
Google's Past Data Use Could Impede Its Health Care Push - jonbaer
https://www.wired.com/story/googles-past-data-use-could-impede-healthcare-push/
======
snuxoll
Work for a medical billing company owned by a physician group, had somebody in
from Google a month or two ago wanting access to a stream of patient data from
us in exchange for building some software for us. There was absolutely no
detail on what they thought they could build, just that they would see what
they could come up with after we started feeding them data.

The architect on our team immediately began laughing in the meeting, as it's
clear that Google has absolutely zero idea how HIPAA works.

~~~
saulrh
You know what the really stupid thing is? Looking at the attack surfaces and
data values and compromise histories, and having been inside Google to see how
it treats PII and been inside a cloud EMR provider to see how _it_ treated P
_H_ I, I'd move my data out of that EMR and into Google in a heartbeat. If
you're saying that Google would need to learn about a brand new truckload of
paperwork, sure. But HIPAA is neither necessary nor sufficient for privacy or
security.

~~~
snuxoll
The problem is HIPAA doesn't allow one to share data without a reason - in
fact it's only to be ACCESSED with a reason even by those with privileges to
do so. I would trust Google to keep data safe, but brazenly asking for data
without a defined use case is in blatant disregard for the regulations we
operate under.

~~~
saulrh
Like I said, I suspect this is mostly a question of learning new paperwork. My
experience at Google has been that the security and privacy tooling is
granular enough that access can be proposed, vetted, authorized, controlled,
and monitored at the level of individual build numbers of individual binaries.
I'd guess that the casual assumption was that there'd be a "defined use case"
step but that it'd be covered by existing internal procedures, and I'd also
guess that in any sane world it _would_ be covered.

(This is, honestly, one of the reasons I call the entire thing stupid and
trust HIPAA so little - at that cloud EMR company, every one of the 500+ devs
must have had something like a perpetually-active use case of "debugging the
product". If it weren't for the fact that I _know_ that that company made it
through audits I'd have phoned HHS my first month.)

~~~
vageli
> (This is, honestly, one of the reasons I call the entire thing stupid and
> trust HIPAA so little - at that cloud EMR company, every one of the 500+
> devs must have had something like a perpetually-active use case of
> "debugging the product". If it weren't for the fact that I know that that
> company made it through audits I'd have phoned HHS my first month.)

So you're saying a valid use case to access patient data under HIPAA is for
debugging the product? That sounds incredibly unlikely; even at my job we use
faked data for this kind of thing. Can you point me to a source for your
claim?

~~~
saulrh
I wrote up a bit reply to clarify, but now I'm looking and thinking about it
for the first time in a few years, with four years of job experience instead
of four days, and realizing that I probably need to be showing this to a
lawyer. The "learn to SQL" exercises directed me to manually inspect
individual rows in the prod customer database. Even _with_ the managers and
senior devs all assuring me that it was okay and the company having survived
for twenty years without being fined into oblivion, this is just...
unbelievable. :/

------
crazygringo
Title seems totally unsupported by the article...

There's nothing in here that says anything Google has done in the past impedes
anything.

To the contrary, the meat of the article (4/5ths down) says:

> _Under UK data protection law, DeepMind is not the “controller” of the
> clinical data crunched by Streams; its partners are. That means Google
> doesn’t own the data or get to choose how it is processed and used.
> Similarly in the US, the federal HIPAA law prevents organizations working
> with health data from arbitrarily adapting it to new purposes. Worse for
> Google executives who want to move quickly, the company can’t immediately
> assume DeepMind’s contracts with hospitals. Those institutions need to give
> consent, potentially giving them a chance to negotiate different terms._

So actually it's national law that's "impeding" things, not Google's past.
Presumably the law is intended to protect people's data, and is working as
intended. (And on top of that, nothing in the article actually supports that
anything is being "impeded" at all -- seems like that's total speculation by
the writer?)

Feels like a totally clickbait headline to me.

~~~
ionised
Yeah, I'm totally fine with Google being 'impeded' in this way.

------
londons_explore
This is sad, because I believe tens of millions of lives could be saved by
giving all healthcare data to Google to do with as it pleases.

Sure, privacy would probably be impacted, but in my opinion, life and death is
more important than privacy.

We're talking far more lives than terrorism here, and we were happy to lose a
lot more privacy for that. Probably more lives than guns, car accidents, etc.
too.

When we've saved those millions of lives, we can work on ways to get the
benefits of both privacy _and_ still saving those lives.

~~~
Lio
Do you also think that Google should open source all the code and results that
it gets from working with that data?

~~~
londons_explore
It would be great if they did...

But even if they didn't, they would still have a commercial incentive to get
it in the hands of as many people as possible.

------
londons_explore
It should be a _requirement_ to hand over medical data for research like this.

Why should you get to be treated for cancer without sharing with everyone else
data to help make better treatments? Without that data, other people will go
through the same treatment and die. That's selfish, and borderline immoral.

~~~
DerpyBaby123
Maybe a doctor should be able to come to an agreement with an individual,
without injecting the watchful eye of other offices or governments.

------
ve55
Good. It's funny we have HIPAA but yet Google is able to collect significantly
more personal information than just healthcare information on us, yet there is
not a single regulation they need to truly care about.

------
Lio
> Google didn’t respond to a request for comment on its plans.

This is what’s bothering me. These big foreign companies make promises not to
do something. They then go back on their word and do it anyway. They then
refuse to speak to the press or parliament.

They’re unaccountable.

