reviewing audit logs both in response to requests from individual patients and through more formal means (e.g., random sampling). The goal of this practice should be to deter users from attempting to access information inappropriately rather than to detect a large percentage of actual breaches. All organizations (whether providers or others) should begin to plan for future implementation of more rigorous audit trails as described below in the section of practices for future implementation. One dimension of planning would be to demand that vendors provide information systems that support audit trails.
Physical Security and Disaster Recovery. Organizations should immediately take steps to limit unauthorized physical access to computer systems, displays, networks, and medical records. For example, computer terminals should be positioned and located so that they cannot be used or viewed by unauthorized users; unauthorized personnel should not have access to the locations in which records (paper or electronic) are stored. Procedures should be developed regarding paper printouts of electronic medical records and the destruction of printouts that will not be incorporated into the formal record. As part of their program for ensuring physical security, organizations should develop and implement plans for providing basic system functions and ensuring access to medical records in the event of an emergency (whether a natural disaster or a computer failure). These plans should be practiced not less than once a year to ensure that they provide rapid recovery and that staff are adequately trained. Disaster recovery plans should include regular backups of clinical information so that it can be restored if the primary data are destroyed or invalidated. Many organizations run daily, weekly, and monthly backups so that data can be recovered from both recent and archival files. Health care organizations should ensure that contractors used to transport and store backup tapes have adequate policies in place for safeguarding the information and protecting integrity. Backup tapes stored in off-site locations represent a significant vulnerability that is often overlooked. Backup tapes stored off-site should be subject to strong physical security to prevent unauthorized access or should be encrypted so that they cannot be read while they are being transported or stored.
Protection of Remote Access Points. Organizations must protect their information systems from attackers who try to gain entry through external communication points, such as the Internet or dial-in telephone lines. Organizations with centralized Internet connections should immediately install a firewall that provides strong, centralized security and allows outside access to only those systems critical to outsider users. Organizations with multiple access points should consider other forms of protec-