Here are Things I Found, If it Helps
by Hforman - 8/7/12 3:31 PM
In Reply to: Thank You by waytron
As I said, I work with a local government agency and participate on many data security "teams". My area contains many areas of criminal justice. This thing comes up all of the time with respect to criminal history and even medical data. Even LAPD was all set to sign a Google Apps contract until, at the last moment, they found that Google Docs was not certified by Criminal Justice Information Systems (CJIS) to hold that data. In a separate article I read, Google claims that no public cloud is CJIS-compliant. (Except maybe DATAMAXX). Box is "trying" to become CJIS-certified the last I heard.
Aside from criminal data, there is the issue of HIPAA. May I refer you to Google Docs' website, FAQs (or was it "help"?) where Google stated that, although many of their users are keeping HIPAA-related information on their website "as part of their HIPAA certification", Google claims NO RESPONSIBILITY for HIPAA compliance. (Search for HIPAA in their FAQs.)
Computerworld article: by Jaikumar Vijayan, February 7, 2012:
"FBI declares cloud vendors must meet CJIS security rules"
You might want to look at that.
Also, you might want to search the web for the words "cloud" and "HIPAA" but remember that the information is only as good as its source.
The must read: You should go over, carefully, the Terms of Service (TOS, "Terms") on Google Docs' website. There has been a lot of controversy over what you read there. I don't like the part where they say that they can do all these things with your data. They give what "appears" to be a valid reason, but if you don't want to publish the information or share that information, there is still no way to not give them the rights. Note that "Terms" change frequently, so you may want to also read the archives of the TOS. For example, not too long ago Google and Dropbox claimed ownership of anything you upload. I imagine copyright lawyers had a field day with that. Now they say that they do not own your data, but you must give them rights. Please read this.
I have read articles about HIPAA fines for users of public cloud sites but I have never heard of anyone being fined for that cloud use. I wish the government would say one way or another.
So. Is it illegal to use Google or Dropbox to hold HIPAA-protected data? That's a good question. While the data does have some encryption, the scanning of all uploads and the viewing by employees leave me with a feeling that the use may not be good where HIPAA data is concerned. I really don't have a better answer for you than "maybe". It depends on who you talk to and what you've read.
Imagine this: You just went into a brick-and-mortar store and bought something using your credit card. Do you know if that store is keeping your credit card information off in the cloud? Do you know if some employee in some foreign country or in the U.S. can see those card numbers?
Also, please check with technology experts such as Gartner. Last time I heard they were all down on cloud security. I agree that encrypting the data yourself (not so much as password-protecting) can help improve online security (documents on Google are all electronically scanned, and I don't know if they do a raw scanning, which would bypass just a password).
As we both agree, it seems that this is all about the data. Crime scene photos? of Celebrities? Coroner photos and videos? Unfortunately I have to deal with that world.