tion electronically outside the organization or should do so only over secure dedicated lines.⁸ Policies should be in place to discourage the inclusion of patient identifiable information in unencrypted e-mail.

Software Discipline. Organizations should exercise and enforce discipline over user software. At a minimum, they should immediately install virus-checking programs on all servers and limit the ability of users to download or install their own software. Census software or regular audits can be used to ensure compliance with such policies. Current technological tools for checking software downloaded from the Internet are limited; hence, organizations will have to rely on organizational procedures and educational campaigns to protect against viruses, Trojan horses, and other forms of malicious software and to raise users' awareness of the problem.

System Assessment. Organizations should formally assess the security and vulnerabilities of their information systems on an ongoing basis. At a minimum, they should run existing "hacker scripts" and password "crackers" against their systems on a monthly basis. During their annual audits, external auditors should require each organization to demonstrate that it has procedures in place for detecting system vulnerabilities and that it conducts formal vulnerability assessments.

Security and Confidentiality Policies. Organizations should develop explicit security and confidentiality policies that express their dedication to protecting health information. These policies should clearly state the types of information considered confidential, the people authorized to release the information, the procedures that must be followed in making a release, and the types of people who are authorized to receive information. They should clearly reference relevant state and federal legislation regarding the confidentiality of health care information.