EMR and Computer Security: Another cautionary experience

We’re all going full-tilt toward the Electronic Medical Record, and it stands to be pretty useful both to patients and to providers. However, these systems are still just very specialized software running on networks, and networks need constant vigilance against intruders, including the bored, curious and malicious.

Via Slashdot, here’s the story of a Seattle-area hospital that had several critical systems shut down by a hacker who installed adware in an unsecured system. They state no one was harmed (good) and the culprits are going to have to face the music (double-plus good), but as we become more and more interconnected we’re also more and more vulnerable.

I went to a dog-and-pony show for the EMR that our corporation is going to be rolling out soon, and it’s intriguing, but I’d need to do about 50 practice cases to feel comfortable with it before using it ‘live’. The biggest concern I have with any of these systems is that the flow of information is always assumed to be very linear (triage / basic registration info, then nursing assessment, then the doc interaction, the diagnostic tests and therapeutic interventions are ordered, etc.), which isn’t life in the ED. Sometimes all that needs to happen at the same time, and it takes a lot of mental flexibility and teamwork to make that happen. I’m leery a program can be made anywhere nearly as flexible as people.

Also, patients, get used to looking at the top of your doctors’ head (if you’re lucky) or their back, as ‘feeding the computer’ is going to be the norm. Progress, you know.


  1. I just purchased a tablet computer from Motion Computing, which makes a lot of them for the medical industry. I think you’ll be shocked how easy they are to use. Your head will be down no more than if you were taking notes on a piece of paper or writing on a chart.

    Obviously, a lot depends on the software, but I can tell you the ease of a tablet is extremely addicting. Unfortunately, courthouses aren’t nearly as likely to have wireless capabilities, nor are county budgets going to expand to allow them nearly as soon as hospitals will.

  2. I agree – ERs rarely work in a “linear” fashion.

    My only experience with EMRs was quite positive, but that was in a pediatric clinic which definitely worked in a linear fashion.

    Anytime you have to wait to put in orders for labs or meds, it’s a mess. Many, many times I am filling in all the triage information at the same time the doctor is doing the initial H&P because the patient needs to be seen NOW.

    At least in my unit MDs can start their H&Ps and nurses can begin their work BEFORE the patient is actually “in the computer”. By the time the doctor is done assessing, the registration is done and things move pretty smoothly.

    We’re pretty lucky.

  3. I sincerely hope our experience is like yours, Kim.

  4. “Anytime you have to wait to put in orders for labs or meds, it’s a mess.”

    I work in an EMR-supported ED and that seems to be the catch on the EMR system, though fortunately the people involved are more flexible than the system itself. Otherwise, it’s much, much better than the mess of papers that you would otherwise wade through. I love it.

  5. Security is a big deal with these systems, particularly if they’re using wireless.

    Wireless is popular, because you can roam anywhere in the department and still work… but the security on wifi MUST be done right. I did a demonstration for some of my colleagues, where I set up an encrypted wireless network and set some computers on it to generate traffic. After setting up a passive wifi sniffer on a laptop, I spent a few hours collecting a few hundred thousand packets, and then executed a statistical attack against the crypto key.

    The attack I used recovered the 128-bit key in less than 60 seconds, and that’s in the hands of a non-professional white-hat attacker. This was also a completely passive attack… somebody could do it from your parking lot and you’d never know.

    Needless to say, there were a lot of questions from the other docs about what they were using on their office networks.

    When dealing with medical records, security is everything… I can only hope your facilities have it adequately locked down.

  6. Why do some drs say no sex for 6 weeks after abdominal hysterectomy and some say 3-4 weeks? Just curious. Not seeking medical advice.

  7. I used to be a patient at Kaiser in Walnut Creek, CA which I think uses EMR. The doc had a keyboard and flat panel monitor mounted on a bar that stuck out from a cabinet. He sat facing me and could look at both me and the monitor without too much adjusting. All my tests and history and Rxs were there for him and he printed out test results for me. I thought it was pretty cool. He typed in my info while I was there which probably saved him time later, and, now that I think about it, probably gave me more time to ask questions.

  8. “Also, patients, get used to looking at the top of your doctors’ head (if you’re lucky) or their back, as ‘feeding the computer’ is going to be the norm. Progress, you know.”

    Maybe all the EM docs just need scribes…