Google Health vs. HealthVault round 1

Everyone is talking about Google’s new PHR offering vs. Microsoft HealthVault. Mostly the talk is drivel. I was able to get a seat at the Press Interview with Google CEO Eric Schmidt at HIMSS and, I kid you not, two reporters asked “Is the data in Google Health covered by HIPAA?” within five minutes of each other. Frankly, not-covered-by-HIPAA is an industry standard for PHRs, and the fact that the question was asked at all is an indication that the press covering this largely have no idea what is going on. (I will talk more about HIPAA and PHRs in a future post.)

Rather than finding drama in all of the wrong places, I wanted to highlight a couple of differences that really are worth paying attention to. I have had the privilege of speaking with the programming leads for both projects extensively, and it is not yet time to give a close blow-by-blow of where these two systems are in comparison to each other. (That will happen after Google Health goes live.) I hope that what little technical meat I was able to dig up will be interesting to you.

Privacy Policies:

Google has not published its privacy policy. However, it has historically given great weight to privacy concerns. Most notably, take the Google Toolbar privacy notice. It begins “Please read this carefully, it’s not the usual Yada Yada”. It does a fair job of warning a user about the considerable privacy issues surrounding a tool placed directly within a browser. In fact, the sites you browse on the internet are probably as great a privacy concern as any health information you have. If you have any serious health conditions you have probably already searched for them and visited sites with content relevant to that condition. If you use toolbars, the information about where you visited was potentially transmitted back to the author of that toolbar. Google is upfront about this, and gives you an opt-out. This is much better than your average toolbar.

Microsoft’s Privacy Policy is awful. It has language that includes things like: “you give us permission to host your data off-shore”, and “we can change this policy anytime we like”. The current HealthVault privacy policy does nothing to protect a patient’s privacy from future policy changes within Microsoft. Based on the current language, the privacy policy might as well not exist. I discussed this with the HealthVault team and their response was “boiler-plate language”.

Frankly, the fact that ANY boiler-plate language was included in a privacy policy is a good indication that the thinking at Microsoft Legal is totally backwards. It is currently thinking “What will the market let us get away with” rather than “Hey this is a new moral sphere, if we do the right thing here, maybe the Government(s) will not make our lives completely miserable by over-regulating this industry.”

Privacy Policy Verdict:

Google wins. Without even releasing a Privacy Policy. On a scale of 1-10, HealthVault scores a -2, which in English translates to “hell-no”. That makes Google’s lack of score actually come out ahead.

API Design:

Google Health uses a CCR record wrapped in some of its standard web-service APIs. It would be better if they could have adopted CCD, but they said it was not ready when they started, which is a fair response. Still, CCR is already a popular standard and a smart move for Google.

HealthVault has released its own XML specification. While they have promised to promise not to sue the pants off people like me who decide to use those specifications, creating a “new standard” in the healthcare space is a regrettable step backwards.

API Design Verdict:

Google wins for respecting current standards.

Security Architecture:

Google is using their AuthSub system to let users give other people (caregivers, etc.) token-based access that is temporary and limited.

HealthVault is using a “root” user notion that is transitive. That means that if I trust Bob enough to make him a “root” user on my PHR record, then he can do anything with my record, including passing the root privilege to Jenny, who can pass it to Sam, who can pass it to Ruth, who can then do anything with my PHR account. See the problem? While the HealthVault system does allow for finer-grained control, there is no concept of passing along “complete control” without also passing along the ability to create other “root” users.

(Updated 03-04-08: Sean Nolan from Microsoft has posted a rebuttal to the previous sentence. While the rebuttal does not address my criticisms of a “transitive root” privilege system, it does argue that this design can be considered a feature rather than a flaw.)
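The difference between a transitive “root” and “complete control” that cannot be re-delegated can be shown with a toy access model. This is an added example, not HealthVault or Google code; the `Record` class, the two right names and the owner name `me` are assumptions made for illustration.

```python
from dataclasses import dataclass, field

FULL, GRANT = "full-control", "create-grants"   # hypothetical right names

@dataclass
class Record:
    owner: str
    grants: dict = field(default_factory=dict)   # grantee -> (rights, grantor)

    def rights_of(self, user):
        if user == self.owner:
            return {FULL, GRANT}
        return self.grants.get(user, (set(), None))[0]

    def grant(self, grantor, grantee, rights):
        held = self.rights_of(grantor)
        # A grantor must hold GRANT and cannot hand out more than it holds.
        if GRANT not in held or not set(rights) <= held:
            raise PermissionError(f"{grantor} may not grant {sorted(rights)}")
        self.grants[grantee] = (set(rights), grantor)

    def full_control_holders(self):
        return {u for u, (r, _) in self.grants.items() if FULL in r}

    def chain(self, user):
        """Walk the delegation path from user back to the record owner."""
        path = [user]
        while path[-1] != self.owner:
            path.append(self.grants[path[-1]][1])
        return path

def transitive_root():
    """'Root' bundles FULL with GRANT, so every grantee can mint another root."""
    rec = Record("me")
    for grantor, grantee in [("me", "bob"), ("bob", "jenny"),
                             ("jenny", "sam"), ("sam", "ruth")]:
        rec.grant(grantor, grantee, {FULL, GRANT})
    return rec

def non_transitive_full_control():
    """FULL without GRANT: Bob can do anything to the record except re-delegate."""
    rec = Record("me")
    rec.grant("me", "bob", {FULL})
    try:
        rec.grant("bob", "jenny", {FULL})
        blocked = False
    except PermissionError:
        blocked = True
    return rec, blocked

if __name__ == "__main__":
    print(transitive_root().chain("ruth"))
    rec, blocked = non_transitive_full_control()
    print(sorted(rec.full_control_holders()), blocked)
```

In the first model the owner approved only Bob, yet four people end up with full control; in the second, the set of full-control holders is exactly the set the owner chose.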

Security Architecture Verdict:

Obviously Google has time to screw this up before coming out of beta, but it looks like its access control system has been better thought out.

Time to Market Verdict:

Obviously, Microsoft wins here. HealthVault has been out for months. However, if they do not get their act together they will not have any remaining first-mover advantage. Google is obviously making very sharp moves; in fact, maybe their best move was not coming to market before they were ready.

Now that Microsoft has made some FOSS-friendly sounds, I will take a closer look at their software. When Google Health is finally released, I will do a complete comparison.


10 thoughts on “Google Health vs. HealthVault round 1”

  1. While I’m not totally familiar with what Google is doing now, I do know enough about what Microsoft is attempting to provide with their HealthVault platform. Microsoft’s strategy may be the tortoise to Google’s hare. While there might be what you’re calling flaws in the security model, which I disagree with, those can be addressed. What is more meaningful to take in and expose to your readers is that Microsoft is providing a platform that many vendors and partners can write applications for. The initial applications are not as compelling as you would hope for, but then again this is a new area where applications for Consumer driven Healthcare are new to the block. Microsoft has relationships with a great many device vendors which means that consumers can actively participate in the collection of their own healthcare data. In order for Google to do the same thing they are going to have to provide tools that allow the devices to upload data, or like the earlier versions of Google Health (just let the patients type it into a free format text box). Doctors that I’ve talked to are highly against consuming data from patients that has not been vetted in some way. For that part of the eco-system I think that Microsoft has provided a better platform.

    Also, I wouldn’t focus too much on Google or Microsoft support for CCR/CCD (incidentally you CAN import/export both in HealthVault). Current EMR vendors only have CCR/CCD support minimally and you still have the big problem of document versioning that you’ll need to expose to the consumer. Which clinic and which CCD is most up to date? Should I overwrite the one in Google Health/HealthVault? How do I update only the blood pressure part of the CCD and what applications have the rights to do so on my behalf?

    I think that this comparison between the two platforms is irrelevant. Google has an entirely different mission and objective than Microsoft does. Until both platforms have more time for adoption and flushing out, I don’t see that it makes sense to say, Google wins here, Microsoft is broken here, etc…

  2. John,
    Thanks for your comments. You wrote:

    “What is more meaningful to take in and expose to your readers is that Microsoft is providing a platform that many vendors and partners can write applications for.”

    From what the Google folks are telling me, Google Health is intended to be a platform too. That is exactly the term that Eric Schmidt spoke about at HIMSS. I have seen the demo of the application, and had as careful a look as any “outsider” I know of; from what I can tell it is obviously designed to be a platform. Google has already committed to releasing an API, just like HealthVault.

    As for Google not providing as compelling a platform as Microsoft, I cannot imagine a device maker that would work with Microsoft, but would not work with Google Health. Further, Google has been a market leader in creating web-platforms.

    The Microsoft guys have already commented on my comments regarding proprietary XML vs CCD, and until I have had a better chance to look at their implementation I will not comment on it further. If you (and Microsoft) are correct, I will update my current review.

    As for commenting too soon, I completely disagree with you. Carefully commenting at this stage might help shape the policies for both Microsoft and Google, which will ultimately impact how the industry is regulated etc etc. Now seems like the perfect time to make noise.


  3. Nice comparison review. I hope you’re planning a round 2 now that Google Health has been released to the public.

  4. I went to sign up for MS Health Vault, but decided against it after encountering their inane password strength policy. Demanding that a user not use their password of choice and instead adopt a new one containing no common words and a mixture of digits and punctuation leads to that new, difficult-to-remember password being written down on paper or saved in a non-secure system (e-mail, Word document). Let me manage my personal security the way I see fit.

  5. For the record, I like MSFT’s OpenID login. However, has anyone else had a problem with Health Vault data accuracy? I tried to enter an approximate date for a family member’s condition ‘start date’ as 2007. It showed up, presumably due to data type error, as ‘1900’. So I deleted the reference entirely. It disappeared from the results. I then added it back by selecting an exact date from the calendar control/applet (choosing July 14, 2007). It showed up again as ‘1900’. If MSFT cannot even accurately record and remember dates, I have decided not to trust ANYTHING on Health Vault.

    Recently checked Google Health and it appears to be winning the intuitive and interoperability race.

    I think MSFT may be missing the boat to rely on high end device requiring application driver software etc. This is so 1990’s.

  6. “HealthVault has released its own XML specification. While they have promised to promise not to sue the pants off people like me who decide to use those specifications, creating a “new standard” in the healthcare space is a regrettable step backwards.”

    Agreed. It’s surprising actually how many people in the industry believe HealthVault has full CCD support though, due in part to Microsoft’s past comments. My colleague has written a good analysis on HealthVault’s creative interpretation of “CCD support” at

  7. I’d love to see you do a similar writeup on Google Health, Dossia, and MSHV now that they’ve been around for a while.
