Can We Abandon Confidentiality For Google Apps?
An anonymous reader writes "I provide IT services for medium-sized medical and law practices. Lately I have been getting a lot of feedback from doctors and lawyers who use gmail at home and believe that they can run a significant portion of their practice IT on Google Apps. From a support standpoint, I'd be happy to chuck mail/calendar service management into the bin and let them run with gmail, but for these businesses, there is significant legal liability associated with the confidentiality of their communications and records (e.g., HIPAA). For those with high-profile celebrity clients, simply telling them 'Google employees can read your stuff' will usually end the conversation right there. But for smaller practices, I often get a lot of push-back in the form of 'What's wrong with trusting Google?' and 'Google's not interested in our email/calendar.' Weighing what they see as a tiny legal risk against the promise of Free IT Stuff(TM) becomes increasingly lopsided given the clear functionality / usability / ubiquity that they experience when using Google at home. So my question to the Slashdot community is: Are they right? Is it time for me to remove the Tin Foil Hat on the subject of confidentiality and stop resisting the juggernaut that is Google? If not, what is the best way to clarify the confidentiality issues for these clients?"
Google appliance in the office? (Score:2, Interesting)
Far as I know the Google Mini Enterprise [google.com] comes with all of the apps you need.
And since it's a local server, I suspect it'd still qualify for your confidentiality needs the same way any other local server would.
Re:Tricky HIPAA... (Score:3, Interesting)
True enough -- and as an anonymous coward pointed out [slashdot.org], many (perhaps most) in-house networks aren't going to be secured all that well either. Allegedly HIPAA-compliant systems might satisfy the lawyers, but I have to say I'm deeply skeptical that the standard of privacy they actually provide is all it's cracked up to be ... or any better than what Google can do.
Professional responsibility (Score:3, Interesting)
It is not your job to educate them on their professional responsibilities. Odds are very good that you aren't competent to advise them on it, and it would arguably be a violation of their canons of ethics to take advice from you. Lawyers and doctors have ethics committees to field questions like these: refer your users to them.
In the interim, stand by your guns. If your users say they'll go to the ethics committee and they're sure they'll be exonerated, propose this as a hypothetical question: if you give privileged documents to an uninvolved third party, is the veil of privilege pierced? Yes or no? (The answer is usually "yes"; exceptions are rare.) So, if you give privileged documents to Google, is the veil of privilege pierced?
Don't give advice. Just ask questions, and whatever you do, don't give in.
Re:No (Score:3, Interesting)
Wouldn't Google be more likely to keep on top of software updates and security threats than a small, local hosting company who are figuring it out as they go? Hosting one's email with a local company or at one's own office may open a person up to more risk of being hacked than simply letting Google manage it.
Re:The bottom line (Score:5, Interesting)
I'd think this is a much greater issue than worrying about Google email snoops. That and unencrypted standards over wifi access. Doctors: Don't go mobile. Stay within your cellular-free hospitals.
Re:The bottom line (Score:4, Interesting)
Of course he knows the security implications. His clients don't. And he can't force them to pay the (significant for a small office) costs of doing it "right." They'd simply stop being his clients.
Don't assume he's lazy, he's trying to do his best for his smaller clients and that's admirable. (I've often found the smaller the client the more of a cheap bastard and whiny high-maintenance client they tend to be)
Re:An idea to make this work (Score:3, Interesting)
Google could do this. Using IBM's algorithms which were on Slashdot recently, it might even be possible to keep everything encrypted on the server and only decrypt on the client so the data is safe even if the server is compromised. (Note: That was an article about a new and experimental cryptographic algorithm which may not be ready for serious use yet.)
There is a problem: Google wants to show ads and encrypted data gives them no clues about what ads to show. If there is really a market for it, then maybe they should develop a paid version with encryption that a business could trust. Another possibility would be a Google Docs appliance to be put behind the company's VPN. (Or does that already exist?)
Re:HIPAA compliance is no joke. (Score:4, Interesting)
HIPAA non-compliance can not only be expensive, it can lead to jail time.
This is my understanding based on training I received from a lawyer while working as a secondary IT director for a medical school:
The IT director for a medical organization is required to certify that the organization is HIPAA compliant. If they are not, the IT director must make them compliant, and that may have to mean simply cutting off everyone's access to computer resources until a plan is in place to allow access in a compliant manner. (Not allowing anyone to access anything is compliant.) If the IT director certifies them to be compliant when they are actually not, the IT director can go to jail, as can anyone who may have coerced them to sign the certification. Medical professionals can also be subject to fines and/or jail time for handling data in a non-compliant manner (such as entering data into a non-compliant system such as google docs), especially if they did so knowingly.
Were I in anonymous reader's shoes, I would tell my medical clients that I am convinced that because of HIPAA they must not use Google Docs for any medical information. If they press the issue I would tell them that I am so convinced that they must not use Google Docs to handle any medical information that if I find they have done so, I will drop them as a client and report them to relevant authorities at once. No job is worth going to jail for.
Re:No (Score:3, Interesting)
Confidentiality is very, very important to businesses and individuals, even more so in the Internet age. One of the reasons to continue to operate your own infrastructure, no matter what the current hype is.
IAAD and I agree that confidentiality is extremely important, and health care professionals have a responsibility to safeguard PHI. However, I also think that IT admins have a responsibility to create an infrastructure that doesn't suck and that takes into account the needs of the people that actually need to use it. Because if it sucks bad enough, people will find a way to circumvent some of the safeguards in order to get their work done. Because it's human nature that getting one's work done is a more immediate need than theoretical concerns about privacy and confidentiality. So if you're going to develop an internal system, looking at what makes "the current hype" so popular might not be a bad idea.
For example, I work at a large county hospital/university system that has adopted groupwise. We are told that PHI is secure if sent through groupwise. However, besides the fact that groupwise is inherently sucky, they've made it extremely inconvenient for residents to use it. We cannot run the real client because we aren't allowed to have VPN access, so we have to use the web client, which has a horrible interface. It has a tiny storage allotment. They will not install the software that will allow it to work on the iphone. So, most people forward their groupwise email to their personal gmail or yahoo mail or whatever. Thus defeating the purpose of having the secure system.
Yes, it's wrong for the doctors to circumvent the security. However, I think it's just as wrong for the IT people to implement a system so crappy that people are driven to do this. Most doctors are thinking along the lines of "I have patients to take care of, I don't have all this time to spend fiddling with this crappy groupwise thing" not "let me violate HIPAA because I'm lazy."
Re:yes.. (Score:3, Interesting)
As they have explained it to me, once you voluntarily hand information off to an uninvolved third party, the veil of privilege is breached and it can be discovered.
IANAL, as well, but that statement is incomplete. You can clearly outsource at least one IT function: email, without risking privilege. Google's Postini is the email service provider for many (most) of the nation's best and/or biggest law firms. (e.g. look up the MX records of steptoe.com, chadbourne.com, perkinscoie.com, gibsondunn.com, bakernet.com, dlapiper.com, whitecase.com, sidley.com, mayerbrown.com). All *.psmtp.com.
Re:No (Score:2, Interesting)
...and no way to audit Google's data center(s) to establish compliance which is a very big deal in a lot of industries.
Re:No (Score:2, Interesting)
Lost productivity due to forgetting the thumb drive with your work at home
That's why we use a VPN to work on documents from work rather than relying upon a flash drive.
Lost productivity due to your company's internal network going down
If my company's network goes down (which it rarely does) I can troubleshoot it and get it back on its feet. If Google goes down I can send them an e-mail (assuming I'm NOT using GMail) and get an automated response or maybe I can call them and hear that the next available agent will be with me shortly.
Lost work due to a hard drive failure
If you don't back it up then you don't deserve to have it.
Lost work AND productivity due to computer theft
If my computers get stolen then how do I log into Google?
Lost work AND productivity due to accidental overwrite of a shared file on a network drive
See: Backups.
Many people seem to believe that using something like Google Docs is just like using MS Office, but the reality is that it's fundamentally different in many ways. Nearly ubiquitous accessibility,
I wouldn't have had access to my Google Docs on the flight I just got off.
it all depends on the task at hand, as both approaches have their strengths and weaknesses.
Well that I certainly agree with. Google Docs has its place. But that place will never include mission-critical or confidential work product. Not unless some drastic changes are made.
Re:No (Score:3, Interesting)
I can agree with that, to a point, based on pure productivity/cost. But when you factor in legal implications, change control, training, and so forth, I don't think it's sane for most businesses to use cloud apps in the vast majority of situations.
You're thinking like a techie, and probably a sysadmin there, and not like a businessman.
The only way to hold off cloud apps is to provide something better. For a lot of users, Word is not better and Excel is not better. They like doing things on the Web; it lets them be more productive. Fighting against that is a bit like being King Canute, telling the tide to stop coming in.