
Can We Abandon Confidentiality For Google Apps?

kdawson posted more than 5 years ago | from the what-price-convenience dept.

Privacy 480

An anonymous reader writes "I provide IT services for medium-sized medical and law practices. Lately I have been getting a lot of feedback from doctors and lawyers who use gmail at home and believe that they can run a significant portion of their practice IT on Google Apps. From a support standpoint, I'd be happy to chuck mail/calendar service management into the bin and let them run with gmail, but for these businesses, there is significant legal liability associated with the confidentiality of their communications and records (e.g., HIPAA). For those with high-profile celebrity clients, simply telling them 'Google employees can read your stuff' will usually end the conversation right there. But for smaller practices, I often get a lot of push-back in the form of 'What's wrong with trusting Google?' and 'Google's not interested in our email/calendar.' Weighing what they see as a tiny legal risk against the promise of Free IT Stuff(TM) becomes increasingly lopsided given the clear functionality / usability / ubiquity that they experience when using Google at home. So my question to the Slashdot community is: Are they right? Is it time for me to remove the Tin Foil Hat on the subject of confidentiality and stop resisting the juggernaut that is Google? If not, what is the best way to clarify the confidentiality issues for these clients?"


480 comments


No (1)

jpyeron (456009) | more than 5 years ago | (#28948149)

No, keep the hat, and demand better.

Re:No (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28948183)

If you use Google products or services, you will become the next goatse [goatse.fr] guy. Google is looking for a black goatse guy in particular.

Re:No (4, Insightful)

commodore64_love (1445365) | more than 5 years ago | (#28948753)

Agreed. Also online apps are more expensive long-term. For example, I purchased Microsoft Office 97, and I'm still using it 12 years later, which is an annual cost of just ~$12. Online apps have significantly higher fees than that.

There's also the advantage of owning the software. If for example you develop a design, you can archive both the design and the tools so they can still be used 15-20 years from now and "resurrected" from the basement. You can't do that with online apps, which are constantly updated with no way to "freeze" a tool at a certain point.

yes.. (5, Informative)

Anonymous Coward | more than 5 years ago | (#28948165)

..the Google Apps contract is fine. IAAL and I use Google Apps for all my stuff. I DO maintain a separate backup, but everything goes on Google. The bar is also fine with it.

Re:yes.. (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28948371)

yes but we're talking about a LEGAL bar here, not that skank you banged on the sticky floor behind the local dive.

Re:yes.. (4, Insightful)

Anonymous Coward | more than 5 years ago | (#28948527)

Good thing you posted anonymously. That means you won't lose clients and we don't have to take you seriously.

Re:yes.. (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28948579)

typical ignorant geek. stick to your computer, son.
http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1181207138704 [law.com]

Re:yes.. (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28948715)

Woosh fucker!

The bottom line (5, Insightful)

Samalie (1016193) | more than 5 years ago | (#28948181)

If you are in an industry where your internal communications/documents/etc. should or must remain confidential, then you cannot trust Google Apps as your free platform for email/document creation/document storage.

If you don't mind the possibility that the world may get your data, then by all means feel free to use Google, or any other SaaS type offering.

Re:The bottom line (1)

Jurily (900488) | more than 5 years ago | (#28948261)

Lazy sysadmin wants to compromise his company to work less. News at 11.

Re:The bottom line (3, Insightful)

CharlyFoxtrot (1607527) | more than 5 years ago | (#28948423)

Lazy sysadmin wants to compromise his company to work less. News at 11.

Come on, it's not just laziness. People use the Google apps at home; they do the job. It's no wonder they say "Why not use the same stuff at the office?" That's how MS got where they are, after all. It also might be why they've got their panties in a twist over Google.

Re:The bottom line (-1, Troll)

Jurily (900488) | more than 5 years ago | (#28948573)

That's how MS got where they are after all

MS got there with pure dumb luck, shady business tactics and buying out potential competitors.

And yes, it's laziness: he's a sysadmin, and he knows the security implications. He just chooses not to care.

Re:The bottom line (1)

erikdalen (99500) | more than 5 years ago | (#28948749)

For small businesses that don't have a full-time sysadmin, there are also risks in running your own. It might fail and take a long time to fix, for example. And it might go for long periods without security patches.

I suppose both those things are true for larger places as well with sysadmins overloaded with work :(

Re:The bottom line (1)

Orange Crush (934731) | more than 5 years ago | (#28948591)

It's also hard to compete with "free."

Re:The bottom line (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#28948567)

Lazy sysadmin wants to compromise his company to work less. News at 11.

Damn at least read RTFS...

Cheap-jew client doesn't want to pay for IT to save money. News at 11.

There, fixed that for ya.

Re:The bottom line (4, Informative)

EdIII (1114411) | more than 5 years ago | (#28948759)

Not only did you not read TFA, but you did not even read the summary. Laziness has nothing to do with this at all. He is getting a lot of friction from his clients that don't understand HIS reservations about doing business with Google in this manner. He is concerned for their legal liability. Sounds like an IT guy that actually cares.

His question being posed to the /. community is whether or not his clients have a point. Can we really trust Google with data that must remain confidential? Can he recommend Google services to his clients without fearing for liability later down the road?

Yeah, that sounds lazy to me....

Re:The bottom line (0, Flamebait)

Anonymous Coward | more than 5 years ago | (#28948319)

And an internal IT guy can't leak your data to the world? You stupid or something?
I trust Google way more than internal IT staff with grudges.
And you can sue Google without a EULA-type contract.

Re:The bottom line (4, Insightful)

Shakrai (717556) | more than 5 years ago | (#28948445)

and you can sue google without a eula type contract.

You can sue the IT guy with a grudge too but that won't help you to recover your business reputation or lost clients after a data breach. Why the hell does everybody look at something and think that "we can sue them!" is some sort of plus anyway? I'd rather avoid being in the position of having to decide whether or not to file a lawsuit altogether, thank you very much.

Re:The bottom line (4, Insightful)

jeffasselin (566598) | more than 5 years ago | (#28948649)

Number of internal IT guys with systems access: 5
Number of Google employees: 3 billion

Chance to identify and sue the pants off the leaker if he's internal: 99%
Chance to sue Google and not get ass-raped by their robotic lawyers with laser eyes: Infinitesimal

Re:The bottom line (5, Insightful)

eln (21727) | more than 5 years ago | (#28948353)

If you are in an industry where your internal communications/documents/etc. should or must remain confidential, then you cannot trust any Internet-based system as your free platform for email/document creation/document storage.

FTFY. If your documents exist on the Internet, especially unencrypted, they won't be confidential for very long. Whether or not Google as a company is trustworthy or not is irrelevant. If anyone hacked into your Google account, they would have access to everything. If a random employee at Google decided to sell your stuff to a tabloid, there's nothing you could do to stop them until it was already too late. Without ironclad confidentiality agreements with real penalties for breaking said agreements, you shouldn't be trusting any third party with this stuff, and you certainly shouldn't have it on the Internet.

Re:The bottom line (0)

Anonymous Coward | more than 5 years ago | (#28948439)

in fact (yeah yeah IANAL), it seems to me you're already breaking your own confidentiality agreement

Re:The bottom line (2, Insightful)

HTH NE1 (675604) | more than 5 years ago | (#28948467)

Further, if you share data with an outside company, you don't have a reasonable expectation of privacy in that data anymore, and the government can subpoena that company for what it knows about you. Just like a lawyer engaging in communications with his client with a third party present, those communications are no longer privileged.

IANAL, I just watch fake ones on TV.

Ever read a EULA? (2, Informative)

porkThreeWays (895269) | more than 5 years ago | (#28948461)

When you click "Accept" on many EULAs, you give up rights to privacy of your data to that company. What's the difference if it's hosted or not? Microsoft can just as easily have Exchange phone home with data as Google employees can read your mail. There's no difference. You just have to decide which company you trust most.

Re:Ever read a EULA? (0)

Anonymous Coward | more than 5 years ago | (#28948755)

I guess you've never heard of a closed network.

Possibility? (2, Insightful)

Chuck Chunder (21021) | more than 5 years ago | (#28948597)

If you don't mind the possibility that the world may get your data, then by all means feel free to use Google, or any other SaaS type offering.

I don't understand what "possibility" has to do with it. Your data could "possibly" be exposed if you have your own infrastructure.

A more relevant question is probability. Is there additional exposure through using Google? Are Google internal security practices likely to be better than yours? If you are a small shop outsourcing your IT services anyway then why is Google worse than some other party?

Re:The bottom line (4, Interesting)

spydabyte (1032538) | more than 5 years ago | (#28948699)

When you don't pay for something, you can't rely on it. Try winning a lawsuit against a patient because you didn't have the correct medical knowledge because your ISP couldn't resolve a Google DNS one day...

I'd think this is a much greater issue than worrying about Google email snoops. That and unencrypted standards over wifi access. Doctors: Don't go mobile. Stay within your cellular-free hospitals.

Slashdot layout broken AGAIN (0, Offtopic)

koreaman (835838) | more than 5 years ago | (#28948201)

Why does the story header appear *red* instead of the usual green? (Firefox 3.5 on Vista)

Re:Slashdot layout broken AGAIN (0)

Anonymous Coward | more than 5 years ago | (#28948245)

Why does the story header appear *red* instead of the usual green? (Firefox 3.5 on Vista)

Yeah, seen that too. Opera 10 Beta, Windows XP Professional SP2.

Back to actually posting...
I'd say, force them to use the proper means. I know it is kinda hard to, but if you go ahead and tell them to use Google Apps, and then happen to get audited, or someone claims that the information has been leaked, then the chopping block usually will fall on the IT guy's head for not providing enough security.

That's just my two cents.

Re:Slashdot layout broken AGAIN (1)

rnaiguy (1304181) | more than 5 years ago | (#28948255)

I think the YRO section always has the red border, just like games always has the blue/purple border.

Re:Slashdot layout broken AGAIN (3, Funny)

Scrameustache (459504) | more than 5 years ago | (#28948283)

Why does the story header appear *red* instead of the usual green? (Firefox 3.5 on Vista)

It does that when the story is brand spanking new, I think. It means you're getting the freshest of slashdot's offerings, rejoice!

Re:Slashdot layout broken AGAIN (0)

Anonymous Coward | more than 5 years ago | (#28948307)

I usually see it on stories with no (or nearly no) comments to entice suckers like us to read and post.

Re:Slashdot layout broken AGAIN (0, Offtopic)

master5o1 (1068594) | more than 5 years ago | (#28948489)

Actually it's to tell people that they have a chance at getting a first post. Though, it is still unlikely because that damned Anonymous Coward always gets it. Damn Anonymous Coward and his super fast reflexes to Red stories.

Re:Slashdot layout broken AGAIN (3, Funny)

master5o1 (1068594) | more than 5 years ago | (#28948553)

Some stories are red to show that they were posted by a communist.

Re:Slashdot layout broken AGAIN (1, Offtopic)

Red Flayer (890720) | more than 5 years ago | (#28948571)

Why does the story header appear *red* instead of the usual green? (Firefox 3.5 on Vista)

Totally off-topic, I know. But it irks me that when we bring up a display issue, our reflex is to mention our browser AND our operating system.

Just goes to show that we are nowhere near any kind of usable standards for browsers like the kind that's been envisioned for a decade (or more!).

Re:Slashdot layout broken AGAIN (1, Funny)

Anonymous Coward | more than 5 years ago | (#28948703)

Because it is a RED ALERT. You are supposed to have your shields up and you need to report ready at general quarters. Hurry up - and shut off that damned noise!

No (3, Informative)

gweihir (88907) | more than 5 years ago | (#28948207)

Confidentiality is very, very important to businesses and individuals, even more so in the Internet age. One of the reasons to continue to operate your own infrastructure, no matter what the current hype is.

Re:No (1)

Shakrai (717556) | more than 5 years ago | (#28948533)

Confidentiality is very, very important to businesses and individuals, even more so in the Internet age. One of the reasons to continue to operate your own infrastructure, no matter what the current hype is.

More to the point, some of his reasoning seems questionable. "Google Apps is easy to use from home" Yeah, and your point is? Never heard of a VPN? Never heard of remote desktop/terminal services/Citrix? It's not like they are particularly complicated these days. Hell, if you choose a vendor neutral solution with an accepted standard (IPSec) you might not even need to install any extra software on the clients.

Re:No (1)

Orange Crush (934731) | more than 5 years ago | (#28948709)

^Great, now convince a 60 year old doctor with his own small practice and 8 to a dozen employees why he needs to spend thousands getting that all set up.

Re:No (0)

Anonymous Coward | more than 5 years ago | (#28948587)

Google Apps does offer solutions using their Postini product that should offer email archiving. This is not free. IANAL, and I don't use Google's apps for much, but I would consult an attorney who is versed at this form of law practice to sign off and ensure that there are no glaring holes that someone could sue or regulators could find criminal charges to press.

However, for CYA value if something does happen, I'd consider a commercial solution, such as a hosted E-mail provider that is familiar with Sarbanes-Oxley, HIPAA, FERPA, or other laws. For internal apps, I'd avoid being reliant on Web-based stuff, just in case of a downed network. For CYA value, I would go with a commercial app solution. Microsoft Office is one solid solution. Another is Sun's StarOffice. The reason for a commercial solution is the ability to point a finger should something happen and say "Blame the software maker". There isn't anything wrong with OpenOffice, but having an ability to pass the buck is important.

If I were doing a basic professional office that is under these regulations, I'd be starting from the ground up with all commercial solutions. Not because Dell makes a better desktop than I can do with decent parts, but because I can have a documentation trail that I can hand regulators if something happens (client makes a complaint, a security breach). This doesn't mean MS Windows only, because for most day-to-day use (and excluding specific databases or applications), a shop can happily run on RedHat, OS X, Solaris, or AIX workstations.

Disclaimer: IANAL.

Re:No (2, Interesting)

CopaceticOpus (965603) | more than 5 years ago | (#28948645)

Wouldn't Google be more likely to keep on top of software updates and security threats than a small, local hosting company who are figuring it out as they go? Hosting one's email with a local company or at one's own office may open a person up to more risk of being hacked than simply letting Google manage it.

Yes (0)

Anonymous Coward | more than 5 years ago | (#28948209)

Well, I can. But not the idiots screaming 1984.

If you can e-mail info (0, Troll)

AvitarX (172628) | more than 5 years ago | (#28948217)

I would think Google apps is fine.

HIPPA requirements should... (3, Insightful)

Nutria (679911) | more than 5 years ago | (#28948227)

immediately squelch any such thoughts.

Re:HIPPA requirements should... (1, Redundant)

Daniel Dvorkin (106857) | more than 5 years ago | (#28948315)

Yes, everyone should be worried about a nonexistent law.

There is a law called HIPAA that might possibly have some bearing on this too, and as it happens, that one's real.

por que? (3, Informative)

Em Emalb (452530) | more than 5 years ago | (#28948241)

From here: http://docs.google.com/support/bin/answer.py?answer=82366&ctx=sibling [google.com]

"Privacy and security: Understanding section 11.1 of our Terms of Service

We've received questions over time about the meaning of section 11.1 of our Terms of Service. We realize that for those not familiar with legal agreements for services that use the Internet, these terms can look confusing, or even frightening.

The first thing to understand is that this language doesn't give Google ownership rights to your data. You, and you alone, own your content. Whether you wish to keep your content totally private, or share it with the world, that's your choice.

However, in order to honor this choice, Google Docs needs permission to display your content as you see fit. This is what we mean by a "license to reproduce." We need to ensure that when you click the "Publish document" button, or use the "Invite collaborators" option, we have the license to carry out your wishes. It is this agreement, between Google Docs and you, the user, that section 11.1 of our Terms of Service reflects."

Why would you even chance it? That's their EXISTING terms of service, but as always, those terms are subject to change without notice.

I can't imagine that HIPAA would allow this.

Re:por que? (0)

Anonymous Coward | more than 5 years ago | (#28948529)

You can use Google Apps without Google Docs. HIPAA is fine with it.
You would chance it because [a] you can't afford to run an IT dept, [b] your internal admin whom you hire for little money can steal your data and is more likely to, [c] you can sue Google. Google Apps is ideal for small businesses. You don't need to use the Docs component at all. You can keep patient records internally on an off-the-shelf NAS box costing less than $500 with encrypted drives and use email for communication.

Need to assess more than one criteria (4, Insightful)

Anonymous Coward | more than 5 years ago | (#28948253)

It might be an acceptable compromise. The same clients considering Google Apps are 99.999% likely to have a non-existent or ineffective backup/archiving system, lack the expertise/cash for sysadmining Microsoft enterprise apps and would probably benefit from being able to log in on multiple machines to access their data. All strategies involve risk - if you veto Google, they may be missing out on the best compromise solution. YMMV.

Re:Need to assess more than one criteria (0)

Anonymous Coward | more than 5 years ago | (#28948731)

Google is not bound by the same laws as lawyers and doctors and data which is stored on Google's servers is not protected by the same laws as data on the computers of lawyers and doctors. It is one thing to have to trust someone who works on systems with confidential data. It's quite another thing to move the data off-site.

Say hello to your lawyer (4, Insightful)

PolyDwarf (156355) | more than 5 years ago | (#28948273)

This is slashdot, not legaldot.

That being said, your writeup sounds like you're a contractor/have your own company. If that's the case, the best you can do (Outside of telling your customers you aren't going to and being fired) is make very clear, in writing, what your opinion is, and get them to sign off, in writing, that they are responsible and/or have another way for handling confidential info, etc.

I'm not sure if that's enough to cover your butt or not. See first sentence about this is slashdot, not legaldot. I would consult with a lawyer, preferably one that is not one of your customers.

Re:Say hello to your lawyer (5, Insightful)

Red Flayer (890720) | more than 5 years ago | (#28948493)

It's been said before:

If your response to an Ask Slashdot submission about $X is "Ask a lawyer about $X", then you should rewrite the Ask Slashdot question in your mind to "What should I know before I talk to a lawyer about $X?"

Lawyers are expensive. Community knowledge can be very helpful in reducing the amount needing to be spent on legal fees, and I'm sure plenty of Slashdotters have good insight that can help the submitter.

For my part, all I can say is that I wouldn't use a doctor if I knew they used Google Apps. There's too much risk that an employee at Google might let loose the secret of my debilitating suppurative penile encrustations.

Re:Say hello to your lawyer (1, Funny)

Red Flayer (890720) | more than 5 years ago | (#28948519)

Oh crap. The cat's out of the bag.

Unsubmit! Unsubmit!

Re:Say hello to your lawyer (1)

PolyDwarf (156355) | more than 5 years ago | (#28948589)

Yeah, but when your question directly revolves around a question of law, it does kind of beg the question that lawyers should be your first stop. Especially when you know enough to know the name of the law (in this case, HIPAA). A quick google search would lead you to www.hipaa.org, and there's a handy-dandy menu on the left with all sorts of stuff to know.

The guy already knows enough to know this is a Bad Idea (tm), so it was more an Ask Slashdot about "Hey, I know this is a Bad Idea (tm), but is there any way I can weasel out of it being a Bad Idea (tm)?"

And as for your penile encrustations... That sounds like another Ask Slashdot question.

Re:Say hello to your lawyer (1)

aztracker1 (702135) | more than 5 years ago | (#28948783)

I have to agree... simply get a liability release, that they are responsible and have made decision X. Then do what they have asked.

Haha! (1, Informative)

Anonymous Coward | more than 5 years ago | (#28948309)

If web apps are ever farmed out to foreign servers, you can kiss your privacy goodbye. If the government requests any data off the servers and weasels around the usual search warrant limitations, you're on your own.

Give them fair warning (3, Insightful)

Lonewolf666 (259450) | more than 5 years ago | (#28948317)

Tell them about what could happen, and that the risk may be low but not zero, because data have been exposed through sloppiness before, not only through malice.
Then make sure YOU are not liable if they violate HIPAA or something similar. Either don't support their Google stuff or make sure you have documented that they use Google SaaS against your advice.

Re:Give them fair warning (1)

hedwards (940851) | more than 5 years ago | (#28948441)

Hosting this sort of thing off-site on a service that's not really intended for HIPAA or similar is a recipe for disaster. It's not that Google is necessarily untrustworthy, it's that they're not promising to comply with the requirements under those laws. And they're certainly not going to be liable should anything go wrong that puts the firm or the IT department in breach of those particular laws.

Re:Give them fair warning (3, Informative)

GMFTatsujin (239569) | more than 5 years ago | (#28948633)

That's one way to frame the argument, and it's a good one.

I'd stress to them that HIPAA PHI standards require the company -- AKA your bosses -- to be able to vouch for the security of the entire pipeline of information flow. It's not an issue of "they're not interested" or "the chances are low." It's an issue of minimizing the holes in the pipeline.

Google does not offer anything like PHI-compatible security. They are a big hole in the security, whatever the chances or interest are. One could argue that the world's largest indexer of information, who makes the results of those indexes freely available to the public, is the antithesis of security.

If your bosses are serious about health care, they're not going to be idiots about it. (They may choose to be idiots about other things. Probably not this.)

HIPAA compliance is no joke. (4, Insightful)

MarkvW (1037596) | more than 5 years ago | (#28948323)

If they wanna do it, they gotta get a lawyer--a lawyer who knows HIPAA. HIPAA compliance is a pain--and noncompliance can be very expensive.

Lawyer costs may even outweigh the Google savings

Re:HIPAA compliance is no joke. (1)

ArsonSmith (13997) | more than 5 years ago | (#28948681)

Biggest problem is Doctors like to think they are above the law. I worked in IT for a hospital chain and trying to explain that they can't do that is nearly impossible.

Tricky HIPPA... (4, Informative)

Annwvyn (1611587) | more than 5 years ago | (#28948327)

As a Paramedic, I can say that HIPPA is extremely strict and will, if violated, force your license to be questioned as well as cause fines to be pushed your way. Honestly, doing ANYTHING outside of a secured network or a patient care medium (i.e. Pyxis, Temsis) with privileged, confidential information will plant a bullseye on your back. It is just not worth risking it. I can guarantee that an expert data thief is going to be more skilled and knowledgeable at computers and networking than any physician I know.

Re:Tricky HIPPA... (2, Interesting)

Daniel Dvorkin (106857) | more than 5 years ago | (#28948397)

True enough -- and as an anonymous coward pointed out [slashdot.org], many (perhaps most) in-house networks aren't going to be secured all that well either. Allegedly HIPAA-compliant systems might satisfy the lawyers, but I have to say I'm deeply skeptical that the standard of privacy they actually provide is all it's cracked up to be ... or any better than what Google can do.

Re:Tricky HIPPA... (1)

Annwvyn (1611587) | more than 5 years ago | (#28948449)

I would have to agree with you that HIPPA's standards and their ability to provide for the people are pretty flimsy. However.... the risk you put on your license and career, as well as the fines that you can accrue if you violate HIPPA, are very real. It isn't so much whether you should follow HIPPA because it is the right thing to do and they are all-wise... you should basically follow it to cover your rear.

Re:Tricky HIPPA... (-1, Troll)

Anonymous Coward | more than 5 years ago | (#28948733)

As a paramedic, you should know it is HIPAA not HIPPA.

I didn't read the rest of your post as you lost all credibility in the first 8 words.

Just accept it (5, Insightful)

scoile (144858) | more than 5 years ago | (#28948329)

Your role, as a qualified member of the IT staff, is to make the higher-ups aware of the risks. Do your due-diligence, tell them the data isn't secure (in person, in e-mail, and maybe even on paper), and remind them from time-to-time (using creative new analogies whenever possible). That's it, you've done your job.

The fact of the matter is, regardless what the policy is, and regardless what they all "agree" on, they're going to put sensitive information on the Web. You'd have to take away their Internet access and portable devices to prevent it, and even then, they'd just go home and use that.

Accept that the best you can do is educate them and provide alternatives.

Re:Just accept it (1)

FlyingBishop (1293238) | more than 5 years ago | (#28948679)

You can't put confidential information in the hands of sysadmins who haven't signed off on the requisite forms. Unless Google is willing to certify that all people with any access to your data or the hardware on which it sits take the requisite classes and sign HIPAA non-disclosure forms with regard to your data, you can't sign off on such a move.

Even then, I would expect that access is restricted to a reasonably small group of people (for a small doctor's office no more than the 5 or 6 you might have on-site.)

Email is not confidential. (0)

Anonymous Coward | more than 5 years ago | (#28948341)

You don't use email for confidential information.

The biggest problem is that users think that email SHOULD be confidential. It is not.

Re:Email is not confidential. (1)

hedwards (940851) | more than 5 years ago | (#28948473)

Precisely, that's why my healthcare providers only use it to notify me that a message has been received. I have to log in to their site via SSL if I actually want to read the information. There are still risks, but with a properly secured DNS server and the appropriate measures to make sure it isn't a forgery, it's as secure as you can get.

Can I find out the names of the doctors you work f (3, Informative)

Anonymous Coward | more than 5 years ago | (#28948343)

I'd like to report them to the regulatory commission that enforces HIPAA rules.

Seriously, read up on HIPAA and get them to follow HIPAA rules, otherwise huge fines could be coming their way.

Just because a doctor hands out those privacy pamphlets doesn't give them the green light to ignore or circumvent the privacy and security rules. Claiming ignorance is not an option.

Get them off of gmail and Google Apps and put them on systems and networks that you can effectively apply controls to.
You have no control over the security and privacy controls in place within Google Apps, thus you can't effectively satisfy the HIPAA rules. If they do not want to do an internal network with servers, outsource it all to a data center that is HIPAA compliant and where you control the servers both physically and logically.

Good luck and hire yourself a partner or subcontractor that does HIPAA and SOX regulatory consulting. You could hire me but I'm $350/hr.

Re:Can I find out the names of the doctors you wor (2, Informative)

Proudrooster (580120) | more than 5 years ago | (#28948607)

Source: http://www.google.com/support/forum/p/Apps%20Partner/thread?tid=4d6f74d03de056c7&hl=en [google.com]

Answer to your question:
PeteGriffin@Google (Google Employee) + 3 other people say this answers the question:
From a sales standpoint, I would recommend turning the question around and asking them what steps they are currently taking to be compliant with the relevant compliance-acronym (HIPAA, SOX, FERPA, PCI, etc). Understand what steps they currently take to be compliant, and what their current solution is. You'll be able to quickly discover if it's a real showstopping requirement and be able to move on, if it's something that can be addressed by Google Apps... or if they are horribly un-compliant and they're hoping that Google Apps will solve all of their problems (and more!).

No solution by itself is going to be the silver bullet; organizations (especially small and medium businesses) have extremely varied IT infrastructure and policies, with information flowing in different ways for different reasons. Google doesn't certify or identify Google Apps as being compliant with any specific set of regulations. It's really up to the organization to determine if a solution meets their compliance needs for their specific situation.

Google Apps has a very impressive set of features that are extremely helpful when dealing with prospects with compliance needs. The Postini component of Google Apps (referred to as Google Message Security) allows for very granular control of email content (in and out). There are additional email archiving and retention components available. Google Apps is SAS 70 Type II certified. We have also made a good deal of information available about Google's security policies when it comes to our network of data centers through a hefty white paper.

If anyone has experiences dealing with situations like this, please feel free to share your thoughts. Tony Safoian over at SADA Systems has some good thoughts around this:
http://www.google.com/support/forum/p/Apps+Partner/thread?tid=2ce6b0904f65ac44&hl=en [google.com]

No difference (0)

Anonymous Coward | more than 5 years ago | (#28948349)

Frankly there is very little difference between individual employees at Google having access, and individual employees of a firm's IT consultant (or employees of the firm itself) having access. Yes, you might not, as a firm, know the identities of the relevant individuals at Google, but you probably don't know the identity of everyone who works at your IT consultant either. Oh, and Google has much, much more to lose if it becomes apparent that confidentiality has been compromised.

The bottom line is, Google doesn't have to provide an absolute assurance of confidentiality. It just has to be at least as good as what firms get now. In my view, that's not a particularly high bar.

Re:No difference (1)

hedwards (940851) | more than 5 years ago | (#28948501)

Google, is that the same Google that lost a lot of data a couple years back? I'm not really suggesting that they're not to be trusted, but they have lost data in the past, and as unlikely as it might be, it could happen again. Not to mention the fact that they allow access through insecure methods to the data.

Re:No difference (1)

jaymz2k4 (790806) | more than 5 years ago | (#28948503)

I'd have to agree with this. The minute people start to use non-internal staff & resources to provide information infrastructure you're implicitly trusting that the company as a whole will protect your data.

I'd just as well trust Google with my mail data & docs than yet another consultancy that provides core IT services.

The bottom line is whom do you trust. The best option in my opinion, which has been mentioned plenty before, is let your clients know what you think, give them the (quantified) risks and what (if any) violations of policy it would entail, and let them decide. Then make sure it's in a signed agreement.

Proper legal advice would also be the order of the day when you've done as much research as you can on your own (i.e., stuff like this).

HIPAA?? (0)

Anonymous Coward | more than 5 years ago | (#28948355)

You're gonna give up HIPAA info to the cloud? Sounds like a great way to end up in jail.

For corporate business I might be fine with using google apps, but I would never mess around with HIPAA-sensitive data... both for moral and for legal reasons.

wanted: client side encryption (0)

Anonymous Coward | more than 5 years ago | (#28948359)

What is missing in today's solutions is encryption on the client side so that the mail/calendar/photo/storage site cannot access the user's own data. Question is, what will the "free IT" providers gain by implementing that? I believe this can best be pushed by political means, forcing these kinds of requirements upon the providers.

An idea to make this work (4, Informative)

MarkWatson (189759) | more than 5 years ago | (#28948377)

Amazon published a white paper about using their AWS platform with HIPAA compliant applications: basic idea is to keep data encrypted until it is in memory, and encrypt it again before writing to persistent storage.

For Google Apps, how about using rich clients that decrypt data for viewing/editing, and encrypt it again before storing back on big table, etc.

Perhaps Google themselves would implement this as browser plugins?
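The two comments above (client-side encryption so the provider cannot read the data, and a rich client that decrypts only in memory and re-encrypts before storing) describe the same pattern. The following Go program is an added example written for this page, not code from either commenter, from Amazon's white paper, or from Google; the hosted service is replaced by a constructed in-memory stand-in so it runs offline. It shows the three properties a practitioner would want to check: the round trip works, the stored blob contains no plaintext, and a modified blob is rejected rather than silently decrypted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// untrustedStore is a constructed stand-in for the hosted service.
// It only ever receives and returns opaque blobs; it never sees a key.
type untrustedStore struct {
	blobs map[string][]byte
}

func newStore() *untrustedStore { return &untrustedStore{blobs: map[string][]byte{}} }

func (s *untrustedStore) Put(id string, blob []byte) { s.blobs[id] = append([]byte(nil), blob...) }

func (s *untrustedStore) Get(id string) ([]byte, bool) { b, ok := s.blobs[id]; return b, ok }

// client keeps the key locally; plaintext exists only in the client's memory.
type client struct {
	aead  cipher.AEAD
	store *untrustedStore
}

func newClient(key []byte, store *untrustedStore) (*client, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &client{aead: aead, store: store}, nil
}

// Save encrypts in memory and ships only nonce || ciphertext || tag to the store.
// The record id is bound as associated data, so a blob cannot be re-labelled as another record.
func (c *client) Save(id string, plaintext []byte) error {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	sealed := c.aead.Seal(nil, nonce, plaintext, []byte(id))
	c.store.Put(id, append(nonce, sealed...))
	return nil
}

// Load fetches the blob and authenticates before decrypting; any change to the
// blob (or a mismatched id) makes Open return an error instead of garbage.
func (c *client) Load(id string) ([]byte, error) {
	blob, ok := c.store.Get(id)
	if !ok {
		return nil, errors.New("no such record")
	}
	n := c.aead.NonceSize()
	if len(blob) < n+c.aead.Overhead() {
		return nil, errors.New("blob too short to be valid")
	}
	return c.aead.Open(nil, blob[:n], blob[n:], []byte(id))
}

// demo runs the round trip on a constructed sample record and reports:
// whether decryption recovers the record, whether the provider-side blob
// leaks plaintext, and whether a one-byte modification is detected.
func demo() (roundTrip bool, providerSeesPlaintext bool, tamperDetected bool, err error) {
	key := make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return
	}
	store := newStore()
	c, err := newClient(key, store)
	if err != nil {
		return
	}
	record := []byte("patient: J. Doe (constructed sample record); visit notes follow")
	if err = c.Save("note-001", record); err != nil {
		return
	}
	got, err := c.Load("note-001")
	if err != nil {
		return
	}
	roundTrip = bytes.Equal(got, record)

	blob, _ := store.Get("note-001")
	providerSeesPlaintext = bytes.Contains(blob, []byte("J. Doe"))

	// Flip one bit of the stored blob, as a faulty or hostile provider might.
	blob[len(blob)-1] ^= 0x01
	store.Put("note-001", blob)
	_, terr := c.Load("note-001")
	tamperDetected = terr != nil
	return
}

func main() {
	rt, leak, tamper, err := demo()
	fmt.Println("round trip ok:", rt, "| provider sees plaintext:", leak, "| tamper detected:", tamper, "| err:", err)
}
```

The point the comments leave implicit is key management: the key lives only on the client, so losing it means losing the records, and sharing records across a practice means distributing the key (or per-record keys wrapped for each user). Search and server-side features over the content stop working, which is exactly what the commenter asking what the providers gain was getting at.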

Google appliance in the office? (2, Interesting)

MartinSchou (1360093) | more than 5 years ago | (#28948389)

Far as I know the Google Mini Enterprise [google.com] comes with all of the apps you need.

And since it's a local server, I suspect it'd still qualify for your confidentiality needs the same way any other local server would.

Re:Google appliance in the office? (3, Informative)

Anonymous Coward | more than 5 years ago | (#28948523)

The Google Mini (http://www.google.com/enterprise/search/index.html) is a search appliance. It will not run mail/apps.

Re:Google appliance in the office? (0)

Anonymous Coward | more than 5 years ago | (#28948545)

I was about to suggest something similar. A local server running google applications is the answer. Just like our computers running installed native software.

Re:Google appliance in the office? (0)

Anonymous Coward | more than 5 years ago | (#28948689)

Really, people, mod this guy up. The clients of interest on this really need to stop trying to be cheap and at the very least use this. It supports email and policy settings and runs locally. It will save money over having an IT guy maintain servers, but I think the first step is to call Google corporate sales and ask about compliance. They are doctors, for Christ's sake; do they really have cash flow problems that would prevent $50 yearly per user?

If my lawyer used Google Apps, I'd get rid of him. (1)

Animats (122034) | more than 5 years ago | (#28948447)

No lawyer can legitimately use Google-hosted services, unless they're doing work for Google. It would be a huge violation of confidentiality.

In Silicon Valley, where many lawyers are doing work adverse to Google, absolutely no way would this be tolerated. Even Microsoft Windows Update makes some lawyers nervous.

Do you abandon confidentiality for Google apps? (1)

Chuck Chunder (21021) | more than 5 years ago | (#28948453)

That's a better question.
Their policy suggests not [google.com] .
Perhaps a Google engineer somewhere can "read your stuff" but only in the same sense that you could as the person administering your clients' mail. Is that a worry? I'd expect Google have a lot more to lose if such a privacy breach happened than you; their whole apps hosting business would evaporate.

That said, if there are specific legal requirements for your industry you'd need to evaluate on those specific requirements not on what a random guy on Slashdot thinks.

Searched Google for ya' (1)

SloppyElvis (450156) | more than 5 years ago | (#28948469)

Typed "Google Apps HIPAA compliance" into Google and found your response from Google: Is Google Apps HIPAA compliant? [google.com] The answer is of course, "it depends".

What does the fed do? (4, Informative)

ljaszcza (741803) | more than 5 years ago | (#28948477)

We are a contractor for the Veterans administration. The VA insists that we comply with privacy issues strictly. Any communications that have patient information must be sent on encrypted secure systems. No open email servers/hotmail/gmail/whatever is allowed. Failure to comply with the privacy (detailed in the out of control HIPAA set of rules and standards) is punishable both financially and by being banned from contracting with the US federal government. As an administrator, I have to remind physicians that if they are caught transmitting identifiable information of our patients over unsecured channels, it may cost us our contract and may result in their being banned from seeing medicare/medicaid patients. Anyhow, that's my two cents on utilizing gmail or such for sensitive information.

Another thought (1)

PolyDwarf (156355) | more than 5 years ago | (#28948483)

I just had another thought on this.

Assuming you cover yourself properly from legal liability, do whatever your clients want... Then turn them all into the HIPAA police (I know there aren't HIPAA police... I have no idea who does the enforcement actions; you get the idea) for some sort of reward.

Professional responsibility (2, Interesting)

rjh (40933) | more than 5 years ago | (#28948499)

It is not your job to educate them on their professional responsibilities. Odds are very good that you aren't competent to advise them on it, and it would arguably be a violation of their canons of ethics to take advice from you. Lawyers and doctors have ethics committees to field questions like these: refer your users to them.

In the interim, stand by your guns. If your users say they'll go to the ethics committee and they're sure they'll be exonerated, propose this as a hypothetical question: if you give privileged documents to an uninvolved third party, is the veil of privilege pierced? Yes or no? (The answer is usually "yes"; exceptions are rare.) So, if you give privileged documents to Google, is the veil of privilege pierced?

Don't give advice. Just ask questions, and whatever you do, don't give in.


Here is what google has to say on the subject... (0)

Anonymous Coward | more than 5 years ago | (#28948541)

http://www.google.com/support/forum/p/Apps%20Partner/thread?tid=4d6f74d03de056c7&hl=en

So you know email isn't secure... right? (0)

Anonymous Coward | more than 5 years ago | (#28948575)

Unless you & your customers are encrypting all your communications then your email is already available to be intercepted & read. Aside from which, it's probably more likely that someone internal will be the one to leak emails, rather than some big bad corp. Do you expend the effort on security that google or other providers do?

Personally I think IT guys need to stop thinking that they're the hub of the business. If you're in the legal business, IT is not your core business, it's an enabler. So whatever you can do to make that simpler/cheaper is a good thing as long as it meets your other requirements. Rather than a free service, you should look at paid services where there are contracts in place with SLAs. It doesn't change anything, but gives you a "you sue us, we sue them" position in the event something does go wrong. Make sure you're able to take backups locally so that you always hold a copy of your data and you're good to go.

Hosting providers? (4, Insightful)

RichardJenkins (1362463) | more than 5 years ago | (#28948583)

I think there are three classes of company for the purposes of this discussion:

If you trust shared hosting providers, you shouldn't care about the Google employees who can access your data.

If you trust managed hosting providers like Rackspace, particularly if they're hosting virtualised servers for you, you probably shouldn't care about Google employees with access to your data.

If you don't trust managed hosting providers; well you're probably not reading this from the office, and Google Apps doesn't get a look in.

I'd say most companies fall into the second.

Not yet relevant... (1)

Denagoth (582705) | more than 5 years ago | (#28948585)

Until Google Apps can FLAWLESSLY import and export files with Microsoft Office (doc / xls / ppt) no company is going to use it. For good or ill, those are the file formats the world runs on. If Google fixes that issue (and that's a big if), then we can tackle the privacy question.

Can we trust Microsoft for that matter? (0)

Anonymous Coward | more than 5 years ago | (#28948605)

If you think about it, we buy this closed software from a vendor and place it in our homes, businesses, schools and so forth. We then enter the most confidential data and undertake highly sensitive transactions and such, and all the time MS are the only ones who know the inner workings of this beast. Can we trust that MS are not accessing our data? Do they (or their selected partners) have a back door? Are they able to read our data?
This software is in govt depts around the world and in formats that they control; why should Google be any different?

are you nuts? (1)

TheGratefulNet (143330) | more than 5 years ago | (#28948615)

don't even THINK about outsourcing that.

yes, giving it to google is outsourcing. what, you thought.....

you didn't think.

THINK.

keep the network OFF your medical (etc) files. sheesh! this is 101 level, people. come on.

let me be very clear; you do not want to put medical, legal or ANY sensitive info 'in the cloud'. anyone's cloud.

got it?

it's very simple.

Google's not interested in our email/calendar. (2, Insightful)

seifried (12921) | more than 5 years ago | (#28948625)

But google is. They place ads based on the content of your emails (i.e. I get SVN commit messages, and lo and behold ads for SVN related stuff on the side bar). So at a bare minimum they have automated processes reading all your emails, extracting meaning from them and displaying ads to you.

if you're paying them, why not? (1)

discogravy (455376) | more than 5 years ago | (#28948647)

if it were a service the lawyer/doctors/etc were paying them for, how would this be different than say a lawyer's office contracting their IT work to a tech firm?

If they don't care why do you? (1)

Rix (54095) | more than 5 years ago | (#28948669)

Sure, explain the risks, and recommend they run the idea past their lawyers.

It's their risk to take, and look at it from their perspective: they're already trusting you with their data. Why should they trust Google, with its nigh infinitely deep and sueable pockets, less than they trust you?

Just screw HIPAA (0)

Anonymous Coward | more than 5 years ago | (#28948693)

What do you care more about, laws or Google's success? That's what I thought. Take the easy road. /sarcasm
It's HIPAA, by the way, not HIPPA.

What about trusting you? (1)

Dr_Harm (529148) | more than 5 years ago | (#28948701)

It sounds like you are a contractor. So, your "clients" have to trust you, don't they? You could read their e-mail, calendar, etc... and if you developed an interest in one of their more famous clients, you could do just as much damage.

The question, then, is not one of "needing to trust Google". The question is, "Is Google more or less trustworthy than the current solution?" There is a fair argument that a large, multi-billion dollar company has a lot more to lose should things go sideways than a contractor. There is also a fair argument that they probably have 1000x more people with access to the data than an independent contractor.

This, of course, ignores any legal requirements like HIPAA, PCI DSS, etc. etc. But I think my point is still valid: if the client has already contracted out management and/or hosting of their data, they have already made the decision to trust an outsider. Going with Google or not is just a question of "which outsider do we trust?"

Google is evil (1)

DNS-and-BIND (461968) | more than 5 years ago | (#28948769)

Don't believe anything they say; Google is a publicly traded corporation. The job of the directors is not to make a profit, it is to maximize profits. The example the founders set will only go so far. How much attention do other companies pay to their corporate slogans? How many of you can name the slogans of AT&T, IBM, Facebook, or other companies? And how much attention do the employees of these corps pay to their slogan? Does the Goldman Sachs slogan really drive its employees?

Google Apps is as secure as the internet.......um. (1)

Bob_Who (926234) | more than 5 years ago | (#28948777)

The fact is that if Google Apps is not secure enough for you, then neither is any network data that also shares a connection to the internet. Let's be honest, any network connection is a pathway to your data. If you really want security, close the loop. Otherwise, Google Apps is perhaps an appropriate reminder that you're ultimately vulnerable. If hackers can get onto the Google Apps servers, then they're not going to be stopped by your internet security either. At least, not for long.... Buggy browsers, malware, users, and Windows will eventually leave you naked. Google Apps is appropriate for many and is more secure than a Trojan bot key logger root kit polymorphic virus windows IE beta orgy toolbar macro, like most small business systems that I encounter.