Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 internet speed test! ×
Security Cloud Databases Education Medicine

Ask Slashdot: Should You Store Medical Details In The Cloud? (caremonkey.com) 262

"Paper forms are a security risk", warns the web site for CareMonkey, which maintains digital and up-to-date medical information in the cloud "for any organization with a duty of care". This is raising concerns for long-time Slashdot reader rolandw, who says he's being asked by his daughter's school to approve using the site to store "her full medical details". CareMonkey say that this data is stored on AWS and their security page says that it is secured by every protocol ever claimed by AWS (apparently). As a sysadmin and developer who has used AWS extensively for non-secure information my alarm bells are sounding.
Should he ignore those alarm bells and approve the storage of his daughter's medical history in the cloud? And if not, what specific reason would you give for refusing?
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Should You Store Medical Details In The Cloud?

Comments Filter:
  • No. (Score:5, Insightful)

    by Anonymous Coward on Saturday June 18, 2016 @03:32PM (#52344035)

    Q: Should you store anything in the cloud?

    A: Only if you don't care if everyone in the world sees it and tries to use it against you.

    • A: Only if you don't care if everyone in the world sees it and tries to use it against you, or if you don't care if you ever see your data again. FTFY
      • A: Only if you don't care if everyone in the world sees it and tries to use it against you, or if you don't care if you ever see your data again.

        FTFY

        Nahh in 10 years the NSA or the KGB will be glad to sell you back a copy

        Take a look the Russians have been glad to help out with Hillary's data loss and backup problem.

    • I hate saying this, but THIS.
    • OK you already answered, Just Fucking No.

    • I would like to know if you have a c21 ch53. So if I can tell whether you will have cancer or not. And then discriminate against you, So as to be an ass. You know, just because I can knowledgeably say you have a 73% chance of getting cancer. Because I happen to know that.

  • No. (Next.) (Score:5, Insightful)

    by Anonymous Coward on Saturday June 18, 2016 @03:35PM (#52344057)

    What HIPAA guarantees does CareMonkey make?

    Read the fine print carefully, I'm sure there are loop holes the size of Montana.

    • What HIPAA guarantees does CareMonkey make?

      Would you trust any security guarantee from a company who thinks that putting documents in the cloud is less of a security risk than a paper document? These guys are clearly idiots who have no idea of the type of security problems they are going to be dealing with.

    • by nbauman ( 624611 )

      What HIPAA guarantees does CareMonkey make?

      Read the fine print carefully, I'm sure there are loop holes the size of Montana.

      One of the loopholes in HIPAA is that law enforcement has access to the medical records. Another loophole is that any judge can issue a subpoena for your medical records in a criminal or civil case if it's in "the interests of justice." https://en.wikipedia.org/wiki/... [wikipedia.org]

  • Specific reason (Score:5, Interesting)

    by Archfeld ( 6757 ) <treboreel@live.com> on Saturday June 18, 2016 @03:38PM (#52344075) Journal

    Why is he required to give a specific reason ? Either give your authorization a withhold it, and do not volunteer a specific reason for or against the use. I personally don't see a reason why not IF the storage vendor can qualify as HIPAA complaint it seems like a decent idea, but I can see where the possibility of leaked data can have a negative impact on continued health care coverage as well as the impact on future coverage in both healthcare and life insurance, not to mention employment issues.

    • IF the storage vendor can qualify as HIPAA complaint

      There's no qualification or certification or anything for HIPAA. It's just a legal and regulatory set of requirements. Most (not all) of the major health insurers have suffered data theft and they're all covered by HIPAA. When it happens they get a fine and some news coverage and the data is out in the wild anyway. The same goes for this outfit doing the data storage on AWS.

      • Re:Specific reason (Score:4, Informative)

        by Archfeld ( 6757 ) <treboreel@live.com> on Saturday June 18, 2016 @06:04PM (#52344665) Journal

        There are certain rules. Data encryption both in storage and in flight are a requirement. There are also reporting time requirements for security breaches as well as periodic auditing requirements, but essentially you are correct. You just have to be able to show that you have a plan and a set of rules in place to deal with possible failures and that you have taken basic steps to ensure the security of the data.

    • Re:Specific reason (Score:5, Interesting)

      by TheGratefulNet ( 143330 ) on Saturday June 18, 2016 @04:01PM (#52344187)

      nice attempt at trying to turn it around (not the poster, the article).

      having to give a reason is so backwards! they should have a good reason TO put it online.

      my answer would be flat out 'no'. period. full stop.

      if they insist on an answer why, simply say 'I have some background in computer security, that's why'.

      doubtful they will push further than that.

      amazing that some people that you'd think would be smart, suggest such bone-headed ideas.

      have we not had almost a weekly break-in news article about this or that data breech?

      just WHY would anyone suggest putting med info online - its clearly because they stand to make money from it, but they could care less if data gets out.

      now, make them $1M liable for any breech and we'll talk. and I want the money in escrow, first, before I believe you.

      • "having to give a reason is so backwards! they should have a good reason TO put it online."

        Reasonably secure offfsite storage that is (presumably) easy to integrate with the school's existing IT. It'll be embarassing if an electrical fire in the school office incinerates all the school records and it turns out there is no paper or digital backup.

        The problem of course is that many (most?) IT professionals have substantial doubts that the "secure" part of "secure offsite storage" is doable with 2016 cloud te

    • It was awkwardly phrased, but I read that not as the OP needing to give a reason to the school, but rather Slashdot wanting to see a reason from posters, so as to make an interesting discussion thread.

  • No. (Score:5, Interesting)

    by bmo ( 77928 ) on Saturday June 18, 2016 @03:41PM (#52344097)

    No.

    There is already something called MedicAlert, run by the MedicAlert foundation. It's those little bracelets that have a number on the back and EMTs and other emergency professionals seeing these are trained to do a lookup.

    It's a system that works that doesn't need "the cloud." You don't even need a computer or smartphone to access the system. Just a phone. Which means it will work where there is no cell service and can work where there isn't even phone lines - radio operators can do a phone patch.

    It's /better/ than "cloud based systems" that needs fancy hardware to access which we have seen to be poorly run and insecure.

    --
    BMO

  • We can all stop pretending we have any privacy. I like the idea of a doctor having access no matter where I am.

    • by bmo ( 77928 )

      I was going to post an argument why your assertion is wrong, that just because some privacy has disappeared that we should give up all of it.

      I'm just going to ask you:

      What is your bank account number, DOB, last 4 digits of your SSN, and mother's maiden name?

      --
      BMO

    • Re:Yeah. Why not? (Score:4, Insightful)

      by BitterOak ( 537666 ) on Saturday June 18, 2016 @04:23PM (#52344265)

      We can all stop pretending we have any privacy. I like the idea of a doctor having access no matter where I am.

      That's easy to say when you're relatively healthy, and doctor visits have been for routine things like throat infections, a broken arm, maybe an appendix out, but you might feel differently if you're diagnosed with a mental illness, an awkward venereal disease, or something else you'd like to keep private. Once you agree to this scheme, it might be hard to get out of it.

    • Then you of course, may sign the waiver. My doctor keeps paper records. That's a level of privacy digital information does not possess.

      • Exactly. Paper records are far more secure than digital ones can ever be because you need to get physical access to examine them. Anybody who trusts any of their private information to the cloud is nothing but a common, ordinary F-O-O-L.
    • It's not "the doctor having access". It's the access by unknown and untraceable third party staff members. Medical information contains a great deal of privileged information, including the identity of family members, family history, billing addresses with credit card information and social security number. It also includes data that workplaces are not allowed to ask about, such as age, chronic illnesses, and pregnancy. Such information is also politically very sensitive: discovering that a political oppon

    • We can all stop pretending we have any privacy. I like the idea of a doctor having access no matter where I am.

      You've obviously never been a person randomly selected for a 'frame job'. They really do occur.

  • And the reason I'd give is 'I don't think I can trust you'. Because that's what this comes down to - you have NO idea who these people are, really, and from what I've seen of school related software (I've got two kids in one district, and my wife teaches in another), most places selling to schools hire the people who underbid the lowest bidder.

    • And the reason I'd give is 'I don't think I can trust you'.

      funny, I say that to companies that I have to deal with as a consumer, such as comcast (for an example). I don't give them my home #, or I give a number that I used to have but let expire. I won't give them my cell # since I don't trust them not to abuse it. I don't have a landline anymore (most people don't) and I'm NOT going to give out my real actual cell # to some company who just seems to 'really want it'. if I have a problem, I'll call yo

  • by QuietLagoon ( 813062 ) on Saturday June 18, 2016 @03:55PM (#52344163)
    Even if every security protocol in existence were used, are they being used correctly? Additionally, what does the ToS for the service say? Are there any third-party "business partners" with whom the data are shared? Even if it were shared with personally identifiable data removed, it can still be used to identify someone.

    .
    A treasure trove of medical information "in the cloud" is lusted after by too many corporate entities who have little or no regard for privacy, they just want access to more data.

    What business arrangements are being made with the school by CareMoney? What data, besides medical information, is the school sharing with CareMonkey?

    If it were my children, I'd run fast and far from this data harvesting Trojan horse.

    • by ColdWetDog ( 752185 ) on Saturday June 18, 2016 @04:35PM (#52344301) Homepage

      1) I would not trust anything by a company called "CareMonkey". Period.

      2) Much less anything covered by "all" security protocols. (Maybe even ROT-13, twice.)

      3) And finally, Betteridge's Law of Headlines.

      • I would not trust anything by a company called "CareMonkey". Period.

        Seconded.

        Seriously, whatever happened to even pretending to be professional?

    • A treasure trove

      For the overwhelming majority of people I think it would more be a coin that some 5-year-olds buried in the back yard under an X. Medical information is utterly boring unless you suffer from something that could either disqualify you from something else, or someone can sell you something to fight it.

  • ... to advertisers and whoever else is willing to pay. Storing your data on Amazon premises is like tasking a fence to store your valuables.
  • Why does the school have her medical data? They should have only the bare minimum absolutely necessary. The rest of it is none of their business.

  • by Trachman ( 3499895 ) on Saturday June 18, 2016 @04:26PM (#52344275) Journal

    Would you store your naked pictures in the cloud? Probably no.

    The same way, probably, men and women would not like to store certain type of information:

    - Abortion,
    - STD testing
    - Sterilization
    - STD's
    - Genetic Abnormalities
    - Addiction
    - Health Risk Assessment

    Every one of these items, if leaked, have serious ramifications to personal and professional life.

    The answer is No.

  • by mi ( 197448 )

    AWS is HIPPA-compliant [amazon.com], which is why the company in TFA is able to use them at all.

    Your data is no less secure at AWS, than in any Internet-connected hospital — though that in itself is not saying much.

    If you can not store it yourself, trusting a company like CareMonkey, whose entire business model is predicated on the security of customers' data, probably, makes more sense, than trusting someone, for whom it is but a side-show. Such companies may still experience a problem [wikipedia.org] — nothing is safe

    • AWS is HIPPA-compliant [amazon.com], which is why the company in TFA is able to use them at all.

      Small correction: HIPAA, not HIPPA.

      HIPPA is HR law.
      HIPAA is medical privacy law.

    • AWS can be HIPAA-compliant, but that doesn't mean it always is.

      In order to be compliant, it's necessary for the provider to have a business associate agreement with Amazon, and for the provider to comply with HIPAA standards in the way they transmit and store protected health information.

      That said, if the provider follows the proper protocols, there's no reason to think it's less secure on AWS than on their own servers.

  • caremonkey seems to be a start up. look at medicalert. I think I'd trust them more

  • Ask Slashdot: Should You Store Medical Details In The Cloud?

    Me? Definitely not. I have no idea what I'm doing, so why would anyone give me their medical details? Crazy.

  • It is happening http://www.hrsa.gov/healthit/t... [hrsa.gov]
  • No.

    This is entirely obvious to anyone not trying to sell "cloud services."

  • by gotpaint32 ( 728082 ) * on Saturday June 18, 2016 @05:58PM (#52344629) Journal
    The majority of controls they note on their website [https://www.caremonkey.com/security-2/] are standard AWS controls that anyone with an EC2 instance can claim for themselves. Likewise their 3PAO attestations all appear to have been inherited from AWS. Perhaps they did their own PCI compliance audit but I doubt it based on the write-up presented.

    I also find the lack of details on their application security practices a bit disconcerting. Why do they specifically call out encrypting password data but say nothing of encrypting user content. They even note that they encrypt the data on the mobile app but are interestingly silent about this on their web database, why is that? Also I find it curious they don't note anything about utilizing AWS's dedicated hosts and storage options which is one of the major requirements by Amazon for meeting HIPAA compliance, I know this is one of the many rules, because we had to sign contracts for our systems agreeing to this stipulation.

    Another question is, is caremonkey even legally bound by HIPAA regulations? Do they have legally binding agreements with any covered entity or hybrid entities that subject them to HIPAA regs? It is one thing to say you are HIPAA compliant but if the rules don't apply to you then that really doesn't mean much does it...
  • Wherever the data is stored, in the cloud or at a terminal accessed by employees or printed on paper en route to a shredder, it's potentially exposed. The important thing is how it is stored. There should be a program to "camouflage" the data, give false positives or false negatives to everyone for everything, and create a million fake names to boot. The computer accessing could have a program filter key to remove the fake information. Maybe someone can think of something even more effective. What they

    • ... but hospitals could save billions by hosing the paper records (soaking them to clunky clods) rather than shredding them...

      This idea I like! A giant kettle down in the basement, where all the old records go. simmer, press into small bricks, and let air-dry. Turn them into building materials!

      • In the 1990s, there was a hydropulper (paper mill tech) in the basement of the Pentagon. Unfortunately they didn't have the rollers etc to produce recycled content paper out of it, but were halfway there.
  • "Should You Store Medical Details In The Cloud?"

    The answer is "No".

  • Where they store the medical data is a secondary consideration.
    What they are storing would be a major concern, and also for how long they are storing it.
    Also, I'd want to know whether the records will be destroyed after graduation.

    I assume that it's not a college or university.
    I would ask why the school is storing any medical data on the student. I also assume that the child would be getting their medical care from a hospital or clinic and not the school. The school cannot be doing anything more than the mo

  • Population health is the current big thing. Where you health info is being sent to many institutions and shared. Most hospitals do not have the resources for such an undertaking so they may fall to venders who may use the cloud for their services. As far as the hospital is conserved if there is a breach, the fault will go to the vender who will pay the fines.

  • Your doctors likely already use cloud services to store your medical data. They transmit it via the Internet to other medical providers and to insurance companies, who in turn store much of their data in the cloud.

    The cloud is neither here nor there, when it comes to security. There are secure cloud providers, and insecure ones. Doctors who do not store their data in the cloud, likely store it on their own servers, which are probably much LESS secure than AWS.

    You can't really win. Your data is out there

  • why doesn't CareMonkey do linkups with Epic here in the US??

    US /.ers raise your hand if your local medical system use something called MyChart for E-Records??

  • on whether or not you want your daughter to be allowed to attend school. Sure it might be optional now, but once a majority of uninformed parents get on board, they'll surely make it mandatory.

  • The controlling regulatory authority for medical records in the U.S. Is HIPAA. Amazon's AWS can be made HIPAA-compliant, but only by the cloud-based medical provider, not Amazon itself. Achieving HIPAA compliance in AWS is quite complex -- and costly -- requiring a separate virtual instance for every covered entity (e.g., insurance company or medical provider) and a slew of other sophisticated security measures.

    I'm a HIPAA IT security auditor, and have been amazed at how many cloud-based medical startup
  • Any company which claims that a paper medical record is less secure than a medical record stored on the cloud clearly does not understand security (or is willing to lie about it) and none of their claims about keeping your information secure is to be trusted. Any method of gaining access to the contents of paper medical records other than having to go to the office where they are stored and physically handle them can be used to gain access to electronic forms of those same records (including electronic reco
  • From the caremonkey security page:

    All data in the CareMonkey mobile apps for smartphones or tablets is stored in an encrypted format using SHA3 (512bit). An essential requirement is that if a device is lost/stolen or someone gains access to the data files on the device that they are not be able to access any personal data.

    SHA3 is not an encryption algorithm, it's hash function (it's right there in the name, SHA= Secure Hash Algorithm).

  • by Morpeth ( 577066 )

    That is all.

    Of if you need more details, no, no.. fuck no, no fucking way, NO GODDAMNIT -- NO !!!!

  • There is only "other peoples' servers".
    This is true of both physical and virtual machines.

  • To quote the Free Software Foundation Europe [fsfe.org]...

    "There is no cloud...

    ...just other people's computers."

  • Their using something called MyVCM to "to ensure we operate a robust information security and privacy program", whatever that actually means. I found this [pages.omkt.co], which at least mentions " HIPAA, NIST, FedRAMP, COBIT, COPPA, ISO/IEC, and PCI DSS". Not sure just what particular NIST their referring to, but any company that actually pays attention to the 800 series and doesn't just go by the scant HIPAA security "regulations" is at least looking in the right direction. All of this [ostendio.com] is straight off the HIPAA Security

We can defeat gravity. The problem is the paperwork involved.

Working...