Your organization is responsible for any PII or PHI data that has been extracted from systems you procure, install, and manage. The questions listed below are basic questions that you, as a business owner, can answer. The answers you provide will assist the owner in making decisions about IT security within their organization. This information can provide a starting point for a business's efforts to address its basic system security requirements using Rebnetik as its Security-as-a-Service provider.

Physical

  1. Does your organization employ physical devices to prevent access to ePHI? (e.g. security cameras, door access sensors, etc.)
  2. Does your organization employ locks for systems that are physically stationed in the office?
  3. Does your organization implement any systems that store or process ePHI located in public spaces? (e.g. kiosks, etc.)
  4. Does your organization employ a destruction process for any PII or PHI in your office? (e.g. shredding, burning, etc.)

Administrative

  1. Does your organization have a security process for the PII or PHI data within your organization? (e.g. policies and procedures for handling PII or PHI)
  2. Does your organization analyze and monitor access and storage of PII or PHI?
  3. Does your organization have a security officer or personnel who create policies and procedures?
  4. Does your organization implement procedures that limit the disclosure of PII and PHI and only allow access based on the user’s role?
  5. Does your organization provide security awareness training for staff members including contractors, consultants, and employees?
  6. Does your organization sanction employees that violate its security policies regarding PII and PHI?
  7. Does your organization evaluate its systems that store, access, or manage PHI or PII?

Technical

  1. Does your organization employ encryption at rest and in transport for PII and PHI?
  2. Does your organization employ, implement, and manage an endpoint protection solution for all of the systems that access, store, and/or transport PHI and PII?
  3. Does your organization employ a notification system that alerts when PHI or PII has been disclosed without authorization?
  4. Does the organization employ data loss protection on systems that process and store PHI or PII?
  5. Does your organization employ cloud infrastructure solutions for processing and storing PHI or PII?