information security officer to handle the design, implementation, and evaluation of confidentiality and security policies; this person also was the single point of contact for patients or employees to report incidents or concerns related to inappropriate disclosure of health information. In these organizations, the information security officer was a technically knowledgeable manager who reported directly to the chief information officer and served on relevant policy-making committees. For example, one information systems committee developed policy that said protecting patient privacy required the use of audit trails. That organization's information security officer then developed procedures that included a description of how often an audit trail should run, what information should be recorded, and what actions a patient should take in order to review audit trail data. Some organizations may add the duties of an information security officer to those of an existing employee; larger organizations may establish a new position or even a department.

Another role for which an information security officer may be held responsible—and one that requires a strong technical background—is risk assessment. Of the sites visited by committee members, few had formal programs for evaluating the presence and magnitude of various threats to the organization's health information. Risk assessment is an ongoing activity that, at a strategic level, informs the policy development process, as well as the allocation of financial resources.

An information security officer needs a clear charter of authority from management to avoid conflicts with other departments. For example, an investigation into a breach of policy committed by an employee may become derailed if personnel from human resources believe employee discipline falls solely under their aegis. Although authority should clearly fall in one place or another, cooperation among departments with similar charters supports the overall goal.

Structures for Granting Access Privileges

The process by which users are granted or denied access privileges to an information system is key to maintaining the security of that system. Procedures are necessary for granting access to new users, changing access privileges for users who take on new responsibilities or transfer to different departments, and terminating access privileges for users who resign or whose employment is terminated. New users need privileges granted quickly in order to perform their jobs; transferring or temporary employees need access privileges updated to reflect their changing responsibilities; users who lose or forget their log-on IDs or passwords need a rapid response from the granter of privileges; employees who are terminated should have access privileges revoked promptly. Typically, re-



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.