Computer Viruses and Other Computer Sabotage

Computer viruses and other forms of computer sabotage pose real threats to the integrity of computer-based patient record systems. Viruses or other forms of sabotage can result in the alteration or destruction of data or the creation of false data on the system; they can also cause the system to slow down or crash or otherwise make patient records inaccessible, either temporarily or permanently.

Sabotage can be carried out by both insiders and outsiders and by both authorized and unauthorized system users. Health care providers cannot discount the possibility of sabotage by disgruntled employees. In fact, the biggest threat to system integrity and patient record confidentiality comes from employees and other insiders.

The risk of viruses or other sabotage from the outside can be substantially reduced by eliminating all networking and electronic data sharing with outside computers and by not using any disk from an outside source. Such isolation of a system is generally infeasible, however, and would rule out hospital-physician office linkages and other networking for which there may be important clinical or research reasons. Antivirus software can aid in blocking or detecting viruses and other sabotage.

Software vendors have been known to sabotage a system when payment has been withheld for a system's failure to meet contractual standards. Therefore, a system purchaser or lessor should consider insisting that vendors indemnify the purchaser against all damage and losses resulting from keylocks, viruses, worms, bombs, and the like inserted into software by the vendor or its agents, and from other computer sabotage by the vendor or its agents.

Providers using computer-based record systems have a legal obligation to take security measures that are reasonable, at least by current standards. Currently available security technology for networked patient record systems is insufficient to give providers total assurance that the confidentiality of their records will not be breached or that the integrity of patient records on the system cannot be destroyed. One catastrophic incident involving a computer-based patient record system could set the legal status of computer-based record systems back decades. Therefore, development of improved security technology is of utmost importance.

Potential for Inaccessibility

Medicare, the JCAHO, and most state hospital licensure laws require that medical records for current hospital patients be readily accessible and stored in a way that permits prompt retrieval of information. Keeping computer-based patient records available means minimizing system downtime and having adequate backup mechanisms.

The National Academies of Sciences, Engineering, and Medicine
500 Fifth St. N.W. | Washington, D.C. 20001

Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement