Ask Slashdot: Should You Store Medical Details In The Cloud?

"Paper forms are a security risk", warns the web site for CareMonkey, which maintains digital and up-to-date medical information in the cloud "for any organization with a duty of care". This is raising concerns for long-time Slashdot reader rolandw, who says he's being asked by his daughter's school to approve using the site to store "her full medical details". CareMonkey say that this data is stored on AWS and their security page says that it is secured by every protocol ever claimed by AWS (apparently). As a sysadmin and developer who has used AWS extensively for non-secure information my alarm bells are sounding.
Should he ignore those alarm bells and approve the storage of his daughter's medical history in the cloud? And if not, what specific reason would you give for refusing?

Re:Specific reason

[Archfeld]

There are certain rules. Data encryption both in storage and in flight are a requirement. There are also reporting time requirements for security breaches as well as periodic auditing requirements, but essentially you are correct. You just have to be able to show that you have a plan and a set of rules in place to deal with possible failures and that you have taken basic steps to ensure the security of the data.

Re: Amazon is in the business of selling your data

[mbeckman]

Some companies use AWS in a HIPAA-compliant fashion, but many more don't. Achieving HIPAA compliance in AWS is quite complex -- and expensive -- requiring a separate virtual instance for every covered entity (e.g., insurance company or medical provider) and a slew of other sophisticated security measures. And it's not Amazon's responsibility to police companies claiming compliance. Amazon just provides APIs and services that can be built into a software company's infrastructure. But nobody is checking to make sure they do.