Although only limited network intrusions have been detected to date in the health care settings visited by committee members, such intrusions are very common in other settings: commercial, academic, and government. Because health care organizations are moving rapidly toward network-based distributed computing systems (as stated above, one organization already has more than 20,000 workstations in its network system), the committee believes strongly that it is prudent for health care settings to adopt good practice in evaluating system threats and vulnerabilities. Steps that should be taken include aggressively staying current with standards and technologies for security management and with the vulnerability experiences reported by other sites (e.g., through the CERT Coordination Center registry). A health organization-focused CERT-like group would provide a focal point for collecting and coordinating the dissemination of information about security problems and solutions. Such a forum would also serve to educate and share experiences among managers, administrators, and technical personnel and even to promote the establishment of standards for technology and procedures across health care organizations.
Sites should continuously appraise their system architectures, hardware and software technologies, and procedures to eliminate outdated components and practices in favor of more effective solutions. Sites should regularly exploit the same tools that intruders use to probe vulnerabilities in their systems, including network service script sets such as SATAN and password-cracking programs, and they should routinely use software protection tools such as virus detection software and software checksum protection (e.g., Tripwire).
System administrators at most of the sites visited by the committee were broadly aware of these practices but, except for one site, did not have them in place in any operational sense. System groups tended to react in response to perceived or detected problems rather than to maintain proactive vigilance. Sites with the weakest practices simply discounted this class of threats or placed it at such low priority that no financial or staff resources were allocated to deal with it. It is unlikely that such sites would even know if intrusions into their systems had occurred.
Table 4.2 summarizes the various security tools, operations, and procedures the committee observed at the six health care sites visited. A check mark indicates that the security feature is actively supported at that site with state-of-the-art technologies and operational practice in such a way that the site could serve as an example for others to follow. Absence