When it comes to Google Apps, I’m certifiable

Back in mid-2007 I deployed my first instance of Google Apps, replacing a Microsoft Exchange 2003 server. It was a controversial choice back then — Google Apps was still pretty new and it wasn’t yet clear whether Google was going to stick with the platform and build it out. But there were several deciding factors that pushed me to an Apps deployment:

I was working at a nonprofit, so Google Apps was free for us; worst case I could always fall back to the in-house system
Our Microsoft Exchange 2003 server was constantly running out of space and was a pain to backup
We lived under a monstrous waterfall of spam that required a special appliance outside the Exchange box that worked well but was costly
Our Internet connection was relatively slow and outrageously expensive, so handling all the mail traffic in-house was painful, especially when the in-house web site was what we really wanted to share with the world, not our email system
Our users wanted to send and receive larger and larger files via email, which only strained all of the above factors further

We made the switch, I uploaded a bunch of mail using Google’s then-primitive migration tools, and I put everyone onto the web-based interface — no Outlook allowed. We did trainings and I spent a lot of time helping users get acclimated to the new way of doing things. This was before drag-and-drop email attachments in Gmail. It was before full compatibility with external calendar invitations. It was before Chrome.

And I was immediately hooked.

Why Go Google?

From an IT perspective, this Google Apps thing was awesome. There were no servers to own, nothing to back up, nothing to manage — aside from creating and deleting accounts. The users had far more space than they’d ever had (7GB at the time) and far more space than I could have ever offered locally at a reasonable price. The system was accessible everywhere, and no matter where you got your mail or looked at your calendar, it functioned the same way. And, as a nonprofit, it was all free! We even started using Google Docs right away, sharing selected spreadsheet data with remote workers and volunteers, allowing for real-time collaboration that at the time was mind-blowingly simple yet powerful.

Since then the Google Apps platform has matured with better features, a more homogenized interface in the apps, better administration tools, more reporting, more granular controls, and great (paid) add-ons for email archiving and spam control. And since then I’ve deployed Google Apps 4 more times, not to mention personal use. My most recent migration was last year, again dropping Microsoft Exchange 2003 and Outlook to go all-cloud all the time.

And then there was this past weekend.

Getting Certified

After managing and evangelizing Google Apps all these years, I stumbled across a certification program for Google Apps nerds like me: the Google Apps Certified Deployment Specialist. So I dug through the Study Guide, re-read a lot of stuff I knew, learned a few new tricks Google has developed in the last couple of years, and paid my testing fee.

The weird part was the testing method. Rather than send you to a local testing center — where you might sit for Microsoft or Citrix or VMware or other vendor exams — this one is done at home or in your office. You can take the test anywhere you have a live Internet connection, a Windows or Mac machine, and a special USB webcam they make you buy. Total cost is about the same as those other exams, but you can schedule it on weekends in evenings and take it at home. They proctor the exam through the webcam and special software.

It worked great. The only thing I was “corrected” on during the exam was the fact that I started to read some of the questions out loud, to puzzle them out audibly. That’s verboten, probably because they fear you’d read the questions out loud so you could either record the questions (and give them away to others wanting to take the exam) or ask someone else nearby to provide an answer. It’s too bad, because I like to “talk out” technical solutions. Oh, well.

61 questions after starting, I had passed the exam, so now I’m certified! It’s the first major cert I’ve picked up since the “good old days” of Windows NT 4 and Lotus Notes and Domino. And it’s fun to have a Google certification, perhaps because it’s so rare. My certificate was numbered “1298”, which suggests there were less than 1,300 people certified when I took the exam. That’s cool — I’m in a group smaller than my high school census (except we’re all certified Google Apps pros!).

Can you use Google Apps in a healthcare environment?

I may need to address this further in a future post, but the short answer is yes. People freak out about HIPAA (as they well should) but the key thing to consider is how you use your email system. Bottom line: If you don’t store or share PHI (protected health information) in your email system, then HIPAA rules don’t apply. And for those that are using email systems (of any kind) to share or transmit patient data, I have a question: Are you out of your mind? Email is a promiscuous platform by design — it’ll “sleep” with anyone and it’s 1 degree away from every email account worldwide — so why would you ever push patient information through it? If it helps, I’ve actually addressed the Apps/HIPAA discussion elsewhere before.

Sidebar: I may also have to write a post someday (really a rant) about email footers with lots of legal language in them — a silly practice that has no force of law behind it. If you want to put in a “please don’t share this” message down there, that’s cool, but stop trying to create unilateral contracts with your footers — that’s not a thing.

All that said, I do think Google needs to rethink their stance on signing HIPAA Business Associate Agreements (they won’t sign them). They either need to start signing or they need to post a definitive position paper on HIPAA issues related to Google Apps. Microsoft has shown a willingness to sign BAAs for Office 365 services, which makes their service more attractive, despite their downtime problems. Google has done a good job addressing the overall security of Google Apps, but they need to go a step further, to assuage the fears of healthcare executives and Boards that don’t understand technology very well.

What’s next?

For now I’m a happy Google Apps administrator, still learning, still sharing tips with users new to the platform. Oh, and I’m a Certified Deployment Specialist, of course! So if you’ve got questions about going Google in your healthcare environment (or any business, really) just let me know. I can answer some questions in the comments or we can take the conversation offline.

Desperately seeking a HIPAA-compliant Ford Mustang

After the harrowing account of a hospice in northern Idaho being slapped with a $50,000 fine for 411 breached patient records, it’s good to see that even the big players — the biggest in the industry — screw up from time to time.

This widely-cited case, first reported by the L.A. Times, tells the story of how healthcare giant Kaiser Permanente got a little sloppy and ended up working with a contractor who stored electronic patient records all over the place, including sometimes storing records — and I love this — in the trunk of his Ford Mustang.

Which raises the obvious question: Are Ford Mustangs HIPAA compliant? What about a Honda Accord? Maybe a PT Cruiser?

And while that’s the wildest part of the story for me, what’s even more fun is the fact that Kaiser and their mom-and-pop patient records handler (yes, literally — mom-and-pop) have been trading accusations in and out of court for the past 2 years, each accusing the other of not caring about patient privacy and data security.

L.A. Times writer Chad Terhune did a masterful job painting a picture of the comical data security with these gems:

“On a recent day [the patient records] sat next to a red recliner where Ziggy, the family’s black-and-white cat, curled up for a nap.”
“…kept those patient records at a warehouse in Indio that they shared with another man’s party rental business and his Ford Mustang until 2010.”
“…Kaiser said the Deans put patient data at risk by leaving two computer hard drives in their garage with the door open. In response, Stephan Dean moved them to a spare room.”
“‘We could have sold these emails [with patient records] to somebody in Nigeria, but Kaiser doesn’t care about its patients’ information.'”
“‘[Kaiser] should have signed a contract prior to the commencement of this project,” the manager wrote.”

Be sure to read the article all the way to the end. That last sentence is a killer.

Kaiser got into this mess because they gobbled up yet another smaller hospital and needed to absorb all the patient records quickly. So they outsourced the job. No problem there, really. It’s who they outsourced to that ended up being a disaster.

So far, there’s no known patient data breach, which is great for patients. But authorities are investigating and Kaiser’s got a lot of egg on face with such a high-profile piece hitting the Times.

The lessons for your patient data security efforts? Wait… you really need me to spell this out?

It’s simple. You need your own Ziggy — a certified Patient Privacy Attack Cat — and a Mustang. IT’S RIGHT THERE IN THE FEDERAL CODE, PEOPLE.

Health IT Links: 2012-01-03

Here are my selected links, with commentary, from the Health IT, community health center (CHC), nonprofit, and general IT sectors today. Please pass me any recommendations you’ve got in the comments or hit me up on Twitter: @jmproffitt.

Products

PhoneFactor (Mini-Review at SC Magazine)
Add 2-factor authentication based on phone calls, SMS messages, and OATH to your web apps, Terminal Services, Citrix sessions, and RADIUS-backed VPN sessions on the cheap. Pretty cool. SC Magazine certainly liked it. (Another option would be to deploy an SSL VPN with 2-factor features built-in, but that’s a story for another day.)
Technologies to watch 2013: Windows Server 2012 cannot be ignored
The Windows Server platform continues to march on, with some great additions in the 2012 edition. This article points to more than 9 advances that just might solve some problems for you, including the vastly-improved Hyper-V, and some fascinating storage pooling techniques blended with a faster SMB file transmission implementation. Of course, watch out for application hosting issues — your app vendors may not yet support Server 2012. I don’t know about you, but we’re still eliminating Windows Server 2003 servers.

Security

Microsoft issues temporary fix for zero-day IE vulnerability
You’re not still using Internet Explorer 6, 7, or 8, right? Well, get the fix from Microsoft and start deploying. Better yet, move to IE 9 and get ready for IE 10.

Business of Healthcare

WellPoint to cover virtual doctor visits
More payers are starting to cover telemedicine / telehealth costs. Do you do any telehealth in your clinic today? We don’t do it yet, but there’s a real future here, so I know I’m paying close attention.

Lose a laptop with 441 patients’ records, pay $50,000 and pray for donations

The latest HIPAA breach story out of northern Idaho breaks my heart. It also chills me to the bone. First off, here’s the news:

It’s official: HHS announces first breach settlement on report affecting less than 500
Hospice Gets $50,000 HIPAA Penalty
HHS Press Release: HHS announces first HIPAA breach settlement involving less than 500 patients

I actually worked with a hospice on tech issues in the last couple years, and I can tell you the attitude about security and IT in general was… less than progressive. They had better things to do. Literally. Hospice folks have a really rough job, emotionally and financially, providing a service that’s simply not properly supported by payers, whether private or public. They live on donations and posthumous gifts. They’re the soup kitchen of modern healthcare, providing a vital service that no one really wants to think about.

But pleading a charity case obviously didn’t work on HHS. The hammer continues to fall with increasing speed and strength in matters of ePHI security.

Yet again, this breach is the story of a lost, unencrypted laptop with patient information on board. It’s not clear whether the records were actually accessed or distributed, but that’s obviously irrelevant.

Community Health Centers and other smaller health providers: Pay attention. HHS is now bringing the penalty thunder down to breaches of less than 500 records. And the price is high, at $50K for just 441 records (theoretically) stolen in this case. Of course the HHS write-up points to lack of policies, no risk assessment, no controls over mobile devices, no encryption, and so on. It’s kind of a broken record now.

So consider this your last chance to get your HIPAA policies and procedures drafted and start making regular progress on improving security. The key is to show active interest and ongoing improvements. Do your risk assessment. Build your list of critical improvements. Do them. Keep records of what you’re doing.

This stuff takes staff time and cash money to buy some technology, which is always tough in nonprofit healthcare. So get these stories in front of your CEO right away if you’re not getting the resources you need. Alternatively, put them in front of your CFO — because a big enough breach could threaten the financial viability of the company.

Health Care and Healthcare: One gets you well, the other gets paid

It’s good to know I’m not the only one confused over the use of “healthcare” and “health care” when referring to elements in this industry. Lots of articles out there, including these, that shed light on the controversy:

The general consensus seems to be that “healthcare” is suggestive of the entire system, or the industry, and not specific acts of medical service. When the space is added between the words, it’s more personal, more medical, more health-focused.

If we agree on that, then most of the time I’ll be using “healthcare” in my writing, since I’m usually thinking and working at a systemic level — I’m not a provider. So for me…

I’m a “health care” consumer when I see a doctor.
I’m at the mercy of “healthcare” when I deal with my insurance company.
I’m a “healthcare” practitioner by way of technology, and hopefully my colleagues can provide better “health care” when I’ve done my job well.

Or put simply: health care gets you well, but healthcare gets paid.

Bonus Points: HIPAA
Seeing HIPAA written incorrectly is a particular pet peeve of mine, so I loved this quote from Bob Coffield at the Health Care Law Blog:

As for HIPAA — I always use whether someone spells it correctly to judge how knowledgeable they are about the subject.

Why Go Google?

Getting Certified

Can you use Google Apps in a healthcare environment?

What’s next?

Share:

Share:

Products

Security

Business of Healthcare

Share:

Share:

Share: