Forgot your password?
Privacy Medicine Security IT Your Rights Online

Americans Trust Docs, But Not Computerized Records 162

Posted by timothy
from the and-scarcely-themselves dept.
Lucas123 writes "A soon-to-be-released survey from CDW shows that Americans trust their physicians to use their health information responsibly, but they're very concerned that once in electronic format, their personal health information may suddenly show up on the Internet. Their fears may not be unfounded. CDW said that survey data showed 30% and 34% of doctors lack basic anti-virus software and network firewalls, respectively. Most amusingly, however, nearly a quarter of the 1,000 patient respondents said they don't even trust themselves with access to their own electronic health records."
This discussion has been archived. No new comments can be posted.

Americans Trust Docs, But Not Computerized Records

Comments Filter:
  • by Rooked_One (591287) on Thursday February 17, 2011 @06:39PM (#35238192) Journal
    You will always have uneducated and educated people. And you will have educated people who aren't computer savvy. This means you will end up with a percentage (probably based on region - I feel sorry for people in the midwest) of doctors who offices are completely unsecure and all it would take is a patient walking in with the appropriate thumb drive at the appropriate time.

    BAM! Access to the doctor's office is now at hand and anyone's records can be had.

    Very few people who would do this sort of activity in other situations are doing it for fun. I can only think doing this to make money would be something that would be a scheme, to mostly blackmail people of a region with the largest percentage of ignorant and uneducated people. Who, ironically enough, are going to be sick more and thus go to the doctor more... But how, or why, to exploit these people who have nothing to give is beyond me.

    But rich people also go to doctors from time to time as well... so what then?
  • by Just Some Guy (3352) <> on Thursday February 17, 2011 @06:43PM (#35238238) Homepage Journal

    The majority of doctor's offices I've been around aren't connected to the Internet at all. For instance, my wife's practice has a WPA2 secured Wi-Fi network so that her laptop (whole-drive TrueCrypt) can talk to the database server that manages her records, and none of the hosts on the WLAN have any form of Internet connection. As it turns out, they do have AV programs (MS Security Essentials), but without any removable media coming into the office and no net connection, it's pretty much just a formality.

    My kid's orthodontist's network has Internet access, but it's a bunch of Macs behind a firewall+NAT and a strict "no personal browsing at the office" policy. (I know this because I bartered net admin chores for dental work :-) ).

    I'm certain there are insecure medical offices, but the doctors I've talked to are so terrified HIPAA that they'll take almost any security tips you give them.

  • by hawguy (1600213) on Thursday February 17, 2011 @06:46PM (#35238268)

    Why doesn't some organization come up with a set of standards and best practices to ensure that HIPAA protected data is actually protected as it should be? I'm thinking something like the PCI security council started by the credit card companies that mandates a set of rules and best practices that have to be followed for all merchants that handle credit cards.

    Following the PCI standard doesn't guarantee data security, but it is a big step in the right direction. Doctors need the same kind of prodding to get them to implement real security controls and not just say "Oh, well i checked the WEP encryption box on my Wifi router, so all of my data is encrypted and safe - I know it's safe because I backed up my patient records to my iPhone".

  • Dr's are tech idiots (Score:5, Interesting)

    by Ludedude (948645) on Thursday February 17, 2011 @07:09PM (#35238624)

    I work for a large regional provider of EMR hardware and software and I can tell you first hand that you should be afraid, very afraid, of anything your Dr. does with health records that involve a computer. Anti-virus is the tip of the iceberg. You install it for them and their brother in law who's a burger flipper helpfully uninstalls it to "speed things up." Hilarity ensues. Entire offices are implementing EMR that refuse separate usernames and passwords because it's "just too damn hard to remember all that" so everyone logs in as user with some simple password; that's if they even bother to log in or off at all. Of course they have to have admin rights because it's their hardware and they know what's best.

    Since most of the offices that are being force-fed EMR because of the lure of up to $44,000 in "stimulus" funds [] are smaller practices, they don't have domains that can be used to enforce universal security policies.

    The larger ones, sure, but most of them already use EMR and have on site servers etc. along with the requisite firewalls and VPNs. The vast majority of the new ones though are being sold "cloud" based systems with no local servers at all, so it's a friggin' free for all in terms of security (or lack thereof). They're just lining up for a swipe at the stimulus golden ring but half of them shouldn't even be entrusted with anything as complicated as a TV remote, let alone computer systems.

"Trust me. I know what I'm doing." -- Sledge Hammer