Based on the committee's site visit review, all sites were acquainted with the threats from external access, and almost all of those sites with Internet connections used effective firewall technology to control unauthorized users. Expert attention was not always given to these issues though. One site claimed not to have an Internet connection but nevertheless was able to receive electronic mail from Internet sites. Sites without current Internet connection had plans to install a firewall along with any future connection. In those sites with extensive network connectivity, even if firewall technologies were used, limited effort was applied to monitoring break-in attempts, even though system administrators acknowledged that break-ins were feasible.
Connections from remote organization networks were much less carefully managed in that authenticated access to remote site networks was not ensured, yet once connected remotely, an intruder would have no problem connecting to any organization network or machine. Dial-up installations tended to use dated equipment and therefore provided little security protection against unauthorized use. One of the sites with quite up-to-date practices had a dial-in access system that uses commercially available cryptographic tools for user authentication; another site was experimenting with this technology. Some sites used a modem callback scheme, which offers improved security but may be subverted in some settings by not hanging up the line before callback. Also, in an era of portable laptop computers and increasingly mobile health care providers, it is very difficult to maintain callback lists adequately to allow bona fide access from needed sites. In the strongest sites, modem equipment was being upgraded to more modern and secure authentication technologies that do not depend on caller location, and old equipment normally was left inoperable unless specific arrangements were made for manual activation for a particular need (e.g., access by a remote service technician).
Firewall Technologies. More extensive use of firewall systems between geographically and administratively distinct sections of an organization intranet should become commonplace, along with more conscientious monitoring of firewall performance. Current firewall systems are often difficult to configure and maintain, however. Vendor refinement of these products should be strongly encouraged along with Internet and commercial research into improved tools to prevent and to detect misuse.
Wireless Communication Technologies. Only one site visited was experi-