Information Security & Compliance Starts with Risk Evaluation!

9 Questions

5 Minutes

Know how well you are protecting your patients’ information and privacy in key risk areas, and how to improve where you have security and privacy risks!

All organizations, including medical cannabis dispensaries (cannabusinesses), are legally and ethically obligated to protect the personal information they collect, store and process, to ensure that unauthorized access to the information cannot occur, and to ensure that the personal information is not misused.

Data protection legal requirements, including HIPAA, generally define health information as any information that can be associated with an individual and relates to that individual's past, present, or future physical or mental health or condition, and that is held or maintained by businesses covered by these laws.

Below is a free information security and privacy risk evaluation to help cannabusinesses quickly identify where there are major risks to personal information within their business.

Before you start, please review the following statement:

By participating in this survey, I agree to not re-post this evaluation, or similar versions of it, to any other business sites to be re-used there without explicit written permission from Rebecca Herold or SIMBUS, who own the intellectual property rights to the content and delivery mechanism respectively.

I also give permission to send the results to my email address, which I will provide at the end, and to allow SIMBUS to incorporate my non-identified answers into generic, bulk summary results.

By taking this free evaluation you are indicating that you understand and agree to these terms.

NOTE: This evaluation is not written for, and must not be taken by, children 13 years of age or younger.

Basic Information About Your Business

1. If your medical cannabusiness(es) are in the USA, in what state(s) do you operate? If outside of the USA, in what country do you operate? This will help us aggregate answers and provide tallies to determine how patient privacy activities vary throughout the globe.

2. Is your business located within a stand-alone building, dedicated storefront, etc.? Or, is it within a mall-type area with many others within the same building? Or within your own home? Or, some other type of location? Please provide a brief description.

3. Do you dispense medical cannabis to primarily children (ages through 17 years old), adults, or an even mix of both?

Info Security & Privacy

4. What kind of information about your medical cannabis patients do you collect, store, and share? Select the answer that most closely matches your medical cannabusiness.
    A. Names, mailing addresses, phone numbers only
    B. All of the A items, plus their email addresses, Social Security Numbers and credit card numbers
    C. All of the A and B items, plus their medical records, qualifying conditions, account numbers and insurance information
    D. All of A, B and C items, plus their social media IDs/accounts, cannabis program/registry information, physician information, treatment information and other information (photos, videos, etc.)

5. Select one of the following which best describes your medical cannabusiness's access to your clients' health information:
    A. You store the health information on your own systems (e.g. servers, desktop computers, laptops, USB drives, external hard drives, etc.) and you also do business processing with the health information, which *IS* encrypted.
    B. You store the health information on your own systems (e.g. servers, desktop computers, laptops, USB drives, external hard drives, etc.) and you also do business processing with the health information, which is *NOT* encrypted.
    C. You store most of the health information for your clients in a type of data warehouse, or cloud service, that is a contracted vendor, but you do not access the data to do any business processing, and the data *IS* encrypted. Health information in your possession is never stored on endpoints (e.g. laptops, USB drives, etc.).
    D. You store most of the health information for your clients in a type of data warehouse, or cloud service, that is a contracted vendor, but you do not access the data to do any business processing, and the data *is* encrypted.

6. Do you have documented privacy and information security policies and procedures that are up to date, easily accessible to all your employees, and cover the operational, technical and physical security requirements used in your medical cannabusiness? Select the answer that most closely matches your medical cannabusiness.
    A. Yes, we keep our documented information security and privacy policies and procedures updated, they cover all areas of information security, and all our employees can easily get access to them (e.g. on our intranet, in a printed manual, etc.).
    B. We have information security and privacy policies and procedures documented, but it has been more than a year since they were updated. They also probably don't cover all topics, and may not be easily accessible.
    C. We have a few information security and privacy policies and procedures documented, but we've never updated them. They also don't cover all topics, and our employees may not know about them.
    D. We don't have any documented information security and privacy policies or procedures.

7. Have you provided information security and privacy training to all your workers in the past year, and do you provide some type of regular medical cannabis patient data security update or medical patient data privacy reminder for all your medical cannabusiness workers? Select the answer that most closely matches your medical cannabusiness.
    A. Yes, we do both regular training and send out frequent awareness reminders.
    B. We provide training once every year or two, and sometimes awareness reminders, but not really regularly according to any policy.
    C. We have provided maybe one training session, and maybe one or two awareness reminders. Not recently, though.
    D. No. We do not provide information security or privacy training or awareness messages.

8. When did you perform your most recent information security risk assessment? NOTE: This compliance assessment you are currently taking is NOT a full security risk assessment, so do not count this as your most recent security risk assessment. Also, be mindful that this question refers to the technical, operational and physical security risks to your medical cannabis patient information. Select the answer that most closely matches your medical cannabusiness.
    A. Less than 12 months ago
    B. 1-2 years ago
    C. 3-5 years ago
    D. More than 5 years ago, or we have never done an information security risk assessment

9. Do you require all types of sensitive information (including personal information and other types of health information) for your medical cannabis patients to be encrypted when it is sent through public networks and when it is stored on mobile computers and mobile storage devices? Remember: their sensitive information includes health information and all other types of personal data. Select the answer that most closely matches your medical cannabusiness.
    A. Yes, we encrypt personal and health data when collecting it, storing it, and transmitting it.
    B. We encrypt data when transmitting, and in some, but not in most, places where it is stored.
    C. We sometimes encrypt data when collecting it and transmitting it, but in many cases we do not. We have no formal policies or procedures for when to use encryption.
    D. No, we either do not use encryption, or we do not know if encryption is used.

10. Do you require patient, health and other sensitive information, in all forms (on digital storage drives, in computing devices, in smartphones, on print materials or whiteboards, etc.), to be disposed of using secure methods? Select the answer that most closely matches your medical cannabusiness.
    A. Yes, we dispose of all forms of personal and health data using secure methods, following documented policies and procedures.
    B. We dispose of most forms of personal and health data using secure methods, but have not established secure methods for all forms.
    C. We sometimes dispose of information securely, but it is pretty much hit or miss. We probably don’t dispose of much information, in all forms, securely.
    D. No, we pretty much just throw any trash into the trash can, dumpster out back, etc.

11. Do you require all third-party businesses to which you have outsourced any medical cannabusiness activities involving patient and health information, or other confidential information, to sign a security and privacy agreement, such as those required by HIPAA? And has each of those entities provided some type of assurance to you (e.g. a copy of a recent risk assessment, copies of their information security and privacy policies, logs of their most recent security training, etc.) that validates they have strong information security and privacy practices implemented in their businesses? Select the answer that most closely matches your medical cannabusiness. Be mindful that business associates (BAs) in the medical cannabis space can include, but are not limited to: other medical cannabis dispensaries, delivery service vendors, data storage companies, security firms, medical billers, email vendors, seed-to-sale vendors, payment processors, patient certification centers, laboratories, referring physicians and/or state regulating agencies.
    A. We do not outsource any activities that involve sharing patient or health information.
    B. Yes, we require all third-party businesses we contract to have comprehensive security and privacy programs in place, and they also sign an agreement listing the security requirements they must follow.
    C. We ask them if they have security in place, but it is not anything formal.
    D. No, we assume they have security controls in place, or haven't thought about it, or don't think we are responsible for any security controls within another business that we use.

12. Has your medical cannabusiness implemented security controls on systems and networks that host, process and/or transfer sensitive and personal information, including the use of anti-malware tools, and controls for protecting network devices from unauthorized access and data theft? Are connections to your computers, supporting systems and networks logged and monitored? Select the answer that most closely matches your medical cannabusiness.
    A. Yes, we have security controls implemented for monitoring/logging, authorization, access controls, and other risk-reducing tools.
    B. We have some anti-malware tools in place on our systems and personal computers, but we need to implement more to cover everything that you've mentioned.
    C. We use a managed services provider (MSP) to do all our computing activities, so they need to have anti-malware in place, not us.
    D. No, we don't have any of these types of security controls in place.
Final Step: Please enter your name & email so we can let you know when we have more helpful information security and privacy tools available for you to use.
  • Contact Name (Optional, but we use this to personalize your printable report)
  • Email (Please leave your email so we can send you the free report. You will receive no additional emails from us.)