Can We Abandon Confidentiality For Google Apps? 480
An anonymous reader writes "I provide IT services for medium-sized medical and law practices. Lately I have been getting a lot of feedback from doctors and lawyers who use gmail at home and believe that they can run a significant portion of their practice IT on Google Apps. From a support standpoint, I'd be happy to chuck mail/calendar service management into the bin and let them run with gmail, but for these businesses, there is significant legal liability associated with the confidentiality of their communications and records (e.g., HIPAA). For those with high-profile celebrity clients, simply telling them 'Google employees can read your stuff' will usually end the conversation right there. But for smaller practices, I often get a lot of push-back in the form of 'What's wrong with trusting Google?' and 'Google's not interested in our email/calendar.' Weighing what they see as a tiny legal risk against the promise of Free IT Stuff(TM) becomes increasingly lopsided given the clear functionality / usability / ubiquity that they experience when using Google at home. So my question to the Slashdot community is: Are they right? Is it time for me to remove the Tin Foil Hat on the subject of confidentiality and stop resisting the juggernaut that is Google? If not, what is the best way to clarify the confidentiality issues for these clients?"
yes.. (Score:5, Informative)
..the google apps contract is fine. IAAL and i use google apps for all my stuff. i DO maintain a separate backup but everything goes on google. the bar is also fine with it.
Re:yes.. (Score:4, Insightful)
Good thing you posted anonymously. That means you won't lose clients and we don't have to take you seriously.
Re:yes.. (Score:5, Informative)
If you had read the entire article you would've seen that it is written by "Brett Burney is principal of Burney Consultants, based in Cleveland." Finding his website, it turns out that mr Burney is not a lawyer, he provides some legal services FOR lawyers.
So, that article is just some guy saying how convenient those tools are. Not some sort of legal analysis of the use of web-based applications for sharing private data.
Here in Europe using stuff like that is absolutely not allowed for sensitive data, doctors, lawyers and governments are most certainly NOT allowed to use a hosted app like that.
Re:yes.. (Score:5, Interesting)
Re:yes.. (Score:5, Informative)
I can't give a legal answer for US companies, but its my job to consider questions like this for a UK based financial services business. Google's applications are essentially the same as any other outsourced services, and UK law is based on the premise that you can outsource activity but you can't outsource responsibility.
What this essentially means is that a UK business is expected both to have a legally enforceable set of data protection contract terms and to have conducted a risk assessment supported, where appropriate, by a detailed appraisal of the outsourcer's policies, procedures and practices. FWIW, the conclusion that I've drawn is that Google apps are completely unuitable for any UK business that processes customer data, as there is no guarantee that the data will remain in the EEA (European Economic Area) or another country that has equivalent data protection principles enshrined in law. UK business are not allowed to process personal data in the USA without express customer consent because its data protection laws fall short of ours.
Re: (Score:3, Funny)
UK business are not allowed to process personal data in the USA without express customer consent because its data protection laws fall short of ours.
US and UK privacy protections differ, but to say that the US protections "fall short" of UK protections is false. They have different aims, and I prefer the aims of US privacy protection to those of the UK and Europe, thank you very much.
I think you see the kind of myth you're repeating perpetuated by the UK government; anti-American rhetoric makes a great cov
Re: (Score:3, Informative)
Hmmm Virgin Media must have updated their T&Cs recently without notifying me.
They announced they're outsourcing all email to google.
"G. Your details and how we look after them
7. By having our services activated in your home and/or by using them you consent to our transferring your information to countries which do not provide the same level of data protection as the UK if necessary for providing the services. If we do make such a transfer, we will put a contract in place to ensure your information is pr
Re:yes.. (Score:4, Interesting)
Re:yes.. (Score:5, Insightful)
It doesn't take a "computer security expert" to know that you're unnecessarily risking your clients' confidentiality by sending your communications wholesale to a 3rd party.
Re:yes.. (Score:5, Insightful)
IANAL. My only legal credential is that I come from a family of lawyers and judges who are absolutely adamant about their moral obligation to preserve privilege.
As they have explained it to me, once you voluntarily hand information off to an uninvolved third party, the veil of privilege is breached and it can be discovered.
As they have explained it to me, anything you give to Google can be subpoenaed. Google is currently one of the most-frequently-served companies in the world, and Google gives full and enthusiastic cooperation with lawfully issued subpoenas.
If you really see nothing wrong with risking the privilege of your work product by putting it into the hands of a third party, and if you really see nothing wrong with making it discoverable via subpoena, then by all means use Google Docs. However, for my own sake, I refuse to deal with lawyers who use outsourced IT services.
Re: (Score:3, Interesting)
As they have explained it to me, once you voluntarily hand information off to an uninvolved third party, the veil of privilege is breached and it can be discovered.
IANAL, as well, but that statement is incomplete. You can clearly outsource at least one IT function: email, without risking privilege. Google's Postini is the the email service provider for many (most) of the nation's best and/or biggest lawfirms. (e.g. lookup the mx records of steptoe.com, chadbourne.com, perkinscoie.com, gibsondunn.com, bakernet.com, dlapiper.com, whitecase.com, sidley.com, mayerbrown.com). All *.psmtp.com.
Re:yes.. (Score:5, Insightful)
Yes. When I was looking for a lawyer, I asked them how they contacted their clients, and where their email servers were located. The guy I eventually chose as my lawyer told me he contacts clients via email, phone and IM only to arrange face to face meetings, and then walked me down the hall to the server room. He introduced me to the sysadmin, and the law firm sysadmin answered more of my questions.
Choosing a lawyer is a big deal. You should treat it like one. Any lawyer who is not willing to fully answer your questions is not worth your time or money.
Re: (Score:3, Informative)
Re: (Score:3, Insightful)
He just has to ask himself whether or not he feels lucky. I work with ePHI every day, and would NOT want to be the first person targeted with prosecution over that. Remember, HIPAA is a criminal statue, not just civil. Lawsuits would be the least of your worries if you ended out disclosing patient information.
Re: (Score:3, Funny)
The bottom line (Score:5, Insightful)
If you are in an industry where your internal communications/documents/etc should or must remain confidential, than you cannot trust Google Apps as your free platform for email/document creation/document storage.
If you don't mind the possibility that the world may get your data, then by all means feel free to use Google, or any other SaaS type offering.
Re: (Score:2)
Lazy sysadmin wants to compromise his company to work less. News at 11.
Re: (Score:3, Insightful)
Lazy sysadmin wants to compromise his company to work less. News at 11.
Come on it's not just laziness. People use the Google apps at home, they do the job. It's no wonder they say "Why not use the same stuff at the office?" That's how MS got where they are after all, it also might be why they've got their panties in a twist over Google.
Re: (Score:2)
Re: (Score:3, Insightful)
>>>People use the Google apps at home, they do the job. It's no wonder they say "Why not use the same stuff at the office?" That's how MS got where they are after all
>>>
Actually Microsoft went in the opposite direction, hanging onto IBM's coattails which grew dominant in the office while Atari and Commodore were dominant at home (from 1980 to 1986). Then people started saying, "I want to bring my work to my home", and so they went and bought IBM PCs which became dominant from 1987 onward
Re: (Score:2)
For small businesses that don't have a full time sysadmin there's also risks running your own. It might fail and take long time to fix for example. And it might go for long times without security patches.
I suppose both those things are true for larger places as well with sysadmins overloaded with work :(
Re:The bottom line (Score:4, Interesting)
Of course he knows the security implications. His clients don't. And he can't force them to pay the (significant for a small office) costs of doing it "right." They'd simply stop being his clients.
Don't assume he's lazy, he's trying to do his best for his smaller clients and that's admirable. (I've often found the smaller the client the more of a cheap bastard and whiny high-maintenance client they tend to be)
Re: (Score:3, Insightful)
People in all sorts of fields get offered money to comprimise themselves every day.
You need to determine where the line is and stick to it. Doing someting stupid because someone else paid you doesn't automatically restore your reputation or protect you from legal liability.
Try read a welding forum somtimes. Someone will show up and want a hole in their gas tank welded. The welder will say "no". Then every so often you read about the guy who said yes and died.
I
Re:The bottom line (Score:5, Informative)
Not only did you not read TFA, but you did not even read the summary. Laziness has nothing to do with this at all. He is getting a lot of friction from his clients that don't understand HIS reservations about doing business with Google in this manner. He is concerned for their legal liability. Sounds like an IT guy that actually cares.
His question being posed to the /. community, is whether or not his clients have a point. Can we really trust Google with data that must remain confidential. Can he recommend Google services to his clients without fearing for liability later down the road.
Yeah, that sounds lazy to me....
Re:The bottom line (Score:5, Insightful)
If you are in an industry where your internal communications/documents/etc should or must remain confidential, than you cannot trust any Internet-based system as your free platform for email/document creation/document storage.
FTFY. If your documents exist on the Internet, especially unencrypted, they won't be confidential for very long. Whether or not Google as a company is trustworthy or not is irrelevant. If anyone hacked into your Google account, they would have access to everything. If a random employee at Google decided to sell your stuff to a tabloid, there's nothing you could do to stop them until it was already too late. Without ironclad confidentiality agreements with real penalties for breaking said agreements, you shouldn't be trusting any third party with this stuff, and you certainly shouldn't have it on the Internet.
Re: (Score:3, Insightful)
Further, if you share data with an outside company, you don't have a reasonable expectation of privacy in that data anymore, and the government can subpoena that company for what it knows about you. Just like a lawyer engaging in communications with his client with a third party present, those communications are no longer privileged.
IANAL, I just watch fake ones on TV.
Re: (Score:3, Insightful)
which is why lexis nexis gets subpoenaed so many times.... oh wait, they dont. gee... with all that confidential legal strategy online at lexis ... oh wait, it doesnt.
you would think they do. and using lexis breaks priv
i know youre not a lawyer but please dont be an idiot as well.
using microsoft word or any other tool does NOT break priv, google apps is SSL encrypted and secure enough (Google Apps is SAS 70 Type II certified) that its not a problem. so is lexis, westlaw and the hundreds of other third party
No physical security (Score:5, Informative)
Without physical security there is no security.
If you don't own the box and control access yourself there is no physical security.
Ever read a EULA? (Score:3, Informative)
Re:Ever read a EULA? (Score:4, Informative)
Re:Ever read a EULA? (Score:4, Insightful)
Possibility? (Score:3, Insightful)
I don't understand what "possibility" has to do with it. Your data could "possibly" be exposed if you have your own infrastructure.
A more relevant question is probability. Is there additional exposure through using Google? Are Google internal security practices likely to be better than yours? If you are a small shop outsourcing your IT services anyway then why is
Yes, there's an additional vulnerability (Score:4, Insightful)
Once something is on Google, the up side is: any computer with internet access can log in and access it. The down side is the same: any computer with internet access can log in and access it.
If something is on your internal network, that already puts a bit of a limit on who can access those files. It's not bulletproof, and you can still get rooted, but it's a limit. The average Tom, Dick and Harry are as good as physically separated from that data, even if they can guess your password.
Once that stuff is on Google, essentially anyone who can guess your password is good to go.
For example, you only need one employee who uses the same password everywhere (it happens more often than you'd think) and has ever shared their home email password with their spouse, or their WoW account with the chinese guy who power-levelled it, or whatever. Or they only need the same password somewhere where you need to guess their mother's maiden name to get that password. (Again, you'd be surprised how many put the real maiden name there.)
Or some passwords are that easy to find out, because they're weak. People use their nickname, or pet's name, or whatnot as passwords all the time.
Some passwords aren't even kept secret. I know the logins for a local hospital _and_ the emergency medical service, without ever having worked there, just because the former was taped to the monitor and the latter was spoken out loud while I was there. And yes, apparently veryone there used the same. So every ex-employee knows those too. Plus any patient who can read or has ears.
So, ok, now you know a name and password for the hospital computers. Now what?
In a traditional IT scenario, they're only accessible from the internal network. Sure, you can try to sneak into a room and use their computer, but you can be caught, so most people won't. Sure, you can try to get them rooted somehow, but again most people wouldn't even know how.
Now move those files on Google, and you have a real extra problem. If that hospital ever moves its data to Google, every single patient who ever read the post-it on a monitor, can try it from their own home. No having to sneak anywhere, no risking that someone walks in on you, no l33t haxxx0r skillz needed. Just point your browser at Google, log in as a doctor, and read the medical data of everyone who ever used that hospital.
Re:The bottom line (Score:5, Interesting)
I'd think this is a much greater issue than worrying about Google email snoops. That and unecrypted standards over wifi access. Doctors: Don't go mobile. Stay within your cellular-free hospitals.
Re:The bottom line (Score:4, Insightful)
I would agree with this. I would *never* use a attorney who didn't take proper care of my confidential records. Those are more than just slightly sensitive.
Re:The bottom line (Score:5, Insightful)
and you can sue google without a eula type contract.
You can sue the IT guy with a grudge too but that won't help you to recover your business reputation or lost clients after a data breach. Why the hell does everybody look at something and think that "we can sue them!" is some sort of plus anyway? I'd rather avoid being in the position of having to decide whether or not to file a lawsuit altogether, thank you very much.
Re:The bottom line (Score:5, Insightful)
Number of internal IT guys with systems access: 5
Number of Google employees: 3 billions
Chance to identify and sue the pants off the leaker if he's internal: 99%
Chance to sue Google and not get ass-raped by their robotic lawyers with laser eyes: Infinitesimal
Re: (Score:3, Funny)
And another number for to weight in your list:
Chances your internal IT guys know more about securing your data than Google engineers: 5%
Yes, my number was pulled out of my ass too.
No (Score:4, Informative)
Confidentiality is very, very important to businesses and individuals, even more so in the Internet age. One of the reasons to continue to operate your own infrastructure, no matter what the current hype is.
Re: (Score:2)
Confidentiality is very, very important to businesses and individuals, even more so in the Internet age. One of the reasons to continue to operate your own infrastructure, no matter what the current hype is.
More to the point, some of his reasoning seems questionable. "Google Apps is easy to use from home" Yeah, and your point is? Never heard of a VPN? Never heard of remote desktop/terminal services/Citrix? It's not like they are particularly complicated these days. Hell, if you choose a vendor neutral solution with an accepted standard (IPSec) you might not even need to install any extra software on the clients.
Re: (Score:2)
Re: (Score:3, Interesting)
Wouldn't Google be more likely to keep on top of software updates and security threats than a small, local hosting company who are figuring it out as they go? Hosting one's email with a local company or at one's own office may open a person up to more risk of being hacked than simply letting Google manage it.
Re: (Score:3, Funny)
operate your own infrastructure, no matter what the current hype is
Exactly. You should be digging trenches, laying fibre, and setting up entirely separate networks so that no email you send ever passes through a machine or a network or a cable accessible by a third party.
Re: (Score:3, Interesting)
Confidentiality is very, very important to businesses and individuals, even more so in the Internet age. One of the reasons to continue to operate your own infrastructure, no matter what the current hype is.
IAAD and I agree that confidentiality is extremely important, and health care professionals have a responsibility to safeguard PHI. However, I also think that IT admins have a responsibility to create an infrastructure that doesn't suck and that takes into account the needs of the people that actually need to use it. Because if it sucks bad enough, people will find a way to circumvent some of the safeguards in order to get their work done. Because it's human nature that getting one's work done is a more
Re:No (Score:5, Informative)
which leads to
HIPPA requirements should... (Score:4, Insightful)
immediately squelch any such thoughts.
por que? (Score:3, Informative)
From here: http://docs.google.com/support/bin/answer.py?answer=82366&ctx=sibling [google.com]
"
Privacy and security: Understanding section 11.1 of our Terms of Service
Print
We've received questions over time about the meaning of section 11.1 of our Terms of Service. We realize that for those not familiar with legal agreements for services that use the Internet, these terms can look confusing, or even frightening.
The first thing to understand is that this language doesn't give Google ownership rights to your data. You, and you alone, own your content. Whether you wish to keep your content totally private, or share it with the world, that's your choice.
However, in order to honor this choice, Google Docs needs permission to display your content as you see fit. This is what we mean by a "license to reproduce." We need to ensure that when you click the "Publish document" button, or use the "Invite collaborators" option, we have the license to carry out your wishes. It is this agreement, between Google Docs and you, the user, that section 11.1 of our Terms of Service reflects."
Why would you even chance it? That's their EXISTING terms of service, but as always, those terms are subject to change without notice.
I can't imagine that HIPAA would allow this.
Re: (Score:3, Informative)
Maybe, maybe not. The HITECH Act (which is really part of the recent federal stimulus law, the American REcovery and Reinvestment Act) and the Guidance issued under the HITECH Act requires that for HIPAA protected health information (PHI) to not be considered "unsecured", information in motion must be protected under appropriate FIPS 140-2 approved standards (for use of TLS, that's NIST Special Publication 800-52, Guidelines for the Selectio
Need to assess more than one criteria (Score:4, Insightful)
Say hello to your lawyer (Score:5, Insightful)
This is slashdot, not legaldot.
That being said, your writeup sounds like you're a contractor/have your own company. If that's the case, the best you can do (Outside of telling your customers you aren't going to and being fired) is make very clear, in writing, what your opinion is, and get them to sign off, in writing, that they are responsible and/or have another way for handling confidential info, etc.
I'm not sure if that's enough to cover your butt or not. See first sentence about this is slashdot, not legaldot. I would consult with a lawyer, preferably one that is not one of your customers.
Re:Say hello to your lawyer (Score:5, Insightful)
If you're response to an Ask Slashdot submission about $X is "Ask a lawyer about $X", then you should rewrite the Ask Slashdot question in your mind to "What should I know before I talk to a lawyer about $X?"
Lawyers are expensive. Community knowledge can e very helpful in reducing the amount needing to be spend on legal fees, and I'm sure plenty of Slashdotters have good insight that can help the submitter.
For my part, all I can say is that I wouldn't use a doctor if I knew they used Google Apps. There's too much risk that an employee at Google might let loose the secret of my debilitating suppurative penile encrustations.
Re: (Score:2, Funny)
Unsubmit! Unsubmit!
Re: (Score:2)
Yeah, but when your question directly revolves around a question of law, it does kind of beg the question that lawyers should be your first stop. Especially when you know enough to know the name of the law (in this case, HIPAA). A quick google search would lead you to www.hipaa.org, and there's a handy-dandy menu on the left with all sorts of stuff to know.
The guy already knows enough to know this is a Bad Idea (tm), so it was more an Ask Slashdot about "Hey, I know this is a Bad Idea (tm), but is there a
Give them fair warning (Score:4, Insightful)
Tell them about what could happen, and that the risk may be low but not zero. Because data have been exposed through sloppiness before, not only through malice.
Then make sure YOU are not liable if they violate HIPPA or something similar. Either don't support their Google stuff or make sure you have documented that they use Google SAS against your advice.
Re: (Score:2)
Re:Give them fair warning (Score:4, Informative)
That's one way to frame the argument, and it's a good one.
I'd stress to them that HIPAA PHI standards require the company -- AKA your bosses -- to be able to vouch for the security of the entire pipeline of information flow. It's not an issue of "they're not interested" or "the chances are low." It's an issue of minimizing the holes in the pipeline.
Google does not offer anything like PHI-compatible security. They are a big hole in the secuirty, whatever the chances or interest are. One could argue that the world's largest indexer of information, who makes the results of those indexes freely available to the public, is the antithesis of security.
If your bosses are serious about health care, they're not going to be idiots about it. (They may chose to be idiots about other things. Probably not this.)
HIPAA compliance is no joke. (Score:5, Insightful)
If they wanna do it, they gotta get a lawyer--a lawyer who knows HIPAA. HIPAA compliance is a pain--and noncompliance can be very expensive.
Lawyer costs may even outweigh the Google savings
Re: (Score:2)
Biggest problem is Doctors like to think they are above the law. I worked in IT for a hospital chain and trying to explain that they can't do that is nearly impossible.
Re:HIPAA compliance is no joke. (Score:4, Interesting)
HIPPA non-compliance can not only be expensive, it can lead to jail time.
This is my understanding based on training I received from a lawyer while working as a secondary IT director for a medical school:
The IT director for a medical organization is required to certify that the organization is HIPPA compliant. If they are not, the IT director must make them compliant, and that may have to mean simply cutting off everyone's access to computer resources until a plan is in place to allow access in a compliant manner. (Not allowing anyone to access anything is compliant.) If the IT director certifies them to be compliant when they are actually not, the IT director can go to jail, as can anyone who may have coerced them to sign the certification. Medical professionals can also be subject to fines and/or jail time for handling data in a non-compliant manner (such as entering data into a non-compliant system such as google docs), especially if they did so knowingly.
Were I in anonymous reader's shoes, I would tell my medical clients that I am convinced that because of HIPPA they must not use Google Docs for any medical information. If they press the issue I would tell them that I am so convinced that they must not use Google Docs to handle any medical information that if I find they have done so, I will drop them as a client and report them to relevant authorities at once. No job is worth going to jail for.
Re:HIPAA compliance is no joke. (Score:5, Informative)
Since HIPAA doesn't create a private cause of action for violations, only the federal government can enforce HIPAA rules generally (sometimes, under state laws, the fact that a disclosure is in violation of a federal law like HIPAA, or of a assurance or agreement mandated by HIPAA, may, with other factors, meet the standard for some private cause of action under state law, but the action won't be for a HIPAA violation, per se.) To date, AFAIK, none of the HIPAA complaints received by the Department of Health and Human Services' Office of Civil Rights (which enforces HIPAA) have resulted in monetary penalties being assessed, but most of them do result in OCR requiring business practice changes on the part of the entity against whom the complaint was lodged. A few do get referred to the Department of Justice for criminal prosecution, though I believe that, to date, no prosecutions have been made on HIPAA charges alone (sometimes HIPAA charges have been part of a broader criminal complaint.)
There was a time when that was at least generally true (where a business associate of a HIPAA covered entity might not be liable the way a covered entity was if it was not itself a covered entity), however, the recently passed HITECH Act (part of the American Recovery and Reinvestment Act of 2009 [ARRA], Pub.L. 111-5) both added additional security requirements that apply to HIPAA covered entities and extended both the existing and new security requirements on HIPAA covered entities, including the civil and criminal penalties for violations, to apply to those entities' business associates to the same extent as to covered entities themselves. (see ARRA, Title XIII, Subtitle D, Sec. 13401; codified at 42 U.S.C. Sec. 17931.)
Tricky HIPPA... (Score:4, Informative)
Re: (Score:3, Interesting)
True enough -- and as an anonymous coward pointed out [slashdot.org], many (perhaps most) in-house networks aren't going to be secured all that well either. Allegedly HIPAA-compliant systems might satisfy the lawyers, but I have to say I'm deeply skeptical that the standard of privacy they actually provide is all it's cracked up to be ... or any better than what Google can do.
Just accept it (Score:5, Insightful)
Your role, as a qualified member of the IT staff, is to make the higher-ups aware of the risks. Do your due-diligence, tell them the data isn't secure (in person, in e-mail, and maybe even on paper), and remind them from time-to-time (using creative new analogies whenever possible). That's it, you've done your job.
The fact of the matter is, regardless what the policy is, and regardless what they all "agree" on, they're going to put sensitive information on the Web. You'd have to take away their Internet access and portable devices to prevent it, and even then, they'd just go home and use that.
Accept that the best you can do is educate them and provide alternatives.
Can I find out the names of the doctors you work f (Score:3, Informative)
I'd like to report them to the regulatory commission that enforces HIPAA rules.
Seriously, read up on HIPAA and get them to follow HIPAA rules, otherwise huge fines could be coming their way.
Just because a doctor hands out those privacy pamphlets doesn't give them the green light to ignore or circumvent the privacy and security rules. Claiming ignorance is not an option.
Get them off of gmail and google apps and put them on systems and networks that you can effectively apply controls too.
You have no control over the security and privacy controls in place within google apps thus you can't effectively satisfy the HIPAA rules.If they do not want to do an internal networks with servers, outsource it all to a data center that is HIPAA compliant and where you control the servers both physically and logically.
Good luck and hire yourself a partner or subcontractor that does HIPAA and SOX regulatory consulting. You could hire me but I'm $350/hr.
Re:Can I find out the names of the doctors you wor (Score:3, Informative)
Source: http://www.google.com/support/forum/p/Apps%20Partner/thread?tid=4d6f74d03de056c7&hl=en [google.com]
Answer to your question.:
PeteGriffin@Google (Google Employee) + 3 other people say this answers the question:
From a sales standpoint, I would recommend turning the question around and asking them what steps they are currently taking to be compliant with the relevant compliance-acronym (HIPAA, SOX, FERPA, PCI, etc). Understand what steps they currently take to be compliant, and what their current solutio
An idea to make this work (Score:5, Informative)
Amazon published a white paper about using their AWS platform with HIPAA compient applications: basic idea is to keep data encrypted until it is in memory, and encrypt it again before writing to persistent storage.
For Google Apps, how about using rich clients that decrypt data for viewing/editing, and encrypt it again before storing back on big table, etc.
Perhaps Google themselves would implement this as browser plugins?
Re: (Score:3, Interesting)
Google could do this. Using IBM's algorithms which were on Slashdot recently, it might even be possible to keep everything encrypted on the server and only decrypt on the client so the data is safe even if the server is compromised. (Note: That was an article about a new and experimental cryptographic algorithm which may not be ready for serious use yet.)
There is a problem: Google wants to show ads and encrypted data gives them no clues about what ads to show. If there is really a market for it, then maybe
Google appliance in the office? (Score:2, Interesting)
Far as I know the Google Mini Enterprise [google.com] comes with all of the apps you need.
And since it's a local server, I suspect it'd still qualify for your confidentiality needs the same way any other local server would.
Re: (Score:3, Informative)
The Google Mini (http://www.google.com/enterprise/search/index.html) is a search appliance. It will not run mail/apps.
If my lawyer used Google Apps, I'd get rid of him. (Score:2)
No lawyer can legitimately use Google-hosted services, unless they're doing work for Google. It would be a huge violation of confidentiality.
In Silicon Valley, where many lawyers are doing work adverse to Google, absolutely no way would this be tolerated. Even Microsoft Windows Update makes some lawyers nervous.
Re: (Score:3, Insightful)
Do you abandon confidentiality for Google apps? (Score:2)
Their policy suggests not [google.com].
Perhaps a Google engineer somewhere can "read your stuff" but only in the same sense that you could as the person administering your clients mail. Is that a worry? I'd expect Google have a lot more to lose if such a privacy breach happened than you, their whole apps hosting business would evaporate.
That said, if there are specific legal requirements for your industry you'd need to evaluate on those specific requirements not on what a random guy on Slash
Searched Google for ya' (Score:2)
What does the fed do? (Score:4, Informative)
Another thought (Score:2)
I just had another thought on this.
Assuming you cover yourself properly from legal liability, do whatever your clients want... Then turn them all into the HIPAA police (I know there aren't HIPAA police... I have no idea who does the enforcement actions; you get the idea) for some sort of reward.
Professional responsibility (Score:3, Interesting)
It is not your job to educate them on their professional responsibilities. Odds are very good that you aren't competent to advise them on it, and it would arguably be a violation of their canons of ethics to take advice from you. Lawyers and doctors have ethics committees to field questions like these: refer your users to them.
In the interim, stand by your guns. If your users say they'll go to the ethics committee and they're sure they'll be exonerated, propose this as a hypothetical question: if you give privileged documents to an uninvolved third party, is the veil of privilege pierced? Yes or no? (The answer is usually "yes"; exceptions are rare.) So, if you give privileged documents to Google, is the veil of privilege pierced?
Don't give advice. Just ask questions, and whatever you do, don't give in.
Hosting providers? (Score:5, Insightful)
I think there are three classes of company for the purposes of this discussion:
If you trust shared hosting providers; you shouldn't care about the Google employees who can access your data
If you trust managed hosting providers like Rackspace, particularly if they're hosting virtualised servers for you; you probably shouln't care about Google employees with access to your data.
If you don't trust managed hosting providers; well you're probably not reading this from the office, and Google Apps doesn't get a look in.
I'd say most companies fall into the second.
are you nuts? (Score:2)
don't even THINK about outsourcing that.
yes, giving it to google is outsourcing. what, you thought.....
you didn't think.
THINK.
keep the network OFF your medical (etc) files. sheesh! this is 101 level, people. come on.
let me be very clear; you do not want to put medical, legal or ANY sensitive info 'in the cloud'. anyone's cloud.
got it?
its very simple.
Google's not interested in our email/calendar. (Score:3, Insightful)
if you're paying them, why not? (Score:2)
If they don't care why do you? (Score:2)
Sure, explain the risks, and recommend they run the idea past their lawyers.
It's their risk to take, and look at it from their perspective; they're already trusting you with their data. Why should they trust Google, with it's nigh infinitely deep and sueable pockets, less than they trust you?
Google is evil (Score:2)
Re: (Score:2)
Re:Slashdot layout broken AGAIN (Score:4, Funny)
Why does the story header appear *red* instead of the usual green? (Firefox 3.5 on Vista)
It does that when the story is brand spanking new, I think. It means you're getting the freshest of slashdot's offerings, rejoice!
Re:Slashdot layout broken AGAIN (Score:4, Funny)
Re: (Score:2, Offtopic)
Totally off-topic, I know. But it irks me that when we bring up a display issue, our reflex is to mention our browser AND our operating system.
Just goes to show that we are nowhere near any kind of usable standards for browsers like the kind that's been envisioned for a decade (or more!).
Re: (Score:2)
Re: (Score:2)
Re:No (Score:5, Insightful)
Agreed. Also online aps are more-expensive longterm. For example I purchased Microsoft Office 97, and I'm still using it 12 years later, which is an annual cost of just ~$12. Online aps have significantly higher fees than that.
There's also the advantage of owning the software. If for example you develop a design, you can archive both the design and the tools so they can still be used 15-20 years from now and "resurrected" from the basement. You can't do that with online aps which are constantly updated with no way to "freeze" a tool at a certain point.
Re:No (Score:5, Insightful)
Agreed. Also online aps are more-expensive longterm. For example I purchased Microsoft Office 97, and I'm still using it 12 years later, which is an annual cost of just ~$12. Online aps have significantly higher fees than that.
.
Do you really think it's wise or responsible to be using a piece of closed-source software (and one not known for its security, to say the least) so many years after the vendor has stopped supporting or releasing patches for it, and for which known exploits are in the wild?
.
In what way does, for example, Google Apps Standard Edition ($0/year), cost more -- either up-front or in the long term?
.
Do you not think using current tools at the time to produce a file, then ensuring the file is stored in an industry-standard open file format (such as ODF, RTF, plain text, HTML, TeX, or PDF -- or even better, more than one), is an acceptable archive, without needing to also archive a copy of (or later run) a dated (and bug-ridden and proprietary, in this case) application along with it -- which may not even run on machines "15 or 20 years" later, as you mention?
Re:No (Score:5, Insightful)
Do you really think it's wise or responsible to be using a piece of closed-source software (and one not known for its security, to say the least) so many years after the vendor has stopped supporting or releasing patches for it, and for which known exploits are in the wild?
Word/Excel/Powerpoint? I really wouldn't worry about it, as long as they meet his needs. (Although, I'd consider giving OO.o a try.)
Outlook - yeah, I'd suggest he pony up for a new copy, or switch to something else.
In what way does, for example, Google Apps Standard Edition ($0/year), cost more -- either up-front or in the long term?
Lost productivity.
1) Lost productivity when the local ISP or some some intermediate router is down? Multiply by each user. (In a lot of places that's pretty significant. Lots of places suffer multiple hours of network down time / flaky internet every month.)
2) Lost productivity as your employees are clicking on google ads and browsing online when they should be working on that spreadsheet or word document, or simply lost productivity as the ads become insufferably intrusive and distracting.
Think about it... you are getting standard edition for "free". Google wouldn't do unless some non-trivial number of users is READING and CLICKING on those ads. If your secretary is working on a budget spreadsheet, and gets distracted by an google ad in the corner of her spreadsheet, gets distracted and clicks on it, and goes browsing for 20 minutes as a result... that costs you money. And THAT is PRECISELY what your beloved partner google is counting on. THAT is their entire business model. Give you the app for free, and then extract a profit by luring your staff to click ads instead of work.
Now you might counter that google ads are unobtrusive and easily ignored. That's true to a point, but I find adds in my productivity apps VERY distracting; far more than I do on the web. I personally won't use ad supported software, but don't find them nearly so distracting on the web. Maybe its just me... But face facts google is a multi-billion dollar advertising company as direct result of people not ignoring those ads. So the ads =DO= work. Maybe YOU don't click them, but SOMEBODY is. And every time they work on someone in your company they cost you money.
I don't object to google apps for home and noncommercial use, and their 'premium' stuff is ad free, as you are now paying them directly for service.
But a business owner who gets his staff to use standard edition? Its idiotic... what's next? Will you switch to "free" printer toner from the Jehova's Witnesses, and in exchange they'll have witnesses wander around your office to spread the good news?
Do you not think using current tools at the time to produce a file, then ensuring the file is stored in an industry-standard open file format (such as ODF, RTF, plain text, HTML, TeX, or PDF -- or even better, more than one), is an acceptable archive, without needing to also archive a copy of (or later run) a dated (and bug-ridden and proprietary, in this case) application along with it -- which may not even run on machines "15 or 20 years" later, as you mention?
What makes you so confident ODF will be readable in 20 years by Google Apps, or that a google apps will even exist? All ODF being a standard ensures is that you WILL be able to write something that can read it 20 years from now, because the specification is documented and public. There is no gaurantee google apps or anything else will run it 20 years from now. And if you are looking to archive ODF, you should probably make a point of storing something that can actually read it too, ideally along with its source, unless you want to gamble on having to implement something yourself from scratch 20 years from now.
Google apps doesn't enable you to avoid making your own backups, and if anything google apps, makes it slightly more complicated. Google apps could disappear tomorrow (unlikely in the immediate future, but possible, and who knows what the more distant future holds; companies have been shut off before), so not only do you need backups, but you should have some means of reading them too... because you can't rely on google apps being available or supporting the files.
Re:No (Score:5, Insightful)
You forgot the other side of the coin:
Many people seem to believe that using something like Google Docs is just like using MS Office, but the reality is that it's fundamentally different in many ways. Nearly ubiquitous accessibility, collaborative tools, change history, backups, etc. The amount of productivity and work that saves alone is WAY more than any time you could lose due to advertising in my estimation. Your comparison is absurd and poorly thought out as well, because "getting toner from Jehovah's Witnesses does not give you any benefit other than getting it for free. Using cloud authoring software compared to personal software is COMPLETELY different for the reasons I listed above and others.
The fact is that neither one is REALLY better than the other, it all depends on the task at hand, as both approches have their strengths and weaknesses. If I'm just writing a quick letter, then I'm going to use Word or OO, but if the file itself is going to be used over an extended period of time, and especially viewed or contributed to by others, I find it makes more sense to use Google Docs.
Plus, I can't count how many times I've worked with a team on something and wound up using a Google Doc as what essentially amounts to a massive whiteboard to outline our plan of attack and add our ideas and solutions to the task at hand, as well as comment on others.
Re: (Score:3, Insightful)
1. Lost productivity due to forgetting the thumb drive with your work at home
2. Lost productivity due to your company's internal network going down
3. Lost work due to a hard drive failure
4. Lost work AND productivity due to computer theft
5. Lost work AND productivity due to accidental overwrite of a shared file on a network drive
6. Lost work AND productivity due to malicious code (viruses, trojans, et al)
7. Lost productivity due to most software's inability to provide a decent collaborative environment
2,3,4
Re: (Score:3, Interesting)
I can agree with that, to a point, based on pure productivity/cost. But when you factor in legal implications, change control, training, and so forth, I don't think its sane for most businesses to use cloud apps in the vast majority of situations.
You're thinking like a techie, and probably a sysadmin there, and not like a businessman.
Re:No (Score:4, Insightful)
1) Lost productivity when the local ISP or some some intermediate router is down? Multiply by each user. (In a lot of places that's pretty significant. Lots of places suffer multiple hours of network down time / flaky internet every month.)
Google Chrome supports offline use of google apps.
2) Lost productivity as your employees are clicking on google ads and browsing online when they should be working on that spreadsheet or word document, or simply lost productivity as the ads become insufferably intrusive and distracting.
Only the standard free version is ad based. If you upgrade to the premium the ads are gone. For anything serious like outlook integration, you need google apps premium.
Re:No (Score:4, Insightful)
That would never work for our military projects. Everything has to stay within the building's walls, including email.
Re: (Score:3, Funny)
Your walls [photobucket.com] mean nothing to us.
Re: (Score:3, Informative)
Re:No (Score:5, Insightful)
pgp is fine for a small practice to use between say the receptionist and the doctor. the problem with using pgp to obtain your confidentiality with respect to HIPAA is that emails sent from outside sources (e.g. patients) are subject to HIPAA as well, and unless you can convince all their customers to use pgp, that'll never work.
My advice for the original asker is to take a firm stand with your clients. If there is any way that they can pin the liability on you for recommending use of google apps or other online services they will when the lawyers come knocking. I suggest you strongly recommend against it, in writing, and keep that recommendation on file.
Re:No (Score:4, Informative)