As outlined in preceding chapters of this report, patient privacy and the security of electronic health information would be greatly improved by the use of several technologies that are currently under development. The committee has identified three sets of research areas that must be pursued: (1) technologies relevant to computer security generally; (2) technologies specific to health care concerns; and (3) testbeds for a secure health care information system.
Recommendation 5.1: To facilitate the exchange of technical knowledge on information security and the transfer of information security technology, the Department of Health and Human Services should establish formal liaisons with relevant government and industry working groups. Many of the technologies that could be used to better protect health information will be developed by the computer security community regardless of the needs or demands of the health care industry. Technologies for authentication, authorization, encryption, and system reliability, for instance, apply to many areas in which information security is relevant and will continue to receive attention from researchers and technologists. Biometric identifiers are the basis for approaches to very strong authentication. Public-key cryptography can be used to solve some privacy and integrity problems but requires an administrative infrastructure to be effective; thus, promotion of a public-key infrastructure would facilitate the greater use of public-key cryptography and its applications to more secure communications and data storage. Better methods to validate software packages and authenticate their sources will be needed in a computing environment based on widespread connectivity through the Internet and remotely executable programs (e.g., Java "applets") to protect against computer viruses and Trojan horse attacks. Although the Department of Health and Human Services is represented in many nongovernment efforts that promote health information standards, the committee believes that the health care community has not connected adequately to the information security community. For example, a consortium for developing biometric identification techniques has recently been formed but lacks representation from health-related government organizations. The health care community must be better aware of developments outside health care and must be prepared to adopt relevant solutions developed for other industries.