Electronic Health Records Vulnerable to Security Breaches


A study of data breaches reported to the California state attorney general’s office in 2012 found that the health care sector was third in the number of data breaches, after the retail sector and finance and insurance sector. And although the data breaches in the health care industry so far have resulted primarily from inadvertent lapses, such as the loss of a laptop or mobile device, some security consultants warn that the personal information in the files is seen as increasingly valuable for identity thieves and others.

Medical records command a much higher black market price than credit card numbers, which is why Rick Kam, president of the data-security consulting firm ID Experts in Portland, Ore., foresees fraudsters paying much more attention to medical information than they have in the past.

Two Kinds of Problems

The problems fall into two general categories, the software itself and human failure to adopt good practices.

Many studies have found very basic vulnerabilities in EHR software, said Laurie Williams, PhD, a computer science professor at North Carolina State University. Her research team’s examination of a pair of EHR systems found they were open to “almost beginner level security attacks.”

Poor security is an endemic problem with software in many industries, and “the software itself is probably not any worse than in other domains,” Williams said. Many other kinds of software contain similar vulnerabilities, but the EHR problems are troubling because they contain such sensitive and personal information. Williams said that if a hacker obtains credit card information, a user can repair the damage by closing the account and getting a new credit card, “but with health records, if someone’s private information gets out, you can’t withdraw that knowledge.”

Potential problems range from identity theft from the release of information such as Social Security numbers to malicious tampering with records themselves. “You could possibly change someone’s blood type and then they’d get a transfusion of the wrong type,” Williams said.

Rubin noted that victims of identity theft can have money stolen and their credit ruined, but medical disclosures pose special dangers. “There are a lot of risks to people having their medical data exposed,” he said. There is a risk about not being able to get a job because [you] have a certain genetic makeup, or just shame from having certain diseases.”

People problems

But the majority of the health care breaches that have happened so far appear to relate more to human practices in health care settings that tend to make matters worse.

“In terms of security management, the health care industry is particularly bad. A lot of the security problems in the health care industry are people management issues as opposed to software issues,” said Avi Rubin, PhD, professor of computer science at Johns Hopkins University and technical director of its Information Security Institute.

Rubin toured hospitals to study their practices and noted a general disregard for computer security, such as passwords commonly posted on computers using sticky notes. In one hospital, a nurse went from computer to computer typing in a particular physician’s password so the physician would not time out. That practice left the machines unattended and unprotected most of the time.

The accepted practice of distributing to patients disks containing their x-rays—along with executable programs for reading them—is dangerous because when patients walk into a facility with these disks, practitioners have no idea what is really on them. They could contain malware that could infect whole systems, Rubin said.

Williams noted that in the interest of easing the transition to electronic records, some practices have taken shortcuts such as having a single log-in ID for doctors and another for nurses, rather than having individual user IDs.

“If they do that, they will have no way to trace who did what. So to use the blood example again, they should be able to go back and see who changed the blood type,” Williams said.

Another advantage of individual user IDs is to track access within a practice, to discourage workers from accessing records they should not access, for example, out of curiosity that a neighbor came in and looking up why, Williams said.

Security tips

EHR software users’ options are limited because they must buy a system certified by government regulators, and Williams and Rubin agreed that the certification process has not paid adequate attention to security. They recommended that practitioners pressure vendors and government regulators to make security a higher priority.

Rubin recommended that practices trying to improve security not try to do it on their own: “They need to have access to a real security professional, whether it is somebody that just consults with them or, if they are a large organization, somebody that works in-house.”

The increasing use of smartphones and other devices offers another avenue for data to be compromised. Physicians and other health care workers are probably leaders in the adoption of these technologies, emphasizing the need for good computer hygiene.

With most health care security breaches still resulting from mistakes such as the loss or theft of laptops, the U.S. Department of Health and Human Services’ cybersecurity website lists 10 tips for improving practices in the small health care environment (Table 1).


Rubin and Williams both stressed that creating a culture of data security awareness is a key step in protecting patient records, which should be considered one more part of patient care in the digital world.