Imagine this scenario: A clinician needs critical data about a dying patient. The clinician fumbles with a hardware token and mistypes his eight-character, alphanumeric, mixed-case non-English password and token PIN three times and is locked out for five minutes. He grabs a wireless laptop and asks another clinician to authenticate because he's locked out. Seconds pass as the laptop uses EAP-FAST authentication and a supplicant checks for antivirus updates and patches. A new Microsoft patch is missing, and the clinician is denied access until it's downloaded and the machine is rebooted. Then the antivirus software scans to ensure that the modified desktop is uninfected. After five minutes, the clinician gets access to the needed data.

Although this example is a bit extreme, it does illustrate that security is a balance between complete protection and ease of use.

Security is one of my top priorities in 2006. I can no longer trust internal users or home access via the Internet. The balance needs to swing toward protection, away from ease of use. Alas, Blanche, we can no longer depend on the kindness of anyone.

-- John D. Halamka is CIO at CareGroup Health System, CIO and associate dean for educational technology at Harvard Medical School, chairman of the New England Health Electronic Data Interchange Network, CIO of the Harvard Clinical Research Institute and a practicing emergency physician. Contact him at jhalamka@caregroup.harvard.edu.