Does the DNS security hole worry the EHR and PHR worlds?

I read a disturbing article in the NY Times last Friday about Dan Kaminsky's talk at the Black Hat conference: he's been beating the drum for a while now, warning of what sounds like a serious security hole in Domain Name Server software offering an open door to hackers of websites containing confidential information and into email (which could allow phishing for usernames and passwords for otherwise protected sites).  The technorati seem to agree that he's identified a serious problem, and it seems that not all affected parts of the internet infrastructure have applied patches or upgraded their software.

Yet another reason to be wary of assurances that if the internet is safe for banking then it's safe for health care information.  Even the latest compact on privacy doesn't count for much in the face of a technical issue of this magnitude.

Providers that have not adopted EHR systems to date could use this sort of news as an additional excuse to try to delay the inevitable.  A study published in the NEJM a couple of months ago found that the reason most often given for lack of EHR in a practice is cost.  (One commentator takes issue with that conclusion.  I've also posted in the past about issues other than cost that stand in the way of EHR adoption.)

On the PHR front, this sort of news could scare off many people from uploading their health data into Google Health or Microsoft's HealthVault.

However, the bottom line is that there is clinical value to using electronic health records and personal health records, and to the extent that providers and patients see that value, the benefit can be weighed against the cost of a potential security breach.  The cost-benefit analysis will vary from person to person, depending on a variety of factors ranging from EHR considerations like the short-term effect of EHR adoption on productivity vs. the clinical benefits that can accrue to patients, to PHR considerations like tolerance for junk mail, a snowbird's desire to keep doctors in two locations up to speed on conditions and treatments, and concerns about being denied employment due to a genetic predisposition to an occupational disease.  (I know that's supposed to be illegal, but, gee, do you think that might happen sometimes anyway?)

Would I prefer to stand firm and insist on perfect online privacy protections for financial and health care information?  Of course!  Is that practical?  Of course not! 

A few years back, my credit card information was inappropriately released by a vendor that apologized semi-profusely and paid for a year's worth of fraud monitoring and reporting.  Have I stopped using credit cards?  No.  The cost would be too great.  Am I concerned that my physician's EHR system could be hacked into?  Well, my thinking on that is that hackers with limited resources probably want to go after something with greater interest, or at least greater value in the marketplace (e.g., Britney Spears' medical records) so I am willing to continue to be part of the online system.

I am resigned to living with some of the burdens of modernity.  Having completed my own cost-benefit analysis, I am not willing to live "off the grid."  Some of you out there may be willing to do so — you'll maintain your privacy, but you won't be able to read HealthBlawg any more.

— David Harlow