Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Privacy IT

Can We Abandon Confidentiality For Google Apps? 480

An anonymous reader writes "I provide IT services for medium-sized medical and law practices. Lately I have been getting a lot of feedback from doctors and lawyers who use gmail at home and believe that they can run a significant portion of their practice IT on Google Apps. From a support standpoint, I'd be happy to chuck mail/calendar service management into the bin and let them run with gmail, but for these businesses, there is significant legal liability associated with the confidentiality of their communications and records (e.g., HIPAA). For those with high-profile celebrity clients, simply telling them 'Google employees can read your stuff' will usually end the conversation right there. But for smaller practices, I often get a lot of push-back in the form of 'What's wrong with trusting Google?' and 'Google's not interested in our email/calendar.' Weighing what they see as a tiny legal risk against the promise of Free IT Stuff(TM) becomes increasingly lopsided given the clear functionality / usability / ubiquity that they experience when using Google at home. So my question to the Slashdot community is: Are they right? Is it time for me to remove the Tin Foil Hat on the subject of confidentiality and stop resisting the juggernaut that is Google? If not, what is the best way to clarify the confidentiality issues for these clients?"
This discussion has been archived. No new comments can be posted.

Can We Abandon Confidentiality For Google Apps?

Comments Filter:
  • yes.. (Score:5, Informative)

    by Anonymous Coward on Tuesday August 04, 2009 @04:55PM (#28948165)

    ..the google apps contract is fine. IAAL and i use google apps for all my stuff. i DO maintain a separate backup but everything goes on google. the bar is also fine with it.

    • Re:yes.. (Score:4, Insightful)

      by Anonymous Coward on Tuesday August 04, 2009 @05:17PM (#28948527)

      Good thing you posted anonymously. That means you won't lose clients and we don't have to take you seriously.

    • Re:yes.. (Score:5, Informative)

      by jonnyj ( 1011131 ) on Tuesday August 04, 2009 @05:46PM (#28948859)

      I can't give a legal answer for US companies, but its my job to consider questions like this for a UK based financial services business. Google's applications are essentially the same as any other outsourced services, and UK law is based on the premise that you can outsource activity but you can't outsource responsibility.

      What this essentially means is that a UK business is expected both to have a legally enforceable set of data protection contract terms and to have conducted a risk assessment supported, where appropriate, by a detailed appraisal of the outsourcer's policies, procedures and practices. FWIW, the conclusion that I've drawn is that Google apps are completely unuitable for any UK business that processes customer data, as there is no guarantee that the data will remain in the EEA (European Economic Area) or another country that has equivalent data protection principles enshrined in law. UK business are not allowed to process personal data in the USA without express customer consent because its data protection laws fall short of ours.

      • Re: (Score:3, Funny)

        by speedtux ( 1307149 )

        UK business are not allowed to process personal data in the USA without express customer consent because its data protection laws fall short of ours.

        US and UK privacy protections differ, but to say that the US protections "fall short" of UK protections is false. They have different aims, and I prefer the aims of US privacy protection to those of the UK and Europe, thank you very much.

        I think you see the kind of myth you're repeating perpetuated by the UK government; anti-American rhetoric makes a great cov

    • Re:yes.. (Score:4, Interesting)

      by nomadic ( 141991 ) <{moc.liamg} {ta} {dlrowcidamon}> on Tuesday August 04, 2009 @05:59PM (#28949039) Homepage
      IAAL too and I see nothing wrong with Google apps. Don't know about doctors, but lawyers are perfectly aware that nothing is foolproof once you get online, and we realize that some Google employee has access to our stuff. We're expected to maintain confidentiality in a reasonable matter, not approach it with the paranoia of a computer security expert.
      • Re:yes.. (Score:5, Insightful)

        by michaelhood ( 667393 ) on Tuesday August 04, 2009 @06:32PM (#28949447)

        It doesn't take a "computer security expert" to know that you're unnecessarily risking your clients' confidentiality by sending your communications wholesale to a 3rd party.

      • Re:yes.. (Score:5, Insightful)

        by rjh ( 40933 ) <rjh@sixdemonbag.org> on Tuesday August 04, 2009 @07:34PM (#28950107)

        IANAL. My only legal credential is that I come from a family of lawyers and judges who are absolutely adamant about their moral obligation to preserve privilege.

        As they have explained it to me, once you voluntarily hand information off to an uninvolved third party, the veil of privilege is breached and it can be discovered.

        As they have explained it to me, anything you give to Google can be subpoenaed. Google is currently one of the most-frequently-served companies in the world, and Google gives full and enthusiastic cooperation with lawfully issued subpoenas.

        If you really see nothing wrong with risking the privilege of your work product by putting it into the hands of a third party, and if you really see nothing wrong with making it discoverable via subpoena, then by all means use Google Docs. However, for my own sake, I refuse to deal with lawyers who use outsourced IT services.

        • Re: (Score:3, Interesting)

          by Joe Wagner ( 547696 )

          As they have explained it to me, once you voluntarily hand information off to an uninvolved third party, the veil of privilege is breached and it can be discovered.

          IANAL, as well, but that statement is incomplete. You can clearly outsource at least one IT function: email, without risking privilege. Google's Postini is the the email service provider for many (most) of the nation's best and/or biggest lawfirms. (e.g. lookup the mx records of steptoe.com, chadbourne.com, perkinscoie.com, gibsondunn.com, bakernet.com, dlapiper.com, whitecase.com, sidley.com, mayerbrown.com). All *.psmtp.com.

  • The bottom line (Score:5, Insightful)

    by Samalie ( 1016193 ) on Tuesday August 04, 2009 @04:56PM (#28948181)

    If you are in an industry where your internal communications/documents/etc should or must remain confidential, than you cannot trust Google Apps as your free platform for email/document creation/document storage.

    If you don't mind the possibility that the world may get your data, then by all means feel free to use Google, or any other SaaS type offering.

    • by Jurily ( 900488 )

      Lazy sysadmin wants to compromise his company to work less. News at 11.

      • Re: (Score:3, Insightful)

        Lazy sysadmin wants to compromise his company to work less. News at 11.

        Come on it's not just laziness. People use the Google apps at home, they do the job. It's no wonder they say "Why not use the same stuff at the office?" That's how MS got where they are after all, it also might be why they've got their panties in a twist over Google.

        • It's also hard to compete with "free."
        • Re: (Score:3, Insightful)

          >>>People use the Google apps at home, they do the job. It's no wonder they say "Why not use the same stuff at the office?" That's how MS got where they are after all
          >>>

          Actually Microsoft went in the opposite direction, hanging onto IBM's coattails which grew dominant in the office while Atari and Commodore were dominant at home (from 1980 to 1986). Then people started saying, "I want to bring my work to my home", and so they went and bought IBM PCs which became dominant from 1987 onward

      • Re:The bottom line (Score:5, Informative)

        by EdIII ( 1114411 ) * on Tuesday August 04, 2009 @05:40PM (#28948759)

        Not only did you not read TFA, but you did not even read the summary. Laziness has nothing to do with this at all. He is getting a lot of friction from his clients that don't understand HIS reservations about doing business with Google in this manner. He is concerned for their legal liability. Sounds like an IT guy that actually cares.

        His question being posed to the /. community, is whether or not his clients have a point. Can we really trust Google with data that must remain confidential. Can he recommend Google services to his clients without fearing for liability later down the road.

        Yeah, that sounds lazy to me....

    • Re:The bottom line (Score:5, Insightful)

      by eln ( 21727 ) on Tuesday August 04, 2009 @05:06PM (#28948353)

      If you are in an industry where your internal communications/documents/etc should or must remain confidential, than you cannot trust any Internet-based system as your free platform for email/document creation/document storage.

      FTFY. If your documents exist on the Internet, especially unencrypted, they won't be confidential for very long. Whether or not Google as a company is trustworthy or not is irrelevant. If anyone hacked into your Google account, they would have access to everything. If a random employee at Google decided to sell your stuff to a tabloid, there's nothing you could do to stop them until it was already too late. Without ironclad confidentiality agreements with real penalties for breaking said agreements, you shouldn't be trusting any third party with this stuff, and you certainly shouldn't have it on the Internet.

      • Re: (Score:3, Insightful)

        by HTH NE1 ( 675604 )

        Further, if you share data with an outside company, you don't have a reasonable expectation of privacy in that data anymore, and the government can subpoena that company for what it knows about you. Just like a lawyer engaging in communications with his client with a third party present, those communications are no longer privileged.

        IANAL, I just watch fake ones on TV.

        • Re: (Score:3, Insightful)

          by Anonymous Coward

          which is why lexis nexis gets subpoenaed so many times.... oh wait, they dont. gee... with all that confidential legal strategy online at lexis
          you would think they do. and using lexis breaks priv ... oh wait, it doesnt.
          i know youre not a lawyer but please dont be an idiot as well.
          using microsoft word or any other tool does NOT break priv, google apps is SSL encrypted and secure enough (Google Apps is SAS 70 Type II certified) that its not a problem. so is lexis, westlaw and the hundreds of other third party

      • No physical security (Score:5, Informative)

        by pentalive ( 449155 ) on Tuesday August 04, 2009 @06:01PM (#28949067) Journal
        No matter how ironclad the agreement or how draconian the penalties your data will still be public. Sue Google into non existence and well your data is still public.

        Without physical security there is no security.
        If you don't own the box and control access yourself there is no physical security.
    • When you click "Accept" on many EULA's you give up rights to privacy of your data to that company. What's the difference if it's hosted or not. Microsoft can just as easily have Exchange phone home with data as Google employees can read your mail. There's no difference. You just have to decide which company you trust most.
    • Possibility? (Score:3, Insightful)

      If you don't mind the possibility that the world may get your data, then by all means feel free to use Google, or any other SaaS type offering.

      I don't understand what "possibility" has to do with it. Your data could "possibly" be exposed if you have your own infrastructure.

      A more relevant question is probability. Is there additional exposure through using Google? Are Google internal security practices likely to be better than yours? If you are a small shop outsourcing your IT services anyway then why is

      • by Moraelin ( 679338 ) on Tuesday August 04, 2009 @06:16PM (#28949257) Journal

        Once something is on Google, the up side is: any computer with internet access can log in and access it. The down side is the same: any computer with internet access can log in and access it.

        If something is on your internal network, that already puts a bit of a limit on who can access those files. It's not bulletproof, and you can still get rooted, but it's a limit. The average Tom, Dick and Harry are as good as physically separated from that data, even if they can guess your password.

        Once that stuff is on Google, essentially anyone who can guess your password is good to go.

        For example, you only need one employee who uses the same password everywhere (it happens more often than you'd think) and has ever shared their home email password with their spouse, or their WoW account with the chinese guy who power-levelled it, or whatever. Or they only need the same password somewhere where you need to guess their mother's maiden name to get that password. (Again, you'd be surprised how many put the real maiden name there.)

        Or some passwords are that easy to find out, because they're weak. People use their nickname, or pet's name, or whatnot as passwords all the time.

        Some passwords aren't even kept secret. I know the logins for a local hospital _and_ the emergency medical service, without ever having worked there, just because the former was taped to the monitor and the latter was spoken out loud while I was there. And yes, apparently veryone there used the same. So every ex-employee knows those too. Plus any patient who can read or has ears.

        So, ok, now you know a name and password for the hospital computers. Now what?

        In a traditional IT scenario, they're only accessible from the internal network. Sure, you can try to sneak into a room and use their computer, but you can be caught, so most people won't. Sure, you can try to get them rooted somehow, but again most people wouldn't even know how.

        Now move those files on Google, and you have a real extra problem. If that hospital ever moves its data to Google, every single patient who ever read the post-it on a monitor, can try it from their own home. No having to sneak anywhere, no risking that someone walks in on you, no l33t haxxx0r skillz needed. Just point your browser at Google, log in as a doctor, and read the medical data of everyone who ever used that hospital.

    • Re:The bottom line (Score:5, Interesting)

      by spydabyte ( 1032538 ) on Tuesday August 04, 2009 @05:35PM (#28948699)
      When you don't pay for something, you can't rely on it. Try winning a law suit against a patient because you didn't have the correct medical knowledge because your ISP couldn't resolve a Google DNS one day...

      I'd think this is a much greater issue than worrying about Google email snoops. That and unecrypted standards over wifi access. Doctors: Don't go mobile. Stay within your cellular-free hospitals.
    • Re:The bottom line (Score:4, Insightful)

      by WinterSolstice ( 223271 ) on Tuesday August 04, 2009 @05:45PM (#28948839)

      I would agree with this. I would *never* use a attorney who didn't take proper care of my confidential records. Those are more than just slightly sensitive.

  • No (Score:4, Informative)

    by gweihir ( 88907 ) on Tuesday August 04, 2009 @04:57PM (#28948207)

    Confidentiality is very, very important to businesses and individuals, even more so in the Internet age. One of the reasons to continue to operate your own infrastructure, no matter what the current hype is.

    • Comment removed based on user account deletion
      • ^Great, now convince a 60 year old doctor with his own small practice and 8 to a dozen employees why he needs to spend thousands getting that all set up.
    • Re: (Score:3, Interesting)

      Wouldn't Google be more likely to keep on top of software updates and security threats than a small, local hosting company who are figuring it out as they go? Hosting one's email with a local company or at one's own office may open a person up to more risk of being hacked than simply letting Google manage it.

    • Re: (Score:3, Funny)

      by Swampash ( 1131503 )

      operate your own infrastructure, no matter what the current hype is

      Exactly. You should be digging trenches, laying fibre, and setting up entirely separate networks so that no email you send ever passes through a machine or a network or a cable accessible by a third party.

    • Re: (Score:3, Interesting)

      by margaret ( 79092 )

      Confidentiality is very, very important to businesses and individuals, even more so in the Internet age. One of the reasons to continue to operate your own infrastructure, no matter what the current hype is.

      IAAD and I agree that confidentiality is extremely important, and health care professionals have a responsibility to safeguard PHI. However, I also think that IT admins have a responsibility to create an infrastructure that doesn't suck and that takes into account the needs of the people that actually need to use it. Because if it sucks bad enough, people will find a way to circumvent some of the safeguards in order to get their work done. Because it's human nature that getting one's work done is a more

  • by Nutria ( 679911 ) on Tuesday August 04, 2009 @04:59PM (#28948227)

    immediately squelch any such thoughts.

  • por que? (Score:3, Informative)

    by Em Emalb ( 452530 ) <{ememalb} {at} {gmail.com}> on Tuesday August 04, 2009 @05:00PM (#28948241) Homepage Journal

    From here: http://docs.google.com/support/bin/answer.py?answer=82366&ctx=sibling [google.com]

    "
    Privacy and security: Understanding section 11.1 of our Terms of Service
    Print
    We've received questions over time about the meaning of section 11.1 of our Terms of Service. We realize that for those not familiar with legal agreements for services that use the Internet, these terms can look confusing, or even frightening.

    The first thing to understand is that this language doesn't give Google ownership rights to your data. You, and you alone, own your content. Whether you wish to keep your content totally private, or share it with the world, that's your choice.

    However, in order to honor this choice, Google Docs needs permission to display your content as you see fit. This is what we mean by a "license to reproduce." We need to ensure that when you click the "Publish document" button, or use the "Invite collaborators" option, we have the license to carry out your wishes. It is this agreement, between Google Docs and you, the user, that section 11.1 of our Terms of Service reflects."

    Why would you even chance it? That's their EXISTING terms of service, but as always, those terms are subject to change without notice.

    I can't imagine that HIPAA would allow this.

  • by Anonymous Coward on Tuesday August 04, 2009 @05:01PM (#28948253)
    It might be an acceptable compromise. The same clients considering Google Apps are 99.999% likely to have a non-existent or ineffective backup/archiving system, lack the expertise/cash for sysadmining Microsoft enterprise apps and would probably benefit from being able to log in on multiple machines to access their data. All strategies involve risk - if you veto Google, they may be missing out on the best compromise solution. YMMV.
  • by PolyDwarf ( 156355 ) on Tuesday August 04, 2009 @05:01PM (#28948273)

    This is slashdot, not legaldot.

    That being said, your writeup sounds like you're a contractor/have your own company. If that's the case, the best you can do (Outside of telling your customers you aren't going to and being fired) is make very clear, in writing, what your opinion is, and get them to sign off, in writing, that they are responsible and/or have another way for handling confidential info, etc.

    I'm not sure if that's enough to cover your butt or not. See first sentence about this is slashdot, not legaldot. I would consult with a lawyer, preferably one that is not one of your customers.

    • by Red Flayer ( 890720 ) on Tuesday August 04, 2009 @05:15PM (#28948493) Journal
      It's been said before:

      If you're response to an Ask Slashdot submission about $X is "Ask a lawyer about $X", then you should rewrite the Ask Slashdot question in your mind to "What should I know before I talk to a lawyer about $X?"

      Lawyers are expensive. Community knowledge can e very helpful in reducing the amount needing to be spend on legal fees, and I'm sure plenty of Slashdotters have good insight that can help the submitter.

      For my part, all I can say is that I wouldn't use a doctor if I knew they used Google Apps. There's too much risk that an employee at Google might let loose the secret of my debilitating suppurative penile encrustations.
      • Re: (Score:2, Funny)

        by Red Flayer ( 890720 )
        Oh crap. The cat's out of the bag.

        Unsubmit! Unsubmit!
      • Yeah, but when your question directly revolves around a question of law, it does kind of beg the question that lawyers should be your first stop. Especially when you know enough to know the name of the law (in this case, HIPAA). A quick google search would lead you to www.hipaa.org, and there's a handy-dandy menu on the left with all sorts of stuff to know.

        The guy already knows enough to know this is a Bad Idea (tm), so it was more an Ask Slashdot about "Hey, I know this is a Bad Idea (tm), but is there a

  • by Lonewolf666 ( 259450 ) on Tuesday August 04, 2009 @05:04PM (#28948317)

    Tell them about what could happen, and that the risk may be low but not zero. Because data have been exposed through sloppiness before, not only through malice.
    Then make sure YOU are not liable if they violate HIPPA or something similar. Either don't support their Google stuff or make sure you have documented that they use Google SAS against your advice.

    • Hosting this sort of thing off site on a service that's not really intended for HIPAA or similar is a recipe for disaster. It's not that Google is necessarily untrustworthy, it's that they're not promising to comply with the requirements under those laws. And they're certainly not going to be liable should anything go wrong that puts the firm or the IT department in breech of those particular laws.
    • by GMFTatsujin ( 239569 ) on Tuesday August 04, 2009 @05:28PM (#28948633) Homepage

      That's one way to frame the argument, and it's a good one.

      I'd stress to them that HIPAA PHI standards require the company -- AKA your bosses -- to be able to vouch for the security of the entire pipeline of information flow. It's not an issue of "they're not interested" or "the chances are low." It's an issue of minimizing the holes in the pipeline.

      Google does not offer anything like PHI-compatible security. They are a big hole in the secuirty, whatever the chances or interest are. One could argue that the world's largest indexer of information, who makes the results of those indexes freely available to the public, is the antithesis of security.

      If your bosses are serious about health care, they're not going to be idiots about it. (They may chose to be idiots about other things. Probably not this.)

  • by MarkvW ( 1037596 ) on Tuesday August 04, 2009 @05:04PM (#28948323)

    If they wanna do it, they gotta get a lawyer--a lawyer who knows HIPAA. HIPAA compliance is a pain--and noncompliance can be very expensive.

    Lawyer costs may even outweigh the Google savings

    • Biggest problem is Doctors like to think they are above the law. I worked in IT for a hospital chain and trying to explain that they can't do that is nearly impossible.

    • by TheMCP ( 121589 ) on Tuesday August 04, 2009 @08:18PM (#28950415) Homepage

      HIPPA non-compliance can not only be expensive, it can lead to jail time.

      This is my understanding based on training I received from a lawyer while working as a secondary IT director for a medical school:

      The IT director for a medical organization is required to certify that the organization is HIPPA compliant. If they are not, the IT director must make them compliant, and that may have to mean simply cutting off everyone's access to computer resources until a plan is in place to allow access in a compliant manner. (Not allowing anyone to access anything is compliant.) If the IT director certifies them to be compliant when they are actually not, the IT director can go to jail, as can anyone who may have coerced them to sign the certification. Medical professionals can also be subject to fines and/or jail time for handling data in a non-compliant manner (such as entering data into a non-compliant system such as google docs), especially if they did so knowingly.

      Were I in anonymous reader's shoes, I would tell my medical clients that I am convinced that because of HIPPA they must not use Google Docs for any medical information. If they press the issue I would tell them that I am so convinced that they must not use Google Docs to handle any medical information that if I find they have done so, I will drop them as a client and report them to relevant authorities at once. No job is worth going to jail for.

  • Tricky HIPPA... (Score:4, Informative)

    by Annwvyn ( 1611587 ) on Tuesday August 04, 2009 @05:04PM (#28948327)
    As a Paramedic, I can say that HIPPA is extremely strict and will, if violated, force your license to be questioned as well as cause fines to be pushed your way. Honestly, doing ANYTHING outside of a secured network or a patient care medium (i.e. Pyxis, Temsis) with privileged, confidential information will plant a bullseye on your back. It is just not worth risking it. I can guarantee that an expert data thief is going to be more skilled and knowledgeable at computers and networking than any physician I know.
    • Re: (Score:3, Interesting)

      True enough -- and as an anonymous coward pointed out [slashdot.org], many (perhaps most) in-house networks aren't going to be secured all that well either. Allegedly HIPAA-compliant systems might satisfy the lawyers, but I have to say I'm deeply skeptical that the standard of privacy they actually provide is all it's cracked up to be ... or any better than what Google can do.

  • Just accept it (Score:5, Insightful)

    by scoile ( 144858 ) on Tuesday August 04, 2009 @05:04PM (#28948329)

    Your role, as a qualified member of the IT staff, is to make the higher-ups aware of the risks. Do your due-diligence, tell them the data isn't secure (in person, in e-mail, and maybe even on paper), and remind them from time-to-time (using creative new analogies whenever possible). That's it, you've done your job.

    The fact of the matter is, regardless what the policy is, and regardless what they all "agree" on, they're going to put sensitive information on the Web. You'd have to take away their Internet access and portable devices to prevent it, and even then, they'd just go home and use that.

    Accept that the best you can do is educate them and provide alternatives.

  • by Anonymous Coward on Tuesday August 04, 2009 @05:05PM (#28948343)

    I'd like to report them to the regulatory commission that enforces HIPAA rules.

    Seriously, read up on HIPAA and get them to follow HIPAA rules, otherwise huge fines could be coming their way.

    Just because a doctor hands out those privacy pamphlets doesn't give them the green light to ignore or circumvent the privacy and security rules. Claiming ignorance is not an option.

    Get them off of gmail and google apps and put them on systems and networks that you can effectively apply controls too.
    You have no control over the security and privacy controls in place within google apps thus you can't effectively satisfy the HIPAA rules.If they do not want to do an internal networks with servers, outsource it all to a data center that is HIPAA compliant and where you control the servers both physically and logically.

    Good luck and hire yourself a partner or subcontractor that does HIPAA and SOX regulatory consulting. You could hire me but I'm $350/hr.

  • by MarkWatson ( 189759 ) on Tuesday August 04, 2009 @05:08PM (#28948377) Homepage

    Amazon published a white paper about using their AWS platform with HIPAA compient applications: basic idea is to keep data encrypted until it is in memory, and encrypt it again before writing to persistent storage.

    For Google Apps, how about using rich clients that decrypt data for viewing/editing, and encrypt it again before storing back on big table, etc.

    Perhaps Google themselves would implement this as browser plugins?

    • Re: (Score:3, Interesting)

      by AnyoneEB ( 574727 )

      Google could do this. Using IBM's algorithms which were on Slashdot recently, it might even be possible to keep everything encrypted on the server and only decrypt on the client so the data is safe even if the server is compromised. (Note: That was an article about a new and experimental cryptographic algorithm which may not be ready for serious use yet.)

      There is a problem: Google wants to show ads and encrypted data gives them no clues about what ads to show. If there is really a market for it, then maybe

  • Far as I know the Google Mini Enterprise [google.com] comes with all of the apps you need.

    And since it's a local server, I suspect it'd still qualify for your confidentiality needs the same way any other local server would.

    • Re: (Score:3, Informative)

      by Anonymous Coward

      The Google Mini (http://www.google.com/enterprise/search/index.html) is a search appliance. It will not run mail/apps.

  • No lawyer can legitimately use Google-hosted services, unless they're doing work for Google. It would be a huge violation of confidentiality.

    In Silicon Valley, where many lawyers are doing work adverse to Google, absolutely no way would this be tolerated. Even Microsoft Windows Update makes some lawyers nervous.

  • That's a better question.
    Their policy suggests not [google.com].
    Perhaps a Google engineer somewhere can "read your stuff" but only in the same sense that you could as the person administering your clients mail. Is that a worry? I'd expect Google have a lot more to lose if such a privacy breach happened than you, their whole apps hosting business would evaporate.

    That said, if there are specific legal requirements for your industry you'd need to evaluate on those specific requirements not on what a random guy on Slash
  • Typed "Google Apps HIPAA compliance" into Google and found your response from Google: Is Google Apps HIPAA compliant? [google.com] The answer is of course, "it depends".
  • by ljaszcza ( 741803 ) on Tuesday August 04, 2009 @05:14PM (#28948477)
    We are a contractor for the Veterans administration. The VA insists that we comply with privacy issues strictly. Any communications that have patient information must be sent on encrypted secure systems. No open email servers/hotmail/gmail/whatever is allowed. Failure to comply with the privacy (detailed in the out of control HIPAA set of rules and standards) is punishable both financially and by being banned from contracting with the US federal government. As an administrator, I have to remind physicians that if they are caught transmitting identifiable information of our patients over unsecured channels, it may cost us our contract and may result in their being banned from seeing medicare/medicaid patients. Anyhow, that's my two cents on utilizing gmail or such for sensitive information.
  • I just had another thought on this.

    Assuming you cover yourself properly from legal liability, do whatever your clients want... Then turn them all into the HIPAA police (I know there aren't HIPAA police... I have no idea who does the enforcement actions; you get the idea) for some sort of reward.

  • by rjh ( 40933 ) <rjh@sixdemonbag.org> on Tuesday August 04, 2009 @05:16PM (#28948499)

    It is not your job to educate them on their professional responsibilities. Odds are very good that you aren't competent to advise them on it, and it would arguably be a violation of their canons of ethics to take advice from you. Lawyers and doctors have ethics committees to field questions like these: refer your users to them.

    In the interim, stand by your guns. If your users say they'll go to the ethics committee and they're sure they'll be exonerated, propose this as a hypothetical question: if you give privileged documents to an uninvolved third party, is the veil of privilege pierced? Yes or no? (The answer is usually "yes"; exceptions are rare.) So, if you give privileged documents to Google, is the veil of privilege pierced?

    Don't give advice. Just ask questions, and whatever you do, don't give in.

  • Hosting providers? (Score:5, Insightful)

    by RichardJenkins ( 1362463 ) on Tuesday August 04, 2009 @05:21PM (#28948583)

    I think there are three classes of company for the purposes of this discussion:

    If you trust shared hosting providers; you shouldn't care about the Google employees who can access your data

    If you trust managed hosting providers like Rackspace, particularly if they're hosting virtualised servers for you; you probably shouln't care about Google employees with access to your data.

    If you don't trust managed hosting providers; well you're probably not reading this from the office, and Google Apps doesn't get a look in.

    I'd say most companies fall into the second.

  • don't even THINK about outsourcing that.

    yes, giving it to google is outsourcing. what, you thought.....

    you didn't think.

    THINK.

    keep the network OFF your medical (etc) files. sheesh! this is 101 level, people. come on.

    let me be very clear; you do not want to put medical, legal or ANY sensitive info 'in the cloud'. anyone's cloud.

    got it?

    its very simple.

  • by seifried ( 12921 ) on Tuesday August 04, 2009 @05:27PM (#28948625) Homepage
    But google is. They place ads based on the content of your emails (i.e. I get SVN commit messages, and lo and behold ads for SVN related stuff on the side bar). So at a bare minimum they have automated processes reading all your emails, extracting meaning from them and displaying ads to you.
  • if it were a service the lawyer/doctors/etc were paying them for, how would this be different than say a lawyer's office contracting their IT work to a tech firm?
  • Sure, explain the risks, and recommend they run the idea past their lawyers.

    It's their risk to take, and look at it from their perspective; they're already trusting you with their data. Why should they trust Google, with it's nigh infinitely deep and sueable pockets, less than they trust you?

  • Don't believe anything they say - Google is a publically traded corporation. The job of the directors is not to make a profit, it is to maximize profits. The example the founders set will only go so far. How much attention do other companies pay to their corporate slogans? How many of you can name the slogans of AT&T, IBM, Facebook, or other companies? And how much attention do the employees of these corps pay to their slogan? Does the Goldman Sachs slogan really drive its employees?

% APL is a natural extension of assembler language programming; ...and is best for educational purposes. -- A. Perlis

Working...