tion electronically outside the organization or should do so only over secure dedicated lines.8 Policies should be in place to discourage the inclusion of patient identifiable information in unencrypted e-mail.

Software Discipline. Organizations should exercise and enforce discipline over user software. At a minimum, they should immediately install virus-checking programs on all servers and limit the ability of users to download or install their own software. Census software or regular audits can be used to ensure compliance with such policies. Current technological tools for checking software downloaded from the Internet are limited; hence, organizations will have to rely on organizational procedures and educational campaigns to protect against viruses, Trojan horses, and other forms of malicious software and to raise users' awareness of the problem.

System Assessment. Organizations should formally assess the security and vulnerabilities of their information systems on an ongoing basis. At a minimum, they should run existing "hacker scripts" and password "crackers" against their systems on a monthly basis. During their annual audits, external auditors should require each organization to demonstrate that it has procedures in place for detecting system vulnerabilities and that it conducts formal vulnerability assessments.
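As an added illustration of the monthly password-cracker run recommended above (example code, not part of the report), the following audit takes a table of stored credentials and a wordlist and reports every account whose password is a dictionary word, a simple variant of one, or derived from the username. The account table, the wordlist and the storage format (salted SHA-256 hex digests) are all constructed assumptions for the demo; a real audit would call whatever hash function the target system actually uses (crypt(3), bcrypt, NTLM) and read the real credential store.

```python
"""Dictionary audit of stored password hashes (added example, not from the report).

Assumptions made here for the demo:
  * credentials are stored as (username, salt, sha256(salt + password)) hex digests;
  * the account table and wordlist are small constructed samples.
Swap hash_password() and the data source for the real system's scheme.
"""
import hashlib
from typing import Dict, Iterable, Iterator, List, Tuple


def hash_password(salt: str, password: str) -> str:
    """Assumed storage scheme: hex SHA-256 over salt || password."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def make_accounts() -> List[Tuple[str, str, str]]:
    """Constructed sample credential store. The plaintexts appear here only
    to build the table; the audit below never reads them."""
    plaintexts = [
        ("jsmith", "s1", "password"),        # plain dictionary word
        ("rlee",   "s2", "rlee123"),         # username plus a common suffix
        ("admin",  "s3", "Tr0ub4dor&3xyz"),  # not reachable from the wordlist
        ("mchen",  "s4", "Summer1996"),      # capitalised dictionary entry
    ]
    return [(user, salt, hash_password(salt, pw)) for user, salt, pw in plaintexts]


# Constructed wordlist; in practice this would be a large published list.
WORDLIST: List[str] = ["password", "letmein", "summer1996", "welcome", "hospital"]


def candidates(username: str, wordlist: Iterable[str]) -> Iterator[str]:
    """Yield guesses: each wordlist entry and the username itself, in common
    case variants, with the suffixes people typically append."""
    seen = set()
    bases = list(wordlist) + [username, username.lower(), username[::-1]]
    for word in bases:
        for variant in (word, word.lower(), word.capitalize(), word.upper()):
            for suffix in ("", "1", "123", "!"):
                guess = variant + suffix
                if guess not in seen:
                    seen.add(guess)
                    yield guess


def audit(accounts: Iterable[Tuple[str, str, str]],
          wordlist: Iterable[str]) -> Dict[str, str]:
    """Return {username: recovered_password} for every account whose stored
    hash matches one of the generated guesses under that account's salt."""
    wordlist = list(wordlist)
    weak: Dict[str, str] = {}
    for user, salt, stored in accounts:
        for guess in candidates(user, wordlist):
            if hash_password(salt, guess) == stored:
                weak[user] = guess
                break
    return weak


def report(weak: Dict[str, str]) -> List[str]:
    """One finding line per weak account, suitable for the audit record."""
    return [f"WEAK  {user}: guessed '{pw}'" for user, pw in sorted(weak.items())]


if __name__ == "__main__":
    findings = audit(make_accounts(), WORDLIST)
    for line in report(findings):
        print(line)
    print(f"{len(findings)} weak account(s) found")
```

Because the audit only ever compares hashes, it can be run by an operator who holds the credential store but not the plaintexts; the three accounts it flags are exactly those an attacker with the same wordlist would recover first, while the fourth survives and is not reported.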

Organizational Practices for Immediate Implementation

Security and Confidentiality Policies. Organizations should develop explicit security and confidentiality policies that express their dedication to protecting health information. These policies should clearly state the types of information considered confidential, the people authorized to release the information, the procedures that must be followed in making a release, and the types of people who are authorized to receive information. They should clearly reference relevant state and federal legislation regarding the confidentiality of health care information.

8. Organizations that prohibit the use of external communications systems to transfer patient-identifiable health information will have to recognize that users may attempt to find other ways to communicate information outside the institution, whether through floppy disks or printouts that can be scanned and entered into another information system. Other policies and practices (some of which are outlined below in this chapter) are needed to address such flows of information, although they will continue to be difficult to detect and prevent.

The National Academies of Sciences, Engineering, and Medicine
500 Fifth St. N.W. | Washington, D.C. 20001

Copyright © National Academy of Sciences. All rights reserved.