The mechanism for accomplishing emergency access is also dependent on the local resources and policies. One approach that I find appealing it to allow authorization of the emergency access by a different legitimate user. In such a situation, if a user has lost their key, forgotten their PIN, or cannot access the system for some other reason, a third party that is themselves a legitimate user may step in an authorize access to the system for the user. The ability to authorize access by others should be severely restricted by policies in order to prevent abuse. A factor that can be used to enforce this is to insist that both users share responsibility for actions taken under such a situation, and to label all entries made under such an access, to be verified later when the user is reinstated in the system.
In order to provide a continuing sanction against improper use of information in a medical information system, we need to combine legal sanctions with access control. These legal sanctions can only be enforced if there is an adequate trail of evidence that documents the misuse of information. An important part of this trail of evidence can be found in properly constructed access logs. Whenever a part of the record for an individual is accessed, a log entry should be made that records exactly what information was accessed, who accessed it, where they accessed it from, and for what purpose. Such logs may themselves become a large database, but they should be considered as important as the primary medical information database. Access to these logs needs to be protected in a manner similar to the primary record, because access patterns to records may in themselves convey information about patients (e.g., if they are seeing an HIV specialist).
The notion of a digital signature can prove extremely useful to guarantee the accuracy of audit trail logs. For example, if it is claimed that a record was accessed by a particular user, it makes sense to demand that a digital signature be created by that user in order to provide access, and this digital signature should then be countersigned by the authority that provided access to the records. In this way, the audit logs cannot later be tampered with by either party in order to make it appear that access either did or did not occur.