The Health Record Review by Jeff Marion
What’s in Michael Jackson’s EHR?
Posted on Mon, Jul 27, 2009 - 11:23 am

Admit it, you'd like to know what's in Michael Jackson's electronic health record. Considering the decades of media coverage surrounding his oft-changing appearance, combined with the mysterious circumstances of his death, and investigation of his doctors, there are bound to be some juicy secrets held within. Is it only a matter of time before a breach of this magnitude becomes the latest proof of the failures of EHR security?
Before defending current security standards, or deterrents imposed by recent punishments of hospital staffs, consider this: Michael Jackson's death certificate has already been illegitimately viewed at least a "half-dozen" times by Los Angeles County Coroner staff. In some cases staff members actually printed copies before the document was released to the public.
While not breaking the law, staff members did break internal rules established for use of the Electronic Death Registration System, which is open to any employee with a state-issued password, including those at coroner's offices, funeral homes, hospitals, and county and state registrar's offices.
However, Mr. Jackson's record had been "locked" within the system, meaning access should have been granted only to those with the rank of captain or higher. But, according to the article, "vulnerabilities discovered in the computer system might have allowed employees unauthorized access. [Craig Harvey, Chief Coroner Investigator] declined to say what those weaknesses were."
This news marks an unsettling trend in the security of electronic information. It is not only hospital staff who have illegally accessed electronic information. In fact, any MD who brings work home on a laptop and allows family or friends to access that machine, or uses it for personal endeavors, risks the security of any confidential information it contains.
Despite HIPAA and the newest security technologies, illegal access to patient data remains at the forefront of the EHR debate. Some argue that an industry standard needs to be developed for EHR security, similar to the PCI DSS that governs credit card transactions.
But are technology standards the only solution? What about the behavior and training of medical staff? Even the most secure system in the world is threatened by the careless actions of authorized users.





