cluding workstations, servers, and displays, so they cannot tamper with or derive information from the equipment. These controls can include such practices as positioning monitors and keyboards so they cannot be seen easily by anyone other than the user, or locating workstations that are used only intermittently (e.g., those in an examination room or an interview room near the main lobby) behind locked doors. Physical security is not a substitute for other security measures such as authentication and access control, but it can supplement these practices by limiting exposure of the information systems to unauthorized users.

The ability to implement strong physical security depends on knowledge of the inventory and configuration of communications and computing equipment in an organization so that appropriate controls can be implemented. For example, to manage internal network security properly, system managers must know the configuration, composition, and layout of network communications facilities within an organization so they can identify potential areas of vulnerability. These issues become especially important as the number of devices in a typical health care organization grows to tens of thousands and operational control over configurations, locations, connectivity, software census, and so forth becomes increasingly complex.

Physical security also requires that outdated computing equipment be disposed of properly.10 Given that the average time to turn over computing equipment in the rapidly evolving marketplace is between 1.5 and 3 years, the proper disposal of equipment, media, and other materials that contain confidential information is essential. Sending a machine to an external contractor for repair with a disk that contains patient-specific information raises potential security problems. Deleting all files on a disk without degaussing or ''wiping" the surface11 leaves the contents of the disk intact for recovery by disk data structure analysis and reconstruction programs, potentially revealing confidential information previously stored on the disk. Similarly the disposal of backup tapes, floppy disks,


In one instance, a commercial typing service that had been under contract to a local hospital went out of business. Its computer disks eventually were offered for sale at a local second-hand merchant-complete with patients' medical information that had never been erased. See Flaherty, David H. 1995. "Privacy and Data Protection in Health and Medical Information," notes for presentation to the 8th World Congress on Medical Informatics, Vancouver, B.C., Canada, July 27 (available on-line at health.html).


Degaussing refers to a procedure in which the magnetically recorded ones and zeros that are the physical embodiment of data stored on a disk are erased. Wiping refers to a procedure in which random bits are written over the deleted data several times. Degaussing or wiping are not typically performed when a file is deleted by the operating system (this is the basis for "undelete" commands that recover deleted files).

The National Academies of Sciences, Engineering, and Medicine
500 Fifth St. N.W. | Washington, D.C. 20001

Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement