FTC reminds us that storing data in the cloud has drawbacks

http://arstechnica.com/tech-policy/news/2010/01/ftc-reminds-us-that-storing-data-in-the-cloud-has-drawbacks.ars

[Editor's Note]

This point raised by the article below re: risks to consumers’ private data being “in the cloud” is very applicable to the entire Health IT / EMR / Personal Health Record discussion.

It’s not clear to me if in the rush to “digitize healthcare” enough attention (and priority) has been paid to protecting consumers’ privacy.

If somebody hacks into your bank account and steals US$1,000 from you that is clearly a bad outcome. But you can recover from that. Money is replaceable via a bank refund or a credit card protection plan.
But if your electronic medical record (“EMR”) is hacked whereby all future employers (and significant others) can find out about your {mental health issues} / {abortion while in college} / {paternity test results} that is not a recoverable incident.

Using paper-based records it would take a bit of work to illegally copy the records of 100 patients. Using an EMR, you can copy the records of thousands of patients in minutes onto a USB drive.

http://www.lasvegassun.com/news/2009/nov/20/umc-has-patient-privacy-leak/

“Private information about accident victims treated at University Medical Center has apparently been leaking for months, the Sun has learned, allegedly so ambulance-chasing attorneys could mine for clients.
Sources say someone at UMC is selling a compilation of the hospital’s daily registration forms for accident patients. This is confidential information – including names, birth dates, Social Security numbers and injuries – that could also be used for identity theft.
Hospital officials knew of rumors of the leaks since the summer, but doubted them until provided evidence Thursday by the Sun. Now they’re scrambling to catch up to a crisis that may affect hundreds, if not thousands, of patients….”

[/]

The Federal Trade Commission worries that consumers don’t really understand the privacy implications of storing some of their most crucial data in the cloud, and it wants the FCC to think about such issues when finalizing its national broadband plan.

By Nate Anderson | Last updated January 6, 2010 11:47 AM

Take Google’s new Nexus One phone as a case study of the pros and cons of storing life details on remote servers. Nexus One phones can back up their complete settings to Google’s servers, including data such as “Wi-Fi passwords, bookmarks, a list of the applications you’ve installed, the words you’ve added to the dictionary used by the onscreen keyboard, and most of the settings that you configure with the Settings application.” Get a new phone and the data transfers easily.

But that data is now sitting on servers outside of your control, where it can be accessed far more easily by Google itself, hackers, and law enforcement than it ever could if kept within the device. Once data passes over the network, it gets much easier to access in real time; once it is stored on a remote server, it gets much easier to access at any time.

And those are just the phone settings. Google also has access to search history data, anything stored in Google Docs or Spreadsheets, complete schedules stored in Google Calendar, and recent Maps searches. Combine them all, and companies like Google become one-stop shops for authorities looking for personal information.

Such issues have raised concerns at the Federal Trade Commission (FTC), especially since many consumers aren’t really aware of the data security issues raised by storing information on remote servers. “For example, the ability of cloud computing services to collect and centrally store increasing amounts of consumer data, combined with the ease with which such centrally stored data may be shared with others, create a risk that larger amounts of data may be used by entities in ways not originally intended or understood by consumers,” said the FTC in a letter (PDF) this week. {http://fjallfoss.fcc.gov/ecfs/document/view?id=7020352132}

That letter was directed at the Federal Communications Commission (FCC), which is currently drawing up a national broadband plan that will be submitted to Congress next month. In advance of the plan’s release, the FTC wants to make sure that the FCC “considers technologies such as cloud computing and identity management in implementing a national broadband plan.”

That means publicly recognizing the FTC’s growing expertise on issues of online privacy and data security. “Accordingly, we recommend that the Broadband Plan recognize the FTC’s law enforcement, consumer education, and ongoing policy development efforts in light of its years of experience in online, and offline, consumer protection,” concludes the letter.

The FTC is in the middle of a set of hearings on these issues; the next one takes place on January 28.
