2015 Annual Security & Awareness Test

25 Questions | Total Attempts: 68


Questions and Answers
  • 1. 
    Any comments for the scorer to take into account?
  • 2. 
    You receive work email on your phone, and you are getting ready to pay at a restaurant. You need to provide a promotion code that's on your phone. The waiter asks to take your phone to scan the information at his kiosk. Which action would keep your email safe? (choose all that apply)
    • A. 

      Give the waiter your fully unlocked phone, so he can scan the information.

    • B. 

      Ask the waiter to write down the human readable promotion code from your phone instead of scanning.

    • C. 

      Ask the waiter to bring the scanner to you, keeping control of your phone.

    • D. 

      You have separated access of the promotion code app from all parts of your phone that you don't want to be accessed. You give the waiter your phone with access to the promotion code app opened.

    • E. 

      You have your work email automatically forwarded to your personal email account, so it's okay to give the phone to the waiter.

  • 3. 
    Someone outside the office says "Hi, I'm a new employee starting today. Can you let me in since I don't have an access card yet?" What action should you take? (choose all that apply)
    • A. 

      You let the person in, and point them in the direction of where their group sits.

    • B. 

      You escort them to the receptionist. If the receptionist isn't there, tell them to have a seat and you find someone to help them.

    • C. 

      You let the person in, and let office manager know that the person needs an access card.

    • D. 

      You don't let the person in, and tell them to wait outside the door for someone to come get them.

  • 4. 
    You want to host an event in the office. It includes people that you don't know. What action should you take?
    • A. 

      Contact the Office Manager to coordinate the event.

    • B. 

      Make arrangements on your own. Don't let guests bring mobile phones since they have cameras.

    • C. 

      Make arrangements on your own. Let people into the office.

    • D. 

      Make arrangements on your own. Let people in the office, but keep a close watch on them.

  • 5. 
    Visitors have arrived, but it's after business hours or you can't find the receptionist. In these special cases, visitors don't need to write their names in the log.
    • A. 

      True

    • B. 

      False

  • 6. 
    You need to access a system immediately to complete your work, but have not received approval, credentials, or other access set up yet. What action should you take? (choose all that apply)
    • A. 

      You wait for approval and for credentials to be provided.

    • B. 

      Your supervisor gives you their credentials to access the system, and you use them to do your work.

    • C. 

      You borrow a co-worker's credentials with their agreement. This ensures that you both have backup credentials, just in case of an emergency.

    • D. 

      You let your supervisor know that you are delayed because you don't have system access.

    • E. 

      You find a way to access the system without credentials. Since this increases productivity, you don't tell anyone about this easy way into the system.

  • 7. 
    You had your password reset, and were provided a temporary password. You were told to change it immediately. What do you do? 
    • A. 

      You type the temporary password and immediately change the temporary password to meet password standards.

    • B. 

      You write down the temporary password and continue to use it. No one will know.

    • C. 

      You write down the password and post it for anyone that might need access to your computer.

    • D. 

      You type the temporary password in the system and change it to the password you used last month.

  • 8. 
    You notice an unattended and unlocked work device. What do you do? (choose all that apply)
    • A. 

      You play it off as insignificant and ignore the situation.

    • B. 

      You have someone run an audit trail report to determine if any information was inappropriately accessed.

    • C. 

      You get the owner of the device, and chastise them in front of their peers so everyone can see you take the incident seriously.

    • D. 

      You don't know how to lock the device, and you can't leave the device unattended. You have someone find the owner, so the device can be locked.

    • E. 

      You're familiar with the device, and you lock the device immediately.

  • 9. 
    You're upgrading to a new version of open source software, and the change will be better all around. Since the change makes things better and even fixes some of the bugs in the product, you can bypass the change request process.
    • A. 

      True

    • B. 

      False

  • 10. 
    Only supervisors are responsible for knowing security incident or security breach response procedures.
    • A. 

      True

    • B. 

      False

  • 11. 
    You have an unscheduled change that has to be implemented for a customer tonight. It's already past the customer's normal operating hours for the application, so you don't need to notify them.
    • A. 

      True

    • B. 

      False

  • 12. 
    You find confidential data that is not encrypted for storage. What action do you take? (choose all that apply)
    • A. 

      You find out how to encrypt the data, or ensure someone will encrypt the data.

    • B. 

      You notify your supervisor or a security champion that you discovered unencrypted confidential data.

    • C. 

      You copy the data to another location that is encrypted, and leave the original data untouched.

    • D. 

      You re-classify the data as public.

  • 13. 
    From the list below, identify which items are considered PHI.
    • A. 

      Name: Stuart Holmes

    • B. 

      Occupation: Retired

    • C. 

      Age: 94

    • D. 

      Discharge Date: March 6, 2015

    • E. 

      Born: May 9, 1920

    • F. 

      Patient ID: 65446571

    • G. 

      Lives at: 123 belle Ln Apt 2 Fairyland, WA

    • H. 

      Marital Status: Married

    • I. 

      ZIP code: 981 (3-digit Seattle, WA prefix covering a population > 20,000)

    • J. 

      Check Number (Not account number): 4838

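Question 13 turns on the HIPAA Safe Harbor identifier list (45 CFR 164.514(b)(2)): names, geographic units smaller than a state (with a 3-digit ZIP prefix permitted only when the area holds more than 20,000 people), date elements other than year, ages over 89, medical record numbers and the other enumerated identifiers. The Python below is an added example, not part of the quiz or its answer key. The record mirrors the quiz's fictitious options, the ZIP-prefix population lookup is constructed, unknown prefixes are treated as identifiers (fail closed), and treating a bare check number as a non-identifier is an assumption of this example.

```python
"""Classify record fields against the HIPAA Safe Harbor identifier list.

Added example, not from the quiz. Encodes the Safe Harbor categories of
45 CFR 164.514(b)(2) as understood by the author of this example; the
record and population lookup are constructed, and the check-number
decision is an assumption.
"""
from datetime import date

ZIP_MIN_POPULATION = 20_000   # 3-digit ZIP prefix is permitted only above this
AGE_CAP = 89                  # ages over 89 (and years implying them) aggregate to "90+"

# Constructed record mirroring the quiz's fictitious options.
RECORD = {
    "name": "Stuart Holmes",
    "occupation": "Retired",
    "age": 94,
    "discharge_date": date(2015, 3, 6),
    "born": date(1920, 5, 9),
    "patient_id": "65446571",
    "address": "123 belle Ln Apt 2 Fairyland, WA",
    "marital_status": "Married",
    "zip3": "981",
    "check_number": "4838",
}

# Constructed population lookup for 3-digit ZIP prefixes. The quiz states the
# Seattle 981 prefix covers > 20,000 people; prefixes missing here are treated
# as below the threshold, so the classifier fails closed.
ZIP3_POPULATION = {"981": 700_000}


def classify(field, value):
    """Return (is_identifier, reason) for one field under Safe Harbor."""
    if field == "name":
        return True, "names"
    if field == "address":
        return True, "geographic subdivision smaller than a state"
    if field == "zip3":
        population = ZIP3_POPULATION.get(value, 0)
        if len(value) == 3 and population > ZIP_MIN_POPULATION:
            return False, "3-digit ZIP prefix for an area with > 20,000 people is permitted"
        return True, "ZIP code (full, or prefix for a small or unknown area)"
    if isinstance(value, date):
        return True, "date element (other than year) related to the individual"
    if field == "age":
        if value > AGE_CAP:
            return True, "age over 89 must be aggregated into 90+"
        return False, "age 89 or under is not an identifier by itself"
    if field == "patient_id":
        return True, "medical record number"
    if field == "check_number":
        # Assumption: a check number is not an account number and is not
        # treated here as a unique identifying code.
        return False, "not an account number (assumption of this example)"
    return False, "not one of the Safe Harbor identifiers"


def identifiers(record):
    """Names of the fields that Safe Harbor requires removing or generalising."""
    return {field for field, value in record.items() if classify(field, value)[0]}


def deidentify(record, reference=date(2015, 3, 6)):
    """Return a Safe Harbor de-identified copy of the record.

    Dates keep only their year, unless the year itself implies an age over 89
    relative to `reference`, in which case it is aggregated to "90+". Ages over
    89 become "90+". Every other flagged field is dropped outright.
    """
    out = {}
    for field, value in record.items():
        flagged, _ = classify(field, value)
        if not flagged:
            out[field] = value
        elif isinstance(value, date):
            implied_age = reference.year - value.year
            out[field] = value.year if implied_age <= AGE_CAP else "90+"
        elif field == "age":
            out[field] = "90+"
        # name, address, patient_id and similar are removed entirely
    return out


if __name__ == "__main__":
    for field, value in RECORD.items():
        flagged, reason = classify(field, value)
        print(f"{field:15} {'PHI identifier' if flagged else 'not an identifier':18} {reason}")
    print(deidentify(RECORD))
```

The birth date is the edge case worth noticing: retaining the year alone is normally permitted, but for a 94-year-old the year 1920 still reveals an age over 89, so it has to be aggregated along with the age field.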
  • 14. 
    You receive an email with PHI. What action do you take? (choose all that apply)
    • A. 

      Do nothing

    • B. 

      Contact Security Operations or your manager to find out what to do.

    • C. 

      Forward the email to others, asking what you should do.

    • D. 

      Delete the data, and don't tell anyone else.

    • E. 

      Work with Security Operations or the project owner to ensure the incident is recorded, and the email is properly removed from our systems.

  • 15. 
    You and others on your team see some data that may be PHI or PII. None of you are sure if you should see or use the data. What action do you take? (choose all that apply)
    • A. 

      Do nothing. Let someone else on the team figure it out.

    • B. 

      Check with the project owner to see if the data is part of the project.

    • C. 

      Ensure the data is encrypted at-rest and in-transit.

    • D. 

      Delete the data, and don't tell anyone else.

    • E. 

      Check with the project owner to find out whether the data is PHI or PII.

  • 16. 
    A server or hard drive with PHI isn't needed anymore. It can be retired or used for a low-priority task. What do you do? (choose all that apply)
    • A. 

      Take it to a recycling center, as-is. The recycling center will take care of it.

    • B. 

      Leave it on the shelf in case someone needs an old server.

    • C. 

      Delete the files, then recycle the hard drives in a bin that accepts metal.

    • D. 

      Install a new OS, and it should wipe the hard drive. Then, it's ready to use.

    • E. 

      Work with Security Operations to figure out next steps.

  • 17. 
    A customer asks for a report that contains patient information on it. The customer is okay with ePHI or paper format. What should you do? (choose all that apply)
    • A. 

      Reassure the customer that you're on it. Email the report right away before you forget. The customer is a top priority.

    • B. 

      Determine whether the customer has access to encrypted email and, if not, ask IT to set up SFTP or another secured transfer protocol for the report.

    • C. 

      Do not tell anyone, but go ahead and fax the report. Chances are slim anything will happen.

    • D. 

      Encrypt the report and email it to the customer, providing the decryption key by a separate secured method such as SMS, Skype, or an email with a different subject, hidden in the body of that email.

    • E. 

      You print the report with standard confidentiality cover sheet, and store it securely until your meeting with the customer tomorrow.

  • 18. 
    Can I have PHI on my laptop or desktop? I'll have the data stored on an encrypted drive.
    • A. 

      Though local machines are password-protected and their drives encrypted, the policy is never to store PHI on them.

    • B. 

      PHI can be on a laptop or desktop, even unencrypted, as long as the computer stays in the office.

    • C. 

      The laptop is covered under our office insurance policy, so it's okay as long as I'm careful with it.

  • 19. 
    Your laptop was stolen out of your car, and you don't think it was encrypted. You had temporarily decided to put PHI on the laptop to do some work at home. What do you do? (choose all that apply)
    • A. 

      Report the issue to security operations, and work with them to provide the information needed to have the situation properly assessed.

    • B. 

      Review internal procedures and training on handling of mobile devices.

    • C. 

      Work with HR and Finance to be compensated for the damage to your car caused by the thieves.

    • D. 

      Report the laptop stolen, but don't mention the PHI. That is SecOps' and IT's job to figure out what they need to do.

    • E. 

      This will be classified as a data breach and the HITECH Breach Notification Rule will need to be followed. In addition to penalties, notifications would include: patients, media outlets, and the HHS Secretary.

  • 20. 
    You have a new feature or application, and just need a few patient records to demo it. What do you do?
    • A. 

      You get a few records from a current customer's project to use.

    • B. 

      You get a few records from a past customer's project to use.

    • C. 

      You create random/fictitious test data to use.

    • D. 

      You ask your peers for their records.

    • E. 

      You know everything is perfect, and will bypass testing, and just release to production.

  • 21. 
    Your computer is at your desk, and you need to walk away from your computer for a few minutes. It's okay to leave your computer unlocked.
    • A. 

      True

    • B. 

      False

  • 22. 
    You accidentally left your building access card in a backpack that you loaned to a friend over the weekend. You get your backpack back and find the building access card. What do you do? (choose all that apply)
    • A. 

      Do nothing because you trust your friend.

    • B. 

      Report it to the Office Manager when you happen to see them next.

    • C. 

      Your friend doesn't know where your office is, but you still report it to the Office Manager immediately.

    • D. 

      Your access card doesn't have any identifiers on it, so don't mention it to anyone. And, if you're in an office that requires the card and a PIN, that's extra security, so you really don't have to report it.

  • 23. 
    A customer needs us to receive PHI to develop a custom solution. What do you do?
    • A. 

      Ensure there's a BAA.

    • B. 

      Review requirements in the BAA.

    • C. 

      Bypass getting a BAA because the solution needs to be done fast.

    • D. 

      Take the customer's data right away because you know the BAA is coming soon.

    • E. 

      The BAA requirements are going to cause the due date for the solution to be missed, so you skip some of the requirements.

  • 24. 
    You need to bring up an environment for PHI in AWS. What will you ensure is done?
    • A. 

      Only use dedicated instances.

    • B. 

      Only use encrypted disks, ensuring the root volume is encrypted or that processes ensure no PHI is stored on the root volume.

    • C. 

      Make sure all data is encrypted at-rest.

    • D. 

      You skip encryption in-transit because it's not an absolute requirement.

  • 25. 
    If the customer has not provided any requirements or specifications for a secured environment in the BAA, you don't have to worry about encrypting at-rest or in-transit.
    • A. 

      True

    • B. 

      False
