Slashdot Mirror


Ask Slashdot: Should You Store Medical Details In The Cloud? (caremonkey.com)

"Paper forms are a security risk", warns the web site for CareMonkey, which maintains digital and up-to-date medical information in the cloud "for any organization with a duty of care". This is raising concerns for long-time Slashdot reader rolandw, who says he's being asked by his daughter's school to approve using the site to store "her full medical details". CareMonkey say that this data is stored on AWS and their security page says that it is secured by every protocol ever claimed by AWS (apparently). As a sysadmin and developer who has used AWS extensively for non-secure information my alarm bells are sounding.
Should he ignore those alarm bells and approve the storage of his daughter's medical history in the cloud? And if not, what specific reason would you give for refusing?

29 of 262 comments

  1. No. by Anonymous Coward · · Score: 5, Insightful

    Q: Should you store anything in the cloud?

    A: Only if you don't care if everyone in the world sees it and tries to use it against you.

    1. Re:No. by war4peace · · Score: 4, Insightful

      Yes, plenty.
      If you had alcohol-related problems in the past, companies might refuse to hire you but would give you a different reason anyway. More ominously, targeted advertisement with free coupons for this or that alcoholic beverage will find their way into your mailbox, magazine you subscribe to or local store you shop from.
      If you suffer from this or that mild disease (or have suffered in the past), targeted advertisement will slam you with related ads. Same if you're overweight or too thin (I'm thin and recently started getting targeted ads in my mailbox).
      A girl I know has pimples and started receiving targeted ads and getting calls (yes, calls!) from companies selling beauty products ("wanna get rid of them pimples") - I suspect that's caused by her uploading some personal pictures to the cloud from her phone (stored privately but hey, that doesn't stop anyone, does it).

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    2. Re:No. by kqs · · Score: 2, Insightful

      A very clear pattern. If you (and all of your dependents) are in good health, physically and mentally, you don't care about sharing that data. If you are not in good health, someone will try to use that against you.

      Why, do you see another pattern?

    3. Re:No. by Anonymous Coward · · Score: 5, Insightful

      A: Only if you don't care if everyone in the world sees it and tries to use it against you.

      Why should I care if everyone sees my medical records? The only argument I have heard is that insurance companies might charge more, and employers may be reluctant to hire people with bad health. But I don't have any health problems, so if my records are public, I should get lower insurance rates and better employment offers

      Prior to 2010, I was in perfect health. Never smoked or drank. Exercised and was in excellent shape. Never sick a day in my life. Then suddenly, I was diagnosed with cancer, went through all the fun stuff associated with that, culminating in a really major surgery (~10 hours), followed by a chronic infection that I am still fighting today (and which has pretty much destroyed my life)

      My point is this: Don't get all excited about being in good health, and start making all sorts of decisions based on "I'm not sick so I have nothing to worry about", because things can change in an instant.

    4. Re:No. by CrimsonAvenger · · Score: 3, Interesting

      ? The only argument I have heard is that insurance companies might charge more, and employers may be reluctant to hire people with bad health.

      Note that the first is illegal under the ACA, and the second is likely either illegal or actionable under the ADA.

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    5. Re:No. by Crashmarik · · Score: 2

      A: Only if you don't care if everyone in the world sees it and tries to use it against you, or if you don't care if you ever see your data again.

      FTFY

      Nahh in 10 years the NSA or the KGB will be glad to sell you back a copy

      Take a look the Russians have been glad to help out with Hillary's data loss and backup problem.

    6. Re:No. by JustAnotherOldGuy · · Score: 2

      Is there some downside that I am overlooking?

      Errr, yes. Unless you're the only person in the world with your name (or a similar name) AND you don't think you have to worry about accidentally being mistaken for another patient OR you think that data entry people never make mistakes and mix up or link your records with those of someone else, then, no, have a ball!

      Of course, if your records have mistakes in them or later it's found out that you may be statistically likely to develop some expensive condition based on an analysis of your currently innocuous medical history, then you might want to rethink that whole, "I'm healthy, let 'em see my info" plan.

      And finally, being healthy is a temporary condition at best. If you do get sick and you somehow manage to remove your records from the cloud (ha ha, good luck!) the sudden disappearance of your online medical records may in itself trigger a "Whoah, what's this guy got to hide?" response by the insurance companies. But don't worry, because you're healthy (today anyway).

      --
      Just cruising through this digital world at 33 1/3 rpm...
    7. Re:No. by JustAnotherOldGuy · · Score: 3, Insightful

      ? The only argument I have heard is that insurance companies might charge more, and employers may be reluctant to hire people with bad health.

      Note that the first is illegal under the ACA, and the second is likely either illegal or actionable under the ADA.

      Yeah....if you can prove it, and I mean really, really prove it. They'll never come right out and say, "Ewww, let's not hire the sick guy!", no, it'll be that you're "unqualified" or "over-qualified" or something else. You'll never get proof of the real reason they did hire you.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    8. Re:No. by Gr8Apes · · Score: 2

      ? The only argument I have heard is that insurance companies might charge more, and employers may be reluctant to hire people with bad health.

      Note that the first is illegal under the ACA, and the second is likely either illegal or actionable under the ADA.

      Gee, there's this law back in 1967, ADEA, that was passed to make it illegal to discriminate against people 40+. Seems to have worked. Silicon Valley openly discriminates against 30+.

      --
      The cesspool just got a check and balance.
    9. Re:No. by TheGratefulNet · · Score: 4, Insightful

      you will have medical problems.

      eventually.

      we all do.

      it's a fact. and you won't admit it but it's still a fact that us older guys know.

      almost no one goes thru life 'perfect'. our medical history is OUR history and that's that. you may not think so now, but you will later.

      --
      "It is now safe to switch off your computer."
    10. Re:No. by fluffernutter · · Score: 2

      Insurance is supposed to be for people who are not in good health.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    11. Re:No. by anegg · · Score: 4, Insightful

      I think health insurance is for everyone, because the risk of having expensive health problems exists for just about everyone, especially if health issues due to accidents are included. This is similar to automobile insurance - everyone who drives carries insurance, not just the bad drivers. However, insurance companies of all types love to have reasons to divide people up into very small risk pools, and charge people more for insurance if they have even a casual relationship to some risk factor that indicates that they may make claims (or higher than average claims) against insurance. In the US, auto insurance companies are using things like people's credit score to determine how much to charge them for automobile insurance, on the basis of a belief that people with certain ranges of credit scores are more likely to be involved in accidents, apparently.

      For health insurance, the risk of the health companies getting access to too much data about individuals is that they will start charging individuals for insurance according to their perception of the risk of insuring those individuals. Even if they could correctly screen people into various risk categories, this would be detrimental to the overall way insurance works in general - a large pool of people are charged for insurance based on the average risk in the pool. Everyone pays a more or less affordable rate, and when the risks materialize as claims, those claims get paid off, but the insurance company doesn't have to pay out more than they took in (if they did, they would go out of business).

      If only sick/unhealthy people get health insurance, then the cost of that insurance has to be high, because they will have a higher rate of claims. Those who are fortunate enough to have great health might forego insurance, but on average most people expect to have some issue or other that might require insurance coverage, so on average most people will want insurance. So more people get insurance, and the average cost of insurance goes down because the average claims rate across the larger pool is lower.

      The higher the certainty of people making claims, the less of a solution "insurance" is - insurance is intended to spread risk among a large pool. It seems to be very hard to get people to understand that on average, people cannot expect to get more out of an insurance plan than what they pay into the plan. If that were so, the insurance company would go out of business. As much as people may dislike insurance companies (and many insurance companies have earned the dislike/hatred of their customers), they provide a substantial social benefit when they perform their basic risk management function.

    12. Re:No. by penix1 · · Score: 2

      If only sick/unhealthy people get health insurance, then the cost of that insurance has to be high, because they will have a higher rate of claims. Those who are fortunate enough to have great health might forego insurance, but on average most people expect to have some issue or other that might require insurance coverage, so on average most people will want insurance. So more people get insurance, and the average cost of insurance goes down because the average claims rate across the larger pool is lower.

      The higher the certainty of people making claims, the less of a solution "insurance" is - insurance is intended to spread risk among a large pool. It seems to be very hard to get people to understand that on average, people cannot expect to get more out of an insurance plan than what they pay into the plan. If that were so, the insurance company would go out of business. As much as people may dislike insurance companies (and many insurance companies have earned the dislike/hatred of their customers), they provide a substantial social benefit when they perform their basic risk management function.

      You forgot to mention that insurance is also designed to not be used. With out of pocket expenses, high deductibles, yearly maximum benefits and co-pays that make it unsuitable for even every-year doctor visits. Add in the high cost of medications and god forbid an ambulance ride to the hospital for an extended stay and you still have the threat of bankruptcy.

      --
      This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
    13. Re: No. by Cinnamon+Beige · · Score: 2

      Actually, from a medical standpoint BMI is a worse than bad measure--it basically assumes you've got a certain bone:fat:muscle ratio, which pretty automatically means it will start saying interesting things if you're not of the correct ancestry and lifestyle...and by lifestyle I mean it was developed to get it roughly okay maybe if your athletic endeavors are along the lines of 'middle manager who occasionally takes a walk for relaxation.' (Correct ancestry is a bit harder to pin down; probably Belgian given where it was developed.)

      Oh, and it's utterly useless for kids because they're not even physically scaled-down adults.

      Basically, if you're an athlete it's almost certainly going to insist you're morbidly obese, and if you want something that sucks? Try being where you're having trouble keeping a safe distance away from anorexia athletica--which has serious lifetime consequences--and getting people trying to get you to lose weight anyway because they consider the BMI accurate despite any and all evidence.

  2. No. (Next.) by Anonymous Coward · · Score: 5, Insightful

    What HIPAA guarantees does CareMonkey make?

    Read the fine print carefully, I'm sure there are loopholes the size of Montana.

  3. Specific reason by Archfeld · · Score: 4, Interesting

    Why is he required to give a specific reason? Either give your authorization or withhold it, and do not volunteer a specific reason for or against the use. I personally don't see a reason why not IF the storage vendor can qualify as HIPAA compliant it seems like a decent idea, but I can see where the possibility of leaked data can have a negative impact on continued health care coverage as well as the impact on future coverage in both healthcare and life insurance, not to mention employment issues.

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
    1. Re:Specific reason by magarity · · Score: 2

      IF the storage vendor can qualify as HIPAA compliant

      There's no qualification or certification or anything for HIPAA. It's just a legal and regulatory set of requirements. Most (not all) of the major health insurers have suffered data theft and they're all covered by HIPAA. When it happens they get a fine and some news coverage and the data is out in the wild anyway. The same goes for this outfit doing the data storage on AWS.

    2. Re:Specific reason by TheGratefulNet · · Score: 4, Interesting

      nice attempt at trying to turn it around (not the poster, the article).

      having to give a reason is so backwards! they should have a good reason TO put it online.

      my answer would be flat out 'no'. period. full stop.

      if they insist on an answer why, simply say 'I have some background in computer security, that's why'.

      doubtful they will push further than that.

      amazing that some people that you'd think would be smart, suggest such bone-headed ideas.

      have we not had almost a weekly break-in news article about this or that data breach?

      just WHY would anyone suggest putting med info online - it's clearly because they stand to make money from it, but they could care less if data gets out.

      now, make them $1M liable for any breach and we'll talk. and I want the money in escrow, first, before I believe you.

      --
      "It is now safe to switch off your computer."
    3. Re:Specific reason by Archfeld · · Score: 3, Informative

      There are certain rules. Data encryption both in storage and in flight are a requirement. There are also reporting time requirements for security breaches as well as periodic auditing requirements, but essentially you are correct. You just have to be able to show that you have a plan and a set of rules in place to deal with possible failures and that you have taken basic steps to ensure the security of the data.

      --
      errr....umm...*whooosh* *whoosh* Is this thing on ?
    4. Re:Specific reason by vtcodger · · Score: 2

      "having to give a reason is so backwards! they should have a good reason TO put it online."

      Reasonably secure offsite storage that is (presumably) easy to integrate with the school's existing IT. It'll be embarrassing if an electrical fire in the school office incinerates all the school records and it turns out there is no paper or digital backup.

      The problem of course is that many (most?) IT professionals have substantial doubts that the "secure" part of "secure offsite storage" is doable with 2016 cloud technology.

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
  4. No. by bmo · · Score: 4, Interesting

    No.

    There is already something called MedicAlert, run by the MedicAlert foundation. It's those little bracelets that have a number on the back and EMTs and other emergency professionals seeing these are trained to do a lookup.

    It's a system that works that doesn't need "the cloud." You don't even need a computer or smartphone to access the system. Just a phone. Which means it will work where there is no cell service and can work where there aren't even phone lines - radio operators can do a phone patch.

    It's /better/ than "cloud based systems" that need fancy hardware to access which we have seen to be poorly run and insecure.

    --
    BMO

  5. Yeah. Why not? by fustakrakich · · Score: 2

    We can all stop pretending we have any privacy. I like the idea of a doctor having access no matter where I am.

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:Yeah. Why not? by BitterOak · · Score: 3, Insightful

      We can all stop pretending we have any privacy. I like the idea of a doctor having access no matter where I am.

      That's easy to say when you're relatively healthy, and doctor visits have been for routine things like throat infections, a broken arm, maybe an appendix out, but you might feel differently if you're diagnosed with a mental illness, an awkward venereal disease, or something else you'd like to keep private. Once you agree to this scheme, it might be hard to get out of it.

      --
      If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
  6. NO!!!, and a couple of additional questions... by QuietLagoon · · Score: 4, Insightful
    Even if every security protocol in existence were used, are they being used correctly? Additionally, what does the ToS for the service say? Are there any third-party "business partners" with whom the data are shared? Even if it were shared with personally identifiable data removed, it can still be used to identify someone.

    A treasure trove of medical information "in the cloud" is lusted after by too many corporate entities who have little or no regard for privacy, they just want access to more data.

    What business arrangements are being made with the school by CareMonkey? What data, besides medical information, is the school sharing with CareMonkey?

    If it were my children, I'd run fast and far from this data harvesting Trojan horse.

    1. Re:NO!!!, and a couple of additional questions... by ColdWetDog · · Score: 3, Insightful

      1) I would not trust anything by a company called "CareMonkey". Period.

      2) Much less anything covered by "all" security protocols. (Maybe even ROT-13, twice.)

      3) And finally, Betteridge's Law of Headlines.

      --
      Faster! Faster! Faster would be better!
  7. Answer to the question with the Question by Trachman · · Score: 3, Interesting

    Would you store your naked pictures in the cloud? Probably no.

    The same way, probably, men and women would not like to store certain types of information:

    - Abortion,
    - STD testing
    - Sterilization
    - STD's
    - Genetic Abnormalities
    - Addiction
    - Health Risk Assessment

    Every one of these items, if leaked, has serious ramifications to personal and professional life.

    The answer is No.

  8. Re:Possible, but difficult by Anonymous Coward · · Score: 5, Insightful

    Cloud storage can certainly be done secure.

    Yes it can.

    But it never is.

    Doing *ANYTHING* properly and securely requires a lot of time, effort and money. Your company's employees are lazy and stupid, and following strict rules is too inconvenient and too much work. Your company's management only cares about cutting expenses because less spending = more promotions and bigger bonuses, AND, when a major breach occurs, the people who refused to allocate the necessary resources to prevent it from happening, are rarely the people who get fired.

  9. Questionable Controls by gotpaint32 · · Score: 4, Interesting

    The majority of controls they note on their website [https://www.caremonkey.com/security-2/] are standard AWS controls that anyone with an EC2 instance can claim for themselves. Likewise their 3PAO attestations all appear to have been inherited from AWS. Perhaps they did their own PCI compliance audit but I doubt it based on the write-up presented.

    I also find the lack of details on their application security practices a bit disconcerting. Why do they specifically call out encrypting password data but say nothing of encrypting user content? They even note that they encrypt the data on the mobile app but are interestingly silent about this on their web database, why is that? Also I find it curious they don't note anything about utilizing AWS's dedicated hosts and storage options which is one of the major requirements by Amazon for meeting HIPAA compliance, I know this is one of the many rules, because we had to sign contracts for our systems agreeing to this stipulation.

    Another question is, is CareMonkey even legally bound by HIPAA regulations? Do they have legally binding agreements with any covered entity or hybrid entities that subject them to HIPAA regs? It is one thing to say you are HIPAA compliant but if the rules don't apply to you then that really doesn't mean much does it...

    --
    Nuclear war would really set back cable. - Ted Turner
  10. Re: Amazon is in the business of selling your data by mbeckman · · Score: 4, Informative

    Some companies use AWS in a HIPAA-compliant fashion, but many more don't. Achieving HIPAA compliance in AWS is quite complex -- and expensive -- requiring a separate virtual instance for every covered entity (e.g., insurance company or medical provider) and a slew of other sophisticated security measures. And it's not Amazon's responsibility to police companies claiming compliance. Amazon just provides APIs and services that can be built into a software company's infrastructure. But nobody is checking to make sure they do.