July 23, 2009



Nearly 12,000 Canadians received letters earlier this month telling them that their personal banking and e-mail accounts may have been hijacked by a virus from the Alberta Health Services computer system. They were not alone. Over the last couple of years, sporadic reports of similar incidents have surfaced, exposing the soft underbelly of the information technology that our nation is racing to embrace.

In 2008, hackers unleashed a computer virus that harvested the names, birth dates, and, potentially, credit card numbers of people who donated money to a central Oregon hospital system. Malicious viral attacks earlier that year caused the loss of patient appointment data at three medical institutions in the U.K. In 2005 a computer "worm" struck the Dartmouth-Hitchcock Medical Center, shutting down access to patient medical records across its New Hampshire facilities.

Such instances, when information technologies already in place have come under fire by hackers or their rogue creations, are sobering reminders of the dangers that accompany the adoption of healthcare information technologies (HIT), reminders that deserve attention. While acknowledging the dangers of cyber attacks either directly or indirectly, much of the emphasis at Integrating the Healthcare Enterprise, a global initiative to digitally link the patient records of healthcare services, has been on overcoming barriers to passing this information among different applications, medical specialties, and institutions. Ditto for organizations, such as the Healthcare Information and Management Systems Society and the Society of Imaging Informatics in Medicine, whose members serve as proponents of HIT adoption.

Over the next few years, the Obama administration wants healthcare providers in the U.S. to jump onboard the HIT bandwagon. They'll be asked to show "meaningful use" of IT systems while following regulations written into the Health Insurance Privacy and Accountability Act (HIPAA) to protect the privacy of patient data.

But HIPAA-driven concerns barely scratch the surface of what we have to worry about. In addition to data needed for diagnosis and treatment, medical records contain financial information easily leveraged for identity theft. The vulnerability of healthcare IT to malicious attack opens patients and providers to widespread disruptions in their daily lives. Then there is the broader worry related to national security.

Cyber attacks around the Fourth of July against government websites in the U.S. and South Korea underscore how a nation-or a terrorist group-with limited resources might snarl information technologies. A network of interoperable IT platforms spread across thousands of medical institutions could be fertile ground for a virus or worm designed to feast on it. Such an occurrence could wreak havoc from coast to coast.

System security must be given a place beside interoperability as a key concern in the Obama healthcare initiative. We cannot depend on good will or a sense of fair play by our enemies to keep us safe. Medical records must not become soft targets for those who wish us harm or who draw pleasure from causing damage.