NOV 14, 2011 3:58pm ET

No Security for Health Information


The daily stories of personal health information being stolen or lost cannot be a surprise to anyone by now.  And PHI in EHRs or health information exchanges will continue to be released unauthorized, or stolen, because there's no real enterprise-class information management architecture in any of the HIE or EHR products that we know of.

In fact, the health care I.T. industry is riddled with very poorly designed systems from an information management and security perspective compared with, say, the world of finance.  Relatively speaking, we read about almost no leakage of financial information compared with health information, especially if you compare the relative value of financial information vs. health information.

If you give a thief a choice of details of 10,000 brokerage accounts or commercial bank records, vs. 10,000 medical records, guess which he'd rather have?

So why do health records "go wild" so often? Because they're so easy to steal.  What makes health information so easy to get to, and financial records so hard, is the very nature of the underlying technology and data access architecture in the applications and databases. 

Most EHR data is in Windows-based client/server applications. These applications have direct access to the database. Once you probe that database or steal a client (Windows) that has a copy of the information, there's basically no way to protect it -- encryption is a joke.

Most financial information sits on a mainframe computer in a secure data center and is stored in robust database software, which is shielded from the application by well-defined and managed transaction management software.  The only way to get to the information is via a secure, managed, controlled, specific transaction.  Incidentally, when there's a release of financial information into the wild it's typically because somebody thought it was a good idea to allow it to be put on a PC.

Until the health care industry adapts the same enterprise-class data architecture found in almost all financial systems, health information will be easy pickings for thieves.

And don't get me started on HIPAA, which is like parking your car at the mall with the doors unlocked, windows rolled down, keys in the ignition, engine running, full tank of gas, with a post-it on the steering wheel that reads "Please don't steal my car or you will be in BIG trouble."

Rob Tholemeier is a research analyst for Crosstree Capital Management in Tampa, Fla., covering the heath I.T. industry. He has over 25 years experience as an information technology investor, research analyst, investment banker and consultant, after beginning his career as a hardware engineer and designer.


Comments (7)
Exactly, the physician I work for had his PHI stolen by an employee and faxed out of the office with malicious intent. Good luck finding someone to report it to. We send a complaint to one goverment agency, they send it back and tell us to send it to another, who sends it back and so and so on. Any suggestions?
Posted by VIRGINIA S | Thursday, November 17 2011 at 12:34PM ET
Having more than 35 years of IT and Telecom experience, with much of the IT being in secure applications like airline ticketing and reservations systems, I have been appalled during my last 15 years while working in healthcare IT.

To summarize in a single sentence: "we never did it like that before, so why should we spend the money to change it now." The other excuse I hear regarding implementation of IT security is, "we will worry about it when we get caught."

These are wrong attitudes to take. These are the attitudes which are most responsible for preventing the ability to properly secure PHI.
Posted by Bruce B | Thursday, November 17 2011 at 6:51PM ET
Add Your Comments:
You must be registered to post a comment.
Not Registered?
You must be registered to post a comment. Click here to register.
Already registered? Log in here
Please note you must now log in with your email address and password.

Blog Archive for Rob Tholemeier

An X Prize for Health Care
EHR Beyond Meaningful Use: Productivity -- Part 3
EHR Beyond Meaningful Use: Productivity--Part 2
EHR Beyond Meaningful Use: Productivity -- Part 1
Get a Job

More from Rob Tholemeier »

Blog Index »


Unlike some other major industries, health care incorporates geospatial data only sparingly. But that could change quickly with population health a priority.

Login  |  My Account  |  White Papers  |  Web Seminars  |  Events |  Newsletters |  eBooks
Already a subscriber? Log in here
Please note you must now log in with your email address and password.