Slashdot Mirror


Ask Slashdot: Should You Store Medical Details In The Cloud? (caremonkey.com)

"Paper forms are a security risk", warns the web site for CareMonkey, which maintains digital and up-to-date medical information in the cloud "for any organization with a duty of care". This is raising concerns for long-time Slashdot reader rolandw, who says he's being asked by his daughter's school to approve using the site to store "her full medical details". CareMonkey say that this data is stored on AWS and their security page says that it is secured by every protocol ever claimed by AWS (apparently). As a sysadmin and developer who has used AWS extensively for non-secure information my alarm bells are sounding.
Should he ignore those alarm bells and approve the storage of his daughter's medical history in the cloud? And if not, what specific reason would you give for refusing?

7 of 262 comments

  1. Specific reason by Archfeld · · Score: 4, Interesting

    Why is he required to give a specific reason? Either give your authorization or withhold it, and do not volunteer a specific reason for or against the use. I personally don't see a reason why not IF the storage vendor can qualify as HIPAA compliant it seems like a decent idea, but I can see where the possibility of leaked data can have a negative impact on continued health care coverage as well as the impact on future coverage in both healthcare and life insurance, not to mention employment issues.

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
    1. Re:Specific reason by TheGratefulNet · · Score: 4, Interesting

      nice attempt at trying to turn it around (not the poster, the article).

      having to give a reason is so backwards! they should have a good reason TO put it online.

      my answer would be flat out 'no'. period. full stop.

      if they insist on an answer why, simply say 'I have some background in computer security, that's why'.

      doubtful they will push further than that.

      amazing that some people that you'd think would be smart, suggest such bone-headed ideas.

      have we not had almost a weekly break-in news article about this or that data breach?

      just WHY would anyone suggest putting med info online - it's clearly because they stand to make money from it, but they could care less if data gets out.

      now, make them $1M liable for any breach and we'll talk. and I want the money in escrow, first, before I believe you.

      --
      "It is now safe to switch off your computer."
  2. No. by bmo · · Score: 4, Interesting

    No.

    There is already something called MedicAlert, run by the MedicAlert foundation. It's those little bracelets that have a number on the back and EMTs and other emergency professionals seeing these are trained to do a lookup.

    It's a system that works that doesn't need "the cloud." You don't even need a computer or smartphone to access the system. Just a phone. Which means it will work where there is no cell service and can work where there aren't even phone lines - radio operators can do a phone patch.

    It's /better/ than "cloud based systems" that need fancy hardware to access which we have seen to be poorly run and insecure.

    --
    BMO

  3. Answer to the question with the Question by Trachman · · Score: 3, Interesting

    Would you store your naked pictures in the cloud? Probably no.

    The same way, probably, men and women would not like to store certain types of information:

    - Abortion,
    - STD testing
    - Sterilization
    - STD's
    - Genetic Abnormalities
    - Addiction
    - Health Risk Assessment

    Every one of these items, if leaked, has serious ramifications to personal and professional life.

    The answer is No.

  4. AWS is "HIPAA-compliant" by mi · · Score: 1, Interesting

    AWS is HIPAA-compliant, which is why the company in TFA is able to use them at all.

    Your data is no less secure at AWS, than in any Internet-connected hospital — though that in itself is not saying much.

    If you can not store it yourself, trusting a company like CareMonkey, whose entire business model is predicated on the security of customers' data, probably, makes more sense, than trusting someone, for whom it is but a side-show. Such companies may still experience a problem — nothing is safe — but they are less likely to.

    And if you worry about government, well, to the delight of Statists, our "democratically controlled" "strong government" already has access to your medical history. And will get more, when the "single-payer" system, so beloved by those same Statists, replaces the designed to fail and failing — Obamacare.

    --
    In Soviet Washington the swamp drains you.
  5. Re:No. by CrimsonAvenger · · Score: 3, Interesting

    ? The only argument I have heard is that insurance companies might charge more, and employers may be reluctant to hire people with bad health.

    Note that the first is illegal under the ACA, and the second is likely either illegal or actionable under the ADA.

    --

    "I do not agree with what you say, but I will defend to the death your right to say it"
  6. Questionable Controls by gotpaint32 · · Score: 4, Interesting

    The majority of controls they note on their website [https://www.caremonkey.com/security-2/] are standard AWS controls that anyone with an EC2 instance can claim for themselves. Likewise their 3PAO attestations all appear to have been inherited from AWS. Perhaps they did their own PCI compliance audit but I doubt it based on the write-up presented.

    I also find the lack of details on their application security practices a bit disconcerting. Why do they specifically call out encrypting password data but say nothing of encrypting user content? They even note that they encrypt the data on the mobile app but are interestingly silent about this on their web database, why is that? Also I find it curious they don't note anything about utilizing AWS's dedicated hosts and storage options, which is one of the major requirements by Amazon for meeting HIPAA compliance. I know this is one of the many rules, because we had to sign contracts for our systems agreeing to this stipulation.

    Another question is, is CareMonkey even legally bound by HIPAA regulations? Do they have legally binding agreements with any covered entity or hybrid entities that subject them to HIPAA regs? It is one thing to say you are HIPAA compliant but if the rules don't apply to you then that really doesn't mean much, does it...

    --
    Nuclear war would really set back cable. - Ted Turner