For the Record: Protecting Electronic Health Information (1997)
Computer Science and Telecommunications Board (CSTB)

"4 Technical Approaches to Protecting Electronic Health Information." For the Record: Protecting Electronic Health Information. Washington, DC: The National Academies Press, 1997.

Please select a format:

BibTeX EndNote RefMan


Page 84
Observed Technological Practices At Studied Sites

Through its site visits and subsequent deliberations, the committee sought to determine what practices were currently in place in health care organizations, and whether these were prudent practices, as defined primarily in other non-health care settings. Most health care systems are very heterogeneous, meaning that excellent security practices may be in effect in some localized subsystem, but may be entirely missing in other parts of the organization (possibly violating the principle of balance). Thus, summary reporting on the security practices of a widely distributed organization is only a superficial approximation of the range of practices in force.

The committee examined a range of technological practices and mechanisms that can be organized into the following main areas:

  • Authentication;
  • Access control;
  • Audit trails;
  • Physical security of communications, computer, and display systems;
  • Control of external communications links and access;
  • Exercise of software discipline across the organization;
  • System backup and disaster recovery procedures; and
  • System self-assessment and maintenance of technological awareness.

These types of practices address different combinations of the five key functional areas of technological intervention listed above (Table 4.1). Authentication, for example, supports accountability, perimeter identification, access control, and comprehensibility. Physical security addresses system availability and perimeter identification. As a result, combinations of these practices are necessary for robust security.

These security considerations are focused on protecting information within provider institutions and do not address the problems of unrestricted exploitation of information (e.g., for data mining) after it has passed outside the provider institution to secondary payers or to other stakeholders in the health information services industry. A relatively new technological approach (rights management software) is discussed below in "Control of Secondary Users of Health Care Information" that may help in controlling the use of information both across and within organization boundaries.

The following sections discuss in more detail the eight categories of
