Google Health - NYHIMA


Transcript of Google Health - NYHIMA

Page 1: Google Health - NYHIMA

Proprietary and Confidential © 2010 Brainlink International, Inc. www.brainlink.com | [email protected] | 917.685.7731

DISCLAIMER: I am not a lawyer. This is not legal advice. These are my personal opinions. Use at your own risk.

Brainlink International, Inc. - IT Management & Solutions

Google Health's Impact on Compliance and Patient Care

Raj Goel, CISSP
Chief Technology Officer, Brainlink International, Inc.

Page 2: Google Health - NYHIMA


Google Health's Impact on Healthcare

It's going to be HUGE.

Gmail-like huge. TRW/Equifax/Experian Huge.

Current Partners:

- AllScripts
- Beth Israel Deaconess Medical Center
- Blue Cross Blue Shield of MA
- The Cleveland Clinic
- CVS, CVS CareMark
- Medco Health Solutions
- Quest Diagnostics
- Walgreens
- Kmart Pharmacy
- and others

Consumer Products:

WiScale bathroom scale connects to GH. Track weight + BMI for 8 family members. - www.withings.com

Page 3: Google Health - NYHIMA


1936 - SSNs established
1938 - Wallet manufacturer includes secretary's SSN card inside a wallet. 40,000 people thought it was their SSN.
Pre-1986 - kids under 14 yrs not required
Post-1990 - Kids get SSN # with Birth Certificate

http://en.wikipedia.org/wiki/Social_Security_number

Page 4: Google Health - NYHIMA


Did I say TRW/Equifax/Experian Huge?

Error-prone and user-unfriendly. Just like your credit profiles.

Why?

GH imports medical records with INSURANCE BILLING CODES, not diagnoses.

Hmm...how many tests does your organization perform on a patient to RULE OUT conditions? Or to avoid malpractice lawsuits?

GH (currently) can't differentiate between a test ordered to rule out a condition and an actual diagnosis.

How many procedures are billed using different billing codes? Sometimes, an office visit isn't just an office visit... or a stress test just a stress test.

Page 5: Google Health - NYHIMA


Your users & staff will want it...anyway

It's got that “Don't Be Evil” halo effect.

If it's Google, it's got to be great (Google in 2010 == IBM 1960s)

Google has trained an entire generation to give away their privacy and legal rights for convenience.

The fragmented landscape of healthcare IT and its differing agendas have left healthcare stuck in the 1970s in terms of convenience and user-friendliness.

Healthcare IT 2010 == Bank IT 1970. Pre ATMs, pre-online banking, pre-debit cards, pre-gift cards, pre-online bill payments, etc.

Page 6: Google Health - NYHIMA


ISO 8583 - Standard for financial transaction card-originated messages (ATM and POS transactions). Versions: 1987, 1993, 2003.

Each organization maps their data to the standard when communicating with other firms. Exactly what Healthcare has been trying to do for 20+ years.

Page 7: Google Health - NYHIMA


How is Google Marketing Google Health?

Currently, working with selected organizations.

Employees and Patients of these organizations are invited to use GH.

Same marketing model as Gmail or Google Talk. Early adopters get invites which are “limited” in quantity. Over time, everyone who wants it will get it.

Microsoft HealthVault and GoogleHealth use similar models.

Walmart, and other large corporations (Intel, AT&T, Pitney-Bowes, Sanofi-Aventis, etc), are testing/using/rolling out Dossia to their employees.

Page 8: Google Health - NYHIMA


What's wrong with Google Health? GH Privacy Policy

3. Google will use aggregate data to publish trend statistics and associations. For example, Google might publish trend data similar to what is published in Google Trends. None of this data can be used to personally identify an individual.

4. Certain features of Google Health can be used in conjunction with other Google products, and those features may share information to provide a better user experience and to improve the quality of our services. For example, Google Health can help you save your doctors' contact information into your Google Contact List.

- http://www.google.com/intl/en-US/health/privacy.html Feb 16, 2010

Page 9: Google Health - NYHIMA


These 3rd parties and subsidiaries are NOT enumerated.

One of Google’s subsidiaries is DoubleClick – one of the reasons HIPAA Privacy & Security rules were created was to protect healthcare data from marketers like DoubleClick.

Page 10: Google Health - NYHIMA


Google Health's Terms

4. Use of Your Information

If you create, transmit, or display health or other information while using Google Health, you may provide only information that you own or have the right to use. When you provide your information through Google Health, you give Google a license to use and distribute it in connection with Google Health and other Google services. However, Google may only use health information you provide as permitted by the Google Health Privacy Policy, your Sharing Authorization, and applicable law. Google is not a "covered entity" under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder ("HIPAA"). As a result, HIPAA does not apply to the transmission of health information by Google to any third party.

- http://www.google.com/intl/en-US/health/terms.html Feb 16, 2010

Page 11: Google Health - NYHIMA


Google Flu Trends

Google Flu Trends: Google automatically analyzes the search queries for “flu”, “influenza”, etc. and displays charts of aggregate data. Hmm – search terms are a good indicator of flu infections! The data correlates to CDC data. Google released data for the past 6 years.

Page 12: Google Health - NYHIMA


Search for “dark web”

Page 13: Google Health - NYHIMA


ECPA – Electronic Communications Privacy Act (1986)

ECPA declared that e-mail was a private means of communication, and that we might hope for the same level of privacy in it as we have in phone calls and letters. Among other things, it means that police need a wiretap warrant to read your e-mails, and that your e-mail company's employees can't disclose your e-mails to others.

[...] E-mail in transit is protected, but those in law enforcement advocate that once mail is processed and stored, it is no longer the same private letter, but simply a database service.

GMail's big selling point is that they don't simply deliver your mail. They store it for you, and they index it so you can search it.

- Brad Templeton, Chairman of the Electronic Frontier Foundation, http://www.templetons.com/brad/gmail.html

Page 14: Google Health - NYHIMA


FBI Abuses Patriot Act
http://www.nytimes.com/2007/03/10/washington/10fbi.html

Sprint received 8 MILLION law enforcement requests in 13 months
http://www.eff.org/deeplinks/2009/12/surveillance-shocker-sprint-received-8-million-law

Your Identity for Sale
http://money.cnn.com/2005/05/09/pf/security_info_profit/index.htm

Google "FBI buys data from private sector"

Page 15: Google Health - NYHIMA


ECPA – Disclosure Rules

• Compelled Disclosure Rules in 18 U.S.C. § 2703

• Section 2703 mandates different standards the government must satisfy to compel different types of communications. To compel a provider of ECS to disclose contents of communications in its possession that are in temporary “electronic storage” for 180 days or less, the government must obtain a search warrant. To compel a provider of ECS to disclose contents in electronic storage for greater than 180 days or to compel a provider of RCS to disclose contents, the government has three options.

• First, the government can obtain a search warrant.

• Alternatively, investigators can use less process than a warrant, as long as they combine that process with prior notice.

• Specifically, the government can use either a subpoena or a “specific and articulable facts” court order pursuant to 18 U.S.C. § 2703(d), combined with prior notice to the “subscriber or customer” (which can be delayed in some circumstances). The court order found in § 2703(d), often referred to as a “2703(d)” order or simply a “d” order, is something like a mix between a subpoena and a search warrant. To obtain the order, the government must provide “specific and articulable facts showing that there are reasonable grounds to believe” that the information to be compelled is “relevant and material to an ongoing criminal investigation.” If the judge finds that the factual showing has been made, the judge signs the order. The order is then served like an ordinary subpoena; investigators bring or fax the order to the ISP, and the ISP complies by turning over the information to the investigators.

- Professor Orin Kerr, George Washington University Law School, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=421860

TRANSLATION: After 180 days, Government access to your Gmail, Hotmail, Yahoo Mail, etc. becomes significantly easier.

Page 16: Google Health - NYHIMA


CSOs and CPOs should know about ECPA.

Employees are forwarding emails to Gmail because it is fast, easy to use and has copious capacity. The opposite of most corporate email systems.

How many of your employees are forwarding emails to Gmail/Yahoo/Hotmail right now?
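One way to answer that question from the mail gateway's own logs, as an added example that is not part of the original presentation: the script below scans delivery records for messages sent by internal users to consumer webmail domains and counts them per sender. The log lines are constructed, Postfix-like samples, and `hospital.example` and the webmail domain list are assumptions; adapt the regex and the domain lists to your own MTA and policy.

```python
"""Flag internal senders whose mail is being relayed to consumer webmail
domains, from mail-server delivery log lines.

Added example, not part of the original presentation. The log format is a
constructed, Postfix-like "message delivered" line; adapt LINE_RE to your
own MTA's log format.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic). One line per delivery attempt.
SAMPLE_LOG = """\
Feb 16 09:01:12 mx1 postfix/smtp[1234]: 3A2B1C: from=<nurse.jones@hospital.example>, to=<nurse.jones@gmail.com>, relay=gmail-smtp-in.l.google.com[1.2.3.4], status=sent (250 OK)
Feb 16 09:01:15 mx1 postfix/smtp[1234]: 3A2B1D: from=<nurse.jones@hospital.example>, to=<dr.smith@hospital.example>, relay=exch01.hospital.example[10.0.0.5], status=sent (250 OK)
Feb 16 09:02:40 mx1 postfix/smtp[1235]: 3A2B1E: from=<billing@hospital.example>, to=<billing.backup@yahoo.com>, relay=mta5.am0.yahoodns.net[5.6.7.8], status=sent (250 OK)
Feb 16 09:03:01 mx1 postfix/smtp[1235]: 3A2B1F: from=<nurse.jones@hospital.example>, to=<nurse.jones@gmail.com>, relay=gmail-smtp-in.l.google.com[1.2.3.4], status=sent (250 OK)
Feb 16 09:04:22 mx1 postfix/smtp[1236]: 3A2B20: from=<vendor@supplier.example>, to=<admin@hospital.example>, relay=exch01.hospital.example[10.0.0.5], status=sent (250 OK)
Feb 16 09:05:10 mx1 postfix/smtp[1236]: 3A2B21: from=<hr@hospital.example>, to=<someone@hotmail.com>, relay=hotmail-com.olc.protection.outlook.com[9.9.9.9], status=bounced (550 no such user)
"""

INTERNAL_DOMAIN = "hospital.example"  # assumed: your own mail domain
WEBMAIL_DOMAINS = {"gmail.com", "googlemail.com", "yahoo.com", "hotmail.com",
                   "live.com", "outlook.com", "aol.com"}  # assumed policy list

# Pull sender, recipient and final delivery status out of one delivery line.
LINE_RE = re.compile(
    r"from=<(?P<sender>[^>]*)>, to=<(?P<rcpt>[^>]*)>, .*status=(?P<status>\w+)"
)


def parse_line(line):
    """Return (sender, recipient, status) or None if the line is not a delivery record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("sender").lower(), m.group("rcpt").lower(), m.group("status")


def domain_of(addr):
    """Domain part of an address, '' if there is none."""
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def find_webmail_forwarders(log_text, internal_domain=INTERNAL_DOMAIN,
                            webmail_domains=WEBMAIL_DOMAINS):
    """Count, per internal sender, messages successfully delivered to webmail domains.

    Only status=sent counts: a bounced message left no copy at the provider.
    External senders are ignored; the question is what leaves your domain.
    Returns {sender: {webmail_domain: count}}.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sender, rcpt, status = rec
        if status != "sent" or domain_of(sender) != internal_domain:
            continue
        rdom = domain_of(rcpt)
        if rdom in webmail_domains:
            hits[sender][rdom] += 1
    return {s: dict(d) for s, d in hits.items()}


def report(hits):
    """One line per sender, busiest first."""
    lines = []
    for sender, doms in sorted(hits.items(), key=lambda kv: -sum(kv[1].values())):
        total = sum(doms.values())
        detail = ", ".join(f"{d}={n}" for d, n in sorted(doms.items()))
        lines.append(f"{sender}: {total} message(s) to webmail ({detail})")
    return lines


if __name__ == "__main__":
    for line in report(find_webmail_forwarders(SAMPLE_LOG)):
        print(line)
```

This catches manual forwards and server-side auto-forward rules at the moment they fire. A rule that has not fired yet leaves nothing in the delivery log, so the rules themselves (Exchange transport rules, user inbox rules, hosted-mail forwarding settings) should be audited on the mail server as well.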

Page 17: Google Health - NYHIMA


Shameless Self-Promo!!

Brainlink provides HIPAA, PCI-DSS and State Privacy Breach law compliance audits

Information Security Audits

IT Consulting for Healthcare

If you like what you're hearing, hire us!

www.brainlink.com

Page 18: Google Health - NYHIMA


US vs WARSHAK

US Gov't claims:

“users of ISPs don't have a reasonable expectation of privacy”

“Many employees are provided with e-mail and Internet services by their employers. ... [Court] orders directed to the email of employees who have waived any possible expectation of privacy do not violate the Fourth Amendment.”

“some email accounts are abandoned, as when an account holder stops paying for the service [or dies] and the account is cancelled.” There “can be no reasonable expectation of privacy in such accounts.”

“... hackers may obtain internet services and email accounts using stolen credit cards. Hackers maintain no reasonable expectation of privacy in such accounts.”

- http://www.theregister.com/2007/11/04/4th-amendment_email_privacy/

So, where is your email hosted? Do the terms of service specify privacy and ownership? What about your clients, partners or vendors?

Page 19: Google Health - NYHIMA


US v Warshak could set the benchmark for online privacy expectations.

Page 20: Google Health - NYHIMA


Hackers transfer $378,000 from Poughkeepsie to Ukraine
http://www.finextra.com/News/fullstory.aspx?newsitemid=21055

ATM hackers steal $9 Million in 1 day
http://www.wired.com/threatlevel/2009/02/atm/

Banking Trojan steals $438,000
http://news.cnet.com/8301-27080_3-10363836-245.html

Bank Of America vs. Lopez
http://www.americanbanker.com/usb_issues/115_4/-246231-1.html

Read “Trends in Financial Crimes”
http://www.brainlink.com/news/159/24/InfoSecurity-Issue-7---Trends-In-Financial-Crimes.html

Page 21: Google Health - NYHIMA


Threats

Gmail, Facebook, MySpace, etc. take advantage of the ignorance of kids, senior citizens and society at large to trade long-term privacy for online games, convenience and "fun".

What looks cute today will become embarrassing 20 years down the road.

Topless pictures, angry rants, teenage pranks, etc.

Except, on the web, NOTHING ever gets deleted.

Page 22: Google Health - NYHIMA


Users treat their computers like cars.

They assume there's a lemon law for software, or a seatbelt protecting them from themselves.

Nothing could be further from the truth.

Page 23: Google Health - NYHIMA


Threats - Your current users!

Google Toolbar, Desktop, Picasa, etc are being installed with free Software:

- Firefox, CCleaner, Foxit Reader, etc.

An entire ecosystem of “free” software now installs Google's products.

What about software loads being shipped by vendors – Dell, HP, etc?

What's your desktop policy? How are you coping with the demand for widgets and desktop eye-candy? Do you allow users to siphon emails to Gmail?

Are you SURE they aren't doing it anyway?

Google “enhances” their products with new features – Google Buzz

Flaws in Google's products – XSS flaws, poor design, etc.

Page 24: Google Health - NYHIMA


Why does a PDF reader install a virus scanner?

Do you allow your users to install software?
Can you roll back user installations?
Can you find rogue software installations?

Unlike desktop applications, where you control when updates get applied, Web 2.0 applications can add features, change privacy policies, etc. at anytime, outside your control.

Woman loses job after tweeting to Governor Barbour
http://www.wlbt.com/Global/story.asp?S=11713360
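A check for the "can you find rogue software installations?" question, as an added example that is not part of the original presentation: the script reads a constructed software-inventory export (the host/product/publisher/version/install_date columns an asset tool typically produces), lists everything not on an approved list, and pairs Google add-ons with a known free-software installer that landed on the same host on the same day, the bundling pattern the slide describes. The approved list, the bundler list, the publisher list and the inventory rows are all assumptions.

```python
"""Find unapproved and bundled desktop software in a software-inventory export.

Added example, not from the original presentation. Reads a constructed CSV
(host, product, publisher, version, install_date), compares it with an
assumed approved-software list, and flags add-ons installed on the same
host on the same day as a known installer that ships them.
"""
import csv
import io
from collections import defaultdict

# Constructed inventory export (not real data).
SAMPLE_INVENTORY = """\
host,product,publisher,version,install_date
WS-101,Mozilla Firefox,Mozilla,3.6,2010-02-10
WS-101,Google Toolbar for Internet Explorer,Google Inc.,6.4,2010-02-10
WS-101,Microsoft Office Professional 2007,Microsoft Corporation,12.0,2009-08-01
WS-102,CCleaner,Piriform,2.28,2010-02-12
WS-102,Google Desktop,Google Inc.,5.9,2010-02-12
WS-102,Picasa 3,Google Inc.,3.6,2010-01-05
WS-103,Foxit Reader,Foxit Software,3.2,2010-02-14
WS-103,Microsoft Office Professional 2007,Microsoft Corporation,12.0,2009-08-01
"""

# Assumed approved list: (product, publisher) pairs, version-agnostic.
APPROVED = {
    ("Mozilla Firefox", "Mozilla"),
    ("Microsoft Office Professional 2007", "Microsoft Corporation"),
    ("Foxit Reader", "Foxit Software"),
    ("CCleaner", "Piriform"),
}

# Assumed: free installers that offer Google add-ons, per the slide, and the
# publisher whose products those add-ons carry.
KNOWN_BUNDLERS = {"Mozilla Firefox", "CCleaner", "Foxit Reader"}
BUNDLED_PUBLISHERS = {"Google Inc."}


def load_inventory(csv_text):
    """Parse the export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_unapproved(rows, approved=APPROVED):
    """Rows whose (product, publisher) pair is not on the approved list."""
    return [r for r in rows if (r["product"], r["publisher"]) not in approved]


def find_bundled(rows, bundlers=KNOWN_BUNDLERS, bundled_publishers=BUNDLED_PUBLISHERS):
    """Pair each add-on from a bundled publisher with a known bundler installed
    on the same host on the same day. Returns sorted [(host, addon, bundler)]."""
    by_host_day = defaultdict(list)
    for r in rows:
        by_host_day[(r["host"], r["install_date"])].append(r)
    pairs = []
    for (host, _day), group in by_host_day.items():
        bundlers_here = [r["product"] for r in group if r["product"] in bundlers]
        addons = [r["product"] for r in group if r["publisher"] in bundled_publishers]
        for addon in addons:
            for b in bundlers_here:
                pairs.append((host, addon, b))
    return sorted(pairs)


def summarize(rows):
    """Unapproved products grouped by host, plus the same-day bundling pairs."""
    per_host = defaultdict(list)
    for r in find_unapproved(rows):
        per_host[r["host"]].append(r["product"])
    return {"unapproved_by_host": dict(per_host), "bundled": find_bundled(rows)}


if __name__ == "__main__":
    summary = summarize(load_inventory(SAMPLE_INVENTORY))
    for host, prods in sorted(summary["unapproved_by_host"].items()):
        print(f"{host}: unapproved -> {', '.join(prods)}")
    for host, addon, bundler in summary["bundled"]:
        print(f"{host}: {addon} installed the same day as {bundler}")
```

The same-day heuristic is deliberately loose: it will also pair an add-on a user installed by hand the same afternoon, so treat a match as a lead for a roll-back review, not proof. Picasa on WS-102 is reported as unapproved but not as bundled, because nothing on the bundler list was installed on that host that day. The approved match ignores version; add a version constraint if your policy pins versions.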

Page 25: Google Health - NYHIMA


People like new technology, new tools.

However, they don't always understand the risks involved.

Web-based applications are integrating with each other (OpenSocial, OpenID, eBay + PayPal, etc.)
- Google Buzz merges social networking with contacts

Desktop tools are integrating with online systems
- Google Desktop, Picasa, etc.
- Office 2010 with Facebook & Twitter integration

Page 26: Google Health - NYHIMA


Other Threats - Online profiles

What about your kids?

(you know, the future interns, tomorrow's new hires, your future boss...)

- Gmail @ School

- Facebook disclosures: “For Some, Online Persona Undermines a Résumé”

“At Facebook, a popular social networking site, the executive found the candidate's Web page with this description of his interests: "smokin' blunts" (cigars hollowed out and stuffed with marijuana), shooting people and obsessive sex, all described in vivid slang.

It did not matter that the student was clearly posturing. He was done. "A lot of it makes me think, what kind of judgment does this person have?" said the company's president, Brad Karsh. "Why are you allowing this to be viewed publicly, effectively, or semipublicly?"

At New York University, recruiters from about 30 companies told career counselors that they were looking at the sites, said Trudy G. Steinfeld, executive director of the center for career development.”

– http://www.nytimes.com/2006/06/11/us/11recruit.html?ex=1307678400&en=ddfbe1e3b386090b&ei=5090

Page 27: Google Health - NYHIMA


You can purchase a person's online profile report that consolidates information from various social networks, credit reports, etc. in a single document.

Recruiters are vetting online profiles when interviewing or submitting candidates.

Page 28: Google Health - NYHIMA


Does your HIPAA Compliance Policy, or Employee handbook, have a procedure for dealing with online postings regarding terminations?

How soon after termination can they post on Twitter or Facebook, or otherwise advertise their new, unemployed, status?

Page 29: Google Health - NYHIMA


Recommended Reading

• http://www.brainlink.com/news/138/24/Is-Your-Company-Googling-its-Security-and-Privacy-Away-Raj-Goel-investigates.html

• http://www.brainlink.com/news/150/24/InfoSecurity-Issue-6----DATA-LEAK-Googling-AWAY-your-Security-and-Privacy.html

• http://www.eff.org/cases/warshak-v-usa

• http://blog.jayparkinsonmd.com/post/92060107/the-promise-of-google-health-and-data-liquidity-in

• http://google.about.com/od/experimentalgoogletools/qt/GoogleFluTrends.htm

Page 30: Google Health - NYHIMA


Summary

Neither you, nor your patients, own this data. Google does.

A flaw in ANY of Google's or a 3rd party's applications can expose health care data.

This sets the stage for ID theft, insurance theft, employment denials and increased government and corporate surveillance like nothing else.

PHRs stand HIPAA on its head – they invert the founding principles.

GH is a PHR, NOT an EMR. PHR is a HIPAA/HITECH loophole you could drive a battleship through.

Page 31: Google Health - NYHIMA


EMR – Electronic Medical Record – software deployed by the covered entity.

PMR/PHR – Personal Medical/Health Record – software adopted by patients to self-manage their medical records.

Page 32: Google Health - NYHIMA


Raj Goel, CISSP

Raj Goel, CISSP, is an Oracle and Solaris expert and he has over 22 years of experience in software development, systems, networks, communications and security for the financial, banking, insurance, health care and pharmaceutical industries. Raj is a regular speaker on HIPAA, Sarbanes-Oxley, PCI-DSS credit card security, information security and other technology and business issues, addressing diverse audiences including technologists, policy-makers, front-line workers and corporate executives.

He also works with community and professional organizations such as InfraGard, ISC2, TibetAid.org, and the Association of Cancer Online Resources - ACOR.org.

A nationally known expert, Raj has appeared in over 20 magazine and newspaper articles worldwide, including Entrepreneur Magazine, Business2.0 and InformationWeek, and on television including CNNfn and Geraldo At Large.

Page 33: Google Health - NYHIMA


Contact Information

Raj Goel, CISSP
Chief Technology Officer

Brainlink International, Inc.

C: 917-685-7731

[email protected]

www.brainlink.com

www.linkedin.com/in/rajgoel