Part I: Follow Up to PHR Access Post and GTUG Campout "Breach"- Google Health, Ringful, and the Asthma Journal App Experience
To all who have requested updates on my adventures earlier this month exploring Google Health's architecture, sharing/linking permissions, and access of my PHR by Ringful and the Asthma Journal application (which I thought had granted unauthorized access to my PHR at Google Health via an unknown organization called 'Axial Exchange'), here's a lengthy update.
My apologies for the delay - as you'll see from the transcript of events it's taken a bit of time to detail what happened and figure out what to do about it (and proffer a solution I hope will help prevent this from happening to anyone else using PHRs).
Please note as you read I'm happy to respond to individual requests for more information, but am working on the final stages of an app for Contagion Health (unrelated to my work with the Google GTUG Student Summer Health Project and Chief Medical Officer development) so may be a bit slow getting back to you.
First, I want to compliment (again) Roni Zeiger, Google Health Product Manager, and Jason Cooper of Google, who was onsite at the GTUG Campout earlier this month. I also want to compliment Michael Yuan, CEO of Ringful (the maker of the iPhone app 'Asthma Journal', which is connected to Axial Exchange at healthcare-exchange.appspot.com).
Everyone has responded with alacrity and an appropriate level of concern and proactivity to help clarify my understanding of Google Health profile linking permissions vs. sharing profile permissions to ensure something like this does not happen again.
Background: Now for further details on what I believed to be a breach of my Google Health PHR, but turned out to be a linked profile share enabled via my download and use of the Ringful Asthma Journal iPhone app (prepare yourself for a meaty read)...
Here's what happened:
1. The second night of the GTUG Campout, I read about Ringful, Michael Yuan, and the company's Asthma Journal iPhone app, believed to be the first mHealth app rolled out (ie available in the iTunes store) that built on top of Google Health's PHR.
2. Since the GTUG Student Group I am working with is developing the open-source Chief Medical Officer app to help users update conditions in Google Health via smartphones, I downloaded the Asthma Journal app to play around with it, and accessed it on my iPhone.
3. In the process of exploring the app, I granted the app permission to access my Google Health profile (see below for more details on the language used... I'm also including some screenshots).
4. I took a look at the rest of the Asthma Journal app, but since I do not suffer from asthma (thank goodness) I did not add any information via the Asthma Journal application or interact with my Google Health profile via the app.
5. The next morning at the GTUG Campout I signed into my Contagion Google Health PHR profile, which I created to support the GTUG team's work on the Chief Medical Officer application.
6. I noticed a strange (to me) looking addendum at the bottom of my profile that showed an unknown app/organization linked to my profile. I did not recognize the organization nor the Appspot extension.
Here's how everyone responded:
1. I freaked, totally and completely. I had never seen this Axial Exchange link, hadn't heard of the company or organization despite significant research into mHealth. When I clicked through (via copy and pasting the Appspot exchange link into my Safari web browser), I found only a very generic description of Axial, which worried me.
2. I Googled Axial, and didn't like what I saw; a very small online 'footprint' consisting of a website I'd never heard of and a few blog mentions.
3. I immediately went back to my Google Health PHR profile, and checked my "Share this profile" link on the lower left hand menu frame of my Google Health PHR, which showed I had NOT elected to share my profile with any individual or company.
4. I freaked again, thinking some unauthorized org was accessing my PHR to practice the dark arts of healthcare data stealing.
5. I started talking to folks at the GTUG Campout to try and find out if this had happened to anyone else (it hadn't, because no one else was using Ringful's Asthma Journal app).
6. I tweeted about it using my @jensmccabe handle, and asked if any of the health/medical folks I know using Twitter had experienced a link/access by Axial or 'healthcare-exchange' (no one had, again because no one else had downloaded Ringful's Asthma Journal app).
7. Lawrence Wong, an organizer and leader of the GTUG (Google Technology User Group) heard my frustration (he was onsite at the GTUG Campout) and recognized immediately the potential seriousness of the issue. He found a Google staff member to speak with me personally onsite about the issue (Jason Cooper). Jason of Google sat down with me, talked through my concerns, looked at the app and my profile (with my permission - I used my laptop to show him what I was worried about), and placed a very high level request for assistance.
8. Roni Zeiger of Google Health responded, sending me a direct message via Twitter and even calling my mobile phone (from his home, on a Sunday afternoon).
9. Roni and I talked through my concerns, and I mentioned where I thought the issue occurred; by this time someone on Twitter had sent me a screenshot of the Axial Appspot logs, which I used to identify Michael Yuan (thank goodness I recognized his name from reading about Ringful the day prior).
NOTE: It is important to note that neither the name 'Ringful' (the app maker) nor the app name itself ('Asthma Journal') appeared anywhere on my Google Health PHR page or on the Appspot description page for Axial, the organization linking to my Google Health profile; the only place either surfaced was in the Appspot logs.
In other words, there was no way to discern a connection between the org linking to my Google Health PHR profile, Ringful, nor the Asthma Journal OTHER than Michael Yuan's name appearing on the logs. From corresponding with Michael, I know this was not a malicious effort to 'hide' the connection, but rather a simple oversight that resulted in a great deal of confusion on my end.
How the issue was solved:
1. Through tweets and help onsite at GTUG Campout (Lawrence Wong the GTUG organizer and Jason Cooper of Google), I discovered that Axial, the appspot that linked to my Google Health profile (after I opted to allow a link with the app during the "Asthma Journal" install process) is linked to Ringful, an iPhone application development shop and maker of the "Asthma Journal" app.
2. Once I could connect Ringful, the Asthma Journal app, Michael Yuan, and Axial, it was just a matter of contacting Michael (via Googling him and looking up his email). Again, Ringful is the maker of iPhone app "Asthma Journal," which I downloaded and installed on my iPhone the night before the Axial 'healthcare-exchange' appspot link appeared on my Google Health profile.
3. Michael and I corresponded with Roni Zeiger of Google Health via email to address the issue, detail exactly what happened, and get the language of the Appspot page for Axial updated to make the link between Axial, the Asthma Journal app, and Ringful transparent.
4. I became determined to create a recommended 'blueprint' (optional) detailing user-protective best practices for mobile health applications accessing PHRs, ie a "universal terms of service" that organizations and developers could adopt at will.
Before I go into detail about the granular level of access and permissions I'm working on for the Universal mHealth App TOS, I'll detail what happened from a process/UX perspective, and what I saw as a user (excuse me if there's redundancy here):
1. When you download and install Asthma Journal, you have the option to connect to your Google PHR (Google Health).
2. I did this, and was redirected to the web interface for Google Health. This action serves as consent for unlimited access to your entire PHR (ie no granular level sharing permissions, it's 'all or nothing') under the Ringful/Axial/Google Health process.
3. If you'd like to see the language used, download Asthma Journal from the iTunes store, and click on the "Tools" tab at bottom nav. Next click on Google Health (Connect text will show up as title of tab). NOTE: You must have a Google Health PHR to perform this action.
4. Here's the consent/permissions language used in Asthma Journal, the version I downloaded, verbatim... A screenshot is available here:
(Ringful, at the behest of the Google Health group, has made very beneficial language changes on the web interface, so by the time you download the Asthma Journal app, changes will have been made to the app permissions language as well.)
5. Here's what I saw:
"Now, please click on the link below to log into Google and link this iPhone app to your Google Health account. You might be asked to login twice (first for Google and second for Google Health). Once the linking is done, you will see health-exchange.appspot.com as an app with access to your Google profile. Link this iPhone to your Google account Privacy Policy."
6. As I've blogged about previously here (and detailed above), the next day I noticed a linked appspot account, healthcare-exchange.appspot.com, and incandescent fury ensued.
7. See screenshots above and my previous Posterous posts to view what the healthcare-exchange.appspot.com language said when I accessed it.
And, to demonstrate the positive power of patient advocacy and epatient involvement, here's the NEW healthcare-exchange.appspot.com language that Ringful and Google Health now offer (NOTE: GREAT changes Michael!):
"Ringful Health Information Exchange: The Health Exchange currently provides services to multiple mobile personal health monitoring apps from Ringful. It allows mobile users to propagate their data to any EHR or PHR system of their choice, including Google Health, Microsoft HealthVault, and consumer portals of major hospital EHR systems."
Please read Parts II and III of this update for more details, results, and action items moving forward...