Insider-Outsider Threats to Patient Data 2019

1. What was the nature of your most recent health data security breach?
- Lost or stolen computing device
- Unintentional employee action
- Third party action / snafu
- Criminal attack
- Technical systems glitch
- Malicious insider
- Intentional non-malicious employee action
- Other (please specify)

2. How was the data breach discovered by hospital management?
- Audit/assessment
- Employee detected/alerted
- Patient complaint
- Accidental
- Legal complaint/lawsuit
- Loss prevention
- Law enforcement
- Other (please specify)

3. What hospital security threats are of most concern?
- Employee negligence
- Use of public cloud services
- Mobile device insecurity
- Cyber attacks
- Employee-owned mobile devices
- Insecure mobile applications
- System failure
- Malicious insiders
- Identity thieves
- Insecure medical devices
- Disgruntled ex-employees
- Other (please specify)

4. Are hospital employees permitted to use their personal mobile devices to connect to hospital networks?
- Yes
- No

5. What measures are in place to ensure mobile devices are secure enough to connect to the hospital network?
- Limit access from devices to critical systems
- Require users to read and sign an acceptable use policy
- Limit or restrict the download of PHI
- Scan devices for viruses and malware while they are connected
- Require anti-virus/anti-malware software to reside on all mobile devices
- Scan devices for viruses and malware prior to connection
- Scan devices and remove apps that present a security threat
- None of the steps are done
- Other (please specify)

6. What types of health information are processed and/or stored in the cloud?
- Email applications
- Productivity applications
- Accounting or financial information
- Employee information including payroll data
- Administrative and scheduling information
- Patient billing information
- Patient medical records
- Clinical trial and other research information
- None of the above
- Other (please specify)

7. What describes your hospital/healthcare organization's post-incident risk assessment process?
- Manual process or tool was developed internally
- Ad-hoc process
- Automated process that was developed internally
- Free tool that was developed by an external vendor or entity
- Automated process that was developed by a third party
- Other (please specify)

8. Which business associates present the greatest risk to patient privacy and security?
- IT service provider
- Claims processor
- Benefits management
- Pharmacy benefits manager
- Data analysis
- Consulting services
- Accounting services
- Legal services
- Outsourcing vendor and managed services providers
- Other (please specify)