02:44 PM
John Foley
John Foley
Connect Directly

'Illegal, Unethical, Untrustworthy' Clouds

When word got out that medical researchers were contemplating ways to employ cloud computing, privacy rights watchdog Deborah Peel sounded an alarm. Is Peel right to be worried? Or does this potential storm cloud have a HIPAA-compliant lining?

When word got out that medical researchers were contemplating ways to employ cloud computing, privacy rights watchdog Deborah Peel sounded an alarm. Is Peel right to be worried? Or does this potential storm cloud have a HIPAA-compliant lining?The controversy was touched off when Harvard Medical School, along with and a few other sponsors, held an invitation-only symposium to discuss potential uses of computing in health care and biomedicine. As my colleague Marianne Kolbasuk McGee reports, the forum was exploratory in nature, and speakers acknowledged that thorny questions over data security and patient privacy will have to be addressed.

But there also was optimism over this new way of doing things. "It's like a virtual lab," said Peter Tonellato, senior research scientist at Harvard Medical School's Center for Biomedical Informatics, adding that cloud computing "fits the vision of ubiquitous access to the lab on the Web regardless of location." Tonellato predicted that many research organizations will transition to private/public cloud infrastructures for elasticity and cost-efficiency. In fact, Harvard's Laboratory for Personalized Medicine already is using Amazon Web Services to develop genetic testing models, as described here.

This news, however, didn't sit well with Peel, who is the founder and chair of Patient Privacy Rights, a self-described "guardian" of health privacy rights. "Clouds by their nature do not have patient or consumer control over personal data built in. That makes such systems illegal and unethical," Peel writes in response to our article. She argues in favor of consumer-led certification.

Peel's not alone in sounding a note of caution. Many IT departments are evaluating the privacy, security, and governance issues of public compute clouds, and some will decide it's a route they're not willing to take. (See Bob Evans' related post on InformationWeek's Global CIO blog.)

What's the answer? Clearly, there will be scenarios where those responsible will determine that sensitive health-related data needs to be stored behind the firewall and not in the cloud. However, there will be other situations where health data can be processed and stored in the cloud, and we're beginning to see examples. On its Web site, Amazon offers case studies of HIPAA-compliant applications that have been deployed on AWS. On one example, TC3 Health minimizes the amount of "protected health information" that goes into Amazon's cloud, while encrypting any data that does go there. In another, health records service provider MedCommons has architected its application to include identity management, activity logs, and other protective measures.

Health care is just one industry where the security, privacy, and governance implications of cloud computing have yet to be thoroughly tested or answered. Financial services companies, schools, and public agencies face many of the same issues. As more organizations experiment with and move applications in the cloud, they should be prepared to hear from the likes of Deborah Peel.

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
2014 Next-Gen WAN Survey
2014 Next-Gen WAN Survey
While 68% say demand for WAN bandwidth will increase, just 15% are in the process of bringing new services or more capacity online now. For 26%, cost is the problem. Enter vendors from Aryaka to Cisco to Pertino, all looking to use cloud to transform how IT delivers wide-area connectivity.
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of September 25, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.