Security from prying eyes, that is.
I didn't include security of data from placement into /dev/null (that is, destruction).
There's this email, received by East coast physicians not long ago from a claims processing company (identities redacted):
As you may be aware, we experienced a significant problem with our computer system during a software maintenance function on XX/XX/2010.
In addition to the network issue, we discovered that the redundant back-up systems were not operating as reported. ["Reported" when, and by whom, one wonders? - ed.]
We had two on-site back-up systems that were monitored daily and which were historically reported as successful. We have since learned that these internal back-up functions were not operating as reported and the on-site back-ups were not entirely successful. [Meaning, they were not successful, period - ed.]
Also, our software vendor, [major EHR vendor], was providing two additional remote back-ups on servers located in [city, state] and [city, state]. [EHR vendor] has informed us that these remote back-ups were not initiated as represented. [Meaning, they screwed up - ed.] Therefore, when our computer network system malfunctioned, there was no readily available back-up data on-site or at the remote redundant back-up servers.
Please be aware that we have replaced hardware components and were able to recreate the data bases and we are billing. However, we are still unable to access data that was stored on our servers prior to XX/XX/2010.
[EHR vendor] is diligently working to retrieve the data from the hard drives, back-up tapes, and through other means. Please be assured that all files will be restored, if the files cannot be fully restored electronically, then they will be fully restored manually.
At [our claims processing company], we are truly saddened by the fact that we have disappointed clients and we sincerely apologize for any inconvenience experienced by you, your staff, or your patients.
We have always appreciated your loyalty as a valued client and will continue to keep you informed of the progress.
The levels of information technology and data management incompetence exhibited in this message are stunning.
The confidence it imparts regarding the safety of our critical medical data from destruction, and its availability when truly needed, is less than stellar.
A major problem is that the health IT industry has no accountability.
I believe the Food, Drug and Cosmetic Act needs to be amended to become the "Food, Drug, Cosmetic, and Cybernetic" Act.