BOX ES. 2 Security Practices Recommended for Future Implementation
Strong authentication. Health care organizations should move toward implementing strong authentication practices that provide greater security than individual logon IDs and passwords, such as single-session or encrypted authentication protocols and token-based authentication systems (described in Chapter 4).
Enterprise-wide authentication. Organizations should move toward enterprise-wide authentication systems in which users need to log on only once during each session and can access any of the systems, functions, or databases to which they have access privileges.
Access validation. Health care organizations should use software tools to help ensure that the information made available to users complies with their access privileges. Such tools, now under development, will scan the contents of a medical record to detect and mask particular units of information that a user is not authorized to see.
Expanded audit trails. All organizations that store, process, or collect health information should implement expanded audit trails. By 2001, all health care organizations should be able to maintain logs of all internal accesses to clinical information, especially if they begin to demand audit capabilities today. In the longer term, health care organizations should pursue the use of technologies and products that support interorganizational (ie., global) audit trails that allow all patient-identifiable health information to be traced as it passes through the health care complex.
Electronic authentication of records. To ensure the integrity of data contained in electronic medical records, all health care organizations that use computer-based systems to handle critical records and functions (such as entering physicians' orders) should use technologies for electronic authentication that will be capable of identifying individuals who enter or alter information in the electronic record.
Mechanisms to promote sharing of information about the vulnerabilities of health information systems and about practices for addressing these vulnerabilities could lead to long-term improvements in privacy and security throughout the industry.
Recommendation 2: Government and the health care industry should take action to create the infrastructure necessary to support the privacy and security of electronic health information. The comprehensive protection of electronic health information requires an institutional infrastructure that will develop and promote compliance with industry-wide standards for privacy and security and facilitate greater sharing of security-related information among organizations that collect, process, and store health information Although health care organizations have strong incentives to adopt information technology, they do not necessarily have adequate incentives to develop the infrastructure necessary to promote privacy and security without support from government