Hospital Mobile Security Policies 2019
1. What are the major components of your organization's mobile device security policy?
All portable media (USBs, CDs, etc.) must be protected
Prohibit storage of patient data on mobile devices
All staff must complete education session(s) on the policy
Patient data stored on or transmitted from all mobile devices (phones, tablets, etc.) must be encrypted
End-point security controls limit use of removable media to approved devices
We do not have a mobile device security policy
Other (please specify)
2. If your organization allows employees and physicians to use personally owned mobile devices for hospital work and patient record access, it:
Requires encryption of the devices
Requires strong passwords
Requires use of automatic timeout function
Imposes a limit on unsuccessful log-in attempts
Requires installation of remote wiping capability on the devices
Prohibits storage of patient information on the devices
Uses a mandated mobile device management system to manage the devices
Requires users to authorize the organization to access the device for security checks as needed
Maintains an inventory of personal devices containing personal health information
None of the above
My organization does not allow employees and physicians to use personally owned mobile devices for hospital work and patient record access
Other (please specify)
3. My hospital/health organization currently applies encryption for:
Information sent outside the organization across exposed external networks (public networks, wireless or cellular networks)
All mobile devices
All backup tapes
All mobile storage media, including USB drives
Information accessible via a virtual private network or portal
All servers/databases
All desktop devices
Other (please specify)
4. How does your organization address security for physicians and other clinicians who have remote access to clinical systems?
Provides access to clinical systems only via a virtual private network
Encrypts all information accessed remotely
Requires use of multi-factor authentication
For access via personal mobile devices, requires use of specific types of devices with specific security functions
We do not provide physicians or other clinicians with remote access to clinical systems
Other (please specify)
5. To guard against inappropriate access to electronic health records, what type of authentication does your organization require for remote users to gain access while they are on the job at one of your facilities?
Username and password
Digital certificate
One-time password with two-factor authentication (token)
Device ID/risk-based authentication (an authentication risk score based on factors such as the device's IP address, geo-location, and user behavior)
Biometrics
No authentication
Other (please specify)
6. How does your healthcare organization track who accesses protected health information and/or patient records?
Uses audit functions within our applications
Uses a separate audit tool
Uses a data loss prevention application
Other (please specify)