NRC recommends tighter data security

After two years of study, the National Research Council has handed down recommendations on tightening the security of electronic data. The council found the health care industry is behind the times in automation security, both in what it has actually done and in the priority it gives privacy issues.

The report outlines a series of technical and organizational practices it says health care institutions should install immediately to provide minimal security. These include:

Individual authentication of users. Everyone in your organization should have his or her own unique identifier for logging on.

Access controls. Those who use information systems should have access only to the information they need.

Audit trails. These should be installed on all automated systems to record everyone who accesses clinical information.

Physical security and disaster recovery. Procedures should be in place to have records available in an emergency, such as a natural disaster or computer failure.

Protection of remote access points. If you have centralized Internet access, have a strong firewall that limits outside access to critical users only.

Protection of external electronic communications. Encrypt all patient-identifiable information before transmitting it over the Internet or other public networks.

Software discipline. Run virus-checking programs on all systems and limit the ability of staff to download or install their own software.