ing widely supported and tested standards wherever possible is to be desired.
As in other areas, with the rapidly evolving computing environments of today's health care organizations and the integration of many modern and legacy information systems, there is little uniformity in the control of software systems, and few vendor tools exist to help with this problem. Controls over system software were most rigorous in closed, centrally managed mainframe and server systems and became much more relaxed in more decentralized and loosely affiliated groups. At some sites visited, the committee observed that local workstation floppy drives had been disabled to prevent unauthorized software loading. In general, however, this was done incompletely: at one site the administrators claimed that drives had been disabled, but site visitors were able to mount a floppy disk on a machine in a public area. Another of the sites regularly runs a network software census program to keep track of what software (by name at least) is running on each workstation in the organization. None of the sites visited audited installed software to determine if unauthorized changes had occurred. Also, whereas most sites have experienced problems in the past with imported software viruses, no site regularly runs antivirus software across systems to prevent problems. Rather, antivirus software is used after the fact to clean up virus problems once they are detected. Most sites are wary of the general use of Web-related tools because these make software loading from network sites a matter of clicking a mouse button. Among those sites running Web software with Internet connectivity, none has disabled downloading of external files by internal personnel; they depend entirely on employee ethics, knowledge, and good judgment to protect software resources.
The weakest practices observed by the committee included essentially uncontrolled software content for workstations, especially in open research areas. At least one incident has been reported in which a student intern loaded break-in scripts onto an internal workstation and experimented with them (causing no apparent damage), but no routine software census procedures have been put in place even after this incident.
Industrial, academic, and government organizations all face major problems in managing software systems across distributed computing environments. For the longer term, the committee recommends strong support for the development of standards and the deployment of vendor-