt data for viewing/editing, and encrypt it again before storing back on big table, etc.
Perhaps Google themselves would implement this as browser plugins?
Ever read a EULA? (Score:3, Informative)
What does the fed do? (Score:4, Informative)
Re:Google appliance in the office? (Score:3, Informative)
The Google Mini (http://www.google.com/enterprise/search/index.html) is a search appliance. It will not run mail/apps.
Re:Can I find out the names of the doctors you wor (Score:3, Informative)
Source: http://www.google.com/support/forum/p/Apps%20Partner/thread?tid=4d6f74d03de056c7&hl=en [google.com]
Answer to your question.:
PeteGriffin@Google (Google Employee) + 3 other people say this answers the question:
From a sales standpoint, I would recommend turning the question around and asking them what steps they are currently taking to be compliant with the relevant compliance-acronym (HIPAA, SOX, FERPA, PCI, etc). Understand what steps they currently take to be compliant, and what their current solution is. You'll be able to quickly discover if it's a real showstopping requirement and be able to move on, if it's something that can be addressed by Google Apps... or if they are horribly un-compliant and they're hoping that Google Apps will solve all of their problems (and more!).
No solution by itself is going to be the silver bullet; organizations (especially small and medium businesses) have extremely varied IT infrastructure and policies, with information flowing in different ways for different reasons. Google doesn't certify or identify Google Apps as being compliant with any specific set of regulations. It's really up to the organization to determine if a solution meets their compliance needs for their specific situation.
Google Apps has a very impressive set of features that are extremely helpful when dealing with prospects with compliance needs. The Postini component of Google Apps (referred to as Google Message Security) allows for very granular control of email content (in and out). There are additional email archiving and retention components available. Google Apps is SAS 70 Type II certified. We have also made a good deal of information available about Google's security policies when it comes to our network of data centers through a hefty white paper.
If anyone has experiences dealing with situations like this, please feel free to share your thoughts. Tony Safoian over at SADA Systems has some good thoughts around this:
http://www.google.com/support/forum/p/Apps+Partner/thread?tid=2ce6b0904f65ac44&hl=en [google.com]
Re:Give them fair warning (Score:4, Informative)
That's one way to frame the argument, and it's a good one.
I'd stress to them that HIPAA PHI standards require the company -- AKA your bosses -- to be able to vouch for the security of the entire pipeline of information flow. It's not an issue of "they're not interested" or "the chances are low." It's an issue of minimizing the holes in the pipeline.
Google does not offer anything like PHI-compatible security. They are a big hole in the secuirty, whatever the chances or interest are. One could argue that the world's largest indexer of information, who makes the results of those indexes freely available to the public, is the antithesis of security.
If your bosses are serious about health care, they're not going to be idiots about it. (They may chose to be idiots about other things. Probably not this.)
Re:The bottom line (Score:5, Informative)
Not only did you not read TFA, but you did not even read the summary. Laziness has nothing to do with this at all. He is getting a lot of friction from his clients that don't understand HIS reservations about doing business with Google in this manner. He is concerned for their legal liability. Sounds like an IT guy that actually cares.
His question being posed to the /. community, is whether or not his clients have a point. Can we really trust Google with data that must remain confidential. Can he recommend Google services to his clients without fearing for liability later down the road.
Yeah, that sounds lazy to me....
Re:yes.. (Score:5, Informative)
If you had read the entire article you would've seen that it is written by "Brett Burney is principal of Burney Consultants, based in Cleveland." Finding his website, it turns out that mr Burney is not a lawyer, he provides some legal services FOR lawyers.
So, that article is just some guy saying how convenient those tools are. Not some sort of legal analysis of the use of web-based applications for sharing private data.
Here in Europe using stuff like that is absolutely not allowed for sensitive data, doctors, lawyers and governments are most certainly NOT allowed to use a hosted app like that.
Re:Ever read a EULA? (Score:4, Informative)
Re:yes.. (Score:5, Informative)
I can't give a legal answer for US companies, but its my job to consider questions like this for a UK based financial services business. Google's applications are essentially the same as any other outsourced services, and UK law is based on the premise that you can outsource activity but you can't outsource responsibility.
What this essentially means is that a UK business is expected both to have a legally enforceable set of data protection contract terms and to have conducted a risk assessment supported, where appropriate, by a detailed appraisal of the outsourcer's policies, procedures and practices. FWIW, the conclusion that I've drawn is that Google apps are completely unuitable for any UK business that processes customer data, as there is no guarantee that the data will remain in the EEA (European Economic Area) or another country that has equivalent data protection principles enshrined in law. UK business are not allowed to process personal data in the USA without express customer consent because its data protection laws fall short of ours.
No physical security (Score:5, Informative)
Without physical security there is no security.
If you don't own the box and control access yourself there is no physical security.
Re:por que? (Score:3, Informative)
Maybe, maybe not. The HITECH Act (which is really part of the recent federal stimulus law, the American REcovery and Reinvestment Act) and the Guidance issued under the HITECH Act requires that for HIPAA protected health information (PHI) to not be considered "unsecured", information in motion must be protected under appropriate FIPS 140-2 approved standards (for use of TLS, that's NIST Special Publication 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations), which (as well as restricting which of the avaialable cipher suites for TLS are acceptable--notably, not RC4) also provides for the use of client certificates for authentication and states that server implementations should not accept connections without them, rather than falling back on alternative authentication mechanisms like username/password. The HITECH Act requirements, and the specific standards referred to in the guidance, are rather new as specific mandates with regard to HIPPA PHI, and I am rather suspicious of anyone who, without presenting any analysis, simply says that HIPAA raises no problems with Google Apps being used for HIPAA PHI.
Re:HIPAA compliance is no joke. (Score:5, Informative)
Since HIPAA doesn't create a private cause of action for violations, only the federal government can enforce HIPAA rules generally (sometimes, under state laws, the fact that a disclosure is in violation of a federal law like HIPAA, or of a assurance or agreement mandated by HIPAA, may, with other factors, meet the standard for some private cause of action under state law, but the action won't be for a HIPAA violation, per se.) To date, AFAIK, none of the HIPAA complaints received by the Department of Health and Human Services' Office of Civil Rights (which enforces HIPAA) have resulted in monetary penalties being assessed, but most of them do result in OCR requiring business practice changes on the part of the entity against whom the complaint was lodged. A few do get referred to the Department of Justice for criminal prosecution, though I believe that, to date, no prosecutions have been made on HIPAA charges alone (sometimes HIPAA charges have been part of a broader criminal complaint.)
There was a time when that was at least generally true (where a business associate of a HIPAA covered entity might not be liable the way a covered entity was if it was not itself a covered entity), however, the recently passed HITECH Act (part of the American Recovery and Reinvestment Act of 2009 [ARRA], Pub.L. 111-5) both added additional security requirements that apply to HIPAA covered entities and extended both the existing and new security requirements on HIPAA covered entities, including the civil and criminal penalties for violations, to apply to those entities' business associates to the same extent as to covered entities themselves. (see ARRA, Title XIII, Subtitle D, Sec. 13401; codified at 42 U.S.C. Sec. 17931.)
Re:No (Score:5, Informative)
which leads to
Re:The bottom line (Score:1, Informative)
Actually he is not the one that wants to use the Apps it's his customers. He is doing do diligence and asking a panel of questionably attentive people what their opinion is. Please pay more attention to detail.
Re:yes.. (Score:3, Informative)
Re:No (Score:3, Informative)
Re:No (Score:4, Informative)
Re:yes.. (Score:2, Informative)
What your lawyer parents forgot to tell you is that lawyers use the services of all sorts of third party services, who agree and are duty bound to maintain the confidentiality of the information the lawyers entrust to them. My law firm's entire network is administered by a third party IT company. If you think there is something legally wrong with that, you need to talk to your parents again. We send out sensitive documents for copying, 40,000 pages at a time. You think any law firm on the face of the planet handles that in-house? You think the reprographics companies, who are intensely competitive for law firm business, are sitting around reading the documents? I tried a trade secrets case where the key trade secrets evidence consisted of dozens of over-sized engineering drawings. Not many law firms can reproduce those in-house. We hire scientific and accounting experts to review confidential information and serve as consultants. I use Verizon wireless, and clients leave voice-mail on Verizon's network. None of that waives attorney-client privilege or work product protections. Its not even a close call.
You also might want to tell your parents about the Stored Communications Act and the Computer Fraud and Abuse Act, both federal laws. (There is also a very broad California statute that I'm certain applies to Google.) Among other things, the Stored Communications Act makes it unlawful for a company to turn over your e-mail pursuant to a civil subpeona. In fact, there's a federal case out there that says you can sue a lawyer who serves a subpoena in blatant violation of this law. I was surprised by that case myself, so your parents should be wary if they are still practicing. On the other hand, your G-mail can be subpoenaed by law enforcement in a criminal case. But that is much less likely to happen, since those are not handed out like candy the way civil supeonas are. But then, those same criminal subpeonas can be sent to ISPs, phone companies, the list goes on.
Ultimately, all documents no matter where they are stored are discoverable unless they are subject to a specific privilege. And if they are privileged, using the services of a trusted third party who obligated to maintain confidentiality does not waive the privilege. And if someone tries to subpeona that information, the law requires notice and an opportunity to object.
Re:The bottom line (Score:2, Informative)
Having worked as consultant helping companies prepare for Sarbanes and HIPPA compliance, I can tell you that both require regular reports and testing to be performed by management ensuring that their controls are in place to prevent (preferred) and/or identify an IT guy who leaks such data. With Sarbanes-Oxley, an external auditor also performs the testing and the results are sent tot he SEC and included in any public inquiry about the financial status of your company. I assume something similar is done WRT to HIPPA, but so far I haven't actually had to work on the final reports, just the initial testing we perform to help the company figure out what they have to do to become compliant.
With proper controls in place, said IT guy would be prevented (ideal) or detected during such a disclosure, even if not immediately. Impossible for IT to get around? No, but damn difficult to do with leaving a trace, assuming proper controls concerning segregation of duties, isolation of production data from development teams, and proper system reporting.
Adding Google Apps brings in a whole separate entity for which you can employ NO controls, and who have publicly stated they won't guarantee the safety of your data. There are outsourcing companies that meet the requirements for SOX and HIPPA, and they can provide documentation (SAS70 comes to mind, but others exist too) generated by outside federally licensed auditors reporting on their status regarding such controls over their access to YOUR data and access to YOUR sensitive information. From Google's public stance on your data security, I sincerely doubt that they have undergone such auditing (or if they have, failed miserably).
So, if you trust Google more than your IT staff, then it's clear you've never undergone an external audit.
That said, if you have undergone an audit and failed it in any significant way, then the risk may be similar. But properly controlled environments are VERY difficult to steal or leak data from without leaving some sort of trail.
The audits aren't perfect but they're a hell of lot better than what Google has so far provided.
--
I drank what?
Re:yes.. (Score:3, Informative)
Hmmm Virgin Media must have updated their T&Cs recently without notifying me.
They announced they're outsourcing all email to google.
"G. Your details and how we look after them
7. By having our services activated in your home and/or by using them you consent to our transferring your information to countries which do not provide the same level of data protection as the UK if necessary for providing the services. If we do make such a transfer, we will put a contract in place to ensure your information is protected."
(Virgin's T&Cs) [virgin.net]