Software discipline. Organizations should exercise and enforce discipline over user software. At a minimum, they should install virus-checking programs on all servers and limit the ability of users to download or install their own software. These technical practices should be supplemented with organizational procedures and educational campaigns to provide further protection against malicious software and to raise users' awareness of the problem.

System assessment. Organizations should formally assess the security and vulnerabilities of their information system on an ongoing basis. For example, they should run existing "hacker scripts" and password "crackers" against their systems monthly.

Organizational Practices

Security and confidentiality policies. Organizations should develop explicit and clear security and confidentiality policies that express their dedication to protecting health information. These policies should clearly state the types of information considered confidential, the people authorized to release the information, the procedures that must be followed in making a release, and the types of people who are authorized to receive information.

Security and confidentiality committees. Organizations should establish formal points of responsibility (standing committees for large organizations, a single person or a small committee for small organizations) to develop and revise policies and procedures for protecting patient privacy and for ensuring the security of information systems.

Information security officers. Organizations should identify an information security officer who is authorized to implement and monitor compliance with security policies and practices. The information security officer should maintain contact with relevant national information security organizations.

Education and training programs. Organizations should establish programs to ensure that all users of information systems receive some minimum level of training in relevant security practices and knowledge regarding existing confidentiality policies before being granted access to any information systems.

Sanctions. Organizations should develop a clear set of sanctions for violations of confidentiality and security policies that are applied uniformly and consistently to all violators, regardless of job title. Organizations should adopt a zero-tolerance policy to ensure that no violation goes unpunished.

Improved authorization forms. Health care organizations should develop authorization forms that will improve patients' understanding of health data flows and limit the time period for which authorizations are valid. The forms should list the types of organizations to which identifiable or unidentifiable information is commonly released.

Patient access to audit logs. Health care providers should give patients the right to request audits of all accesses to their electronic medical records and to review such logs.

The National Academies of Sciences, Engineering, and Medicine

Copyright © National Academy of Sciences. All rights reserved.