Ask Slashdot: Should You Store Medical Details In The Cloud?

"Paper forms are a security risk", warns the web site for CareMonkey, which maintains digital and up-to-date medical information in the cloud "for any organization with a duty of care". This is raising concerns for long-time Slashdot reader rolandw, who says he's being asked by his daughter's school to approve using the site to store "her full medical details". CareMonkey say that this data is stored on AWS and their security page says that it is secured by every protocol ever claimed by AWS (apparently). As a sysadmin and developer who has used AWS extensively for non-secure information my alarm bells are sounding.
Should he ignore those alarm bells and approve the storage of his daughter's medical history in the cloud? And if not, what specific reason would you give for refusing?

No.

Q: Should you store anything in the cloud?

A: Only if you don't care if everyone in the world sees it and tries to use it against you.

Re:No.

[war4peace]

Yes, plenty.
If you had alcohol-related problems in the past, companies might refuse to hire you but would give you a different reason anyway. More ominously, targeted advertisement with free coupons for this or that alcoholic beverage will find their way into your mailbox, magazine you subscribe to or local store you shop from.
If you suffer from this or that mild disease (or have suffered in the past), targeted advertisement will slam you with related ads. Same if you're overweight or too thin (I'm thin and recently started getting targeted ads in my mailbox).
A girl I know has pimples and started receiving targeted ads and getting calls (yes, calls!) from companies selling beauty products ("wanna get rid of them pimples") - I suspect that's caused by her uploading some personal pictures to the cloud from her phone (stored privately but hey, that doesn't stop anyone, does it).

Re:No.

A: Only if you don't care if everyone in the world sees it and tries to use it against you.

Why should I care if everyone sees my medical records? The only argument I have heard is that insurance companies might charge more, and employers may be reluctant to hire people with bad health. But I don't have any health problems, so if my records are public, I should get lower insurance rates and better employment offers

Prior to 2010, I was in perfect health. Never smoked or drank. Exercised and was in excellent shape. Never sick a day in my life. Then suddenly, I was diagnosed with cancer, went through all the fun stuff associated with that, culminating in a really major surgery (~10 hours), followed by a chronic infection that I am still fighting today (and which has pretty much destroyed my life)

Mt point is this: Don't get all excited about being in good health, and start making all sorts of decisions based on "I'm not sick so I have nothing to worry about", because things can change in an instant.

Re:No.

[CrimsonAvenger]

? The only argument I have heard is that insurance companies might charge more, and employers may be reluctant to hire people with bad health.

Note that the first is illegal under the ACA, and the second is likely either illegal or actionable under the ADA.

Re:No.

[JustAnotherOldGuy]

? The only argument I have heard is that insurance companies might charge more, and employers may be reluctant to hire people with bad health.

Note that the first is illegal under the ACA, and the second is likely either illegal or actionable under the ADA.

Yeah....if you can prove it, and I mean really, really prove it. They'll never come right out and say, Ewww, let's not hire the sick guy!", no, it'll be that you're "unqualified" or "over-qualified" or something else. You'll never get proof of the real reason they did hire you.

Re:No.

[TheGratefulNet]

you will have medical problems.

eventually.

we all do.

its a fact. and you won't admit it but its still a fact that us older guys know.

almost no one goes thru life 'perfect'. our medical history is OUR history and that's that. you may not think so now, but you will later.

Re:No.

[anegg]

I think health insurance is for everyone, because the risk of having expensive health problems exists for just about everyone, especially if health issues due to accidents are included. This is similar to automobile insurance - everyone who drives carries insurance, not just the bad drivers. However, insurance companies of all types love to have reasons to divide people up into very small risk pools, and charge people more for insurance if they have even a casual relationship to some risk factor that indicates that they may make claims (or higher than average claims) against insurance. In the US, auto insurance companies are using things like people's credit score to determine how much to charge them for automobile insurance, on the basis of a belief that people with certain ranges of credit scores are more likely to be involved in accidents, apparently.

For health insurance, the risk of the health companies getting access to too much data about individuals is that they will start charging individuals for insurance according to their perception of the risk of insuring those individuals. Even if they could correctly screen people into various risk categories, this would be detrimental to the overall way insurance works in general - a large pool of people are charged for insurance based on the average risk in the pool. Everyone pays a more or less affordable rate, and when the risks materialize as claims, those claims get paid off, but the insurance company doesn't have to pay out more than they took in (if they did, they would go out of business).

If only sick/unhealthy people get health insurance, then the cost of that insurance has to be high, because they will have a higher rate of claims. Those who are fortunate enough to have great health might forego insurance, but on average most people expect to have some issue or other that might require insurance coverage, so on average most people will want insurance. So more people get insurance, and the average cost of insurance goes down because the average claims rate across the larger pool is lower.

The higher the certainty of people making claims, the less of a solution "insurance" is - insurance is intended to spread risk among a large pool. It seems to be very hard to get people to understand that on average, people cannot expect to get more out of an insurance plan than what they pay into the plan. If that were so, the insurance company would go out of business. As much as people may dislike insurance companies (and many insurance companies have earned the dislike/hatred of their customers), they provide a substantial social benefit when they perform their basic risk management function.

No. (Next.)

What HIPAA guarantees does CareMonkey make?

Read the fine print carefully, I'm sure there are loop holes the size of Montana.

Specific reason

[Archfeld]

Why is he required to give a specific reason ? Either give your authorization a withhold it, and do not volunteer a specific reason for or against the use. I personally don't see a reason why not IF the storage vendor can qualify as HIPAA complaint it seems like a decent idea, but I can see where the possibility of leaked data can have a negative impact on continued health care coverage as well as the impact on future coverage in both healthcare and life insurance, not to mention employment issues.

Re:Specific reason

[TheGratefulNet]

nice attempt at trying to turn it around (not the poster, the article).

having to give a reason is so backwards! they should have a good reason TO put it online.

my answer would be flat out 'no'. period. full stop.

if they insist on an answer why, simply say 'I have some background in computer security, that's why'.

doubtful they will push further than that.

amazing that some people that you'd think would be smart, suggest such bone-headed ideas.

have we not had almost a weekly break-in news article about this or that data breech?

just WHY would anyone suggest putting med info online - its clearly because they stand to make money from it, but they could care less if data gets out.

now, make them $1M liable for any breech and we'll talk. and I want the money in escrow, first, before I believe you.

Re:Specific reason

[Archfeld]

There are certain rules. Data encryption both in storage and in flight are a requirement. There are also reporting time requirements for security breaches as well as periodic auditing requirements, but essentially you are correct. You just have to be able to show that you have a plan and a set of rules in place to deal with possible failures and that you have taken basic steps to ensure the security of the data.

No.

[bmo]

No.

There is already something called MedicAlert, run by the MedicAlert foundation. It's those little bracelets that have a number on the back and EMTs and other emergency professionals seeing these are trained to do a lookup.

It's a system that works that doesn't need "the cloud." You don't even need a computer or smartphone to access the system. Just a phone. Which means it will work where there is no cell service and can work where there isn't even phone lines - radio operators can do a phone patch.

It's /better/ than "cloud based systems" that needs fancy hardware to access which we have seen to be poorly run and insecure.

--
BMO

NO!!!, and a couple of additional questions...

[QuietLagoon]

Even if every security protocol in existence were used, are they being used correctly? Additionally, what does the ToS for the service say? Are there any third-party "business partners" with whom the data are shared? Even if it were shared with personally identifiable data removed, it can still be used to identify someone.

.
A treasure trove of medical information "in the cloud" is lusted after by too many corporate entities who have little or no regard for privacy, they just want access to more data.

What business arrangements are being made with the school by CareMoney? What data, besides medical information, is the school sharing with CareMonkey?

If it were my children, I'd run fast and far from this data harvesting Trojan horse.

Re:NO!!!, and a couple of additional questions...

[ColdWetDog]

1) I would not trust anything by a company called "CareMonkey". Period.

2) Much less anything covered by "all" security protocols. (Maybe even ROT-13, twice.)

3) And finally, Betteridge's Law of Headlines.

Re:Yeah. Why not?

[BitterOak]

We can all stop pretending we have any privacy. I like the idea of a doctor having access no matter where I am.

That's easy to say when you're relatively healthy, and doctor visits have been for routine things like throat infections, a broken arm, maybe an appendix out, but you might feel differently if you're diagnosed with a mental illness, an awkward venereal disease, or something else you'd like to keep private. Once you agree to this scheme, it might be hard to get out of it.

Answer to the question with the Question

[Trachman]

Would you store your naked pictures in the cloud? Probably no.

The same way, probably, men and women would not like to store certain type of information:

- Abortion,
- STD testing
- Sterilization
- STD's
- Genetic Abnormalities
- Addiction
- Health Risk Assessment

Every one of these items, if leaked, have serious ramifications to personal and professional life.

The answer is No.

Re:Possible, but difficult

Cloud storage can certainly be done secure.

Yes it can.

But it never is.

Doing *ANYTHING* properly and securely requires a lot of time, effort and money. Your company's employees are lazy and stupid, and following strict rules is too inconvenient and too much work. Your company's management only cares about cutting expenses because less spending = more promotions and bigger bonuses, AND, when a major breach occurs, the people who refused to allocate the necessary resources to prevent it from happening, are rarely the people who get fired.

Questionable Controls

[gotpaint32]

The majority of controls they note on their website [https://www.caremonkey.com/security-2/] are standard AWS controls that anyone with an EC2 instance can claim for themselves. Likewise their 3PAO attestations all appear to have been inherited from AWS. Perhaps they did their own PCI compliance audit but I doubt it based on the write-up presented.

I also find the lack of details on their application security practices a bit disconcerting. Why do they specifically call out encrypting password data but say nothing of encrypting user content. They even note that they encrypt the data on the mobile app but are interestingly silent about this on their web database, why is that? Also I find it curious they don't note anything about utilizing AWS's dedicated hosts and storage options which is one of the major requirements by Amazon for meeting HIPAA compliance, I know this is one of the many rules, because we had to sign contracts for our systems agreeing to this stipulation.

Another question is, is caremonkey even legally bound by HIPAA regulations? Do they have legally binding agreements with any covered entity or hybrid entities that subject them to HIPAA regs? It is one thing to say you are HIPAA compliant but if the rules don't apply to you then that really doesn't mean much does it...

Re: Amazon is in the business of selling your data

[mbeckman]

Some companies use AWS in a HIPAA-compliant fashion, but many more don't. Achieving HIPAA compliance in AWS is quite complex -- and expensive -- requiring a separate virtual instance for every covered entity (e.g., insurance company or medical provider) and a slew of other sophisticated security measures. And it's not Amazon's responsibility to police companies claiming compliance. Amazon just provides APIs and services that can be built into a software company's infrastructure. But nobody is checking to make sure they do.