Google Health - NYHIMA
Transcript

  • 1. Google Health's Impact on Compliance and Patient Care
    Raj Goel, CISSP
    Chief Technology Officer, Brainlink International, Inc.
  • 2-3. Google Health's Impact on Healthcare
    - It's going to be HUGE. Gmail-like huge. TRW/Equifax/Experian huge.
    - Current partners: AllScripts, Beth Israel Deaconess Medical Center, Blue Cross Blue Shield of MA, The Cleveland Clinic, CVS, CVS CareMark, Medco Health Solutions, Quest Diagnostics, Walgreens, Kmart Pharmacy and others.
    - Consumer products: the WiScale bathroom scale connects to GH and tracks weight + BMI for 8 family members. - www.withings.com
    Notes (slide 3): 1936 - SSNs established. 1938 - A wallet manufacturer includes its secretary's SSN card inside a wallet; 40,000 people thought it was their SSN. Pre-1986 - kids under 14 yrs not required to have one. Post-1990 - kids get an SSN with their birth certificate. http://en.wikipedia.org/wiki/Social_Security_number
  • 4. Did I say TRW/Equifax/Experian Huge?
    - Error-prone and user-unfriendly. Just like your credit profiles.
    - Why? GH imports medical records with INSURANCE BILLING CODES, not diagnoses.
    - Hmm... how many tests does your organization perform on a patient to RULE OUT conditions? Or to avoid malpractice lawsuits?
    - GH (currently) can't differentiate between a test to rule out a condition and the actual diagnosis.
    - How many procedures are billed using different billing codes? Sometimes, an office visit isn't just an office visit... or a stress test.
  • 5-6. Your users & staff will want it... anyway
    - It's got that “Don't Be Evil” halo effect.
    - If it's Google, it's got to be great (Google in 2010 == IBM 1960s).
    - Google has trained an entire generation to give away their privacy and legal rights for convenience.
    - The fragmented landscape of healthcare IT, and the differing agendas, have left healthcare stuck in the 1970s in terms of convenience and user-friendliness.
    - Healthcare IT 2010 == Bank IT 1970. Pre-ATMs, pre-online banking, pre-debit cards, pre-gift cards, pre-online bill payments, etc.
    Notes (slide 6): ISO 8583 - Standard for ATM transactions (1987 version, 1993 version, 2003 version). Each organization maps their data to the standard when communicating with other firms. Exactly what healthcare has been trying to do for 20+ years.
  • 7. How is Google Marketing Google Health?
    Currently, working with selected organizations. Employees and patients of these organizations are invited to use GH. Same marketing model as Gmail or GoogleTalk: early adopters get invites which are “limited” in quantity. Over time, everyone who wants it will get it. Microsoft HealthVault and Google Health use similar models. Walmart and other large corporations (Intel, AT&T, Pitney-Bowes, Sanofi-Aventis, etc.) are testing/using/rolling out Dossia to their employees.
  • 8-9. What's wrong with Google Health? GH Privacy Policy
    - 3. Google will use aggregate data to publish trend statistics and associations. For example, Google might publish trend data similar to what is published in Google Trends. None of this data can be used to personally identify an individual.
    - 4. Certain features of Google Health can be used in conjunction with other Google products, and those features may share information to provide a better user experience and to improve the quality of our services. For example, Google Health can help you save your doctors' contact information into your Google Contact List.
    - http://www.google.com/intl/en-US/health/privacy.html Feb 16, 2010
    Notes (slide 9): These 3rd parties and subsidiaries are NOT enumerated. One of Google's subsidiaries is DoubleClick; one of the reasons the HIPAA Privacy & Security rules were created was to protect healthcare data from marketers like DoubleClick.
  • 10. Google Health's Terms
    - 4. Use of Your Information
    - If you create, transmit, or display health or other information while using Google Health, you may provide only information that you own or have the right to use. When you provide your information through Google Health, you give Google a license to use and distribute it in connection with Google Health and other Google services. However, Google may only use health information you provide as permitted by the Google Health Privacy Policy, your Sharing Authorization, and applicable law. Google is not a "covered entity" under the Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder ("HIPAA"). As a result, HIPAA does not apply to the transmission of health information by Google to any third party.
    - http://www.google.com/intl/en-US/health/terms.html Feb 16, 2010
  • 11-12. Google Flu Trends
    - Google Flu Trends: Google automatically analyzes the search queries for “flu”, “influenza”, etc. and displays charts of aggregate data.
    - Hmm, search terms are a good indicator of flu infections!
    - Data correlates to CDC data. Google released data for the past 6 years.
    Notes (slide 12): Search for “dark web”.
  • 13-14. ECPA – Electronic Communications Privacy Act (1986)
    - ECPA declared that e-mail was a private means of communication, and that we might hope for the same level of privacy in it as we have in phone calls and letters. Among other things, it means that police need a wiretap warrant to read your e-mails, and that your e-mail company's employees can't disclose your e-mails to others.
    - [...] E-mail in transit is protected, but those in law enforcement advocate that once mail is processed and stored, it is no longer the same private letter, but simply a database service.
    - GMail's big selling point is that they don't simply deliver your mail. They store it for you, and they index it so you can search it.
    - Brad Templeton, Chairman of the Electronic Frontier Foundation, http://www.templetons.com/brad/gmail.html
    Notes (slide 14):
    - FBI Abuses Patriot Act: http://www.nytimes.com/2007/03/10/washington/10fbi.html
    - Sprint received 8 MILLION law enforcement requests in 13 months: http://www.eff.org/deeplinks/2009/12/surveillance-shocker-sprint-received-8-million-law
    - Your Identity for Sale: http://money.cnn.com/2005/05/09/pf/security_info_profit/index.htm
    - Google "FBI buys data from private sector"
  • 15-17. ECPA – Disclosure Rules
    - Compelled Disclosure Rules in 18 U.S.C. § 2703
    - Section 2703 mandates different standards the government must satisfy to compel different types of communications. To compel a provider of ECS to disclose contents of communications in its possession that are in temporary “electronic storage” for 180 days or less, the government must obtain a search warrant. To compel a provider of ECS to disclose contents in electronic storage for greater than 180 days or to compel a provider of RCS to disclose contents, the government has three options.
    - First, the government can obtain a search warrant.
    - Alternatively, investigators can use less process than a warrant, as long as they combine that process with prior notice.
    - Specifically, the government can use either a subpoena or a “specific and articulable facts” court order pursuant to 18 U.S.C. § 2703(d), combined with prior notice to the “subscriber or customer” (which can be delayed in some circumstances). The court order found in § 2703(d), often referred to as a “2703(d)” order or simply a “d” order, is something like a mix between a subpoena and a search warrant. To obtain the order, the government must provide “specific and articulable facts showing that there are reasonable grounds to believe” that the information to be compelled is “relevant and material to an ongoing criminal investigation.” If the judge finds that the factual showing has been made, the judge signs the order. The order is then served like an ordinary subpoena; investigators bring or fax the order to the ISP, and the ISP complies by turning over the information to the investigators.
    - http://papers.ssrn.com/sol3/papers.cfm?abstract_id=421860
    - Professor Orin Kerr, George Washington University Law School
    - TRANSLATION: After 180 days, government access to your Gmail, Hotmail, Yahoo Mail, etc. becomes significantly easier.
    Notes (slide 16): CSOs and CPOs should know about ECPA. Employees are forwarding emails to GMAIL because it is fast, easy to use and has copious capacity, the opposite of most corporate email systems. How many of your employees are forwarding emails to gmail/yahoo/hotmail right now?
    Notes (slide 17): Shameless Self-Promo!! Brainlink provides HIPAA, PCI-DSS and State Privacy Breach law compliance audits, information security audits and IT consulting for healthcare. If you like what you're hearing, hire us! www.brainlink.com
  • 18-20. US vs WARSHAK
    - US Gov't claims:
    - “users of ISPs don't have a reasonable expectation of privacy”
    - “Many employees are provided with e-mail and Internet services by their employers. ...[Court] orders directed to the email of employees who have waived any possible expectation of privacy do not violate the Fourth Amendment.”
    - "some email accounts are abandoned, as when an account holder stops paying for the service [or dies] and the account is cancelled." There "can be no reasonable expectation of privacy in such accounts."
    - “... hackers may obtain internet services and email accounts using stolen credit cards. Hackers maintain no reasonable expectation of privacy in such accounts.”
    - http://www.theregister.com/2007/11/04/4th-amendment_email_privacy/
    - So, where's your email hosted? Do the TOS specify privacy and ownership? What about your clients, partners or vendors?
    Notes (slide 19): US v Warshak could set the benchmark for online privacy expectations.
    Notes (slide 20):
    - Hackers transfer $378,000 from Poughkeepsie to Ukraine: http://www.finextra.com/News/fullstory.aspx?newsitemid=21055
    - ATM hackers steal $9 million in 1 day: http://www.wired.com/threatlevel/2009/02/atm/
    - Banking Trojan steals $438,000: http://news.cnet.com/8301-27080_3-10363836-245.html
    - Bank of America vs. Lopez: http://www.americanbanker.com/usb_issues/115_4/-246231-1.html
    - Read “Trends in Financial Crimes”: http://www.brainlink.com/news/159/24/InfoSecurity-Issue-7---Trends-In-Financial-Crimes.html
  • 21-22. Threats
    - Gmail, Facebook, MySpace, etc. take advantage of the ignorance of kids, senior citizens and society at large to trade long-term privacy for online games, convenience and "fun".
    - What looks cute today will become embarrassing 20 years down the road: topless pictures, angry rants, teenage pranks, etc.
    - Except, on the web, NOTHING ever gets deleted.
    Notes (slide 22): Users treat their computers like cars. They assume there's a lemon law for software, or a seatbelt protecting them from themselves. Nothing could be further from the truth.
  • 23-25. Threats
    - Your current users!
    - Google Toolbar, Desktop, Picasa, etc. are being installed with free software: Firefox, CCleaner, Foxit Reader, etc.
    - An entire ecosystem of “free” software now installs Google's products.
    - What about software loads being shipped by vendors (Dell, HP, etc.)?
    - What's your desktop policy? How are you coping with the demand for widgets and desktop eye-candy? Do you allow users to siphon emails to Gmail?
    - Are you SURE they aren't doing it anyway?
    - Google “enhances” their products with new features, e.g. Google Buzz.
    - Flaws in Google's products: XSS flaws, poor design, etc.
    Notes (slide 24): Why does a PDF reader install a virus scanner? Do you allow your users to install software? Can you roll back user installations? Can you find rogue software installations? Unlike desktop applications, where you control when updates get applied, Web 2.0 applications can add features, change privacy policies, etc. at any time, outside your control. Woman loses job after tweeting to Governor Barbour: http://www.wlbt.com/Global/story.asp?S=11713360
    Notes (slide 25): People like new technology, new tools. However, they don't always understand the risks involved. Web-based applications are integrating with each other (OpenSocial, OpenID, eBay+PayPal, etc.); Google Buzz merges social networking with contacts. Desktop tools are integrating with online systems: Google Desktop, Picasa, etc.; Office 2010 with Facebook & Twitter integration.
  • 26-28. Other Threats - Online profiles
    - What about your kids? (You know, the future interns, tomorrow's new hires, your future boss...)
    - Gmail @ School
    - Facebook disclosures
      - “For Some, Online Persona Undermines a Résumé”
      - “At Facebook, a popular social networking site, the executive found the candidate's Web page with this description of his interests: "smokin' blunts" (cigars hollowed out and stuffed with marijuana), shooting people and obsessive sex, all described in vivid slang. It did not matter that the student was clearly posturing. He was done. "A lot of it makes me think, what kind of judgment does this person have?" said the company's president, Brad Karsh. "Why are you allowing this to be viewed publicly, effectively, or semipublicly?" At New York University, recruiters from about 30 companies told career counselors that they were looking at the sites, said Trudy G. Steinfeld, executive director of the center for career development.”
      - http://www.nytimes.com/2006/06/11/us/11recruit.html?ex=1307678400&en=ddfbe1e3b386090b&ei=5090
    Notes (slide 27): You can purchase a person's online profile report that consolidates information from various social networks, credit reports, etc. in a single document. Recruiters are vetting online profiles when interviewing or submitting candidates.
    Notes (slide 28): Does your HIPAA compliance policy, or employee handbook, have a procedure for dealing with online postings regarding terminations? How soon after termination can they Twitter or Facebook or otherwise advertise their new, unemployed, status?
  • 29. Recommended Reading
    - http://www.brainlink.com/news/138/24/Is-Your-Company-Googling-its-Security-and-Privacy-Away-Raj-Goel-investigates.html
    - http://www.brainlink.com/news/150/24/InfoSecurity-Issue-6----DATA-LEAK-Googling-AWAY-your-Security-and-Privacy.html
    - http://www.eff.org/cases/warshak-v-usa
    - http://blog.jayparkinsonmd.com/post/92060107/the-promise-of-google-health-and-data-liquidity-in
    - http://google.about.com/od/experimentalgoogletools/qt/GoogleFluTrends.htm
  • 30-31. Summary
    - Neither you nor your patients own this data. Google does.
    - A flaw in ANY of Google's or 3rd-party applications can expose health care data.
    - This sets the stage for ID theft, insurance theft, employment denials and increased government and corporate surveillance like nothing else.
    - PHRs stand HIPAA on its head: they invert the founding principles.
    - GH is a PHR, NOT an EMR. PHR is a HIPAA/HITECH loophole you could drive a battleship through.
    Notes (slide 31): EMR - Electronic Medical Record - software deployed by the covered entity. PMR/PHR - Personal Medical/Health Record - software adopted by patients to self-manage their medical records.
  • 32. Raj Goel, CISSP
    Raj Goel, CISSP, is an Oracle and Solaris expert and has over 22 years of experience in software development, systems, networks, communications and security for the financial, banking, insurance, health care and pharmaceutical industries. Raj is a regular speaker on HIPAA, Sarbanes-Oxley, PCI-DSS credit card security, information security and other technology and business issues, addressing diverse audiences including technologists, policy-makers, front-line workers and corporate executives. He also works with community and professional organizations such as InfraGard, ISC2, TibetAid.org, and the Association of Cancer Online Research (ACOR.org).
    - A nationally known expert, Raj has appeared in over 20 magazine and newspaper articles worldwide, including Entrepreneur Magazine, Business2.0 and InformationWeek, and on television including CNNfn and Geraldo At Large.
  • 33. Contact Information
    - Raj Goel, CISSP
    - Chief Technology Officer
    - Brainlink International, Inc.
    - C: 917-685-7731
    - [email_address]
    - www.brainlink.com
    - www.linkedin.com/in/rajgoel
