Questions for NCVHS Hearings on Security - August 5-6, 1997
Not all questions are applicable to all participants or their organizations.
However, this lengthy set of questions illustrates the scope and complexity of
the security issues to be addressed by the Committee. We welcome your written
comments on as many of these issues as possible.
Policies and Procedures
- What policies and procedures should be employed to safeguard information?
- How should these policies and procedures be communicated to internal and
external users as well as consumers?
- How frequently are policies reviewed?
- Do employees, agents, independent contractors, medical staff, and vendors
sign confidentiality statements?
- What are the consequences of a security breach by an individual? What
type of disciplinary action is taken?
- How do you protect employee health information, particularly if you
self-administer a benefit plan?
- How do you monitor electronic files to detect unauthorized changes or
systematic corruption?
- How do you protect backups? What abilities do you have to recover files
that become corrupted or lost?
Organizational Commitment
- What approaches have been successful in your organization in obtaining
upper management commitment to data security? What approaches have been less
than successful?
- Who is accountable for managing the information security program in your
organization?
- What level of authority should review and approve policies?
- Has your organization assigned staff dedicated to information security?
Please describe the reporting structure for information security at your
organization.
- How do you determine who can have access to health information? Do you
have different classes of access based on the sensitivity of the health
information (e.g., more restrictive access to HIV status or mental health
diagnoses)?
- Has cost been a factor in limiting your information security program? How
would you determine the appropriate cost of security?
- What factors should be considered in assessing the costs and benefits of
security? How should these factors be weighted?
- Based on your experience, what are the impediments to implementing health
information security measures?
- How would federal legislation or regulations requiring the protection of
health information affect the information security program at your organization?
Training
- What are the objectives of your data security training program?
- Who receives training in information security?
- How is training delivered?
- Is training customized to user class?
- How often is training repeated?
Technical Practices
- Are unique passwords used?
- Are tokens, smart cards, or biometrics used for authentication?
- Is access control handled through technology or through policy?
- How do you protect remote access points?
- Is encryption used for internal or external transmissions?
- If you use encryption, do you use it for your password, your patient
identifier, your clinical information, or the entire patient record message?
- When you use encryption, do you use Secure Sockets Layer (SSL), the Data
Encryption Standard (DES), or another encryption standard? Why did you select
this particular encryption standard?
- What are the initial and ongoing costs associated with encryption?
- Do you transmit or plan to transmit patient identifiable information over
the Internet? How is the information safeguarded?
- What physical security measures do you use?
- Are different security practices required for a private network?
- What type of unique identifier do you use to identify patient information?
- Do you use electronic signatures? If yes, explain the applications, the
type of technology used, and liability issues, if any.
Patient Awareness/Authorization
- Are patients informed of your organization's policies and procedures on
information security? If so, how? Do you have specific educational tools that
you use to educate patients/consumers?
- Do patients review their information? How do patients amend incorrect
information (particularly if maintained electronically)?
- Do patients have access to the audit trail of all those who have looked at
their patient record?
- Can patients request that their information not be computerized?
Vendors and Data Security Consultants
- What security features do your products employ?
- What security features are customers asking for?
- Is cost a factor?
- Can security technology being used in other industries be integrated into
your products?
- How do you help a client identify their data security risks, threats, and
exposures?
- How do you help a client develop an effective data security strategy,
design, or architecture?
- How do you avoid technology-dependent security procedures and systems?
SDOs/Accreditation Organizations
- What standards presently exist regarding security?
- Are the existing standards adequate for adoption by the Secretary of HHS?
- What standards must organizations meet in order to be accredited by your
organization?
- What plans are underway to address security requirements?
- Do you feel that there is a need for the federal government to provide
leadership in this area?