Providers can rarely afford to develop their own information systems, and those sold by most vendors do not offer organizational solutions for security controls. Thus, with the push to more distributed systems, providers are forced to put up with multiple, incompatible authentication and authorization technologies or to construct special solutions for parts of their organizations. The tools to manage heterogeneous computing environments in terms of security, reliability, and so forth are not well developed. Standard ways are needed to link component systems together that meet requirements and do not overburden the system administrator.
A great deal of technology already exists that can help protect health care information, but much of it has not been brought into routine practice yet. Specific technologies include strong cryptographic tools for authentication, uniform methods for authentication and access control, network firewall tools, more aggressive software management procedures, and effective use of system vulnerability monitoring tools. Some of these technologies—token authentication cards, for example—have been relatively expensive for wide deployment in large organizations. However, the costs of these technologies are decreasing (through volume adoption and competition) at the same time that their usability is improving. The tools to manage software across distributed heterogeneous systems consisting of many thousands of machines and users, including program census management, version control, and integrity control, are poorly developed. Overall, the lack of standards for security controls and for vendor products that interoperate between disparate systems means that chief information officers postpone decisions about implementing and enforcing effective security solutions.
The revolution in distributed computing and communications systems that has been brewing since the 1960s and 1970s has taken hold full force in commercial organizations during the past decade. Health care organizations have been among the slowest to adopt these new technologies, however, and existing management and information systems personnel are not fully prepared. The lack of technical understanding, the lack of direct experience with these new tools, the lack of confidence in their management, the lack of a peer group of successful adopters (except for a few academic medical organizations), and uncertainties about reasonable risks and expectations all leave conservative organizational managers hesitant to make decisions. The design, implementation, and opera-