low, each was observed in an operational setting and reportedly had been implemented at reasonable costs. These practices and procedures will not make health information systems invulnerable to all potential forms of misuse or abuse, nor can they guarantee that the privacy of health information will not be compromised. They would, however, go a long way toward minimizing potential abuse by authorized users (whether intentional or unintentional) and make outsider attacks more difficult.
Described below are technical and organizational practices and procedures that can be implemented immediately without too much difficulty or expense, as well as technical measures that could reasonably be taken in the future as the relevant technologies advance. In each case, the committee has attempted to identify approaches that take into account the specific requirements of health organizations (as opposed to organizations in other industries), balancing the need for privacy and security against the need for access in order to provide care. Each of the practices described for immediate implementation was observed to operate successfully in a health care setting. Of course, the implementation of these policies, practices, and procedures within individual health care organizations will have to be adjusted to accommodate the requirements specific to those institutions and to the various types of departments and settings within them. The demands of an AIDS clinic may be different from those of a large, urban hospital. The demands of a hospital's billing department may be different from those of an emergency room. Thus, although it may be appropriate to program a terminal in the billing department or on a physician's desk, for example, to log off automatically after a specified period of time, it may not be appropriate for the terminal in an emergency room or an operating room to do so. Organizations will have to take these considerations into account as they develop plans for implementing the policies, practices, and procedures listed below to make sure that they adopt a strategy appropriate to their needs.
Individual Authentication of Users. Every individual in an organization should have a unique identifier (or log-on ID) for use in logging onto the organization's information systems. This approach will make it possible to hold individual users accountable for their actions on-line and to implement access controls based on individual needs. Sanctions should be in place to discipline employees who share their identifiers or fail to log off their workstations. Where appropriate and not detrimental to the provision of care, computer workstations should be programmed to log off automatically if left idle for a specified period of time (though the period of time will have to be adjusted to accommodate local and departmental