Computer-based medical records hold promise for improving treatment and efficiency, but experts say they are open to attack from hackers, malware, and even nosy employees.
The electronic health record (EHR) programs certified for use in medical practices and hospitals are far from secure, but the behavior of many practitioners exacerbates the risks.
“In terms of security management, the healthcare industry is particularly bad,” said Avi Rubin, PhD, professor of computer science at Johns Hopkins University and technical director of its Information Security Institute.
Studies have found EHR software surprisingly vulnerable to potential hackers. A research team that examined a pair of EHR systems found very basic vulnerabilities, said team leader Laurie Williams, PhD, a computer science professor at North Carolina State University. The programs were open to “almost beginner level security attacks.”
Williams said that these vulnerabilities are not unusual compared with other kinds of software, but are troubling because the records contain such sensitive and personal information. Williams said that if credit card information is breached, a user can close an account and get a new credit card. “But with health records, if someone’s private information gets out, you can’t withdraw that knowledge,” she said.
Potential problems range from identity theft from the release of information such as Social Security numbers to tampering with records themselves. “You could possibly change someone’s blood type and then they’d get a transfusion of the wrong type,” she said.
EHR software users are at the mercy of the software developers and government regulators because they must buy a certified system, and Williams and Rubin agreed that the certification process has not paid adequate attention to security. They said that practitioners should pressure vendors and government regulators to make security a higher priority.
Rubin toured hospitals to observe their practices and was appalled to find a general disregard for computer security. He often saw passwords posted on computers on sticky notes. In one hospital, a nurse had the job of typing a physician’s password into computers so the physician would not time out, which left the machines unattended and unprotected most of the time. The common practice of distributing to patients disks containing their X-rays—and executable programs for reading them—is dangerous because practitioners have no idea what is really on the disks when patients walk in with them. The disks could contain malware that could infect whole systems.
Williams noted that in the interest of making the transition to electronic records easier, some practices have been tempted to take shortcuts such as having a single log-in ID for doctors and another for nurses, rather than having individual user IDs. “If they do that, they will have no way to trace who did what. So to use the blood example again, they should be able to go back and see who changed the blood type,” Williams said.
Tips for Improvement
Apparently, hackers have not set their sights on the medical establishment in a big way yet—most healthcare security breaches have resulted from mistakes such as the loss or theft of laptops. Rubin recommended engaging a security professional, either as a consultant or, in the case of larger institutions, in-house.
—Seaborg is a freelance writer in Charlottesville, VA, and a regular contributor to Endocrine News