The Cyber Security game from the ONC raised some hackels in the audience when it indicated that the right answer to a patient request to copy their patient records on to a USB they provided was the WRONG answer. Instead the recommendation is for the practice to provide the data on a USB drive they provide. This seems bizarre. What is driving that line of thought. If you follow this to the logical conclusion then BlueButton data should be encrypted and shouldn't be able to be requested by the patient and returned in real time. May be the driver of this decision was to prevent trojan horse or malware being introduced to the practice. But if this is not the issue then this seems to be a crazy road block that does not enhance data security from the patient perspective. Copying the data to a patient's USB drive has to be more secure than printing the record and paper and handing to the patient. Thoughts?