Ask Slashdot: Should You Store Medical Details In The Cloud?

"Paper forms are a security risk", warns the web site for CareMonkey, which maintains digital and up-to-date medical information in the cloud "for any organization with a duty of care". This is raising concerns for long-time Slashdot reader rolandw, who says he's being asked by his daughter's school to approve using the site to store "her full medical details". CareMonkey say that this data is stored on AWS and their security page says that it is secured by every protocol ever claimed by AWS (apparently). As a sysadmin and developer who has used AWS extensively for non-secure information my alarm bells are sounding.
Should he ignore those alarm bells and approve the storage of his daughter's medical history in the cloud? And if not, what specific reason would you give for refusing?

No.

Q: Should you store anything in the cloud?

A: Only if you don't care if everyone in the world sees it and tries to use it against you.

Re:No.

[war4peace]

Yes, plenty.
If you had alcohol-related problems in the past, companies might refuse to hire you but would give you a different reason anyway. More ominously, targeted advertisement with free coupons for this or that alcoholic beverage will find their way into your mailbox, magazine you subscribe to or local store you shop from.
If you suffer from this or that mild disease (or have suffered in the past), targeted advertisement will slam you with related ads. Same if you're overweight or too thin (I'm thin and recently started getting targeted ads in my mailbox).
A girl I know has pimples and started receiving targeted ads and getting calls (yes, calls!) from companies selling beauty products ("wanna get rid of them pimples") - I suspect that's caused by her uploading some personal pictures to the cloud from her phone (stored privately but hey, that doesn't stop anyone, does it).

Re:No.

[kqs]

A very clear pattern. If you (and all of your dependents) are in good health, physically and mentally, you don't care about sharing that data. If you are not in good health, someone will try to use that against you.

Why, do you see another pattern?

Re:No.

A: Only if you don't care if everyone in the world sees it and tries to use it against you.

Why should I care if everyone sees my medical records? The only argument I have heard is that insurance companies might charge more, and employers may be reluctant to hire people with bad health. But I don't have any health problems, so if my records are public, I should get lower insurance rates and better employment offers

Prior to 2010, I was in perfect health. Never smoked or drank. Exercised and was in excellent shape. Never sick a day in my life. Then suddenly, I was diagnosed with cancer, went through all the fun stuff associated with that, culminating in a really major surgery (~10 hours), followed by a chronic infection that I am still fighting today (and which has pretty much destroyed my life)

Mt point is this: Don't get all excited about being in good health, and start making all sorts of decisions based on "I'm not sick so I have nothing to worry about", because things can change in an instant.

Re:No.

[JustAnotherOldGuy]

? The only argument I have heard is that insurance companies might charge more, and employers may be reluctant to hire people with bad health.

Note that the first is illegal under the ACA, and the second is likely either illegal or actionable under the ADA.

Yeah....if you can prove it, and I mean really, really prove it. They'll never come right out and say, Ewww, let's not hire the sick guy!", no, it'll be that you're "unqualified" or "over-qualified" or something else. You'll never get proof of the real reason they did hire you.

Re:No.

[TheGratefulNet]

you will have medical problems.

eventually.

we all do.

its a fact. and you won't admit it but its still a fact that us older guys know.

almost no one goes thru life 'perfect'. our medical history is OUR history and that's that. you may not think so now, but you will later.

Re:No.

[anegg]

I think health insurance is for everyone, because the risk of having expensive health problems exists for just about everyone, especially if health issues due to accidents are included. This is similar to automobile insurance - everyone who drives carries insurance, not just the bad drivers. However, insurance companies of all types love to have reasons to divide people up into very small risk pools, and charge people more for insurance if they have even a casual relationship to some risk factor that indicates that they may make claims (or higher than average claims) against insurance. In the US, auto insurance companies are using things like people's credit score to determine how much to charge them for automobile insurance, on the basis of a belief that people with certain ranges of credit scores are more likely to be involved in accidents, apparently.

For health insurance, the risk of the health companies getting access to too much data about individuals is that they will start charging individuals for insurance according to their perception of the risk of insuring those individuals. Even if they could correctly screen people into various risk categories, this would be detrimental to the overall way insurance works in general - a large pool of people are charged for insurance based on the average risk in the pool. Everyone pays a more or less affordable rate, and when the risks materialize as claims, those claims get paid off, but the insurance company doesn't have to pay out more than they took in (if they did, they would go out of business).

If only sick/unhealthy people get health insurance, then the cost of that insurance has to be high, because they will have a higher rate of claims. Those who are fortunate enough to have great health might forego insurance, but on average most people expect to have some issue or other that might require insurance coverage, so on average most people will want insurance. So more people get insurance, and the average cost of insurance goes down because the average claims rate across the larger pool is lower.

The higher the certainty of people making claims, the less of a solution "insurance" is - insurance is intended to spread risk among a large pool. It seems to be very hard to get people to understand that on average, people cannot expect to get more out of an insurance plan than what they pay into the plan. If that were so, the insurance company would go out of business. As much as people may dislike insurance companies (and many insurance companies have earned the dislike/hatred of their customers), they provide a substantial social benefit when they perform their basic risk management function.

No. (Next.)

What HIPAA guarantees does CareMonkey make?

Read the fine print carefully, I'm sure there are loop holes the size of Montana.

NO!!!, and a couple of additional questions...

[QuietLagoon]

Even if every security protocol in existence were used, are they being used correctly? Additionally, what does the ToS for the service say? Are there any third-party "business partners" with whom the data are shared? Even if it were shared with personally identifiable data removed, it can still be used to identify someone.

.
A treasure trove of medical information "in the cloud" is lusted after by too many corporate entities who have little or no regard for privacy, they just want access to more data.

What business arrangements are being made with the school by CareMoney? What data, besides medical information, is the school sharing with CareMonkey?

If it were my children, I'd run fast and far from this data harvesting Trojan horse.

Re:NO!!!, and a couple of additional questions...

[ColdWetDog]

1) I would not trust anything by a company called "CareMonkey". Period.

2) Much less anything covered by "all" security protocols. (Maybe even ROT-13, twice.)

3) And finally, Betteridge's Law of Headlines.

Re:Yeah. Why not?

[BitterOak]

We can all stop pretending we have any privacy. I like the idea of a doctor having access no matter where I am.

That's easy to say when you're relatively healthy, and doctor visits have been for routine things like throat infections, a broken arm, maybe an appendix out, but you might feel differently if you're diagnosed with a mental illness, an awkward venereal disease, or something else you'd like to keep private. Once you agree to this scheme, it might be hard to get out of it.

Re:Possible, but difficult

Cloud storage can certainly be done secure.

Yes it can.

But it never is.

Doing *ANYTHING* properly and securely requires a lot of time, effort and money. Your company's employees are lazy and stupid, and following strict rules is too inconvenient and too much work. Your company's management only cares about cutting expenses because less spending = more promotions and bigger bonuses, AND, when a major breach occurs, the people who refused to allocate the necessary resources to prevent it from happening, are rarely the people who get fired.