For example, Kaiser Permanente, one of the nation's largest health care organizations, promises its physicians and other members on its Web site that their data will be secure "from the moment your account information leaves your computer to the time it enters Kaiser Permanente's system" because it's encrypted using SSL.
"The fact that you did encryption doesn't mean you've protected medical information, because access control is the real issue," Elgamal said. "New cybercriminals do not do what the old cybercriminals did. They realize you'll be encrypting the data and instead access the application and steal access rights."
SSL does a good job of securing the connection between two nodes at the transport layer, Elgamal said. But protecting health care information requires additional security technologies. For example, SSL cannot tell whether the data it carries is sensitive, nor can it protect the information once it is inside the network or at rest on a server.
"It is important to identify what 'strong security' means -- but we can only do that after the requirements have been stated [by the government]," Elgamal said.
For example, a physician who logs into an online portal from his laptop to access patient data reads that information through an application, and that application holds the keys needed to decrypt it. Attackers write malware that infects the application and waits for it to decrypt the data, which gives them access to the health data in the clear.
"So the malware sits on the doctor's laptop, waits for him to log in ... and the malware is reading the data at the same time the doctor is," Elgamal said. "They did not need to log in on your behalf. They did not need to crack passwords. They did not need to go to the hard drive and decrypt the data. They sat in the middle of the application."
While security practices around handling eHealth data will be beefed up with bigger fines as well as a requirement to adhere to security best practices under the HITECH Act, some believe efforts may be aimed at the wrong target. Under the HITECH Act, fines for data breaches can go as high as $1.5 million per year.
"The penalties are more severe, even for smaller breaches," said Judy Hanover, an analyst with IDC's Health Industry Insights. "It puts a lot more teeth into HIPAA rules with regard to breaches of patient information, and that's leading to a lot more attention on the security of EHRs."
Elgamal said it's good that the federal government is getting more stringent about security, but ensuring that organizations comply "is not a trivial business to do."