"There are way too many participants in these health care data exchanges," he said. "There are participants in the health care industry that you would not think of that get data -- and sometimes lots of it -- and not every participant in the ecosystem is acquiring (EHR) technology at the same time."
Elgamal and other experts say that the applications with access to sensitive data need protection. That means ensuring there are application access controls, audit trails, regularly updated malware protection.
According to the Open Security Foundation, which tracks U.S. data breaches, 27% of all breaches involve stolen PCs and laptops, 16% involve direct hacks and 13% involve malware over the Web. The medical industry currently makes up 12% of all data breach incidents, with general business breaches making up nearly 50%.
Robert Grapes, chief technologist of the security software vendor Cloakware Inc., said IT managers should think of their health records systems as a house, with application access controls as the front door. Those EHR systems also need to track who's in the house and what rooms they've been in. That way, any changes to data are not only authorized, but logged.
"Today the norm is encryption, access control and some data integrity. Those are building blocks of most systems. It's served us well, but as the range of attacks gets more sophisticated, the opportunity for more malicious behavior increases," he said.
Grape also said IT managers must also focus on application renewability, or upgrading software to ensure that if an application is hacked, the intruder will only have access to a limited amount of data.
"For example, take Adobe Reader. If you've not upgraded your version and it's been out there for years, the data created by it is years old. If I can renew my software every month, I'm breaking the attacker's business model.... It makes it harder to get a big reward because the new or patched version of the software is all that's available to him."
Grapes also recommends practicing good encryption key management, including offsite backup of keys in case data must be accessed years down the line.
One incentive for IT managers to improve security involves the HITECH Act's requirement to report data breaches to the public. For example, in Novemberm, health insurer Health Net of the Northeast Inc. reported it had lost a hard drive with seven years worth of personal financial and medical information on about 1.5 million customers. Health Net waited six months to report the data breach.
Under the new HITECH Act, data breaches effecting 500 pwoplw or more will be posted on the HHS Web site for all to see, according to Nagraj Seshadri, a security technologist with security vendor Sophos Plc.
"That's a pretty big incentive for people to keep data breaches from happening," Seshadri said.
Lucas Mearian covers storage, disaster recovery and business continuity, financial services infrastructure and health care IT for Computerworld. Follow Lucas on Twitter at @lucasmearian or subscribe to Lucas's RSS feed . His e-mail address is lmearian@computerworld.com.