standards. The decentralization of standards-making activities has instead tended to impede the dissemination and application of standards in the health care industry.
The committee recommends that the health information security standards subcommittee be empowered to advise and offer recommendations to the Secretary of Health and Human Services regarding (1) uniform standards of privacy and security that would apply to all users of health information, whether providers, payers, benefits managers, or researchers; (2) exchanges of health information between and among health-related organizations; (3) limits on the types of health information that different types of organizations should be allowed to collect (e.g., determining how much information the insurance industry needs for fraud detection) and how long such information may be kept; and (4) acceptable and unacceptable uses of health information for different types of organizations. It should be formed as a standing committee that will develop revised standards as the uses of health care information change and new technologies become available.
Recommendation 2.2: Congress should provide initial funding for the establishment of an organization for the health care industry to promote greater sharing of information about security threats, incidents, and solutions throughout the industry. Little is known about the extent of violations of privacy and security in the health care industry, in part because the health care industry lacks a formal mechanism for sharing information about the types of attacks and breaches of privacy that organizations have experienced, and mechanisms for improving privacy and security. Establishment of an organization to facilitate information exchanges would provide a means for improving the security of health care organizations as they move into a more networked environment and would provide a sounder basis for making policy. As with the computer emergency response team (CERT Coordination Center) at Carnegie Mellon University, which facilitates information sharing among the Internet community, such an organization would allow sharing of effective technical practices for authentication, access control, encryption, and disaster recovery, as well as organizational practices such as consent statements, employee education, audit trail analysis, provision of access to referring physicians, definitions and enforcement of need-to-know scenarios, confidentiality committee structures, and policies and procedures for exchanging clinical data between disparate provider organizations. At a time when the industry is entering a period of rapid computerization and profound restructuring, and hence facing new problems, a forum for exchange of information has obvious benefits.
The organization, nominally called Med-CERT, would (1) acquire re-