cloud security

Are your medical records safe in the cloud? Despite its popularity, there are hidden risks and costs.

When it comes to your medical records, not much is more important than your privacy. After all, that stuff is really personal. So the growing trend of storing all kinds of data – including our medical records – in the cloud is troubling.

According to a MobiHealthNews article by Jonah Comstock, "Healthcare providers are turning to cloud-based data storage because of the promise of significant savings." But the cloud isn’t necessarily as secure as other forms of storage. And because providers know that, they’ve got to spend extra money on security, an expenditure that can offset cost savings.

For an organization, the cloud promises less investment in hardware and personnel. When a cloud service maintains your organization's database along with the databases of other companies, economies of scale help keep costs down.

But those savings come at the price of losing control over how the data is managed. And when your medical provider loses control of your data, your privacy could be endangered.

These problems came into the spotlight this Sunday at the mHealth Summit outside of Washington, DC. Joseph Pennell, a Senior Associate at Mayer Brown, and Janet Stiven, a Dykema Gossett PLLC Member, discussed cloud computing security issues. "Typically the cost savings you enjoy in the cloud are correlated with the loss of control," said Pennell, addressing medical information technology professionals. With the more complex data models, "they probably can’t offer you savings."

The basic rules for how the American medical industry handles private data are enshrined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Although the Act is nearly 18 years old, the government released an omnibus final rule last January, expanding patients' rights and toughening providers' responsibilities. But Stiven doesn't see this as a complete solution. "…just because something’s HIPAA compliant doesn’t mean it’s secure."

At least some IT workers have been aware of the problem since well before the conference. Last July, a Ponemon Institute survey sponsored by WatchDox revealed that 45 percent of the 798 IT and data security workers surveyed identified cloud computing infrastructure as a major security risk. Only mobile devices, identified as such by 69 percent, worried more professionals.

Like so many other problems, medical privacy in the cloud often comes down to human error. Encrypted data is only safe if the required passwords are well protected, and that requires well-trained and conscientious employees.

You also have to worry about the security skills of people working in the other companies that use the same service. A Trojan or other malicious program can spread from one client's office to the cloud server, and from there to other offices. "It’s becoming a weak link in the security chain," warns Stiven.

And what happens to your data when the cloud service that your medical provider depends on closes shop? If the provider doesn't keep a local backup, vital information can get lost.

You trust your medical information with your doctor's office. Your doctor's office trusts it with a cloud-based service you never heard of. That service may be trusting others.

It's enough to make you sick.
