The health-care system is a long way away from that, says Jim Klein, a vice president and research director for Gartner. Even in areas where local health departments do accept information electronically, he estimates that only about 5 percent of hospitals have fully automated medical records. And if patient information is entered electronically at some point, there’s often no consistency as to whether, say, the red blood cell count is keyed in as RBC or RB.

This lack of automation and standardization means that the disease reporting process is not only spotty but also slow. A doctor’s office might wait until the end of the month to mail its stack of forms to the local health department. From there, the forms could take another month to be processed, analyzed and sent on.

Needless to say, that’s just not fast enough for bioterrorist incidents, which doctors say they must respond to in hours, not weeks. Anthrax, for instance, should be treated in the first couple days after exposure. By day six, when a victim is sick enough to go to the emergency room, she might be too sick to be saved.

"Epidemiology is good and gets you to disease recognition, but unfortunately [the recognition comes] a month or two after the information is worth anything," says Dr. Michael Allswede, an emergency room physician and clinical associate professor at the University of Pittsburgh School of Medicine, who was also a U.S. Army medical company commander in Desert Storm.

It gets worse. Even if all the information available about disease diagnoses were collected and analyzed in real-time, that still wouldn’t be enough to short-circuit a biological attack. That’s because the information we possess under current law and practice is insufficient. Doctors have no reason or obligation to report many of the early warning signs of bioterrorism, the flu-like symptoms that could be public health officials’ first hint that something has gone wrong. In fact, the Health Insurance Portability and Accountability Act (HIPAA) prevents doctors from sharing any kind of personally identifiable patient information with a third party, except in cases when the public health departments need to know about a legally reportable disease. In other words, a doctor is legally obligated to notify public health that a certain patient has anthrax, but legally forbidden from notifying public health that a specific patient has the symptoms of anthrax.

Nevertheless, a few local health departments are starting to gather symptom information that could give early warning about the outbreak of a disease. But this "syndromic surveillance," as it’s known, is being held back not just by technological challenges but by political ones, as health-care providers grapple with the line between trend information—perhaps including a patient’s age, gender and ZIP code along with his symptoms—and the personally identifiable information protected by the HIPAA legislation.