Google Apps in the Health Industry

Discussion in 'Business & Enterprise Computing' started by Smokin Whale, Oct 7, 2014.

  1. Smokin Whale

    Smokin Whale Member

    Joined:
    Nov 29, 2006
    Messages:
    5,188
    Location:
    Pacific Ocean off SC
    Hey guys,

    Currently working in small business IT support and have been supporting small businesses and individuals in my area for the last 4 years or so. One of my newest clients is my local general medical centre, which is a relatively small place with 5 staff. Whilst their server system and medical software seem to be under control by the last guy who set everything up, their email, documents, contacts and calendars are a bit of a mess.

    Now normally, I wouldn't hesitate to push Google Apps for a small business like this, but I'm not so sure in a medical environment due to the number of extra regulations that the government imposes on their data management practices.

    Just wondering if anyone has had any experiences with cloud-based information systems such as Google Apps in the health industry, or if locally hosted solutions such as MS Exchange are more suitable.
     
    Last edited: Oct 7, 2014
  2. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,610
    Location:
    Brisbane
    Have a read of the RACGP guidelines

    http://www.racgp.org.au/your-practice/e-health/protecting-information/ciss/

    Last I read them (roughly 12 months ago) - PCI DSS is coming, but we're not going to use that specific language yet.

    I don't know if Google Apps meets that standard - but it wasn't an option for our client based on geographical location and internet services available.

    Our solution presented involved a lot of Next-Gen firewalls, regular Pen testing, regular log reviews, strict security policies and a security process that involved regular reviews with new implementations to meet new threats.

    The standard blew from about 90 pages, to 300+ last year. I fully expect it to be even stricter in 2016, which brings challenges to small IT providers (and indeed small medical firms) that aren't familiar with this language and meeting the requirements of such reviews and audits.

    The health industry in Australia lags behind the US and HIPAA. The idea of e-health records is a great one (huge, massive, unreal cost savings across Medicare - and potential huge improvements for health outcomes overall); however our government (Labor at the time, no doubt Liberal is the same) is having no bar of the responsibility of potential data leakage - meta or otherwise - and is pushing this all onto the individual practices. Doctors - who are renownedly tight - are about to have to approach IT with the same level of safety and auditing as sterilisation, and it's going to dramatically increase costs.
     
    Last edited: Oct 7, 2014
  3. OP
    OP
    Smokin Whale

    Smokin Whale Member

    Joined:
    Nov 29, 2006
    Messages:
    5,188
    Location:
    Pacific Ocean off SC
    Thanks for the well thought out response. Basically, it sounds like a bit of a handful. The practice I am looking at now has a pretty decent connection (20 Mbps) so that shouldn't be an issue.

    I'm going through the policy now and it appears to list a lot of common sense items (regular backups to disconnected media, proper network and data security, documentation, reporting etc.) but I haven't come across anything that specifically says that cloud-based providers are not allowed (and according to Google, they are HIPAA certified). Will continue to read.
     
    Last edited: Oct 7, 2014
  4. below5

    below5 Member

    Joined:
    Sep 18, 2002
    Messages:
    345
    Location:
    Victoria
    Look into privacy laws as well. You may be in breach of the Privacy Act to store information about patients offshore, as your data would be subject to the privacy laws of the country it is stored in.
     
  5. kronikabis

    kronikabis Member

    Joined:
    Jul 27, 2006
    Messages:
    396
    Location:
    Illawarra
    Have heard this too.
    Something to do with information offshore etc.
     
  6. Cubix

    Cubix Member

    Joined:
    Apr 15, 2011
    Messages:
    110
    It surprises me the number of IT consultants, in-house and managed service providers that do not know where their clients or businesses stand in terms of the Privacy Act changes implemented in March. Once upon a time this could be dismissed as an oversight, or as only important to other departments of the business, but with the huge push towards cloud, knowing the legal obligations of the business to protect its customers' data is now cemented as a fundamental part of the IT role within the business or enterprise.

    http://www.oaic.gov.au/privacy/applying-privacy-law/app-guidelines/

    Pay attention to APP 8 (particularly 8.14) and APP 11.
     
    Last edited: Oct 9, 2014
  7. Iceman

    Iceman Member

    Joined:
    Jun 27, 2001
    Messages:
    6,647
    Location:
    Brisbane (nth), Australia
    That's mostly because it's not the job of the IT consultants TO know the relevant laws for each and every individual industry. They might be passingly familiar with them - but they're IT experts, not legal or industry specific experts.

    The *client* (i.e. the person operating IN the relevant industry) should either know or have purchased advice on how to comply with the relevant legislation. They should then turn this into a list of requirements for the IT consultant to execute.
     
  8. GiantGuineaPig

    GiantGuineaPig Member

    Joined:
    Oct 23, 2006
    Messages:
    4,027
    Location:
    Adelaide
    Indeed, you can't outsource knowing your own company's legal requirements because Company X did an install for you. Just like they may not know OH&S for how you should sit at the computer while using their product, or your data retention laws for the information you PUT in the cloud.
     
  9. GreenBeret

    GreenBeret Member

    Joined:
    Dec 31, 2001
    Messages:
    19,370
    Location:
    Melbourne
    It surprises me every time that businesses do not know their own legal requirements, processes and risk management strategies, and expect IT consultants / staff to know it all.

    Having worked with clients in med (research), the answer to the OP's question (Google Apps) is a resounding NO.
     
  10. Cubix

    Cubix Member

    Joined:
    Apr 15, 2011
    Messages:
    110
    The Privacy Act is not purely industry specific; it applies to any business in Australia with an annual turnover of $3 million or more per year. (If you are in health or education then you must comply regardless of turnover.)

    You can cry "out of scope" as much as you want, but at the end of the day, if you are selling a solution to a client, be it cloud or on-premises, you need to have an idea of what the business does, its needs and what you are selling before you present anything to them.

    Use of cloud is not forbidden by the Act; in most cases it just requires additional clauses in the contractual agreement between the client and the cloud service provider (and most cloud providers are happy to do this, especially US and UK providers, as they have much stricter requirements imposed by their governments than our own).
     
    Last edited: Oct 9, 2014
  11. OP
    OP
    Smokin Whale

    Smokin Whale Member

    Joined:
    Nov 29, 2006
    Messages:
    5,188
    Location:
    Pacific Ocean off SC
    I wasn't planning to use any cloud-based information system for the storage of patient info - I wouldn't even consider that - but it was something I was considering for the internal workings of the organisation. However, it's too much of a grey area in terms of what can be considered patient-related data, so it looks like an internal solution is the way to go. Last thing I want is my ass on the line.

    It's a shame though; there seem to be a number of American healthcare providers that use Google Apps quite happily.
     
  12. IPPacket

    IPPacket Member

    Joined:
    Feb 6, 2002
    Messages:
    401
    Location:
    Duh Smart State

    Good call here. Having worked in the healthcare industry for 4 years, the amount of identifying patient details and health results passed around in email is huge... Drs are told not to... but they do : (
     
  13. Iceman

    Iceman Member

    Joined:
    Jun 27, 2001
    Messages:
    6,647
    Location:
    Brisbane (nth), Australia
    Again, it's not the job of the implementor to necessarily sell a solution that does or doesn't comply with the Privacy Act. It's the job of the business itself to ensure the equipment it uses complies - usually by remembering to ask the person implementing it to ensure such things.

    No, you don't. If the client insists on an IT solution that is completely inappropriate for their business or legal requirements, a vendor can sell them that. As long as they haven't misrepresented their offering as being something it isn't, or violated any other laws as part of the install, it's completely not on the IT vendor how their IT solution does or does not comply with the relevant industry laws.

    You think Amazon or Gmail are going to allow you to "add additional clauses" to their offerings and, on the back end, change their procedures to ensure that your data is kept extra especially safe?
     
  14. Cubix

    Cubix Member

    Joined:
    Apr 15, 2011
    Messages:
    110
    Because Amazon and Google are the only cloud service providers that exist.....

    But to answer your question: yes, Amazon actually already has a whitepaper available to assist in this process. As mentioned previously, most US and UK cloud providers already meet the requirements, as their own governments have stricter laws surrounding privacy of data than those held by the OAIC.
     
  15. OP
    OP
    Smokin Whale

    Smokin Whale Member

    Joined:
    Nov 29, 2006
    Messages:
    5,188
    Location:
    Pacific Ocean off SC
    Okay... isn't this in violation of government regulations though :confused:
     
  16. clonex

    clonex Member

    Joined:
    Jun 30, 2001
    Messages:
    24,887
    Location:
    north pole
    Probs find that some have been relaxed/revised so that it can be outsourced to India etc. :)
     
  17. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,610
    Location:
    Brisbane
    All you have to do is:

    1. Find the Regulations.
    2. Prove that your solution meets said regulations.

    Given that a big part of IAC's job is doing this, I'm not surprised he can demonstrate that solutions he recommends can meet said regulations, point for point.

    It also won't have been a small player that engaged him, so "extra" services from cloud providers, if required to meet said obligations, won't have been too much of a problem.
     
  18. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    760
    Location:
    ork.sg
    This is not correct, the APP applies to those organizations, but not necessarily the entirety of the act, as you wrote above.

    Furthermore, this is not correct in that it doesn't apply regardless. The APP does not apply to State Governments; the states have their own privacy requirements. It only applies to health providers if they are defined under the Healthcare Identifiers Act 2010. It's not at all as black and white as you suggest.

    For OP, I suggest you just read here:
    http://www.oaic.gov.au/privacy/priv...viders/resources-for-health-service-providers


    To follow on from NSanity's post.

    3. Have legal approve.
    4. Do it.
     
    Last edited: Oct 10, 2014
  19. Cubix

    Cubix Member

    Joined:
    Apr 15, 2011
    Messages:
    110
    Original post specifically identifies the APPs, not the entirety of the Act. The Privacy Act is a law; the APPs make up part of that law, so if an APP applies then the Privacy Act applies. For example: a breach of an APP is a breach of the Privacy Act, whereas a breach of the Privacy Act is not necessarily a breach of an APP.

    I never mentioned state governments, as that is where it gets murky. For example, QLD Health adhere to the NPPs (which were superseded by the APPs back in March), whereas the rest of QLD Government departments adhere to the Information Privacy Act.

    In regards to health providers (non government), this is at odds with all documentation I have seen. link

    If you could provide a link or reference to documentation supporting your statement I would appreciate it for future reference.
     
    Last edited: Oct 10, 2014
  20. GreenBeret

    GreenBeret Member

    Joined:
    Dec 31, 2001
    Messages:
    19,370
    Location:
    Melbourne
    Google can and have done so, if the deal is big enough.
     