just their own, so that they can be certain to have access to needed information in an emergency. Concerns about the supposed inconvenience of using token-based authentication systems have led many health care organizations to rely on more convenient log-in IDs and passwords for authenticating users of health information systems. Even in cases in which security mechanisms would not necessarily impede provision of care, however, health care organizations have not always implemented strong security. Many organizations do not maintain audit logs of accesses to clinical information, nor have they developed tools or procedures for systematically reviewing the logs.
Lack of security results, in large part, from a lack of strong incentives to improve it. In the absence of a widespread, public catastrophe regarding information security, many health care organizations reported that they believe the risk of a major breach of security is low and that they could survive a major event without significant consequences. Without strong legislation or enforceable industry standards, few penalties will exist for lax security.2 Although patients may sue organizations for damage resulting from alleged breaches of privacy, such suits appear to be infrequent and have not attracted much attention. Hence, most health care organizations have, to date, dedicated the vast majority of their information technology resources to expanding the functionality of health care information systems rather than to protecting the systems that are in place. System security does not improve the financial position of most health care organizations. In the more advanced organizations, security practices do not match those widely found in other industries, and in less advanced organizations, even elementary security practices have not been implemented. Several major vendors of health care information systems reported to the committee that lack of demand by health care organizations has stifled the supply of advanced security features in health care information systems. Since health care organizations do not reward them for including security features in their products, vendors have limited incentive to offer them.
Finding 4: Patients have important roles to play in addressing privacy and security concerns. Patient concerns and expectations often set the standard for health care organizations; health care organizations must anticipate and respond to such expectations in order to survive in an increasingly competitive environment. Thus, patients who are knowledgeable about (1) the consent they give providers to disseminate data,