BOX ES.1 Security Practices Recommended for Immediate Implementation
This box summarizes a discussion of practices recommended in Chapter 6 of this report. Readers should read Chapter 6 in full for the complete detail, argumentation, and support for these measures.
Technical Practices and Procedures
Individual authentication of users. To establish individual accountability, every individual in an organization should have a unique identifier (or log-on ID) for use in logging onto the organization's information systems. Strict procedures should be established for issuing and revoking identifiers. Where appropriate, computer workstations should be programmed to automatically log off if left idle for a specified period of time.
Access controls. Procedures should be in place for ensuring that users can access and retrieve only that information that they have a legitimate need to know.
Audit trails. Organizations should maintain in retrievable and usable form audit trails that log all accesses to clinical information. The logs should include the date and time of access, the information or record accessed, and the user ID under which access occurred. Organizations that provide health care to their own employees should enable employees to conduct audits of accesses to their own health records. Organizations should establish procedures for reviewing audit logs to detect inappropriate accesses.
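One way to implement the audit-trail review and the employee self-audit recommended above, as an added example that is not part of the report: the log entries carry exactly the three fields the box requires (date and time, record accessed, user ID), and the review flags accesses that fall outside a documented need-to-know relationship or outside business hours. The log lines, the need-to-know table, and the business-hours heuristic are all constructed assumptions for illustration.

```python
"""Review of a clinical audit trail for inappropriate accesses (illustrative)."""

# Constructed sample audit trail. Each entry has the fields the box calls for:
# date and time of access, the record accessed, and the user ID used.
AUDIT_LOG = [
    "2024-03-01T08:02:11 record=PT-1001 user=nurse07",
    "2024-03-01T08:05:40 record=PT-1002 user=nurse07",
    "2024-03-01T09:15:03 record=PT-1001 user=dr_lee",
    "2024-03-01T12:47:22 record=PT-2042 user=nurse07",    # no treatment relationship
    "2024-03-02T02:13:09 record=PT-1003 user=billing02",  # outside business hours
]

# Constructed need-to-know table (an assumption): which users have a
# legitimate treatment or business relationship with which records.
LEGITIMATE = {
    "nurse07": {"PT-1001", "PT-1002"},
    "dr_lee": {"PT-1001", "PT-1003"},
    "billing02": {"PT-1003"},
}


def parse_entry(line):
    """Split one audit line into its timestamp, record ID and user ID."""
    ts, rec, usr = line.split()
    return {"time": ts, "record": rec.split("=", 1)[1], "user": usr.split("=", 1)[1]}


def review_audit_log(entries, legit, business_hours=(7, 19)):
    """Return (time, user, record, reasons) for every access worth a reviewer's look."""
    findings = []
    for e in map(parse_entry, entries):
        reasons = []
        if e["record"] not in legit.get(e["user"], set()):
            reasons.append("no documented need to know")
        hour = int(e["time"][11:13])  # hour field of the ISO-8601 timestamp
        if not (business_hours[0] <= hour < business_hours[1]):
            reasons.append("outside business hours")
        if reasons:
            findings.append((e["time"], e["user"], e["record"], reasons))
    return findings


def accesses_to_record(entries, record_id):
    """Self-audit view: who opened a given record (e.g. an employee's own chart)."""
    return [(e["time"], e["user"]) for e in map(parse_entry, entries) if e["record"] == record_id]
```

A real deployment would pull the need-to-know relationships from the scheduling or admission system rather than a static table, and the hours heuristic would be tuned per role.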
Physical security and disaster recovery. Organizations should limit unauthorized physical access to computer systems, displays, networks, and medical records; they should plan for providing basic system functions and ensuring access to medical records in the event of an emergency (whether a natural disaster or a computer failure); they should store backup data in safe places or in encrypted form.
Protection of remote access points. Organizations with centralized Internet connections should install a firewall that provides strong, centralized security and allows outside access to only those systems critical to outside users. Organizations with multiple access points should consider other forms of protection to protect the host machines that allow external connections. Organizations should also require a secure authentication process for remote and mobile users such as those using home computers. Organizations that do not implement either of these approaches should allow remote access only over dedicated lines.
Protection of external electronic communications. Organizations should encrypt all patient-identifiable information before transmitting it over public networks, such as the Internet. Organizations that do not meet this requirement either should refrain from transmitting information electronically outside the organization or should do so only over secure dedicated lines. Policies should be in place to discourage the inclusion of patient-identifiable information in unencrypted e-mail.