they can use to address security, and so it is not realistic to prescribe a detailed set of practices for industry-wide adoption; however, it is reasonable to provide practice guidelines that can be adapted to individual circumstances.
Recommendation 1: All organizations that handle patient-identifiable health care information—regardless of size—should adopt the set of technical and organizational policies, practices, and procedures described below to protect such information. The committee believes the technical and organizational policies, practices, and procedures listed in Box ES.1 can be implemented immediately without too much difficulty or expense. The list should be adopted in its entirety to ensure that measures are taken to protect against the variety of threats to electronic health information and to compensate for the multiple vulnerabilities of health information systems. Nevertheless, each organization—and each department within each organization—will need to determine how best to implement each practice to ensure that an appropriate balance is struck between access and privacy in each location.
The committee believes that adoption of these practices will help organizations meet the standards to be promulgated by the Secretary of Health and Human Services in connection with the Health Insurance Portability and Accountability Act—or can inform the development of such standards. Penalties established by the act for violations of privacy or security are likely to motivate organizations that collect, analyze, and store patient-identifiable health information to implement such practices. Further, the committee hopes that external auditing firms will incorporate an evaluation of privacy and security procedures into their annual audits of health care organizations.
Over time, the technical solutions available to health care organizations for protecting health information will evolve, as will the sophistication of the threat. Health care organizations will have to upgrade their security practices as new technology becomes available. Box ES.2 describes technical measures that health care organizations could reasonably adopt in the future. Their ability to implement the recommended technical practices will depend to a large extent on the general availability of the relevant technology. Some products will become available only if health care organizations demand them.
While individual organizations can take many steps to improve the security of the health information they hold, the committee's site visits and experience in other industries suggest that additional efforts must be made to encourage greater emphasis on security at the industry level.