Posted by NonaTheNinja on May 23, 2008
A nice article I found online about the release of Google Health. I've tagged it under Gear Grinding and Crazy Shit because it's annoying and crazy that Google would release such a feature and not comply with HIPAA. I've tagged it under Stupid People because do you know how STUPID you would have to be to sign up for a service that is not protected by HIPAA and could easily have vulnerabilities that allow someone to get your information? You might be thinking, what could someone do with medical records, right? Well, just imagine what information is contained in those medical records that people can use to steal your identity or, even better, steal your health insurance for themselves.
SecureThroughObscure writes: "Security researcher Robert 'RSnake' Hansen discusses numerous concerns with Google's new Google Health application, which aims to integrate users' medical records online. We discussed Google Health's opening to the public earlier this week. RSnake mentions that Google has found a loophole allowing them to provide this service without having to follow HIPAA regulations, which, combined with Google's track record of having numerous flaws leading to private information disclosure, draws serious concern. Security researcher Nate McFeters of ZDNet's Zero-Day Security Blog also commented on the article, mentioning several past vulnerabilities: ownership-of-content issues, Google Docs theft, a cross-domain hole, Google XSS, and a Google Picasa protocol handler issue leading to the theft of user images. He and fellow researcher Billy Rios disclosed these issues to Google, including the ability to steal GMail contact list information. McFeters says it's likely that similar unpatched bugs would allow an attacker to view medical records if a user was also using Google Health. Both McFeters and Hansen tend to agree that Google's vulnerability disclosure/notification is non-existent and really needs to be improved. Currently, Google does not report vulnerabilities it has fixed to its user base, for the obvious reason of trying to hide the fact that user data could have been stolen."