Recommendation 2.1: The Secretary of Health and Human Services should establish a standing health information security standards subcommittee within the National Committee on Vital and Health Statistics to develop and update privacy and security standards for all users of health information. Membership should be drawn from existing organizations that represent the broad spectrum of users and subjects of health information. The subcommittee should be empowered to advise and offer recommendations to the Secretary of Health and Human Services regarding (1) uniform standards of privacy and security; (2) exchanges of health information between and among health-related organizations; (3) limits on the data collection activities of different types of health-related organizations (e.g., how much information the insurance industry needs for fraud detection, how long such information may be kept); and (4) acceptable and unacceptable uses of health information for different types of organizations.

Recommendation 2.2: Congress should provide initial funding for the establishment of an organization for the health care industry to promote greater sharing of information about security threats, incidents, and solutions throughout the industry. Many sites reported that their attempts to improve security are limited by a lack of good information about the types of threats the industry faces, the types of incidents that have occurred, and the kinds of practices that other organizations have successfully employed. Establishment of an organization to facilitate exchanges of such information would provide a vehicle for improving the security of electronic health information as health care organizations increase their reliance on information technology and would strengthen the knowledge base for making policy in this area. It could be modeled after the computer emergency response team established at Carnegie Mellon University for Internet security (the CERT Coordination Center) and be called Med-CERT.6 To obtain the cooperation of health care organizations, Med-CERT would have to maintain the confidentiality of incident information shared with it.


The CERT Coordination Center is the organization that grew from the computer emergency response team formed by the Defense Advanced Research Projects Agency (DARPA) in November 1988. Its charter is to work with the Internet community to facilitate incident prevention, incident response, and communication during system emergencies. It attempts to raise the Internet user community's awareness of computer security issues and conducts research targeted at improving the security of existing systems. CERTsm is a service mark of Carnegie Mellon University. (Information on CERT is available on-line at

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement