Give the waiter your fully unlocked phone, so he can scan the information.
Ask the waiter to write down the human readable promotion code from your phone instead of scanning.
Ask the waiter to bring the scanner to you, keeping control of your phone.
You have separated access of the promotion code app from all parts of your phone that you don't want to be accessed. You give the waiter your phone with access to the promotion code app opened.
You have your work email automatically forwarded to your personal email account, so it's okay to give the phone to the waiter.
You let the person in, and point them in the direction of where their group sits.
You escort them to the receptionist. If the receptionist isn't there, tell them to have a seat and you find someone to help them.
You let the person in, and let the Office Manager know that the person needs an access card.
You don't let the person in, and tell them to wait outside the door for someone to come get them.
Contact the Office Manager to coordinate the event.
Make arrangements on your own. Don't let guests bring mobile phones since they have cameras.
Make arrangements on your own. Let people into the office.
Make arrangements on your own. Let people in the office, but keep a close watch on them.
You wait for approval and for credentials to be provided.
Your supervisor gives you their credentials to access the system, and you use them to do your work.
You borrow a co-worker's credentials with their agreement. This ensures that you both have backup credentials, just in case of an emergency.
You let your supervisor know that you are delayed because you don't have system access.
You find a way to access the system without credentials. Since this increases productivity, you don't tell anyone about this easy way into the system.
You type the temporary password and immediately change the temporary password to meet password standards.
You write down the temporary password and continue to use it. No one will know.
You write down the password and post it for anyone that might need access to your computer.
You type the temporary password in the system and change it to the password you used last month.
You play it off as insignificant and ignore the situation.
You have someone run an audit trail report to determine if any information was inappropriately accessed.
You get the owner of the device, and chastise them in front of their peers so everyone can see you take the incident seriously.
You don't know how to lock the device, and you can't leave the device unattended. You have someone find the owner, so the device can be locked.
You're familiar with the device, and you lock the device immediately.
You find out how to encrypt the data, or ensure someone will encrypt the data.
You notify your supervisor or a security champion that you discovered unencrypted confidential data.
You copy the data to another location that is encrypted, and leave the original data untouched.
You re-classify the data as public.
Name: Stuart Holmes
Discharge Date: March 6, 2015
Born: May 9, 1920
Patient ID: 65446571
Lives at: 123 belle Ln Apt 2 Fairyland, WA
Marital Status: Married
Zipcode: 981 (Seattle, WA zip with population > 20,000)
Check Number (Not account number): 4838
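The record above has already had its identifiers generalized in the way the HIPAA Safe Harbor method prescribes (three-digit ZIP prefix, with a note that the prefix covers more than 20,000 people). The following is an added example, not part of the original page, showing how that generalization can be applied mechanically to a full record: direct identifiers are dropped, dates are reduced to the year, ages of 90 and over are aggregated, and the ZIP code is truncated to its three-digit prefix unless that prefix is on the low-population list. The field names, the restricted-prefix list (taken from the HHS Safe Harbor guidance based on the 2000 census) and the sample record values are assumptions for the illustration; the check number is kept because, as the page notes, it is not an account number.

```python
from datetime import date
import re

# Three-digit ZIP prefixes covering 20,000 people or fewer (HHS Safe Harbor
# guidance, 2000 census). Assumed list for this example; verify against the
# current guidance before relying on it.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Fields treated as direct identifiers and removed outright (assumed names).
DIRECT_IDENTIFIERS = {"name", "lives_at", "patient_id", "account_number",
                      "phone", "email", "ssn"}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits, or '000' if the prefix is restricted."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    if len(prefix) < 3 or prefix in RESTRICTED_ZIP3:
        return "000"
    return prefix


def age_on(birth: date, reference: date) -> int:
    """Whole years between birth and the reference date."""
    before_birthday = (reference.month, reference.day) < (birth.month, birth.day)
    return reference.year - birth.year - before_birthday


def generalize_age(birth: date, reference: date) -> str:
    """Ages of 90 and over are aggregated into a single '90+' category."""
    age = age_on(birth, reference)
    return "90+" if age >= 90 else str(age)


def deidentify(record: dict) -> dict:
    """Apply the Safe Harbor style rules to one patient record."""
    out = {}
    # Age is computed relative to the discharge date when the record has one.
    reference = record.get("discharge_date") or date.today()
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # dropped entirely
        if field == "born":
            out["age"] = generalize_age(value, reference)
            # The birth year is kept only when, together with the reference
            # year, it cannot indicate an age over 89 (conservative check).
            if reference.year - value.year < 90:
                out["birth_year"] = str(value.year)
        elif isinstance(value, date):
            out[field.replace("_date", "_year")] = str(value.year)
        elif field == "zipcode":
            out[field] = generalize_zip(value)
        else:
            out[field] = value  # marital status, check number, etc. pass through
    return out


# Constructed sample record mirroring the fields shown on the page.
SAMPLE_RECORD = {
    "name": "Stuart Holmes",
    "discharge_date": date(2015, 3, 6),
    "born": date(1920, 5, 9),
    "patient_id": "65446571",
    "lives_at": "123 belle Ln Apt 2 Fairyland, WA",
    "marital_status": "Married",
    "zipcode": "981",
    "check_number": "4838",
}

if __name__ == "__main__":
    for key, value in deidentify(SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```

Run as-is, the sample patient (born 1920, discharged 2015) comes out with age "90+" and no birth year, the discharge date reduced to "2015", and the ZIP prefix "981" retained; a ZIP such as 03601 would instead be replaced by "000".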
Contact Security Operations or your manager to find out what to do.
Forward the email to others, asking what you should do.
Delete the data, and don't tell anyone else.
Work with Security Operations or the project owner to ensure the incident is recorded, and the email is properly removed from our systems.
Do nothing. Let someone else on the team figure it out.
Check with the project owner to see if the data is part of the project.
Ensure the data is encrypted at-rest and in-transit.
Delete the data, and don't tell anyone else.
Check with the project owner to find out whether the data is PHI or PII.
Take it to a recycling center, as-is. The recycling center will take care of it.
Leave it on the shelf in case someone needs an old server.
Delete the files, then recycle the hard drives in a bin that accepts metal.
Install a new OS, and it should wipe the hard drive. Then, it's ready to use.
Work with Security Operations to figure out next steps.
Reassure the customer that you're on it. Email the report right away before you forget. The customer is a top priority.
Determine if he has access to encrypted email and, if not, ask IT to set up SFTP or another secure transfer channel for the report.
Do not tell anyone, but go ahead and fax the report. Chances are slim anything will happen.
Encrypt the report and email it to the customer, and provide the decryption key by a separate secured method such as SMS, Skype, or an email with a different subject and the key hidden in the body of the email.
You print the report with standard confidentiality cover sheet, and store it securely until your meeting with the customer tomorrow.
Though local machines are secured with passwords and their drives are encrypted, the policy is never to store PHI on them.
PHI can be on a laptop or desktop, even unencrypted, as long as the computer stays in the office.
The laptop is covered under our office insurance policy, so it's okay as long as I'm careful with it.
Report the issue to security operations, and work with them to provide the information needed to have the situation properly assessed.
Review internal procedures and training on handling of mobile devices.
Work with HR and Finance to be compensated for the damage to your car caused by the thieves.
Report the laptop stolen, but don't mention the PHI. That is SecOps' and IT's job to figure out what they need to do.
This will be classified as a data breach and the HITECH Breach Notification Rule will need to be followed. In addition to penalties, notifications would include: patients, media outlets, and the HHS Secretary.
You get a few records from a current customer's project to use.
You get a few records from a past customer's project to use.
You create random/fictitious test data to use.
You ask your peers for their records.
You know everything is perfect, and will bypass testing, and just release to production.
Do nothing because you trust your friend.
Report it to the Office Manager when you happen to see them next.
Your friend doesn't know where your office is, but you still report it to the Office Manager immediately.
Your access card doesn't have any identifiers on it, so you don't mention it to anyone. And if you're in an office that requires the card and a PIN, that's extra security and you really don't have to report it.
Ensure there's a BAA.
Review requirements in the BAA.
Bypass getting a BAA because the solution needs to be done fast.
Take the customer's data right away because you know the BAA is coming soon.
The BAA requirements are going to cause the due date for the solution to be missed, so you skip some of the requirements.
Only use dedicated instances.
Only use encrypted disks, ensuring root-level encryption or that processes ensure no PHI is stored at root level.
Make sure all data is encrypted at-rest.
You skip encryption in-transit because it's not an absolute requirement.