4. What kind of information about your medical cannabis patients do you collect, store, and share? Select the answer that most closely matches your medical cannabusiness.
A. Names, mailing addresses, phone numbers only
B. All of the A items, plus their email addresses, Social Security Numbers and credit card numbers
C. All of the A and B items, plus their medical records, qualifying conditions, account numbers and insurance information.
D. All of A, B and C items, plus their social media IDs/accounts, cannabis program/registry information, physician information, treatment information and other information (photos, videos, etc.)
5. Select the one of the following that best describes your medical cannabusiness's access to your clients' health information:
A. You store the health information on your own systems (e.g. servers, desktop computers, laptops, USB drives, external hard drives, etc.) and you also do business processing with the health information, which *IS* encrypted.
B. You store the health information on your own systems (e.g. servers, desktop computers, laptops, USB drives, external hard drives, etc.) and you also do business processing with the health information, which is *NOT* encrypted.
C. You store most of the health information for your clients in a type of data warehouse, or cloud service, that is a contracted vendor, but you do not access the data to do any business processing, and the data *IS* encrypted. Health information in your possession is never stored on endpoints (e.g. laptops, USB drives, etc.).
D. You store most of the health information for your clients in a type of data warehouse, or cloud service, that is a contracted vendor, but you do not access the data to do any business processing, and the data is *NOT* encrypted.
6. Do you have documented privacy and information security policies and procedures that are up to date, easily accessible to all your employees, and cover the operational, technical and physical security requirements of your medical cannabusiness? Select the answer that most closely matches your medical cannabusiness.
A. Yes, we keep our documented information security and privacy policies and procedures updated, they cover all areas of information security, and all our employees can easily get access to them (e.g. on our intranet, in a printed manual, etc.).
B. We have information security and privacy policies and procedures documented, but it has been more than a year since they were updated. They also probably don't cover all topics, and may not be easily accessible.
C. We have a few information security and privacy policies and procedures documented, but we've never updated them. They also don't cover all topics, and our employees may not know about them.
D. We don't have any documented information security and privacy policies or procedures.
7. Have you provided information security and privacy training to all your workers in the past year, and do you provide some type of regular medical cannabis patient data security update or patient data privacy reminder to all your medical cannabusiness workers? Select the answer that most closely matches your medical cannabusiness.
A. Yes, we do both regular training and send out frequent awareness reminders.
B. We provide training once every year or two, and sometimes awareness reminders, but not really regularly according to any policy.
C. We have provided maybe one training session, and maybe one or two awareness reminders. Not recently, though.
D. No. We do not provide information security or privacy training or awareness messages.
8. When did you perform your most recent information security risk assessment? NOTE: This compliance assessment you are currently taking is NOT a full security risk assessment, so do not count this as your most recent security risk assessment. Also, be mindful that this question refers to the technical, operational and physical security risks to your medical cannabis patient information. Select the answer that most closely matches your medical cannabusiness.
A. Less than 12 months ago
B. 1-2 years ago
C. 3-5 years ago
D. More than 5 years ago or we have never done an information security risk assessment.
9. Do you require all types of sensitive information (including personal information and other types of health information) for your medical cannabis patients to be encrypted when it is sent through public networks and when it is stored on mobile computers and mobile storage devices? Remember: their sensitive information includes health information and all other types of personal data. Select the answer that most closely matches your medical cannabusiness.
A. Yes, we encrypt personal and health data when collecting it, storing it, and transmitting it.
B. We encrypt data when transmitting, and in some, but not in most, places where it is stored.
C. We sometimes encrypt data when collecting it and transmitting it, but in many cases we do not. We have no formal policies or procedures for when to use encryption.
D. No, we either do not use encryption, or we do not know if encryption is used.
10. Do you require patient, health and other sensitive information, in all forms (on digital storage drives, in computing devices, in smartphones, on print materials or whiteboards, etc.) to be disposed of using secure methods? Select the answer that most closely matches your medical cannabusiness.
A. Yes, we dispose of all forms of personal and health data using secure methods, following documented policies and procedures.
B. We dispose of most forms of personal and health data using secure methods, but have not established secure methods for all forms.
C. We sometimes dispose of information securely, but it is pretty much hit or miss. We probably don't dispose of much information, in all forms, securely.
D. No, we pretty much just throw any trash into the trash can, dumpster out back, etc.
11. Do you require all third-party businesses to whom you have outsourced any medical cannabusiness activities involving patient and health information, or other confidential information, to sign a security and privacy agreement, such as those required by HIPAA? And has each of those entities provided some type of assurance to you (e.g. a copy of a recent risk assessment, copies of their information security and privacy policies, logs of their most recent security training, etc.) that validates they have strong information security and privacy practices implemented in their businesses? Select the answer that most closely matches your medical cannabusiness. Be mindful that business associates (BAs) in the medical cannabis space include, but are not limited to: other medical cannabis dispensaries, delivery service vendors, data storage companies, security firms, medical billers, email vendors, seed-to-sale vendors, payment processors, patient certification centers, laboratories, referring physicians and/or state regulating agencies.
A. We do not outsource any activities that involve sharing patient or health information.
B. Yes, we require all third-party businesses we contract to have comprehensive security and privacy programs in place, and they also sign an agreement listing the security requirements they must follow.
C. We ask them if they have security in place, but it is not anything formal.
D. No, we assume they have security controls in place, or haven't thought about it, or don't think we are responsible for any security controls within another business that we use.
12. Has your medical cannabusiness implemented security controls on systems and networks that host, process and/or transfer sensitive and personal information, including the use of anti-malware tools, and controls for protecting network devices from unauthorized access and data theft? Are connections to your computers, supporting systems and networks logged and monitored? Select the answer that most closely matches your medical cannabusiness.
A. Yes, we have security controls implemented for monitoring/logging, authorization, access controls, and other risk-reducing tools.
B. We have some anti-malware tools in place on our systems and personal computers, but we need to implement more to cover everything that you've mentioned.
C. We use a managed services provider (MSP) for all our computing activities, so they need to have anti-malware in place, not us.
D. No, we don't have any of these types of security controls in place.