Study urges controls on access, accountability

Report raises the bar on confidentiality

The emphasis on the development and installation of patient records and data automation has left security precautions as too much of an afterthought, according to a national report on confidentiality.

The report prepared by the Computer Sciences and Telecommunications Board of the National Research Council in Washington, DC, concluded that the health care industry has spent its energy and resources on expanding its use of automated systems "rather than protecting them from snoops."

Solutions are available to enhance security, says Paul D. Clayton, chairman of the study panel and also chairman of the department of medical informatics and director of clinical information services at Columbia Presbyterian Medical Center in New York City. "But today there are no strong incentives to safeguard patient information because patients, industry groups, and government regulators aren’t demanding protection."

The report outlines a series of both technical and organizational practices it says health care institutions should initiate immediately to provide minimal security. These are:

Technical practices

Individual authentication of users.

Everyone in your organization should have his or her own unique identifier for log-on. Strict procedures should be created for issuing and revoking those passwords. When appropriate, individual PCs should be programmed to log off if left idle for a certain period of time. Passwords should be changed frequently, should not be easily guessed, and sanctions should be outlined for those who use another person’s access code.

Access controls.

Those who use information systems should have access only to the information they need. Define these terms narrowly. For instance, rather than basing access on titles such as "physician" or "nurse," make them more specific, such as "cardiologist" or "emergency department nurse."

Audit trails.

These should be installed on all automated systems to record everyone who accesses clinical information. These logs should include what data were accessed, what time they were accessed, and who accessed them. Organizations that provide health care to their own employees should allow workers to conduct audits of their own health records.

Physical security and disaster recovery.

Procedures should be in place to have records available in an emergency, such as a natural disaster or computer failure. Backup data should be stored in safe places or in encrypted form. If you use a vendor to store your records, make sure it uses proper security procedures.

Protection of remote access points.

If you have centralized Internet access, have a strong fire wall that limits outside access to critical outside users only. If you have multiple access points, consider other forms of protection. Require a secure authentication process for remote users, such as those with home computers. If you do not have these safeguards, allow remote access only over dedicated telephone lines.

Protection of external electronic communications.

Encrypt all patient-identifiable information before transmitting it over the Internet or other public networks. If you can’t do this, refrain from transmitting information outside the organization, or do it only over dedicated lines. Have policies to discourage the use of patient identifiable information in unencrypted e-mail.

Software discipline.

At least use virus-checking programs on all services, and limit the ability of staff to download or install their own software.

System assessment.

Assess the security and vulnerabilities of your information systems continually. For instance, run existing "hacker scripts" and password "crackers" against your system on a monthly basis.

Organizational practices

Security and confidentiality policies.

Develop explicit and clear policies that express a dedication to protecting health information. Policies should clearly specify:

— the types of information considered confidential;

— the people authorized to release the information;

— the procedures that must be followed in making a release;

— the types of people who are authorized to receive information.

Security and confidentiality committees.

Create formal points of responsibility (such as a standing committee for a large organization or single person for a small one) to develop and revise policies and procedures.

Information security officers.

Identify someone who is authorized to implement and monitor compliance with policies and practices.

Education and training programs.

Establish programs to make sure all information system users receive a minimum level of training in security and confidentiality before they are granted access to any information systems.


Have a clear set of sanctions for violations, and make sure they are applied uniformly and consistently to everyone, regardless of title. Organizations should adopt a zero-tolerance policy to ensure that no violation goes unpunished. Employees fired for willful violations should be reported to the appropriate licensing boards. Negligent — but not willful — violations should carry lesser sanctions.

Improved authorization forms.

Develop authorization forms that improve patients’ understanding of health data flows, and limit the time period for which those authorizations are valid. The forms should list the types of organizations to which identifiable or unidentifiable information is commonly released.

• Patient access to audit logs.

Patients should have the right to review audits of everyone who accessed their electronic medical records.

Aside from those immediate measures, the report also identified several steps that should be taken in future years as the technology becomes available. Those are:

• Strong authentication.

This involves even tighter log-on and access security, including single-session or encrypted authentication protocols, and log-ons that require use of a token such as a card or badge.

• Enterprisewide authentication.

By the year 2001, systems should be available to allow users to log on only once during each session and reach any system they have access to.

• Access validation.

Tools are being developed that would allow hospitals to allow certain people access only to certain information in a medical record.

• Expanded audit trails.

By the year 2001, organizations should be able to keep logs of all internal access to clinical information. In the longer term, look for technology that allows you to know everyone who accessed patient-identifiable health information as it passes through the health system.

• Electronic authentication of records.

All electronic medical record systems brought on-line after 1999 should be able to identify the log-on of any user who enters or modifies data.

Here are some of the available resources on confidentiality issues:

• Copies of "For the Record: Protecting Electronic Health Information" are available from: National Academy Press, 2101 Constitution Ave. NW, Box 285, Washington, DC 20055. Telephone: (800) 624-6242. In the Washington Metropolitan area call (202) 334-3313. Internet:

• A variety of security materials, including a free risk self assessment quiz, is available from Irongate, 7 Mt. Lassen Drive, Suite C 126, San Rafael, CA 94903. Telephone: (415) 491-0910. The materials are available at Internet site:

• The Computer-based Patient Record Institute has materials available, including security guidelines for computer-based patient record systems, guidelines for establishing security policies, guidelines for managing security programs, and sample confidentiality statements and agreements for employees, physicians, and vendors. The CPRI is at: 1000 E. Woodfield Road, Suite 102, Schaumburg, IL 60173-4742. Telephone: (847) 706-6746. The materials are available at Internet site: