Observed Technological Practices At Studied Sites

Through its site visits and subsequent deliberations, the committee sought to determine what practices were currently in place in health care organizations, and whether these were prudent practices, as defined primarily in other non-health care settings. Most health care systems are very heterogeneous, meaning that excellent security practices may be in effect in some localized subsystem, but may be entirely missing in other parts of the organization (possibly violating the principle of balance). Thus, summary reporting on the security practices of a widely distributed organization is only a superficial approximation of the range of practices in force.

The committee examined a range of technological practices and mechanisms that can be organized into the following main areas:

  • Authentication;
  • Access control;
  • Audit trails;
  • Physical security of communications, computer, and display systems;
  • Control of external communications links and access;
  • Exercise of software discipline across the organization;
  • System backup and disaster recovery procedures; and
  • System self-assessment and maintenance of technological awareness.

These types of practices address different combinations of the five key functional areas of technological intervention listed above (Table 4.1). Authentication, for example, supports accountability, perimeter identification, access control, and comprehensibility. Physical security addresses system availability and perimeter identification. As a result, combinations of these practices are necessary for robust security.

These security considerations are focused on protecting information within provider institutions and do not address the problems of unrestricted exploitation of information (e.g., for data mining) after it has passed outside the provider institution to secondary payers or to other stakeholders in the health information services industry. A relatively new technological approach (rights management software) is discussed below in ''Control of Secondary Users of Health Care Information" that may help in controlling the use of information both across and within organization boundaries.

The following sections discuss in more detail the eight categories of



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement