Letters

Security Threat Posed by USB-Based Personal Health Records

Adam Wright, BS; and Dean F. Sittig, PhD

From Oregon Health and Science University, and Northwest Permanente Medical Group, Portland, Oregon.

Potential Financial Conflicts of Interest: None disclosed.

Ann Intern Med. 2007;146(4):314-315. doi:10.7326/0003-4819-146-4-200702200-00020
In Response
Posted on March 20, 2007
David W. Robinson
Emory University School of Medicine
Conflict of Interest: None Declared

In the clinical observations letter "Security Threat Posed by USB-Based Personal Health Records," Mr. Wright and Dr. Sittig claim that (1) USB drives pose a significant security risk to physicians and (2) web-based personal health records are safer.

In order for computer attacks such as those described by the authors to be successful, either the physician's systems lack appropriate anti-virus software or the malware author needs intimate knowledge of both the personal health record program and the physician's computer environment, specifically the program/file-type that is to be infected/stolen. A curious irony is that the need for personal health records is rooted in the lack of interoperability between the various proprietary electronic medical record systems. As such, it seems unlikely that a patient would know how the environment on Dr. X's computer differs from that of Dr. A's without a more serious security breach having already occurred. Also, medical offices have very large databases on their computer systems. It is doubtful that a typical 128 MB USB device could copy even a tiny fraction of the entire database.

In our current day and age it is prudent for everyone, physicians and patients alike, to exercise a certain amount of computer common sense. Just as one should not open an attachment from an unknown e-mail sender, it is unwise to run an unverified program in an unsafe environment. For example, instead of prohibiting the use of USB-based personal health records and all the potential benefits, a physician could open records on a designated stand-alone computer that does not store sensitive information.

With regard to claim (2), such a statement is more opinion than scientific research, since no effort to alter a web-based program to perform in a similarly unintended manner was revealed. A physician could conceivably be under a similar hypothetical threat from browsing and retrieving records from an untested web-based electronic health record. The downloaded data could infect the requesting machine with a variety of malware. Moreover, cookies could be implanted and used to transmit other patient data without triggering concern. Even legitimate-appearing web-based personal health record sites could be masquerading as a trustworthy entity using phishing techniques.

Security is a serious and valid concern for all users. Some solutions may be safer for physicians, while others are safer for patients. Everyone must assess the choices available, the benefits therein, and how to best protect each other.

Conflict of Interest:

Mr. Robinson and Mr. Morin are affiliated with PEHR Technologies, LLC, Salt Lake City, Utah.
