Can We Abandon Confidentiality For Google Apps?

An anonymous reader writes "I provide IT services for medium-sized medical and law practices. Lately I have been getting a lot of feedback from doctors and lawyers who use gmail at home and believe that they can run a significant portion of their practice IT on Google Apps. From a support standpoint, I'd be happy to chuck mail/calendar service management into the bin and let them run with gmail, but for these businesses, there is significant legal liability associated with the confidentiality of their communications and records (e.g., HIPAA). For those with high-profile celebrity clients, simply telling them 'Google employees can read your stuff' will usually end the conversation right there. But for smaller practices, I often get a lot of push-back in the form of 'What's wrong with trusting Google?' and 'Google's not interested in our email/calendar.' Weighing what they see as a tiny legal risk against the promise of Free IT Stuff(TM) becomes increasingly lopsided given the clear functionality / usability / ubiquity that they experience when using Google at home. So my question to the Slashdot community is: Are they right? Is it time for me to remove the Tin Foil Hat on the subject of confidentiality and stop resisting the juggernaut that is Google? If not, what is the best way to clarify the confidentiality issues for these clients?"

Google appliance in the office?

[MartinSchou]

Far as I know the Google Mini Enterprise [google.com] comes with all of the apps you need.

And since it's a local server, I suspect it'd still qualify for your confidentiality needs the same way any other local server would.

Re:Tricky HIPPA...

[Daniel Dvorkin]

True enough -- and as an anonymous coward pointed out [slashdot.org], many (perhaps most) in-house networks aren't going to be secured all that well either. Allegedly HIPAA-compliant systems might satisfy the lawyers, but I have to say I'm deeply skeptical that the standard of privacy they actually provide is all it's cracked up to be ... or any better than what Google can do.

Professional responsibility

[rjh]

It is not your job to educate them on their professional responsibilities. Odds are very good that you aren't competent to advise them on it, and it would arguably be a violation of their canons of ethics to take advice from you. Lawyers and doctors have ethics committees to field questions like these: refer your users to them.

In the interim, stand by your guns. If your users say they'll go to the ethics committee and they're sure they'll be exonerated, propose this as a hypothetical question: if you give privileged documents to an uninvolved third party, is the veil of privilege pierced? Yes or no? (The answer is usually "yes"; exceptions are rare.) So, if you give privileged documents to Google, is the veil of privilege pierced?

Don't give advice. Just ask questions, and whatever you do, don't give in.

Re:No

[CopaceticOpus]

Wouldn't Google be more likely to keep on top of software updates and security threats than a small, local hosting company who are figuring it out as they go? Hosting one's email with a local company or at one's own office may open a person up to more risk of being hacked than simply letting Google manage it.

Re:The bottom line

[spydabyte]

When you don't pay for something, you can't rely on it. Try winning a law suit against a patient because you didn't have the correct medical knowledge because your ISP couldn't resolve a Google DNS one day...

I'd think this is a much greater issue than worrying about Google email snoops. That and unecrypted standards over wifi access. Doctors: Don't go mobile. Stay within your cellular-free hospitals.

Re:The bottom line

[Orange Crush]

And yes, it's lazyness: he's a sysadmin, and he knows the security implications. He just chooses not to care.

Of course he knows the security implications. His clients don't. And he can't force them to pay the (significant for a small office) costs of doing it "right." They'd simply stop being his clients.

Don't assume he's lazy, he's trying to do his best for his smaller clients and that's admirable. (I've often found the smaller the client the more of a cheap bastard and whiny high-maintenance client they tend to be)

Re:yes..

[nomadic]

IAAL too and I see nothing wrong with Google apps. Don't know about doctors, but lawyers are perfectly aware that nothing is foolproof once you get online, and we realize that some Google employee has access to our stuff. We're expected to maintain confidentiality in a reasonable matter, not approach it with the paranoia of a computer security expert.

Re:yes..

[chadplusplus]

IAAL too, and I saw nothing in there relating to whether the various state bars have given this the thumbs up. I suspect this would depend greatly upon the relative progressiveness of the pertinent state bar. I'd be interested in seeing an ethics ruling concerning this if you have any citations. (Sorry, I'm not paying Lexis to do a search just to satisfy my curiosity.)

Re:An idea to make this work

[AnyoneEB]

Google could do this. Using IBM's algorithms which were on Slashdot recently, it might even be possible to keep everything encrypted on the server and only decrypt on the client so the data is safe even if the server is compromised. (Note: That was an article about a new and experimental cryptographic algorithm which may not be ready for serious use yet.)

There is a problem: Google wants to show ads and encrypted data gives them no clues about what ads to show. If there is really a market for it, then maybe they should develop a paid version with encryption that a business could trust. Another possibility would be a Google Docs appliance to be put behind the company's VPN. (Or does that already exist?)

Re:HIPAA compliance is no joke.

[TheMCP]

HIPPA non-compliance can not only be expensive, it can lead to jail time.

This is my understanding based on training I received from a lawyer while working as a secondary IT director for a medical school:

The IT director for a medical organization is required to certify that the organization is HIPPA compliant. If they are not, the IT director must make them compliant, and that may have to mean simply cutting off everyone's access to computer resources until a plan is in place to allow access in a compliant manner. (Not allowing anyone to access anything is compliant.) If the IT director certifies them to be compliant when they are actually not, the IT director can go to jail, as can anyone who may have coerced them to sign the certification. Medical professionals can also be subject to fines and/or jail time for handling data in a non-compliant manner (such as entering data into a non-compliant system such as google docs), especially if they did so knowingly.

Were I in anonymous reader's shoes, I would tell my medical clients that I am convinced that because of HIPPA they must not use Google Docs for any medical information. If they press the issue I would tell them that I am so convinced that they must not use Google Docs to handle any medical information that if I find they have done so, I will drop them as a client and report them to relevant authorities at once. No job is worth going to jail for.

Re:No

[margaret]

Confidentiality is very, very important to businesses and individuals, even more so in the Internet age. One of the reasons to continue to operate your own infrastructure, no matter what the current hype is.

IAAD and I agree that confidentiality is extremely important, and health care professionals have a responsibility to safeguard PHI. However, I also think that IT admins have a responsibility to create an infrastructure that doesn't suck and that takes into account the needs of the people that actually need to use it. Because if it sucks bad enough, people will find a way to circumvent some of the safeguards in order to get their work done. Because it's human nature that getting one's work done is a more immediate need than theoretical concerns about privacy and confidentiality. So if you're going to develop an internal system, looking at what makes "the current hype" so popular might not be a bad idea.

For example, I work at a large county hospital/university system that has adopted groupwise. We are told that PHI is secure if sent through groupwise. However, besides the fact that groupwise is inherently sucky, they've made it extremely inconvenient for residents to use it. We cannot run the real client because we aren't allowed to have VPN access, so we have to use the web client, which has a horrible interface. It has a tiny storage allotment. They will not install the software that will allow it to work on the iphone. So, most people forward their groupwise email to their personal gmail or yahoo mail or whatever. Thus defeating the purpose of having the secure system.

Yes, it's wrong for the doctors to circumvent the security. However, I think it's just as wrong for the IT people to implement a system so crappy that people are driven to do this. Most doctors are thinking along the lines of "I have patients to take care of, I don't have all this time to spend fiddling with this crappy groupwise thing" not "let me violate HIPAA because I'm lazy."

Re:yes..

[Joe Wagner]

As they have explained it to me, once you voluntarily hand information off to an uninvolved third party, the veil of privilege is breached and it can be discovered.

IANAL, as well, but that statement is incomplete. You can clearly outsource at least one IT function: email, without risking privilege. Google's Postini is the the email service provider for many (most) of the nation's best and/or biggest lawfirms. (e.g. lookup the mx records of steptoe.com, chadbourne.com, perkinscoie.com, gibsondunn.com, bakernet.com, dlapiper.com, whitecase.com, sidley.com, mayerbrown.com). All *.psmtp.com.

Re:No

[bschorr]

...and no way to audit Google's data center(s) to establish compliance which is a very big deal in a lot of industries.

Re:No

[bschorr]

Lost productivity due to forgetting the thumb drive with your work at home

That's why we use a VPN to work on documnts from work rather than relying upon a flash drive.

Lost productivity due to your company's internal network going down

If my company's network goes down (which it rarely does) I can troubleshoot it and get it back on it's feet. If Google goes down I can send them an e-mail (assuming I'm NOT using GMail) and get an automated response or maybe I can call them and hear that the next avaialble agent will be with me shortly.

Lost work due to a hard drive failure

If you don't back it up then you don't deserve to have it.

Lost work AND productivity due to computer theft

If my computers get stolen then how do I log into Google?

Lost work AND productivity due to accidental overwrite of a shared file on a network drive

See: Backups.

Many people seem to believe that using something like Google Docs is just like using MS Office, but the reality is that it's fundamentally different in many ways. Nearly ubiquitous accessibility,

I wouldn't have had access to my Google Docs on the flight I just got off.

it all depends on the task at hand, as both approches have their strengths and weaknesses.

Well that I certainly agree with. Google Docs has its place. But that place will never include mission-critical or confidential work product. Not unless some drastic changes are made.

Re:No

[dkf]

I can agree with that, to a point, based on pure productivity/cost. But when you factor in legal implications, change control, training, and so forth, I don't think its sane for most businesses to use cloud apps in the vast majority of situations.

You're thinking like a techie, and probably a sysadmin there, and not like a businessman.

1. You're massively overweighting the relative value of legal implications for documents in development (finalized docs are something else, but they're best in another format, such as Dead Tree). So long as there is reasonable security and access control, the legal side should be covered.
2. A lot of businesses use no change control for anything. Moreover, Google Docs keep version history (or did the last time I checked, which admittedly is some time ago).
3. Training costs are pretty much a continual load. Really. Especially for larger businesses. How to type into a wordprocessor or spreadsheet is one of the more easily mastered things.
4. You're undervaluing opportunity costs. This is a classic mistake (along with getting involved in a land war in Asia) of sysadmins. They spend their time looking at the down-side, say "No way!" (a la Mordac), and either the business suffers or the users - and the management - ignore the sysadmin and do what they want anyway.
5. A lot of companies are not run in a sane way.

The only way to hold off cloud apps is to provide something better. For a lot of users, Word is not better and Excel is not better. They like doing things on the Web; it lets them be more productive. Fighting against that is a bit like being King Canute, telling the tide to stop coming in.