can see them or if they are sent across communication lines in an unencrypted form.

Log-in credentials (accounts, passwords, physical tokens, etc.) must be linked closely to the user's employment status or relationship to the organization. Often information is slow to propagate through the organization to individual system managers when the status of a user changes: students and temporary workers come and go and employees terminate or are terminated. Leaving system accounts accessible after a user no longer has rights of access is a major source of security vulnerability.

Authentication Technologies Observed on Site Visits

As might be expected with the rapidly evolving computing environments of today's health care organizations and the integration of many legacy information systems with more modern ones, there is little uniformity in the use of authentication methodologies. Many systems are dependent on the authentication procedures built in by the vendor, and the lengths and formats of valid account names and passwords are often incompatible.

The most common practice in the sites visited was the use of unique account IDs (generally assigned by a system administrator) and conventional unencrypted passwords for each individual user. Often some attempt was made to ensure that users chose difficult-to-guess passwords and that passwords were changed every few months, but enforcement was lax. In many environments, users must remember multiple passwords, depending on which information server they are accessing, and the trade-off is user convenience (not forgetting passwords) versus security. In situations with complex or rapidly changing passwords, users are often tempted to write down the codes for easy reference, most often in personal notebooks but sometimes on slips attached to their workstations, although the committee did not observe passwords written openly during its site visits. Where password changes are required periodically and the new password is not allowed to be the same as the previous one, the most common practice was to have two easy-to-remember passwords that the user alternated between at change intervals. Controls over passwords and account deactivation were most rigorous in centrally controlled systems and became much more relaxed in more decentralized and loosely affiliated groups.
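The alternation described above works because the system remembers only the single previous password. The following added example (not code from the report or from any site visited) models a per-account password history of configurable depth and shows that a depth of 1 lets a user swap between two passwords indefinitely, while a depth of 2 or more blocks the pattern; the passwords and iteration count are constructed values.

```python
import hashlib
import os
from collections import deque

# Constructed example: a salted PBKDF2 hash is kept per remembered password so
# that old passwords can be compared against without storing them in clear.
PBKDF2_ROUNDS = 100_000  # assumed work factor for the demonstration


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Remembers the last `depth` salted hashes for one account."""

    def __init__(self, depth: int):
        self.depth = depth
        self._history = deque(maxlen=depth)  # oldest entry drops off automatically

    def change(self, new_password: str) -> bool:
        """Accept and record the password unless it matches a remembered one."""
        for salt, digest in self._history:
            if _hash(new_password, salt) == digest:
                return False  # reuse of a remembered password is rejected
        salt = os.urandom(16)
        self._history.append((salt, _hash(new_password, salt)))
        return True


def simulate_alternation(depth: int, cycles: int = 3) -> list:
    """A user alternating between two passwords at each change interval.

    Returns whether each successive change was accepted.
    """
    history = PasswordHistory(depth)
    accepted = []
    for i in range(cycles * 2):
        password = "winter-ward-7" if i % 2 == 0 else "summer-ward-7"
        accepted.append(history.change(password))
    return accepted


if __name__ == "__main__":
    print("depth 1:", simulate_alternation(1))  # every change accepted
    print("depth 2:", simulate_alternation(2))  # alternation blocked from the third change on
```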

The strongest practice observed was the experimental use of centrally issued user token cards (magnetic strip swipe cards) in conjunction with a user's personal identification number (PIN). This scheme was applied to only one of the clinical information systems in the organization, and the software to support it was written in-house. User acceptance was high
