Strong Authentication. Health care organizations should move toward implementing strong authentication practices that provide greater security than individual log-on IDs and passwords. Authentication systems incorporating single-session or encrypted authentication protocols (similar to the Kerberos protocol described in Chapter 4) are expected to become available in some commercial products as early as 1997 and should be adopted shortly thereafter. Token-based authentication systems that require some sort of card, button, or badge in addition to a user password should also be adopted. Such systems are used widely in the banking industry today (automated teller machines are an example) and are being used experimentally in some health care organizations. Though more costly than a system using log-in IDs and passwords, the additional protection of token-based systems is likely to become necessary in health care organizations, and the price of tokens and readers is expected to drop over the next several years as their use expands in other industries.
Enterprise-wide Authentication. Organizations should move toward enterprise-wide authentication systems in which users need to log on only once during each session and can access any of the systems, functions, or databases to which they have access privileges. Such systems should be generally available in 2001. Because such a system concentrates security for many systems in a single authentication transaction, it must be used in conjunction with other technical and management practices that ensure good password protection.
Access Validation. Organizations that store, process, or collect health information should use software tools to help ensure that the information made available to users complies with their access privileges. It is often difficult to partition medical records in a way that closely matches the access privileges of different types of users. For example, doctors' notes can contain sensitive information that many users with access to clinical information have no need to know. Access controls themselves, whether based on job descriptions or sets of individual user privileges, provide no means of ensuring that the data retrieved by individual users contain no information that they are not privileged to see. Efforts are currently under way to develop tools that will check the information being transmitted to the user to detect and mask information that they have no need to know.
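The following sketch illustrates the kind of access-validation check described above; it is an added example, not code from this report or from any product it mentions. The role names, record sections, sensitive categories, and the keyword patterns standing in for real detection are all hypothetical assumptions.

```python
import re

MASK = "[MASKED]"
# Hypothetical need-to-know policy: record sections each role may receive.
ROLE_SECTIONS = {
    "physician": {"demographics", "medications", "notes"},
    "nurse": {"demographics", "medications", "notes"},
    "billing_clerk": {"demographics", "billing_codes"},
}
# Hypothetical sensitive categories; keyword regexes stand in for a real detector.
SENSITIVE = {
    "mental_health": re.compile(r"\b(depression|psychiatric)\b", re.I),
    "hiv_status": re.compile(r"\bHIV[- ]?(positive|negative)\b", re.I),
}
ROLE_CLEARANCES = {"physician": {"mental_health", "hiv_status"}}

def mask_text(text, cleared):
    """Mask each sentence naming a category the role is not cleared for."""
    hits, out = set(), []
    for sentence in re.split(r"(?<=[.!?])\s+", text):
        blocked = {c for c, p in SENSITIVE.items()
                   if c not in cleared and p.search(sentence)}
        hits |= blocked
        out.append(MASK if blocked else sentence)
    return " ".join(out), hits

def validate_response(role, record):
    """Filter an outgoing record; return (filtered record, list of what was masked)."""
    allowed = ROLE_SECTIONS.get(role, set())    # unknown role: fail closed
    cleared = ROLE_CLEARANCES.get(role, set())
    filtered, masked = {}, []
    for section, value in record.items():
        if section not in allowed:              # whole section outside privileges
            filtered[section] = MASK
            masked.append(section)
            continue
        value, hits = mask_text(value, cleared)  # free text inside an allowed section
        masked.extend(f"{section}:{c}" for c in sorted(hits))
        filtered[section] = value
    return filtered, masked

RECORD = {  # constructed sample record, not real patient data
    "demographics": "Jane Doe, 1961-04-02",
    "medications": "Lisinopril 10 mg daily.",
    "notes": "Follow-up for hypertension. Patient reports ongoing depression. BP 128/82.",
    "billing_codes": "I10",
}

if __name__ == "__main__":
    for role in ("physician", "nurse", "billing_clerk", "visitor"):
        print(role, validate_response(role, RECORD))
```

The second return value lists every section or category that was masked, so the filter's decisions can be written to an access log.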
Expanded Audit Trails. Health care organizations should implement expanded audit trails. It is reasonable to expect that by 2001, all health care organizations should be able to maintain logs of all internal accesses to clinical information, especially if they begin to demand audit capabilities