• sort through audit data and flag some records for more thorough analysis.
  • Tools for rights enforcement and management. The primary unsolved technical problem today relates to secondary recipients of information: today's access control tools can effectively limit primary (first-person) access to data stored on-line, but they are ineffective in controlling the subsequent distribution of data. Work on electronic watermarking (or digital fingerprinting) may provide tools with which the passage of data through a network can be tracked if not prevented. Work is also under way to develop tools that provide fine-grained access control for information. Such tools limit not only the types of information that certain recipients can receive but also the types of actions recipients can take on such information, and they can be used to make audit trail entries on each access action. For example, they may prevent recipients from directly printing the information, storing it on their own computer systems, or forwarding it to another user.[17] More effective tools for rights enforcement and management would help to control secondary distribution of data.
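
The following sketch is an added illustration, not part of the report: it shows action-level rights per recipient role and information type, an audit trail entry for every attempted action, and a pass over the audit data that flags users for closer analysis. The role names, information types, action names and the denial threshold are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy: (recipient role, information type) -> permitted actions.
# Roles, types and action names are illustrative assumptions.
POLICY = {
    ("attending_physician", "clinical_notes"): {"view", "print"},
    ("billing_clerk", "billing"): {"view"},
    ("billing_clerk", "clinical_notes"): set(),
}

@dataclass
class RightsManager:
    policy: dict
    audit_trail: list = field(default_factory=list)

    def request(self, user, role, info_type, record_id, action):
        """Decide one action on one record and log the attempt either way."""
        allowed = action in self.policy.get((role, info_type), set())
        self.audit_trail.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "info_type": info_type,
            "record_id": record_id, "action": action, "allowed": allowed,
        })
        return allowed

def flag_for_review(audit_trail, max_denials=1):
    """Return users whose denied attempts exceed max_denials, with the entries."""
    denied = {}
    for entry in audit_trail:
        if not entry["allowed"]:
            denied.setdefault(entry["user"], []).append(entry)
    return {u: e for u, e in denied.items() if len(e) > max_denials}

def demo():
    rm = RightsManager(POLICY)
    results = [
        rm.request("dr_lee", "attending_physician", "clinical_notes", "r1", "view"),
        rm.request("dr_lee", "attending_physician", "clinical_notes", "r1", "forward"),
        rm.request("clerk_a", "billing_clerk", "billing", "r1", "view"),
        rm.request("clerk_a", "billing_clerk", "clinical_notes", "r1", "view"),
        rm.request("clerk_a", "billing_clerk", "billing", "r1", "store"),
    ]
    return results, rm.audit_trail, flag_for_review(rm.audit_trail)

if __name__ == "__main__":
    results, trail, flagged = demo()
    print(results, len(trail), sorted(flagged))
```

Denied attempts are logged as well as granted ones, since it is the denied and unusual entries that a later review of the audit data is most likely to flag.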
Testbeds for Privacy and Security

Recommendation 5.3: The Department of Health and Human Services should fund experimental testbeds that explore different approaches to access control that hold promise for being inexpensive and easy to incorporate into existing operations and that allow access during emergency circumstances. Today, the trade-offs between the benefits and cost of greater access to electronic health information are not well understood, with the result that decision makers in health care organizations lack a sound analytical basis from which to determine the appropriate level of attention to protecting information. Research is needed that better explicates the costs and benefits of various levels and types of information protection so that decision makers need not function in a vacuum. The Internet Engineering Task Force has been successful in developing standards through a process of trial-and-error development of representative networked systems. Such an approach may prove useful for developing privacy and security standards in health care and may


[17] Of course, it is fundamentally impossible to prevent redistribution entirely. For example, nothing can prevent the recipient of data from photographing a screen and distributing the screen image. Still, making redistribution more difficult is a meaningful step to take.

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.