and was enhanced by the fact that the swipe card served other uses such as parking lot or building entry authentication. Other examples of strong authentication technologies included localized use of encrypted password-checking schemes for modem dial-up services, although subsequent communications across the network were generally unencrypted. Such examples of good authentication technology usage were rare and were not deployed organization-wide across information resources.

One weak practice observed by the committee was the use of systems in a few sites where the user ID and authentication functions were combined into a single PIN. Each user had a different PIN, but the PIN was so short that a large fraction of all possible PINs was being used, and it was relatively easy for an unauthorized user to guess a usable PIN. An even weaker practice observed at one site was the use of common shared log-in accounts for large classes of providers with shared (and widely known) passwords—e.g., a common account password shared by all physicians and another by all nurses (passwords such as "doc"). Such systems provide almost no protection and depend entirely on the ethical integrity of the entire population of providers, administrators, patients, and visitors—a practice workable in only the most fortunate of organizations.
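The exposure created by a combined ID-and-PIN scheme can be sized with a short calculation. The following is an added example, not part of the committee's report; the PIN length, user population, and number of attempts allowed before lockout are assumed values chosen for illustration, since the report gives no figures.

```python
from math import comb

def p_hit_combined(digits, active_users, guesses):
    """Chance that at least one of `guesses` distinct random PINs is valid
    when the PIN alone both identifies and authenticates the user."""
    space = 10 ** digits
    if active_users > space:
        raise ValueError("more users than possible PINs")
    guesses = min(guesses, space)
    invalid = space - active_users
    if guesses > invalid:          # every invalid PIN exhausted: a hit is certain
        return 1.0
    # Hypergeometric: probability that all guesses land on unused PINs
    return 1 - comb(invalid, guesses) / comb(space, guesses)

def p_hit_separate(digits, guesses):
    """Same PIN length, but the PIN must match one named user ID."""
    space = 10 ** digits
    return min(guesses, space) / space

def expected_guesses_combined(digits, active_users):
    """Mean number of distinct guesses until the first valid PIN."""
    return (10 ** digits + 1) / (active_users + 1)

def min_digits(active_users, guesses, max_risk):
    """Shortest PIN length keeping the combined-scheme hit chance <= max_risk."""
    if max_risk <= 0:
        raise ValueError("max_risk must be positive")
    digits = len(str(active_users - 1)) if active_users > 1 else 1
    while p_hit_combined(digits, active_users, guesses) > max_risk:
        digits += 1
    return digits

if __name__ == "__main__":
    # Assumed figures: 4-digit PINs, 2,500 staff, lockout after 3 tries
    d, users, tries = 4, 2500, 3
    print(f"combined ID+PIN : {p_hit_combined(d, users, tries):.1%}")
    print(f"separate ID, PIN: {p_hit_separate(d, tries):.2%}")
    print(f"mean guesses    : {expected_guesses_combined(d, users):.1f}")
    print(f"digits for 0.1% : {min_digits(users, tries, 0.001)}")
```

With these assumed figures, more than half of all three-attempt sessions reach some valid account under the combined scheme, while the same PIN length paired with a separate user ID holds the figure to 0.03 percent.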

Some sites use a location-based authentication system. For health care systems, the committee believes that authentication based solely on the location of the user is very weak and should be used only under very exigent and carefully controlled circumstances. First of all, with the proliferation of personal computers and the use of high-speed packet-switched communications systems, many users move from machine to machine in the course of their workdays and there is no single applicable location. Second, network addresses change often enough to make it difficult to keep the location database up-to-date and validated. Third, it is relatively easy to fake (Internet) addresses in current communications systems so that apparent location is not a useful or verifiable criterion for identification. Location-based denial of access is used in some sites and may be a helpful adjunct to access control (see below), but it is not sufficient for authentication.

Authentication Technologies Not Yet Deployed in Health Care Settings

In addition to procedures that strengthen the use of passwords by requiring users to change them frequently, employing codes that are hard to guess, and instituting incentives or sanctions against sharing them, a number of technological schemes are available to strengthen the use of passwords. These are not in general use in the health care industry but include single-session passwords (those that are valid for one log-on session only), encryption technologies (either secret or public key), and



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.