Finding 7: Adequate protection of health care information depends on both technical and organizational practices for privacy and security. No set of mechanisms can make an organization impervious to malicious attack or to inadvertent breaches of security, but a suitably crafted combination of technical and organizational practices can protect health information effectively. Technologies such as tokens, log-in IDs, and passwords can be used to authenticate users, that is, to verify their identity. Access control techniques, combined with a well-managed information repository, can limit the types of data that individual users may read, enter, or alter and the types of functions they may perform. Audit trails can record every transaction that accesses patient information, including attempts that are refused. Encryption can protect log-in IDs and passwords, stored databases, and information transmitted over open communications systems. Public-key cryptography can provide information integrity, user authentication, digital signatures with nonrepudiation, and tamper-evident audit trails. Together these technical measures can provide reasonable security for most health care applications, but they do not guarantee invulnerability against all technical attacks.
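The following is an added example, not code from the report, showing how two of the measures named in this finding fit together in practice: a role-based access control check over individual record fields and functions, and an audit trail that records every access attempt (allowed or denied) as a hash-chained, tamper-evident log. The role matrix, user names, patient identifier, and record contents are hypothetical; the caller is assumed to have already authenticated the user by token or password, and the chain is protected by a plain hash rather than a public-key signature.

```python
"""Added example (not from the report): field-level access control plus a
hash-chained audit trail for a patient-record store.  All roles, users,
patient IDs and record values below are constructed for illustration."""
import hashlib
import json

# Hypothetical role matrix: the fields each role may read or write.
# Anything not listed is denied, so an unknown role can do nothing.
PERMISSIONS = {
    "physician": {"read": {"name", "diagnosis", "medications", "notes"},
                  "write": {"diagnosis", "medications", "notes"}},
    "nurse":     {"read": {"name", "medications", "notes"},
                  "write": {"notes"}},
    "billing":   {"read": {"name", "insurance_id"},
                  "write": set()},
}

GENESIS = "0" * 64  # prev_hash of the first audit entry


def _entry_hash(entry: dict) -> str:
    """SHA-256 over the canonical JSON of the entry, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class RecordStore:
    def __init__(self) -> None:
        self.records: dict[str, dict] = {}   # patient_id -> {field: value}
        self.audit: list[dict] = []          # chained entries, oldest first

    def _log(self, user, role, action, patient_id, fields, allowed) -> None:
        """Append one entry; each entry commits to the hash of its predecessor,
        so editing or reordering an earlier entry breaks every later link."""
        prev = self.audit[-1]["hash"] if self.audit else GENESIS
        entry = {"seq": len(self.audit), "user": user, "role": role,
                 "action": action, "patient_id": patient_id,
                 "fields": sorted(fields), "allowed": allowed, "prev_hash": prev}
        entry["hash"] = _entry_hash(entry)
        self.audit.append(entry)

    def read(self, user, role, patient_id, fields):
        allowed = set(fields) <= PERMISSIONS.get(role, {}).get("read", set())
        self._log(user, role, "read", patient_id, fields, allowed)  # log before deciding
        if not allowed:
            raise PermissionError(f"{role} {user} may not read {sorted(fields)}")
        record = self.records.get(patient_id, {})
        return {f: record.get(f) for f in fields}

    def write(self, user, role, patient_id, updates):
        allowed = set(updates) <= PERMISSIONS.get(role, {}).get("write", set())
        self._log(user, role, "write", patient_id, updates.keys(), allowed)
        if not allowed:
            raise PermissionError(f"{role} {user} may not write {sorted(updates)}")
        self.records.setdefault(patient_id, {}).update(updates)

    def verify_audit(self):
        """Return None if the chain is intact, else the index of the first
        entry whose sequence number, back-link or content hash is wrong."""
        prev = GENESIS
        for i, e in enumerate(self.audit):
            if e["seq"] != i or e["prev_hash"] != prev or _entry_hash(e) != e["hash"]:
                return i
            prev = e["hash"]
        return None


def demo() -> dict:
    """Exercise the store with constructed users and return what happened."""
    store = RecordStore()
    store.write("dr_lee", "physician", "P-1001",
                {"diagnosis": "type 2 diabetes", "medications": "metformin"})
    store.write("nurse_kim", "nurse", "P-1001", {"notes": "BP 128/82"})
    denied = 0
    try:  # billing clerk asks for a clinical field: refused, but still logged
        store.read("clerk_ann", "billing", "P-1001", ["diagnosis"])
    except PermissionError:
        denied += 1
    nurse_view = store.read("nurse_kim", "nurse", "P-1001", ["medications", "notes"])
    valid_before = store.verify_audit() is None
    # An insider with database access rewrites the refusal as an approval;
    # the stored hash no longer matches the entry, so verification stops at it.
    store.audit[2]["allowed"] = True
    return {"denied_attempts": denied, "nurse_view": nurse_view,
            "audit_len": len(store.audit), "chain_valid_before_tamper": valid_before,
            "first_bad_entry_after_tamper": store.verify_audit()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner would add: the chain detects alteration of entries already recorded, but not silent truncation of the tail unless the latest hash is periodically signed or written somewhere the log writer cannot reach, and logging the attempt before the permission decision is deliberate, since the refusals are often the most useful records an investigator has.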
Organizational policies and practices are at least as important an element of security. Organizations need explicit policies governing the privacy and security of health information. Practices and procedures flow from these policies. The health care industry employs millions of workers who routinely handle patient-identifiable information as part of their jobs. They have more opportunities to disclose information inappropriately than do outsiders, and their jobs are challenging and frequently changing. Organizational mechanisms are needed to ensure that employees, medical staff, contractors, and vendors properly protect health information. Policies are needed to specify the formal structures, ensure responsibility and accountability, establish procedures for releasing information and assigning access privileges, create sanctions for breaches of security at any level of the organization, and require training in the privacy and security practices of an organization. The culture of the organization—dependent on, but not necessarily determined by, its senior leadership—establishes the degree to which employees take their security and confidentiality responsibilities seriously. Commitment of organizational resources not only helps establish organizational culture but also ensures that funds are available for salaries of security officers and staff, for procurement of adequate technical security mechanisms (e.g., firewalls), and for studying vulnerabilities and required practices.