Although many respondents to our ongoing poll have indicated a preference for a USB-based personal health record alongside an online system, USB-based personal health record applications have several pitfalls.
These include loss of or damage to the USB key, and security threats from viral programs that could corrupt the network.
A paper on the security threat posed by USB-based personal health records, published in the February 2007 Annals of Internal Medicine (Volume 146, Number 4) at www.annals.org, highlights this issue.
This paper, however, does not indicate the type of software or application that powers these various personal health record programs.
USB (universal serial bus)-based personal health records enable patients to easily transport their health histories to physicians for review. These small, handheld devices (sometimes called “thumb drives” or “flash drives”) contain a database to store personal health information and a software program to display and edit the contents of the database. They are rapidly gaining popularity (1) and have drawn the attention of the popular press (2) and U.S. Congress (3). Recently, they were distributed to Hurricane Katrina victims in New Orleans as part of the city’s Health Recovery Week (4). These devices sell for less than $100 and are often given free to patients by insurers, employers, hospitals, and health systems.
However, USB-based devices may pose a security threat that could be used to access sensitive data from a physician’s computer.
By simply inserting the device into a USB port, a provider may put all data on that computer, and potentially all data on the network to which the computer is connected, at risk for theft or corruption.
To determine whether USB-based personal health records pose a security threat to provider data.
We identified 5 major USB-based personal health records: the E-HealthKEY (MedicAlert, Turlock, California), Personal HealthKey (CapMed, Newtown, Pennsylvania), Med-InfoChip (Med-InfoChip LLC, Boynton Beach, Florida), MedKey (MedKey Corp., San Diego, California), and The Bartlett (PEHR Technologies, Salt Lake City, Utah). We obtained 3 of these devices (MedKey Corp. and PEHR Technologies did not supply a sample of their device), analyzed them to determine their structure, and attempted to modify the software program on each device to perform actions of our choosing. No device was manufactured with protections against this.
We modified the programs on the devices so that, when connected to a computer, they gave the appearance of normal operation but surreptitiously searched for and copied data from the computer to a hidden location on the USB device.
The security threat posed by existing patient-controlled USB devices is serious. Depending on how a USB-based personal health record is modified, the programs on the device could tamper with data (for example, to enter unauthorized prescriptions); spread computer viruses; corrupt the hospital or practice network to which the computer is attached; leave harmful software behind that could, for example, capture usernames and passwords and send them to the person on an ongoing basis; and copy financial or health data—all while the physician is viewing the patient’s health record on the device. Each of the devices we reviewed contains a program that must be used to view the patient record, and no reliable mechanism can verify the integrity of these programs. The only certain way for providers to avoid this type of attack is to avoid accepting such devices. Web-based personal health records, which are also available, are a safer alternative. Because they are viewed through a Web browser and require no special software to run, they are not subject to this type of attack.
Adam Wright, BS
Oregon Health and Science University
Portland, OR 97239
Dean F. Sittig, PhD
Oregon Health and Science University and
Northwest Permanente Medical Group
Portland, OR 97227
Potential Financial Conflicts of Interest: None disclosed.
1. Attitudes of Americans Regarding Personal Health Records and Nationwide Electronic Health Information Exchange: Key Findings from Two Surveys of Americans. New York: Markle Foundation; October 2005.
2. Landro L. Your medical history on a microchip: having key data ready in an emergency. Wall Street Journal. 27 July 2004:D1.
3. Health Information Technology: Hearing Before the Subcommittee on Technology, Innovation, and Competitiveness of the Senate Committee on Commerce, Science, and Transportation, 109th Cong, 1st Sess (30 June 2005) (statement of Senator Mike
4. City sponsors Health Recovery Week: residents to receive free full-service medical care [press release]. New Orleans, LA: City of New Orleans Mayor’s Office of Communications; 2 February 2006.
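
The letter notes that each device carries a program that must be run and that nothing verifies its integrity. The following is an added example, not code from the paper or from any device vendor: a triage check for a mounted device that flags autorun instructions and any executable whose SHA-256 is not in an allowlist. The allowlist, the function names and the sample files are assumptions; digests must come from a source other than the device, since whoever holds the device can rewrite anything stored on it.

```python
import hashlib
import os
import tempfile

# Leading bytes that mark a file as directly runnable (PE, ELF, script shebang).
EXEC_MAGIC = (b"MZ", b"\x7fELF", b"#!")
# File names that ask the host to launch something when the device is inserted.
AUTORUN_NAMES = {"autorun.inf"}


def sha256_file(path):
    """Hash a file in chunks so a large viewer need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_device(mount_point, trusted_digests):
    """Return sorted (relative path, reason) pairs that should block use of the device.

    trusted_digests is assumed to be obtained out of band, never from the device."""
    findings = []
    for root, _dirs, files in os.walk(mount_point):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, mount_point)
            if name.lower() in AUTORUN_NAMES:
                findings.append((rel, "autorun instruction"))
                continue
            with open(path, "rb") as fh:
                head = fh.read(4)
            if head.startswith(EXEC_MAGIC) and sha256_file(path) not in trusted_digests:
                findings.append((rel, "unverified executable"))
    return sorted(findings)


def demo():
    """Audit a constructed device layout, with and without an allowlist."""
    with tempfile.TemporaryDirectory() as dev:
        samples = {"viewer.exe": b"MZ constructed viewer", "records.db": b"constructed data",
                   "autorun.inf": b"[autorun]\nopen=viewer.exe\n", "helper.bin": b"\x7fELF constructed"}
        for name, body in samples.items():
            with open(os.path.join(dev, name), "wb") as fh:
                fh.write(body)
        trusted = {hashlib.sha256(samples["viewer.exe"]).hexdigest()}
        return audit_device(dev, trusted), audit_device(dev, set())
```

With an empty allowlist, which matches the situation the letter describes, every program on the device is reported as unverified. A clean result covers only the files on the volume and says nothing about the device hardware or firmware.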