Everyone is talking about Googles new PHR offering vs. Microsoft HealthVault. Mostly the talk is drivel. I was able to get a seat at the Press Interview with Google CEO Eric Schmidt at HIMSS and, I kid you not, two reporters asked “Is the data in Google Health covered by HIPAA?” within five minutes of each other. Frankly, not-covered-by-HIPAA is an industry standard for PHRs, and the fact that the question was asked at all is an indication that the press covering this largely have no idea what is going on. (I will talk more about HIPAA and PHRs in a future post.)
Rather than finding drama in all of the wrong places, I wanted to highlight a couple of differences that really are worth paying attention to. I have had the privilege of speaking with the programming leads for both projects extensively, and it is not yet time to give a close blow by blow of where these two system are in comparison to each other. (that will happen after Google Health goes live) I hope that what little technical meat I was able to dig up will be interesting to you.
Google Health uses a CCR record wrapped in some of its standard web-service APIs. It would be better if they could have adopted CCD. But they said it was not ready when they started, which is a fair response. Still CCR is already a popular standard and a smart move for Google.
HealthVault has released its own XML specification. While they have promised to promise not to sue the pants of people like me who decide to use those specifications, creating a “new standard” in the healthcare space is regrettable step backwards.
API Design Verdict:
Google wins for respecting current standards.
Google is using their authsub system to allow users to provide token based access to other people (care-givers etc) for temporary and limited access.
HealthVault is using a “root” user notion that is transitive. That means that if I trust bob enough to make him a “root” user on my PHR record, then he can do anything with my record. Including passing the root privilege to Jenny, who can pass it to Sam, who can pass it to Ruth who can then do anything with my PHR account. See the problem? While the HealthVault system does allow for finer grain control,
there is no concept of passing along “complete control” without also passing along the ability to create other “root” users.
(updated 03-04-08 Sean Nolan from Microsoft has posted a rebuttal to the previous sentence, while the rebuttal does not address my criticisms of a “transitive root” privilege system, it does argue that this design can be considered a feature rather than a flaw)
Security Architecture Verdict:
Obviously Google has time to screw this up before coming out of beta, but it looks like its access control system has been better thought out.
Time to Market Verdict:
Obviously, Microsoft wins here. HealthVault has been out for months. However, if they do not get their act together they will not have any remaining first-mover advantage. Google is obviously making very sharp moves, in fact, maybe their best move was not coming to market before they were ready.
Now that Microsoft has made some FOSS friendly sounds, I will take a closer look at their software. When Google Health is finally released, I will do a complete comparison.