tion is limited to people with a legitimate need to know. Audit logs can be used to keep a record of accesses to electronic records to detect abuse. Encryption can be used to keep health information secret as it is transmitted between users. Although none of these measures can guarantee absolute security, they provide a wide range of tools to ensure authorized access and use of health information. As a result, EMRs should not be viewed as a way of undermining patient privacy but as a means of enhancing patient privacy by improving the security of health information.

Finding 2: Health care organizations need to take a more aggressive approach to improving the security of health information systems in order to better protect electronic health information. Little is known about the extent of existing violations of privacy and security in the health care industry. Although some sites were aware of some cases in which authorized users had intentionally or unintentionally released health information inappropriately (from both electronic and paper record systems), the sites visited as part of this study reported no incidents in which outside attackers breached system security and produced large-scale violations of patient privacy. Most health care organizations therefore continue to perceive insider abuse as the primary problem to be solved; however, evidence from other industries indicates that organizations with Internet connections or other kinds of remote access (e.g., modem connections) are prone to outsider attacks.1 As health care organizations put more information on-line and begin to transmit patient information electronically, they will have to ensure that adequate security protections have been developed to protect against new vulnerabilities.

Finding 3: Health care organizations have been slow to adopt strong security practices, due largely to a lack of strong management and organizational incentives; no major breach of security has occurred that has catalyzed such efforts. Thus, the information technology vendor community has not found a market for providing security features in health information systems. Although health care organizations are committed to ensuring privacy and security, the need to ensure access to information for the provision of care often works against having strong access controls and other security mechanisms. For example, hospitals often choose to allow physicians to access the health records of all patients, rather than


1. According to one recent survey, nearly 25 percent of attacks against information systems that led to significant loss were due to outsiders. More than 50 percent of the survey's 1,320 respondents reported significant losses within the past two years. See Violino, Bob. 1996. "The Security Facade: Are Organizations Doing Enough to Protect Themselves? This Year's IW/Ernst & Young Survey Will Shock You," Information Week, October 21.

The National Academies of Sciences, Engineering, and Medicine

Copyright © National Academy of Sciences. All rights reserved.