Tech RX

Simple tips for keeping medical data secure

With the push for electronic health records, medical data have become increasingly vulnerable to security breaches.


With the push for electronic health records, state-run prescription monitoring programs, and greater use of information technology in patient-physician communication, medical data have become increasingly vulnerable to security breaches. In 2009, for example, a hacker who illegally accessed the online system of the Virginia Prescription Drug Monitoring Program claimed to have stolen 8.3 million patient records and demanded $10 million in ransom, The Washington Post reported.

Known as the “Wall of Shame,” a U.S. Department of Health and Human Services Web page lists nearly 300 hospitals, insurance companies and medical practices that have reported security breaches affecting at least 500 patients. Many of these breaches involve the theft or loss of laptop computers and other portable electronic devices.

“The vast majority of breaches of patient information are not by hackers,” says Farzad Mostashari, MD, the Obama administration’s national coordinator for health information technology.
“Everyone assumes it is someone from another country trying to crack into your database. But most of the time it’s someone leaving a laptop in the car or putting data on a thumb drive that isn’t encrypted.”

Thomas G. Zimmerman, DO, a health information technology consultant, says that physicians need to take steps to ensure data security. But while electronic health records increase the risk of patient privacy violations, the hazard is not new, he notes, given that sensitive patient data, including diagnoses and social security numbers, have been transmitted electronically to third-party payers for more than three decades.

“The benefits of electronic health records outweigh the risks,” Dr. Zimmerman says. “But it is important to be cognizant of the risks and address them.”

Although EHR vendors instruct practices in patient-record security, he advises physicians to embrace a number of additional safeguards.

Simple safeguards

In practices that have adopted EHRs, laptop computers are sometimes left unattended in examination rooms or used in open workstations in public areas. To prevent security violations in these situations, computers should log-off users automatically after a very brief period of inactivity, such as two minutes for a computer at a nurse’s station, five minutes for a stationary computer in an examination room, and 10 minutes for a laptop that remains in a physician’s possession, Dr. Zimmerman suggests.

“A lot of users de-activate the automatic log-off feature because they resent having to re-enter their user ID and password, but this is a big mistake,” Dr. Zimmerman warns. This feature can often be modified to meet the needs of different users. For example, physicians who use a computer while examining patients may need a longer period of continuous access despite inactivity than nurses and practice-management employees.

To prevent furtive glimpses of patient data, Dr. Zimmerman recommends using computer privacy filters on laptop and desktop monitors so that only someone directly in front of a monitor can see the image on the screen. In addition, he says, practices should de-activate USB ports and CD burners on computers accessing EHRs to prevent unauthorized copying of patient records.

Medical practices, moreover, need to make sure that all of their HIT systems have up-to-date antivirus protection. And internal wireless networks require robust encryption to ensure security, says Dr. Zimmerman, who is a trustee of the American Osteopathic Association of Medical Informatics.

Thorough employee training on the use of EHRs is critical, Dr. Zimmerman stresses. “Make sure that everyone signs an agreement to keep user ID and log-on information confidential,” he says. “Don’t let anyone log on under another person’s name. Make a point that staff members will be held responsible for everything done under their user IDs.”

Because good EHR systems have secure channels for physician-patient interactions, physicians should avoid communicating with patients by email. “I see a lot of patients who like to use email for medical questions, and I have to remind them not to,” he says. EHRs’ patient portals are often as easy to use as online banking systems, he says.

EHR systems are in some ways more secure than paper patient charts, according to Dr. Zimmerman. “EHR systems keep track of who is seeing what data,” he explains. “With paper charts, you never really know who is accessing them unless you have a very elaborate video security camera system.”

Additional resources

Physicians can learn more about HIT security on the website of the Office of the National Coordinator for Health IT, which features the publication Reassessing Your Security Practices in a Health IT Environment: A Guide for Small Health Care Practices.

“It is part of our core responsibility as physicians to safeguard patient information, but we need to be able to communicate,” Dr. Mostashari says. “With industry, we have come up with secure channels of communication, which are increasingly available to providers.”


  1. Chris Burritt

    I second the above comment. It is often stated as fact despite studies showing quite the opposite. From what I have read so far the risks are real and the benefits are largely theoretical. Perhaps a decrease in third party involvement could improve the patient-physician relationship and decrease privacy breeches.

  2. Debra

    I agree oftentimes breaches occur from improper logging off of personal computers/laptops, it is unconscionable of anyone leaving either unattended or the least not having a screen time-out setting. With society being almost solely technology and attempts being made to reduce unwarranted hospital or doctor’s visits, I see doctor -patient email communication an acceptable tool and if there are glitches with this method in the delivery of health care, it needs to be addressed.

Leave a comment Please see our comment policy