sites, log-in or screen-lock time-outs for unattended machines were eliminated or made very long for the convenience of busy clinical staff who did not want to bother with repeat authentication procedures.

All of the sites the committee visited employ internal local area networks (LANs) to interconnect user client computers with information servers, and they often employ backbone links between multiple LANs within complex campuses or to connect LANs between geographically separate sites. Because physicians are mobile and need to access patient information from hospital and clinic sites and from home in off hours, external network or dial-up modem access is frequently provided as well. About half of the sites already have connections to the Internet, and those that do not are feeling pressures from providers and patients for Internet access.

Each type of external access to health care information resources poses possible security vulnerabilities that could compromise patient privacy. If a remote site uses weak authentication methods—enabling an intruder to easily pose as a trusted physician—and the remote network is connected directly to the information services of another site, the intruder can gain inappropriate access to confidential information. If a campus network is connected directly to the Internet (or to a widely distributed and open intranet), an intruder can install snooping software on an idle workstation and grab cleartext passwords or can exercise more sophisticated break-in scripts to exploit network service vulnerabilities and gain entry to confidential servers.

Although the committee's site visits did not reveal any substantial evidence of intrusions and misuse from this kind of external break-in, ample evidence at other commercial, academic, and government sites indicates that this threat is real and inevitable for health care organizations (see Chapter 3). Such unscrupulous intruders are often undeterred by ethical considerations or threats of audit trails; thus effective technical obstacles are necessary. The strong authentication and authorization technologies discussed above constitute a crucial element of prudent practice. Another important practice is to allow only few, well-defined, and very carefully monitored external access points to organization networks and information resources. One way to control external network access is to use firewall technologies.¹² A firewall is basically a single focused point