Those ubiquitous handheld USB (universal serial bus) flash drives that double as key fobs, and have grown popular as a convenient way to store and transport digital personal health records, can be used to steal or corrupt data in the health care provider computer networks they plug into, two Oregon Health & Science University medical informatics specialists have discovered.

In a Clinical Observation Letter published today (Feb. 20) in the Annals of Internal Medicine, Adam T. Wright, Oregon Health & Science University Ph.D. candidate and fellow in medical informatics, and Dean F. Sittig, Ph.D., OHSU adjunct professor of medical informatics and clinical epidemiology, warn that the "security threat posed by existing patient-controlled USB devices is serious."

Sometimes called "thumb drives," such devices contain a database to store personal health information and a software program to display and edit the contents of the database. Selling for less than $100 apiece, they are often given free to patients by insurers, employers, hospitals and health systems. They were distributed recently to Hurricane Katrina victims in New Orleans as part of the city's Health Recovery Week.

"Depending on how a USB-based personal health record is modified, the programs on the device could tamper with data (for example, to enter unauthorized prescriptions); spread computer viruses; corrupt the hospital or practice network to which the computer is attached; leave harmful software behind which could, for example, capture usernames and passwords and send them to the person on an ongoing basis; and copy financial or health data, all while the physician is viewing the patient's health record on the device," Wright and Sittig reported.

The devices Wright and Sittig analyzed were defenseless against modifications that can turn them into digital Trojan horses. "The only certain way for providers to avoid this type of attack is to avoid accepting such devices," the OHSU specialists asserted in their letter.

The two researchers were able to alter the software programs on the devices they tested so that, when plugged in, they surreptitiously searched for and copied data from the host computer to a hidden location on the USB device. Wright and Sittig tested three of the five major USB-based personal health records devices on the market – the E-HealthKEY produced by MedicAlert, the Personal HealthKey by CapMed and Med-InfoChip by Ned-InfoChip LLC.

Each of the devices, Wright and Sittig found, contained a program that must be used to view the patient record. There are no reliable mechanisms, they said, to verify the integrity of these programs. Web-based personal health records are a "safer alternative," the Wright-Sittig letter advised, because they are viewed through a Web browser and require no special software to run.

The Annals of Internal Medicine is published by the American College of Physicians whose 120,000 members include physicians in general internal medicine and related subspecialties as well as medical students.

Wright, who holds an undergraduate degree from Stanford University in mathematical and computational science, was a business process engineer at Intel Corp. He expects to receive his Ph.D. in medical informatics from OHSU in June. Sittig, in addition to serving on the OHSU faculty, is director of applied research in medical informatics for Northwest Permanente, PC. He is the founding editor of The Informatics Review and founding member of the Improve-IT Institute, which is dedicated to improving the effectiveness of healthcare through measurement and evaluation.