threats outlined above. Health care organizations must therefore assess their information systems to determine the types of threats to which they are most vulnerable and must then implement the necessary organizational and technical mechanisms. Although the precise implementation will vary from one institution to another, some general rules of thumb apply across organizations (Table 3.2). Specific ways of implementing the types of mechanisms identified are outlined in Chapters 4 and 5.

Threat 1 can best be countered by organizational mechanisms that detect and deter abuses. More sophisticated technology per se can do little to prevent this kind of disclosure. Simple procedural measures appear to be most appropriate—for example, reminders about behavioral codes, confirmation of actions that might route or access information erroneously, or screen savers and automatic log-outs to prevent access to unattended displays. Chapter 4 examines the possibility of extending these procedures by maintaining patient anonymity through the use of coded patient identifiers (pseudonyms) in most of the care process.

The principal countermeasure for threat 2 is deterrence: appeals to ethics, education about what constitutes fair practice, and the imposition of sanctions after an incident occurs. Technology can also play a role in controlling inappropriate access to patient information. Strong user authentication, based on cryptographic techniques, can effectively control access to health information networks and computer systems, at least to the extent that system users protect their identifying data and make appropriate use of the information they are authorized to access. The use of encryption can place significant obstacles in the way of potential abusers, requiring them to obtain special data (keys) to make patient information legible. Properly analyzed audit records of accesses are another powerful tool to deter abuse.

A combination of obstacles and deterrence is necessary to counter threat 3. These include reasonable obstacles to prevent unauthorized access without interfering with authorized use and the deterrence steps used against threat 2. Audit trails are particularly effective at deterring this type of threat.

The countermeasures for threat 4 rely heavily on deterrence, supplemented with strong technical obstacles. Attackers run the risk of immediate identification and apprehension and have the potential of leaving physical evidence of intrusion (e.g., surveillance tapes) that can be used in prosecution. The obstacles that can be placed in the way of threat 4 include both technical security measures, such as strong identification and authentication mechanisms, and physical security measures, such as requiring badges and challenging strangers.

Countermeasures against threat 5 are based purely on the obstacle approach. In this case, the threat is not readily identifiable; its physical



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.