GDS & Medical Information
I recently received information from the Palo Alto Medical Foundation warning against use of the Google Desktop Search tool:
Do you use the Google Desktop Search tool or use a shared computer to view PAMFOnline?
Google recently released a new tool that allows people to scan computers for information in the same way they use Google to search the Internet. To enable the search, there is a setting that will index and cache Web pages including secure web pages like PAMFOnline. In other words, the tool has a photographic memory of what is on your computer.
…
How does this affect me? If this tool has been installed on a PC that you are using, it is possible for your private health information viewed through PAMFOnline to be cached on the computer’s hard drive and retrieved later by someone else.
…
The good news: Google Desktop Search is only able to retrieve Web pages that are viewed after it is installed. In other words, if you view PAMFOnline on a shared computer (e.g., Internet café, Library), someone cannot come along after you, install Google Desktop Search and pull up the pages you previously viewed.
For more information on the Google Desktop Search Tool and your privacy go to: http://searchenginewatch.com/sereport/article.php/3421621
A full copy of the warning is archived here.
This is pretty impressive – the risk a new technology posed to personal patient health information was discovered, analyzed, and a solution distributed in a fairly short period of time. Makes me wonder: is PAMF unique amongst medical care providers due to its proximity to Silicon Valley? Or is this a sign of increasing sophistication among healthcare providers in light of HIPAA and other regulations designed to protect personally identifiable information?
Of course, this kind of vulnerability applies equally to any of the other desktop search tools. One has to wonder: will the Spotlight feature in Tiger (the next version of Mac OS X) similarly risk exposing users’ sensitive data?
And do users recognize that GDS even poses a risk to data secured by hard disk encryption solutions? After all, as long as the data is accessible at some point (such as when the encrypted volume is mounted by the user), GDS will probably attempt to index it and, in doing so, risk leaking data outside the confines of the encrypted volume.
One more thing to note about the Spotlight Store: There is one content index and one meta-data store per file system. This keeps the content indexes and meta-data stores with the files they belong to – crucial when using external FireWire drives that travel from Mac to Mac.
from: http://developer.apple.com/macosx/tiger/spotlight.html
So it would appear that the GDS bug may hit again…
Well, actually, it would appear that the Spotlight design team was smart enough to avoid the problem entirely. Storing the index on the same volume as the files it describes means that the index of an encrypted volume is itself locked away when that volume is not mounted, so its contents cannot be recovered from a search while the volume is offline.
However, I’m unclear on whether or not GDS has made the same design choice. That would require additional research.
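To make the design point concrete, here is a small model of the two index placements discussed above. It is an added example, not code from the post, from Google or from Apple: a central index that lives on the boot volume (the arrangement the post worries GDS might use) keeps answering queries about an encrypted volume after that volume is unmounted, whereas a per-volume index (the Spotlight arrangement quoted from Apple) goes offline together with the data it describes. The volume names, file names and lab-result text are constructed sample data, and the classes are hypothetical, not any real indexer's API.

```python
"""Toy model of desktop-search index placement (added example; hypothetical
classes, constructed sample data). Compares a single central index against
one index stored per volume, as described for Spotlight."""
from dataclasses import dataclass, field


@dataclass
class Volume:
    name: str
    encrypted: bool
    files: dict                 # path -> text (constructed sample content)
    mounted: bool = False
    # Per-volume content index; lives on the volume, so it is unreadable
    # (here: simply not consulted) whenever the volume is not mounted.
    index: dict = field(default_factory=dict)


class Desktop:
    """Simulates an indexer with either a central or a per-volume index."""

    def __init__(self, per_volume_index: bool):
        self.per_volume_index = per_volume_index
        self.volumes = {}
        # Central index on the boot volume: survives unmounting of any volume.
        self.central_index = {}

    def mount(self, vol: Volume) -> None:
        vol.mounted = True
        self.volumes[vol.name] = vol
        self._index_volume(vol)

    def unmount(self, name: str) -> None:
        # Data on an encrypted volume becomes inaccessible once unmounted;
        # whether the index does too depends on where the index was stored.
        self.volumes[name].mounted = False

    def _index_volume(self, vol: Volume) -> None:
        target = vol.index if self.per_volume_index else self.central_index
        for path, text in vol.files.items():
            for word in set(text.lower().split()):
                # Record the location and a cached copy of the text, the way a
                # desktop search tool keeps a snippet to show in results.
                target.setdefault(word, {})[f"{vol.name}:{path}"] = text

    def search(self, term: str) -> dict:
        """Return {location: cached text} for every hit a searcher can see now."""
        term = term.lower()
        hits = dict(self.central_index.get(term, {}))
        for vol in self.volumes.values():
            if vol.mounted:                      # per-volume index only readable while mounted
                hits.update(vol.index.get(term, {}))
        return hits


def leak_check(per_volume_index: bool) -> tuple:
    """Mount an encrypted volume, index it, unmount it, and search before and after.

    Returns (hits while mounted, hits after unmount). Any entry in the second
    element is data that escaped the encrypted volume via the index."""
    desktop = Desktop(per_volume_index)
    vault = Volume("vault", encrypted=True,
                   files={"lab_results.txt": "Hemoglobin A1c result 6.1 percent"})  # constructed
    desktop.mount(vault)
    while_mounted = desktop.search("hemoglobin")
    desktop.unmount("vault")
    after_unmount = desktop.search("hemoglobin")
    return while_mounted, after_unmount


if __name__ == "__main__":
    for design, flag in (("central index", False), ("per-volume index", True)):
        mounted, unmounted = leak_check(flag)
        print(f"{design}: visible while mounted={bool(mounted)}, "
              f"still visible after unmount={bool(unmounted)}")
```

Both designs find the lab result while the volume is mounted; only the central index still returns the cached text once the volume is gone. The same reasoning applies to the PAMFOnline case: a secure page viewed in the browser is exactly as exposed as wherever the indexer chooses to write its cached copy.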