Ask Slashdot: Should You Store Medical Details In The Cloud? (caremonkey.com)
"Paper forms are a security risk", warns the web site for CareMonkey, which maintains digital and up-to-date medical information in the cloud "for any organization with a duty of care". This is raising concerns for long-time Slashdot reader rolandw, who says he's being asked by his daughter's school to approve using the site to store "her full medical details".
CareMonkey says that this data is stored on AWS, and their security page says that it is secured by every protocol ever claimed by AWS (apparently). As a sysadmin and developer who has used AWS extensively for non-secure information, my alarm bells are sounding.
Should he ignore those alarm bells and approve the storage of his daughter's medical history in the cloud? And if not, what specific reason would you give for refusing?
No. (Score:5, Insightful)
Q: Should you store anything in the cloud?
A: Only if you don't care if everyone in the world sees it and tries to use it against you.
Re: (Score:2)
Re: (Score:3)
A: Only if you don't care if everyone in the world sees it and tries to use it against you, or if you don't care if you ever see your data again.
FTFY
Nahh in 10 years the NSA or the KGB will be glad to sell you back a copy
Take a look the Russians have been glad to help out with Hillary's data loss and backup problem.
Re: (Score:2)
I had them burn a DVD of my MRI. 1996. So your shit has been out there forever.
Re: (Score:2)
Re: (Score:2)
OK you already answered, Just Fucking No.
Re: (Score:2)
I would like to know if you have a c21 ch53. So if I can tell whether you will have cancer or not. And then discriminate against you, So as to be an ass. You know, just because I can knowledgeably say you have a 73% chance of getting cancer. Because I happen to know that.
Re:No. (Score:5, Insightful)
Yes, plenty.
If you had alcohol-related problems in the past, companies might refuse to hire you but would give you a different reason anyway. More ominously, targeted advertisement with free coupons for this or that alcoholic beverage will find their way into your mailbox, magazine you subscribe to or local store you shop from.
If you suffer from this or that mild disease (or have suffered in the past), targeted advertisement will slam you with related ads. Same if you're overweight or too thin (I'm thin and recently started getting targeted ads in my mailbox).
A girl I know has pimples and started receiving targeted ads and getting calls (yes, calls!) from companies selling beauty products ("wanna get rid of them pimples") - I suspect that's caused by her uploading some personal pictures to the cloud from her phone (stored privately but hey, that doesn't stop anyone, does it).
Re: (Score:2, Funny)
See a pattern here?
Re: (Score:3, Insightful)
A very clear pattern. If you (and all of your dependents) are in good health, physically and mentally, you don't care about sharing that data. If you are not in good health, someone will try to use that against you.
Why, do you see another pattern?
Re: (Score:3)
Re:No. (Score:5, Insightful)
I think health insurance is for everyone, because the risk of having expensive health problems exists for just about everyone, especially if health issues due to accidents are included. This is similar to automobile insurance - everyone who drives carries insurance, not just the bad drivers. However, insurance companies of all types love to have reasons to divide people up into very small risk pools, and charge people more for insurance if they have even a casual relationship to some risk factor that indicates that they may make claims (or higher than average claims) against insurance. In the US, auto insurance companies are using things like people's credit score to determine how much to charge them for automobile insurance, on the basis of a belief that people with certain ranges of credit scores are more likely to be involved in accidents, apparently.
For health insurance, the risk of the health companies getting access to too much data about individuals is that they will start charging individuals for insurance according to their perception of the risk of insuring those individuals. Even if they could correctly screen people into various risk categories, this would be detrimental to the overall way insurance works in general - a large pool of people are charged for insurance based on the average risk in the pool. Everyone pays a more or less affordable rate, and when the risks materialize as claims, those claims get paid off, but the insurance company doesn't have to pay out more than they took in (if they did, they would go out of business).
If only sick/unhealthy people get health insurance, then the cost of that insurance has to be high, because they will have a higher rate of claims. Those who are fortunate enough to have great health might forego insurance, but on average most people expect to have some issue or other that might require insurance coverage, so on average most people will want insurance. So more people get insurance, and the average cost of insurance goes down because the average claims rate across the larger pool is lower.
The higher the certainty of people making claims, the less of a solution "insurance" is - insurance is intended to spread risk among a large pool. It seems to be very hard to get people to understand that on average, people cannot expect to get more out of an insurance plan than what they pay into the plan. If that were so, the insurance company would go out of business. As much as people may dislike insurance companies (and many insurance companies have earned the dislike/hatred of their customers), they provide a substantial social benefit when they perform their basic risk management function.
Re: (Score:3)
Re: (Score:2)
It's trickier because health is also a function of age, so everyone's health is constantly changing.
Re: (Score:2)
Health insurance is not at all like the required automobile insurance. Everyone is required to buy liability insurance for their car. Everyone must insure against the damage he does with the vehicle, not damage done to
Re: (Score:2)
Insurance is supposed to be for people who are not in good health.
Is car insurance for people that have already wrecked their car?
Re: (Score:2)
OK. Very amused.
Re: (Score:2)
Insurance is supposed to be for people who are not in good health.
If that was supposed to be funny I missed it. Insurance is about taking money from as many people as possible, whilst paying back out as little as possible. Where do unhealthy people fit into that? Oh, on that side of the accounting columns. Take your sick ass and leave friend, before you start thinking about making a claim. Don't care if you been paying us for 15 years without claiming nothin, you sick now.
Over reacting?
Re: (Score:2)
There's no such thing as perfect health. :)
If you're in such a perfect health, the government will snatch you one night and experiment on you
Re: No. (Score:2)
There is an obesity epidemic. Acting like it isn't just because BMI doesn't work for olympic powerlifters is the usual action of people in denial.
Re: (Score:3)
Actually, from a medical standpoint BMI is a worse than bad measure--it basically assumes you've got a certain bone:fat:muscle ratio, which pretty automatically means it will start saying interesting things if you're not of the correct ancestry and lifestyle...and by lifestyle I mean it was developed to get it roughly okay maybe if your athletic endeavors are along the lines of 'middle manager who occasionally takes a walk for relaxation.' (Correct ancestry is a bit harder to pin down; probably Belgian giv
Re:No. (Score:5, Insightful)
A: Only if you don't care if everyone in the world sees it and tries to use it against you.
Why should I care if everyone sees my medical records? The only argument I have heard is that insurance companies might charge more, and employers may be reluctant to hire people with bad health. But I don't have any health problems, so if my records are public, I should get lower insurance rates and better employment offers
Prior to 2010, I was in perfect health. Never smoked or drank. Exercised and was in excellent shape. Never sick a day in my life. Then suddenly, I was diagnosed with cancer, went through all the fun stuff associated with that, culminating in a really major surgery (~10 hours), followed by a chronic infection that I am still fighting today (and which has pretty much destroyed my life)
My point is this: Don't get all excited about being in good health, and start making all sorts of decisions based on "I'm not sick so I have nothing to worry about", because things can change in an instant.
Re:No. (Score:4, Interesting)
Note that the first is illegal under the ACA, and the second is likely either illegal or actionable under the ADA.
Re:No. (Score:4, Insightful)
Note that the first is illegal under the ACA, and the second is likely either illegal or actionable under the ADA.
Yeah....if you can prove it, and I mean really, really prove it. They'll never come right out and say, "Ewww, let's not hire the sick guy!", no, it'll be that you're "unqualified" or "over-qualified" or something else. You'll never get proof of the real reason they did hire you.
Re: (Score:2)
Note that the first is illegal under the ACA, and the second is likely either illegal or actionable under the ADA.
Gee, there's this law back in 1967, ADEA, that was passed to make it illegal to discriminate against people 40+. Seems to have worked. Silicon Valley openly discriminates against 30+.
Re: (Score:2)
OK, self taught: roundfile.
Re: (Score:3)
Is there some downside that I am overlooking?
Errr, yes. Unless you're the only person in the world with your name (or a similar name) AND you don't think you have to worry about accidentally being mistaken for another patient OR you think that data entry people never make mistakes and mix up or link your records with those of someone else, then, no, have a ball!
Of course, if your records have mistakes in them or later it's found out that you may be statistically likely to develop some expensive condition based on an analysis of your currently innocu
Re:No. (Score:5, Insightful)
you will have medical problems.
eventually.
we all do.
its a fact. and you won't admit it but its still a fact that us older guys know.
almost no one goes thru life 'perfect'. our medical history is OUR history and that's that. you may not think so now, but you will later.
Re: (Score:2)
But I don't have any health problems...
As medical records get more comprehensive, they will show your genetic predispositions based on DNA tests. You could be discriminated against based on potential maladies that you may never even contract. It doesn't matter if you completely healthy until the day you get hit by a bus, you might still be deemed a potential risk and therefore not get lower insurance or better employment offers.
And even if that wasn't the case, how short-sighted do you have to be to think that you will be as healthy as you are now
Re: (Score:2)
Here's an example. Suppose you smoke marijuana at some point. Your doctor asks you about that and mentions it on your medical record, because it's clearly health-related, significant and part of a good medical history.
20 years later, you have knee surgery and you're left with severe, intractable pain. The only thing that controls it is opioid drugs. Your doctor looks at your medical record and sees that you have a history of marijuana use. There are "risk scales" that define that as "drug abuse" (for exampl
No. (Next.) (Score:5, Insightful)
What HIPAA guarantees does CareMonkey make?
Read the fine print carefully, I'm sure there are loop holes the size of Montana.
Would you Trust Any Guarantee? (Score:2)
What HIPAA guarantees does CareMonkey make?
Would you trust any security guarantee from a company who thinks that putting documents in the cloud is less of a security risk than a paper document? These guys are clearly idiots who have no idea of the type of security problems they are going to be dealing with.
Re: (Score:2)
What HIPAA guarantees does CareMonkey make?
Read the fine print carefully, I'm sure there are loop holes the size of Montana.
One of the loopholes in HIPAA is that law enforcement has access to the medical records. Another loophole is that any judge can issue a subpoena for your medical records in a criminal or civil case if it's in "the interests of justice." https://en.wikipedia.org/wiki/... [wikipedia.org]
Specific reason (Score:5, Interesting)
Why is he required to give a specific reason? Either give your authorization or withhold it, and do not volunteer a specific reason for or against the use. I personally don't see a reason why not IF the storage vendor can qualify as HIPAA compliant; it seems like a decent idea, but I can see where the possibility of leaked data can have a negative impact on continued health care coverage as well as the impact on future coverage in both healthcare and life insurance, not to mention employment issues.
Re: (Score:3)
IF the storage vendor can qualify as HIPAA compliant
There's no qualification or certification or anything for HIPAA. It's just a legal and regulatory set of requirements. Most (not all) of the major health insurers have suffered data theft and they're all covered by HIPAA. When it happens they get a fine and some news coverage and the data is out in the wild anyway. The same goes for this outfit doing the data storage on AWS.
Re:Specific reason (Score:4, Informative)
There are certain rules. Data encryption both in storage and in flight are a requirement. There are also reporting time requirements for security breaches as well as periodic auditing requirements, but essentially you are correct. You just have to be able to show that you have a plan and a set of rules in place to deal with possible failures and that you have taken basic steps to ensure the security of the data.
Re:Specific reason (Score:5, Interesting)
nice attempt at trying to turn it around (not the poster, the article).
having to give a reason is so backwards! they should have a good reason TO put it online.
my answer would be flat out 'no'. period. full stop.
if they insist on an answer why, simply say 'I have some background in computer security, that's why'.
doubtful they will push further than that.
amazing that some people that you'd think would be smart, suggest such bone-headed ideas.
have we not had almost a weekly break-in news article about this or that data breach?
just WHY would anyone suggest putting med info online - its clearly because they stand to make money from it, but they could care less if data gets out.
now, make them $1M liable for any breach and we'll talk. and I want the money in escrow, first, before I believe you.
Re: (Score:3)
"having to give a reason is so backwards! they should have a good reason TO put it online."
Reasonably secure offsite storage that is (presumably) easy to integrate with the school's existing IT. It'll be embarrassing if an electrical fire in the school office incinerates all the school records and it turns out there is no paper or digital backup.
The problem of course is that many (most?) IT professionals have substantial doubts that the "secure" part of "secure offsite storage" is doable with 2016 cloud te
Re: (Score:2)
It was awkwardly phrased, but I read that not as the OP needing to give a reason to the school, but rather Slashdot wanting to see a reason from posters, so as to make an interesting discussion thread.
No. (Score:5, Interesting)
No.
There is already something called MedicAlert, run by the MedicAlert foundation. It's those little bracelets that have a number on the back and EMTs and other emergency professionals seeing these are trained to do a lookup.
It's a system that works that doesn't need "the cloud." You don't even need a computer or smartphone to access the system. Just a phone. Which means it will work where there is no cell service and can work where there isn't even phone lines - radio operators can do a phone patch.
It's /better/ than "cloud based systems" that needs fancy hardware to access which we have seen to be poorly run and insecure.
--
BMO
Yeah. Why not? (Score:2)
We can all stop pretending we have any privacy. I like the idea of a doctor having access no matter where I am.
Re: (Score:2)
I was going to post an argument why your assertion is wrong, that just because some privacy has disappeared that we should give up all of it.
I'm just going to ask you:
What is your bank account number, DOB, last 4 digits of your SSN, and mother's maiden name?
--
BMO
Re: (Score:2)
It's a good thing you decided to post as AC, because if I was going to post what you just posted, I would hate it if people thought I was as dumb as your post.
--
BMO
Re: (Score:2)
It's a good thing you decided to post as AC, because if I was going to post what you just posted, I would hate it if people thought I was as dumb as your post.
Can't resist pointing out that here's a case where being as dumb as "your post" is equivalent to being as dumb as a post.
Re: (Score:2)
> it's about a fucking school that wants to store private medical details
Schools need at least the student's immunization records, doctor contact information, history of allergies, and a record of treatments received at the school.
Re: (Score:2)
> it's about a fucking school that wants to store private medical details
Schools need at least the student's immunization records, doctor contact information, history of allergies, and a record of treatments received at the school.
OK. That's a fair point. Except this information was not instantly electronically available in the past and schools seemed to do just fine.
This is another example of "Just because you can do something doesn't mean you should"
then they can hook into the PCPs E-Record system (Score:2)
heck if CareMonkey had any smart chimps they would hook into the Major Providers to get hot copies of the data (after getting the perms from the guardians).
Re: (Score:2)
The government recognised there is a public health issue in school vaccinators/GPs having up to date info on immunisations, so they could schedule vaccination programmes and quickly know where low coverage rates existed in case of an outbreak.
So - the school carries out vaccinations, and the details get electronically transmitted (using HL7 protocol) to a central register managed/hosted by the ministry of he
Re: (Score:2)
> it's about a fucking school that wants to store private medical details
Schools need at least the student's immunization records, doctor contact information, history of allergies, and a record of treatments received at the school.
How much information do they need? Doctor contact information and immunization should be enough. Very few schools treat students at the school any more.
Re: (Score:2)
> How much information do they need?
That is a key question. Schools are often the available caregivers, with the legal responsibilities described as "in loco parentis". They are responsible for the child's safety on the school grounds, including the child's medical safety. How much information does a nanny, a babysitter, or an athletic coach need to handle emergencies? Anaphylactic shock from a bee-sting or peanut allergy can kill within 30 minutes, much too long to obtain medical records from a highly
Re:Yeah. Why not? (Score:4, Insightful)
We can all stop pretending we have any privacy. I like the idea of a doctor having access no matter where I am.
That's easy to say when you're relatively healthy, and doctor visits have been for routine things like throat infections, a broken arm, maybe an appendix out, but you might feel differently if you're diagnosed with a mental illness, an awkward venereal disease, or something else you'd like to keep private. Once you agree to this scheme, it might be hard to get out of it.
Re: (Score:2)
Then you of course, may sign the waiver. My doctor keeps paper records. That's a level of privacy digital information does not possess.
Re: (Score:2)
Re: (Score:2)
Paper records are far more secure than digital ones
Re: (Score:2)
Re: (Score:2)
It's not "the doctor having access". It's the access by unknown and untraceable third party staff members. Medical information contains a great deal of privileged information, including the identity of family members, family history, billing addresses with credit card information and social security number. It also includes data that workplaces are not allowed to ask about, such as age, chronic illnesses, and pregnancy. Such information is also politically very sensitive: discovering that a political oppon
Re: (Score:2)
We can all stop pretending we have any privacy. I like the idea of a doctor having access no matter where I am.
You've obviously never been a person randomly selected for a 'frame job'. They really do occur.
I would advise against it (Score:2)
And the reason I'd give is 'I don't think I can trust you'. Because that's what this comes down to - you have NO idea who these people are, really, and from what I've seen of school related software (I've got two kids in one district, and my wife teaches in another), most places selling to schools hire the people who underbid the lowest bidder.
Re: (Score:2)
And the reason I'd give is 'I don't think I can trust you'.
funny, I say that to companies that I have to deal with as a consumer, such as comcast (for an example). I don't give them my home #, or I give a number that I used to have but let expire. I won't give them my cell # since I don't trust them not to abuse it. I don't have a landline anymore (most people don't) and I'm NOT going to give out my real actual cell # to some company who just seems to 'really want it'. if I have a problem, I'll call yo
NO!!!, and a couple of additional questions... (Score:5, Insightful)
A treasure trove of medical information "in the cloud" is lusted after by too many corporate entities who have little or no regard for privacy, they just want access to more data.
What business arrangements are being made with the school by CareMoney? What data, besides medical information, is the school sharing with CareMonkey?
If it were my children, I'd run fast and far from this data harvesting Trojan horse.
Re:NO!!!, and a couple of additional questions... (Score:4, Insightful)
1) I would not trust anything by a company called "CareMonkey". Period.
2) Much less anything covered by "all" security protocols. (Maybe even ROT-13, twice.)
3) And finally, Betteridge's Law of Headlines.
Re: (Score:2)
Seconded.
Seriously, whatever happened to even pretending to be professional?
Re: (Score:2)
A treasure trove
For the overwhelming majority of people I think it would more be a coin that some 5-year-olds buried in the back yard under an X. Medical information is utterly boring unless you suffer from something that could either disqualify you from something else, or someone can sell you something to fight it.
Amazon is in the business of selling your data... (Score:2)
Re: Amazon is in the business of selling your data (Score:5, Informative)
Why does the school have it in the first place? (Score:2)
Why does the school have her medical data? They should have only the bare minimum absolutely necessary. The rest of it is none of their business.
Answer to the question with the Question (Score:4, Interesting)
Would you store your naked pictures in the cloud? Probably no.
The same way, probably, men and women would not like to store certain type of information:
- Abortion,
- STD testing
- Sterilization
- STD's
- Genetic Abnormalities
- Addiction
- Health Risk Assessment
Every one of these items, if leaked, have serious ramifications to personal and professional life.
The answer is No.
AWS is "HIPPA-compliant" (Score:2, Interesting)
AWS is HIPPA-compliant [amazon.com], which is why the company in TFA is able to use them at all.
Your data is no less secure at AWS, than in any Internet-connected hospital — though that in itself is not saying much.
If you can not store it yourself, trusting a company like CareMonkey, whose entire business model is predicated on the security of customers' data, probably, makes more sense, than trusting someone, for whom it is but a side-show. Such companies may still experience a problem [wikipedia.org] — nothing is safe
Re: (Score:2)
AWS is HIPPA-compliant [amazon.com], which is why the company in TFA is able to use them at all.
Small correction: HIPAA, not HIPPA.
HIPPA is HR law.
HIPAA is medical privacy law.
Re: (Score:2)
AWS can be HIPAA-compliant, but that doesn't mean it always is.
In order to be compliant, it's necessary for the provider to have a business associate agreement with Amazon, and for the provider to comply with HIPAA standards in the way they transmit and store protected health information.
That said, if the provider follows the proper protocols, there's no reason to think it's less secure on AWS than on their own servers.
buzzwords and marketing (Score:2)
caremonkey seems to be a start up. look at medicalert. I think I'd trust them more
Me? Definitely not (Score:2)
Ask Slashdot: Should You Store Medical Details In The Cloud?
Me? Definitely not. I have no idea what I'm doing, so why would anyone give me their medical details? Crazy.
RHIO (Score:2)
No. (Score:2)
No.
This is entirely obvious to anyone not trying to sell "cloud services."
Questionable Controls (Score:5, Interesting)
I also find the lack of details on their application security practices a bit disconcerting. Why do they specifically call out encrypting password data but say nothing of encrypting user content. They even note that they encrypt the data on the mobile app but are interestingly silent about this on their web database, why is that? Also I find it curious they don't note anything about utilizing AWS's dedicated hosts and storage options which is one of the major requirements by Amazon for meeting HIPAA compliance, I know this is one of the many rules, because we had to sign contracts for our systems agreeing to this stipulation.
Another question is, is caremonkey even legally bound by HIPAA regulations? Do they have legally binding agreements with any covered entity or hybrid entities that subject them to HIPAA regs? It is one thing to say you are HIPAA compliant but if the rules don't apply to you then that really doesn't mean much does it...
Randomise, Falsify, Encrypt and Decode. Then Soak (Score:2)
Wherever the data is stored, in the cloud or at a terminal accessed by employees or printed on paper en route to a shredder, it's potentially exposed. The important thing is how it is stored. There should be a program to "camouflage" the data, give false positives or false negatives to everyone for everything, and create a million fake names to boot. The computer accessing could have a program filter key to remove the fake information. Maybe someone can think of something even more effective. What they
Re: (Score:2)
... but hospitals could save billions by hosing the paper records (soaking them to clunky clods) rather than shredding them...
This idea I like! A giant kettle down in the basement, where all the old records go. simmer, press into small bricks, and let air-dry. Turn them into building materials!
Re: (Score:2)
And the answer is.... (Score:2)
"Should You Store Medical Details In The Cloud?"
The answer is "No".
Why is the school storing any medical data? (Score:2)
Where they store the medical data is a secondary consideration.
What they are storing would be a major concern, and also for how long they are storing it.
Also, I'd want to know whether the records will be destroyed after graduation.
I assume that it's not a college or university.
I would ask why the school is storing any medical data on the student. I also assume that the child would be getting their medical care from a hospital or clinic and not the school. The school cannot be doing anything more than the mo
How do you know it isn't already. (Score:2)
Population health is the current big thing, where your health info is being sent to many institutions and shared. Most hospitals do not have the resources for such an undertaking, so they may fall to vendors who may use the cloud for their services. As far as the hospital is concerned, if there is a breach, the fault will go to the vendor, who will pay the fines.
It's already in the cloud (Score:2)
Your doctors likely already use cloud services to store your medical data. They transmit it via the Internet to other medical providers and to insurance companies, who in turn store much of their data in the cloud.
The cloud is neither here nor there, when it comes to security. There are secure cloud providers, and insecure ones. Doctors who do not store their data in the cloud, likely store it on their own servers, which are probably much LESS secure than AWS.
You can't really win. Your data is out there
a bit of an Epic question (Score:2)
why doesn't CareMonkey do linkups with Epic here in the US??
US /.ers raise your hand if your local medical system use something called MyChart for E-Records??
Depends... (Score:2)
on whether or not you want your daughter to be allowed to attend school. Sure it might be optional now, but once a majority of uninformed parents get on board, they'll surely make it mandatory.
HIPAA Fraud (Score:2)
I'm a HIPAA IT security auditor, and have been amazed at how many cloud-based medical startup
Claiming the "cloud" is more secure than paper? (Score:2)
SHA3 is not an encryption algorithm (Score:2)
From the caremonkey security page:
All data in the CareMonkey mobile apps for smartphones or tablets is stored in an encrypted format using SHA3 (512bit). An essential requirement is that if a device is lost/stolen or someone gains access to the data files on the device that they are not be able to access any personal data.
SHA3 is not an encryption algorithm, it's hash function (it's right there in the name, SHA= Secure Hash Algorithm).
NO (Score:2)
That is all.
Of if you need more details, no, no.. fuck no, no fucking way, NO GODDAMNIT -- NO !!!!
There is no "cloud" (Score:2)
There is only "other peoples' servers".
This is true of both physical and virtual machines.
There is no cloud (Score:2)
To quote the Free Software Foundation Europe [fsfe.org]...
"There is no cloud...
...just other people's computers."
Per their site (Score:2)
Re: (Score:2)
Unless your daughter has a condition that requires very specific knowledge
Then it would be even worse to risk having one's health data stolen. Imagine when she's grown up and is surreptitiously denied employment over it.
Re: (Score:2)
Well, except the whole part about "the cloud" is that you don't particularly know or care where the server is, who's running it or who's got admin access. It just scales up and down, they provision something for you somewhere on some hardware. If you only look at external hackers then sure internet facing == internet facing and if that's the only threat scenario you care about, fine. Go put it in the cloud.
Re: (Score:2)
Re: (Score:2)
AWS signs HIPAA Business Associate Agreements with covered entities every day. There is a subset of services (EC2, S3, EBS, etc.) that meet HIPAA requirements and I know for fact that CMS approves of such systems. So, whatever your notion of "HIPA" (sic) compliance is, there is plenty of HIPAA covered PHI on at least one major cloud provider.
Re:Possible, but difficult (Score:5, Insightful)
Cloud storage can certainly be done secure.
Yes it can.
But it never is.
Doing *ANYTHING* properly and securely requires a lot of time, effort and money. Your company's employees are lazy and stupid, and following strict rules is too inconvenient and too much work. Your company's management only cares about cutting expenses because less spending = more promotions and bigger bonuses, AND, when a major breach occurs, the people who refused to allocate the necessary resources to prevent it from happening, are rarely the people who get fired.
Re: (Score:2)
HIPAA means nothing and does not restrict putting the data online. HIPAA doesn't even enforce or require encryption, hell, you could even put it on the linux.org FTP servers, as long as you make sure nobody downloads it, it would be fine to HIPAA.
The way your hospital(s) handle the data, as much as they are compliant with HIPAA is atrocious from a security viewpoint.
Re: (Score:2)
The quote "To err is human, to really screw up things you need a computer" comes to mind.
Re: (Score:2)
I write for medical newspapers. During the AIDS epidemic, I wrote a story about confidentiality of medical records. At that time, people were losing jobs, losing housing, losing their friends, being disowned by their families who found out they were gay, and generally stigmatized, when people found out they had AIDS. All kinds of people could subpoena medical records for all kinds of reasons (divorce, for example).
I talked to a doctor, who was kind of a gay activist, and one of the few gay doctors treating
Re: (Score:2)
What happens when the patient shows up unconscious in the emergency room?