In order to design a security system, it is important to know what the potential threats are so that appropriate counter-measures can be taken. It is impossible to predict every potential threat that may exist to a system, but it is also far too expensive and impractical to plan a security system that will protect against every conceivable threat. It is an axiom of computer security that the only completely secure computer is the one that has never been turned on.
Just because it may be possible to subvert a system does not mean that it is a credible threat. An example is provided by the Data Encryption Standard (DES), which is an encryption method proposed by NIST (then the National Bureau of Standards). This has become the standard method of protecting unclassified government information as well as the standard method of protecting banking information worldwide. Rumors have swirled around it's design from the very beginning because of suspicion that the National Security Agency crippled the design back in the mid 70's. Lately, a cult belief has developed that DES is completely insecure, but the fact of the matter is that as far as anyone knows, single key DES can only be broken by a determined and fairly rich adversary [8]. As far as anyone knows, triple key double encryption DES can only be broken if it is used improperly.
The kinds of threats that exist for systems vary, depending on the type of system that is deployed. I am most interested in focusing on systems that exchange information with other systems outside of their administrative domain, that are accessible from multiple physical sites, and from multiple access points. In my opinion this is the direction that computerized medical record systems will move in the future, and this is the most interesting system to try and secure. Such systems are much more usable, but have many more avenues of attack against them. For even the simplest closed systems, I believe that the biggest security threats for medical record systems will come from: