Monday, July 29, 2013

Is Cloud Storage Raining Your Private Medical Records?

The idea of centralized storage of private medical data is a hallmark of interoperability – or, the sharing of medical information between providers – in the new push for electronic health records (EHR) and is central to Health Informatics. However, it turns out that just because data is “in the cloud” does not mean it is safe.

It appears that cloud computing may be raining on Oregon Health and Science University (OHSU). Today we learned that “physicians-in-training” in the Plastic Surgery department, looking for a way to share medical data, put private medical information on a spreadsheet in Google Docs. (See the story here, here, and OHSU’s apology here.)

Now, before we go tearing into the physicians over what is obviously a breach by otherwise crème-de-la-crème medical students, we need to consider two very critical aspects of this event. First, how our culture has grown to not only accept but rely on mobile technology. And second, who has access to my cloud-based information.

Clearly, as the use of mobile devices has exploded onto our culture, it has become a thing upon which we not only depend, but also expect to be able to use. Unfortunately, mobile tech has become so commonplace that we are now failing to be concerned about its security. It just seems to be there, and it’s probably safe after all. In fact, had the data been de-identified (that is, all identification information removed), the whole situation would have been fine. But that was not the case, as over 3,000 people are finding out this morning.

The bigger issue may indeed be the problem of access. Recent news about the government mining of Google data notwithstanding (another story entirely), a larger issue is whether or not Google has the rights to “sell” your personal information to “partners and associates” (read: marketers). Here’s the rub: your medical data has value. If a certain company can direct-market to you a specific product that will handle your specific condition, then your contact data is very valuable to them and they will pay good money for it. And, if you did not read the EULA (End User License Agreement) on Google Docs (and who does anyway?), you just may have given Google permission to do just that.


Here’s the lesson of the day: Just because it is on-line does not make it safe. And, before storing any data on-line, consider the impact it will have on you if it is compromised. This includes medical data, financial data, personal information, and the pictures of you at that party now on someone’s Facebook page.
