ogy are used in the system: Kerberos, encryption, private lines, firewalls? 1b) To what extent does cost effectiveness affect decisions regarding security? 1c) What types of tradeoffs must be made between security capability and cost?

2a) Is a single, integrated security solution feasible? 2b) Can vendor products meet local needs, or must systems be tailored for different circumstances? 2c) Are standards available for security systems?

3a) What are five areas in which your organization is doing a great job regarding privacy and security?

B. Authentication

1a) What mechanisms are used for individual authentication for access? 1b) Do you have a unique login for each individual user? If so, what type of key is used? 1c) Who issues the key? 1d) How frequently is the key changed?

2a) How do you verify new users? 2b) How do you terminate access for current or former employees who are no longer allowed into the system?

3a) Do you use passwords for authentication? 3b) What types of passwords are used? 3c) Are they selected by users or generated for them? 3d) How frequently are passwords changed? 3e) Are there limitations imposed on the types of passwords users may select?

4a) In practice are passwords routinely shared or posted? 4b) Are methods used to protect against password sharing?

5a) Are mechanisms other than keys and passwords used for authentication, such as smart cards, palm readers, voice recognition systems, address filtering gateways?

6a) Do you have an authentication server? 6b) Is information stored in encrypted form on the server?

7a) Does the information system automatically maintain audit trails of who accessed what information? 7b) What types of audit capabilities are in place? 7c) Who reviews such audit trails, and how frequently? 7d) What fraction of accesses is reviewed, and how thoroughly? 7e) Who determines review policy? 7f) What consequences are there for infractions of policy?

C. Access

1a) Is access to medical records granted to everyone, or is it differentially restricted? 1b) If restricted, is it restricted by specific individual or by role? 1c) Who defines roles in the institution, and who decides what access is appropriate for each role? 1d) How are appropriate access privileges determined? 1e) Are temporary employees given access to systems? If so, how? Who grants that access?
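The audit-trail questions above (B.7a through 7d) and the role-based access questions (C.1a through 1d) come together in practice as a review of the access log against the institution's role definitions and user directory. The following is an added example, not part of the report or of any site's system, showing what such a review looks like in Python: it parses constructed audit-log lines, flags accesses by users who are no longer in the directory (the termination question in B.2b) and accesses to record types the user's role does not permit, and selects a reproducible fraction of entries for manual review. The role table, user directory, log format and all log lines are assumptions constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass

# Hypothetical role definitions: which record types each role may read.
# In a real institution these are decided by the people named in C.1c.
ROLE_PERMISSIONS = {
    "physician": {"clinical_notes", "lab_results", "medications", "demographics"},
    "nurse": {"clinical_notes", "medications", "demographics"},
    "billing": {"demographics", "billing"},
}

# Hypothetical user directory; a user absent from it has no current access
# (for example, a former employee whose account should have been terminated).
USER_ROLES = {
    "asmith": "physician",
    "bjones": "billing",
    "clee": "nurse",
}

# Assumed audit-log line format (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\S+) "
    r"record=(?P<record>\S+) action=(?P<action>\S+)$"
)

# Constructed sample log: two benign reads, one out-of-role read, one read
# by a user no longer in the directory, and one malformed line.
SAMPLE_LOG = [
    "2024-03-02T08:14:11 user=asmith patient=MRN0001 record=lab_results action=read",
    "2024-03-02T08:20:45 user=bjones patient=MRN0001 record=billing action=read",
    "2024-03-02T09:02:03 user=bjones patient=MRN0002 record=clinical_notes action=read",
    "2024-03-02T09:30:17 user=dkim patient=MRN0003 record=medications action=read",
    "2024-03-02T09:31:00 malformed line",
    "2024-03-02T10:05:59 user=clee patient=MRN0004 record=medications action=read",
]


@dataclass
class Finding:
    ts: str
    user: str
    patient: str
    record: str
    reason: str


def parse_entry(line):
    """Return the fields of one audit-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def check_entry(entry):
    """Return a reason string if the access violates the role policy, else None."""
    role = USER_ROLES.get(entry["user"])
    if role is None:
        return "unknown or deprovisioned user"
    if entry["record"] not in ROLE_PERMISSIONS[role]:
        return f"record type not permitted for role '{role}'"
    return None


def review_audit_trail(lines):
    """Check every line; return (findings, number of malformed lines).

    Malformed lines are counted rather than silently dropped, because a log
    that cannot be parsed cannot be reviewed (question 7b).
    """
    findings = []
    malformed = 0
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            malformed += 1
            continue
        reason = check_entry(entry)
        if reason:
            findings.append(Finding(entry["ts"], entry["user"], entry["patient"],
                                    entry["record"], reason))
    return findings, malformed


def select_for_manual_review(lines, fraction):
    """Pick roughly `fraction` of entries for human review (question 7d).

    Selection is keyed on a hash of the line content so that the same sample
    is reproduced on re-runs and does not depend on the order lines arrive.
    """
    threshold = int(fraction * 256)
    return [l for l in lines if hashlib.sha256(l.encode()).digest()[0] < threshold]


if __name__ == "__main__":
    findings, bad = review_audit_trail(SAMPLE_LOG)
    for f in findings:
        print(f"{f.ts} {f.user} -> {f.patient}/{f.record}: {f.reason}")
    print(f"{bad} malformed line(s); {len(select_for_manual_review(SAMPLE_LOG, 0.25))} sampled for manual review")
```

Run against the constructed log, the review reports the billing user's read of clinical notes and the read by the user missing from the directory, and counts one malformed line. The automated policy check answers 7a and 7b; who looks at the sampled entries, how often, and what happens on an infraction (7c, 7e, 7f) remain organizational decisions that no script settles.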

The National Academies of Sciences, Engineering, and Medicine

Copyright © National Academy of Sciences. All rights reserved.