NOV 14, 2011 3:58pm ET

No Security for Health Information

The daily stories of personal health information being stolen or lost cannot be a surprise to anyone by now. And PHI in EHRs or health information exchanges will continue to be released without authorization, or stolen, because there's no real enterprise-class information management architecture in any of the HIE or EHR products that we know of.

In fact, the health care I.T. industry is riddled with very poorly designed systems from an information management and security perspective compared with, say, the world of finance.  Relatively speaking, we read about almost no leakage of financial information compared with health information, especially if you compare the relative value of financial information vs. health information.

If you give a thief a choice of details of 10,000 brokerage accounts or commercial bank records, vs. 10,000 medical records, guess which he'd rather have?

So why do health records "go wild" so often? Because they're so easy to steal.  What makes health information so easy to get to, and financial records so hard, is the very nature of the underlying technology and data access architecture in the applications and databases. 

Most EHR data is in Windows-based client/server applications. These applications have direct access to the database. Once you probe that database or steal a client (Windows) that has a copy of the information, there's basically no way to protect it -- encryption is a joke.

Most financial information sits on a mainframe computer in a secure data center and is stored in robust database software, which is shielded from the application by well-defined and managed transaction management software.  The only way to get to the information is via a secure, managed, controlled, specific transaction.  Incidentally, when there's a release of financial information into the wild it's typically because somebody thought it was a good idea to allow it to be put on a PC.

Until the health care industry adopts the same enterprise-class data architecture found in almost all financial systems, health information will be easy pickings for thieves.
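The two access models contrasted above can be shown side by side in code. The following is an added illustration written for this post, not code from the author or from any EHR or financial product: a constructed patient table in an in-memory SQLite database, one path where the client application holds a database connection and can read everything in a single statement (the client/server model), and one path where callers never see the database and can only invoke named, role-checked, audited transactions that return a fixed projection of a single record (the transaction-mediated model). The table layout, the roles, the transaction names and the policy are all assumptions made for the example.

```python
"""Two access paths to the same constructed patient table (sqlite, in memory):
a client that talks to the database directly, and a gateway that only exposes
fixed, audited transactions. Hypothetical code written for this post."""
import sqlite3

# Constructed sample data; not real patient records.
SAMPLE_PATIENTS = [
    (1, "Ada", "1970-01-01", "hypertension", "123-45-6789"),
    (2, "Ben", "1982-05-17", "asthma", "987-65-4321"),
    (3, "Cy", "1995-11-30", "diabetes", "555-12-3456"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with a patient table and an audit table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patient (id INTEGER PRIMARY KEY, name TEXT, dob TEXT, "
        "diagnosis TEXT, ssn TEXT)"
    )
    conn.execute(
        "CREATE TABLE audit (actor TEXT, txn TEXT, patient_id INTEGER, ok INTEGER)"
    )
    conn.executemany("INSERT INTO patient VALUES (?, ?, ?, ?, ?)", SAMPLE_PATIENTS)
    return conn


def direct_client_dump(conn: sqlite3.Connection) -> list:
    """The client/server model described in the post: the application holds a
    database connection, so whoever holds the client (or its credentials)
    can read every row and every column in one statement."""
    return conn.execute("SELECT * FROM patient").fetchall()


class TransactionGateway:
    """Mediated access: callers never see the database, only named transactions.
    Each transaction checks the actor's role, returns a fixed projection,
    and is recorded in the audit table whether it succeeds or not."""

    # Which roles may run which transaction (assumed policy for the example).
    POLICY = {
        "PATIENT_SUMMARY": {"clinician", "nurse"},
        "PATIENT_BILLING_ID": {"billing"},
    }

    def __init__(self, conn: sqlite3.Connection, actor_roles: dict):
        self._conn = conn
        self._roles = actor_roles  # actor -> role, e.g. {"dr_x": "clinician"}

    def _audit(self, actor, txn, patient_id, ok):
        self._conn.execute(
            "INSERT INTO audit VALUES (?, ?, ?, ?)", (actor, txn, patient_id, int(ok))
        )

    def _authorize(self, actor, txn, patient_id):
        role = self._roles.get(actor)
        ok = role in self.POLICY[txn]
        self._audit(actor, txn, patient_id, ok)  # denied attempts are logged too
        if not ok:
            raise PermissionError(f"{actor!r} may not run {txn}")

    def patient_summary(self, actor: str, patient_id: int) -> dict:
        """One patient, clinical fields only; no SSN, no bulk read."""
        self._authorize(actor, "PATIENT_SUMMARY", patient_id)
        row = self._conn.execute(
            "SELECT name, dob, diagnosis FROM patient WHERE id = ?", (patient_id,)
        ).fetchone()
        if row is None:
            raise LookupError(patient_id)
        return {"name": row[0], "dob": row[1], "diagnosis": row[2]}

    def patient_billing_id(self, actor: str, patient_id: int) -> dict:
        """Billing sees the identifier it needs and nothing clinical."""
        self._authorize(actor, "PATIENT_BILLING_ID", patient_id)
        row = self._conn.execute(
            "SELECT name, ssn FROM patient WHERE id = ?", (patient_id,)
        ).fetchone()
        if row is None:
            raise LookupError(patient_id)
        return {"name": row[0], "ssn": row[1]}

    def audit_trail(self) -> list:
        return self._conn.execute(
            "SELECT actor, txn, patient_id, ok FROM audit"
        ).fetchall()


def demo() -> dict:
    """Run both paths against the same data and return what each exposes."""
    conn = build_db()
    dumped = direct_client_dump(conn)
    gw = TransactionGateway(conn, {"dr_x": "clinician", "clerk": "billing"})
    summary = gw.patient_summary("dr_x", 2)
    try:
        gw.patient_billing_id("dr_x", 2)  # a clinician asking for billing data
        denied = False
    except PermissionError:
        denied = True
    return {
        "direct_rows": len(dumped),
        "summary": summary,
        "denied": denied,
        "audit": gw.audit_trail(),
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one the post makes: the direct path hands over three full rows including the SSN column with no record of who asked, while the gateway path answers one record with only the fields that transaction is defined to return, refuses the transaction the role is not entitled to, and leaves an audit row for both the allowed and the refused call. Stealing the client in the second model yields only the ability to invoke those same narrow transactions, each of which is logged.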

And don't get me started on HIPAA, which is like parking your car at the mall with the doors unlocked, windows rolled down, keys in the ignition, engine running, full tank of gas, with a post-it on the steering wheel that reads "Please don't steal my car or you will be in BIG trouble."

Rob Tholemeier is a research analyst for Crosstree Capital Management in Tampa, Fla., covering the health I.T. industry. He has over 25 years' experience as an information technology investor, research analyst, investment banker and consultant, after beginning his career as a hardware engineer and designer.


Comments (7)
Exactly, the physician I work for had his PHI stolen by an employee and faxed out of the office with malicious intent. Good luck finding someone to report it to. We send a complaint to one government agency, they send it back and tell us to send it to another, who sends it back, and so on and so on. Any suggestions?
Posted by VIRGINIA S | Thursday, November 17 2011 at 12:34PM ET
Having more than 35 years of IT and Telecom experience, with much of the IT being in secure applications like airline ticketing and reservations systems, I have been appalled during my last 15 years while working in healthcare IT.

To summarize in a single sentence: "we never did it like that before, so why should we spend the money to change it now." The other excuse I hear regarding implementation of IT security is, "we will worry about it when we get caught."

These are wrong attitudes to take. These are the attitudes which are most responsible for preventing the ability to properly secure PHI.
Posted by chicagonettech | Thursday, November 17 2011 at 6:51PM ET
I both agree and don't agree. The issue with security in private medical practices is that the people entrusted with that information are the lowest paid people in the office. They get no training, and the incentives placed before them to perform certain tasks do not include becoming stalwart guardians of data. It is the absence of any awareness of appropriate security measures that should be taken as a part of running a business that is the root cause of security breaches.

As for Windows being a security sieve, I sincerely doubt that is the case. If one goes to the typical brokerage company office and looks at the machines that are used by investment professionals to connect to their back office mainframes, he will discover that they are Windows machines. When properly configured by people who know what they are doing, there is no essential difference in the security available by running a Windows machine versus a Linux or Mac. No operating system is inherently better than any other. The only difference is whether that system is understood to be a better target by those who write malware, the word "better" meaning that there are many more people who use it thus creating more opportunities to do bad things to more people. Make no mistake, every system has its fatal and dangerous flaws, but at least Microsoft has worked with every credible security company to find and close all open doors to their system, unlike the purveyors of Linux, Unix, Mac OS, and others.

What no system maker can control is user behavior. Even in the financial world, security breaches can be done easily enough. For instance, screen prints, downloads to thumb drives, handwritten notes, and the like are all means of handing over data to those who should not see it. The wholesale loss of data is more difficult because of the transaction-oriented nature of access as noted by the author, but again, most security breaches do not occur because of software flaws; they occur because of breaches of personal honesty or diligence.

One remark about encryption by the author cannot be allowed to let slide. Encryption, if used and if the key is kept securely away from people who should not see it, can be an effective tool to prevent data loss. For instance, could you decrypt the following:


Here's a hint, the contents are topical and personal. If it's such a joke, then the decryption should be on its way quickly, shouldn't it? I think the typical thief would have a hard time with even this simple example that uses a single key, let alone the more complex methods that use multiple keys that are conditioned on circumstance, time of day, location in a building, and any number of other potential options for encryption.

Here's what I do think is the problem with medical data: The people in charge are doctors, not data specialists. People in charge assert their dominance often by simply saying no to good ideas just for the purpose of showing that they can obstruct whatever they wish. Getting executives, doctors, and medical professionals to think like process-oriented data people is the real challenge. Handling data is not like handling a patient's complaint. Changing medical data security requires hospital administrators and physicians to think using a different paradigm of problem solving.
Posted by rdefazio | Friday, November 18 2011 at 2:49PM ET
Mr. rdefazio,

That information that is being accessed in a "typical" broker's office by a "Windows" machine is not actually on that machine or even on a local Windows server. That data is in the mainframe, in a secure datacenter, accessed via a tightly controlled and monitored fixed transaction processing system (typically CICS) and using secure terminal protocols. What you see on that screen is just a window by window display of highly selected information from the database via those specific protocols and transactions. The access of the information is tightly monitored and controlled. The broker is not allowed to download that data and take it home. The really best systems do not even allow "screen print."

Could one do the same sort of architecture with Microsoft technology, maybe, but my point is they, for the most part, do not.
Posted by Rob T | Friday, November 18 2011 at 8:50PM ET
Did you report it to your state and the OCR? We get immediate feedback when we follow the protocol set out by our state (California) and the OCR guidelines. If it was his personal PHI, he should report it directly to the OCR. If it was patient information, and it was over 500 patients....well, you will want to visit.
Posted by Alexis P | Friday, December 09 2011 at 5:12PM ET