1. Establish a governance framework that defines roles, responsibilities, policies, procedures, and accountability.
2. Use hardened terminals hosted on a trusted network, and continually scan them for viruses and malware.
3. Limit employee access to data needed for their jobs, provide unique access credentials, and use electronic signatures.
4. Locate PCs and other access devices in secure places. Use an inventory system to track mobile devices, encrypt all content, and have a policy for retiring devices.
5. Use data-loss prevention tools, have auditable logs on traffic and downloads, and monitor these.
6. Have business associate agreements with strict rules regarding use and disclosure of personal information.
7. Encrypt all EHR data during transport; filter all communications for sensitive data.
8. Make sure data shared with researchers is anonymized or scrubbed.
9. Have a backup and recovery plan that includes security considerations.
10. Know the rules for retiring data, and make sure it's being completely erased from hard drives and formatted disks.