of their functional benefits for protecting patient privacy and their costs: the cost of impeding or preventing clinicians from accessing information relevant to their decision making; the cost of purchasing and integrating them into the information system environment; the cost of ongoing management, operations, and maintenance of the evolving information system; the cost of user frustration with suboptimal interfaces and procedures; and the cost of user time lost in satisfying security requirements. They must also attempt to implement a balanced approach to protecting against threats to information security and the risks posed by violations. For example, if there are two equally likely and costly threats—e.g., power outages and insiders divulging information—resources should be allocated to protect approximately equally against these threats.[2]

Individual technologies vary widely in terms of these cost-benefit characteristics, and as new technologies are developed and reduced to commercial practice, their characteristics change with time. System managers must choose a set of technological interventions that provide effective protection against perceived threats to system security but impose acceptable overall costs. This choice is difficult at best and requires ongoing updates of threat models; evaluations of technologies; reconsideration of integration and operation strategies; and education of management, systems staff, and users. This trade-off almost never includes any direct input from patients—one of the main stakeholder groups whose privacy is at risk—or sometimes even from health care providers—another deeply affected stakeholder group. Patient preferences and utilities are represented only implicitly, and patients can voice their assessment of system design only indirectly by their decisions about where to go for care or by their pursuit of legal redress for damages resulting from lost privacy.

This chapter addresses the technological aspects of privacy and security in health care information systems. It outlines the types of technical security tools that can help manage security risks and then describes the types of tools used by health care organizations. It examines technological issues associated with patient identifiers and other means of linking patient records, and discusses the role of rights management technologies in imposing accountability and control on secondary uses of health information. Finally, the chapter examines obstacles that impede the more widespread use of advanced technical security practice in the health care industry.


[2] This statement does not minimize the difficulty of developing a quantitative metric of likelihood. Given the limited data available on violations of privacy and security, it is far more difficult to determine the likelihood of an insider leaking information than to estimate the likelihood of power outages based on good data obtained from the power company.

The National Academies of Sciences, Engineering, and Medicine
500 Fifth St. N.W. | Washington, D.C. 20001

Copyright © National Academy of Sciences. All rights reserved.