The trusted computing base is the sum total of all hardware, software and procedural components which, singly or in combination, could break the security policy. Its design is a matter for the system supplier, but experience shows that the smaller it is, the better. Small security systems are cheaper to evaluate, and reduce the likelihood of bugs that compromise security.
Procedural mechanisms such as password administration, configuration management and backup are an integral part, and when assessing a system the evaluator must ask whether it is likely to be operated securely by a clinician whose computer skills and administrative tidiness are less than average. Lazy and careless clinicians exist, so if it is more convenient to run the system insecurely than securely, a positive evaluation may not be issued. Evaluators should also take into account human design issues such as the quality of manuals and training, and the use of integrity checks on manual data entry.
The level of evaluation should depend on the exposure. We suggest ITSEC level E2 for up to 50,000 patient records, and E4 for between 50,000 and 1,000,000 patient records. Systems which contain personal health information on significantly more than 1,000,000 people should not be built.
Finally, when a system is being installed by a purchaser, the responsible clinicians must ensure that all relevant training has been completed and any necessary plans, procedures and materials --- from a disaster recovery plan through informative leaflets to patient consent forms --- have been drawn up and tested before patient identifiable clinical information is input to the system. The decision to expose the information in this way should be a conscious professional decision to accept the residual risk, and it should be noted in writing by the responsible clinicians. Only once this accreditation exercise has been completed should a system be furnished with the key material needed to communicate with other systems.