Ask the Doc: What about online medical records?

May. 13, 2014 @ 11:01 PM

Question: So how private are my medical records on computers?

Answer: How safe are our national secrets over the past two years?

In late April 2014 the FBI released information stating a stolen credit card’s information is worth one dollar on the black market of the Internet.  

They also stated a (one) stolen computerized medical record is worth $20.

Twenty to one.  Think about that.

As a physician, my training from day one of medical school was to learn how to collect first what the patient says, then what is learned through physical exam and testing, assimilate it into an assessment list, and then make a plan based on reasoning, experience, deduction and medical science.  

It is called a SOAP note: S for subjective (what the patient says), O for Objective (what I find), A for Assessment (a list of diagnoses) and P for Plan.  The basic SOAP note has been expanded, stretched and complicated by computers much like the basic Ivory Soap has been overshadowed by the current glitzy soap aisles in the store.  

One thing that has not changed in training is this: As a physician, you guard your patient’s privacy. It is a unique an intensely personal relationship where patients share things they do not share with anyone else.  Maybe it is just a sore throat, or maybe it is from screaming because a marriage is collapsing.  Maybe it is a chronic headache, or maybe this woman who seems to have it all together is being beaten by her husband every night.

As a financial incentive (and threat of non-payment) from the Affordable Care Act in 2008, a larger percentage of this information is now floating around in computer systems along with personal demographic information such as financial identification numbers, Medicare numbers and insurance information.

These records have now become targets by computer hackers (think of them as modern day safe-crackers who never leave home) and they are finding the protection of this information is widely variable and significantly less secure than financial and retail systems.

In the recent Private Industry Notification (PIN) from the FBI to healthcare providers, it stated: “Health data is far more valuable to hackers on the black market than credit card numbers because it tends to contain details that can be used to access bank accounts or obtain prescriptions for controlled substances.”

The FBI seems to be quietly trying to nudge healthcare corporations and physician groups to re-examine their security systems.  

The larger corporations have some of the most elaborate protections on computer access implemented by people who stay up late at night worrying about the endless possibilities of hazards connecting an information system to the Internet.  In order to exist in the current world of Medicare and insurance, this access is required to transmit billing data, and more recently, compliance data including lab results, medications, and preventive health measures.  The biggest problems with security seem to be the smaller corporations and physician offices which have less financial resources to pay for security.  

I have seen medicine grow from paper to pixels, documents to digital, charts to computers and facing-the-patient to staring-at-the-screen. The idea of connecting a computer with personal physician-patient information on it has been uncomfortable to many physicians, some because of privacy, and others because of belligerence.

Even the wealthy, Internet-everything Google, which championed “Google Health” as an Internet center for people to store their medical information and share with their healthcare providers, abandoned it in 2013 because they couldn’t get enough people interested in placing their information on the Internet.  (I signed my yellow Lab up for an account — “Hobbes Littleton, do you know your cholesterol?” — my 125-pound, bacon-eating dog didn’t care).

At $20 a chart, medical records are going to be targeted. Count on it. The FBI has warned the industry, and when a breach occurs, they will no doubt remind us they told us so.

Someone, somewhere will hack into a system, or steal the information with a jump drive, and sell it an make an illicit bounty on the Internet.  But in a malicious side-thought, they will release the pharmacy records of all the men who obtained prescriptions for those, well, those, pills — you know, “The Blue and The Bathtub Pills.”

It will be Pandora’s Pill Box.

Eric J. Littleton, M.D. is a Family Physician in Sevierville, TN.  His new office is located at 958 Dolly Parton Parkway. Topics covered are general in nature and should not be used to change medical treatments and/or plans without first discussing with your physician.  Send questions to