Internal Prospective Medical Customer Assessment Form

Please fill out the following assessment form for the prospective medical customer:

Company Demographics
  Company Name *
  Street Address *
  Address Line 2
  City *
  State/Province *
  ZIP / Postal Code *
  Main Office Phone Number *
  Main Fax Number
  Website
  Company Tax ID
  Tax Region
  Tax Exempt: Yes / No
  Number of Offices/Locations
  Cyber Insurance: Unknown / Yes / No
  Cyber Insurance Carrier
    If customer responded "Yes."

Primary Contact Demographics
  Primary Contact First Name *
  Last Name *
  Suffix
  Title *
  Email Address *
  Location Office Name
  Street Address
    Enter if different from Primary location.
  Address Line 2
  City
  State/Province
  ZIP / Postal Code
  Phone Number *
  Extension
  Fax Number
  Mobile Number

Medical Demographics
  Legal Practice Name
  Specialty
  Group Tax ID
  Practice NPI Number
  Number of Physicians
  Number of Midlevels
  Billing Company

Software/Applications
  Practice Management (PM) Application Name
    Version Number
    Cloud-Based: Yes / No
    Support Contact
    Data Backup and Frequency
    Application Pain Points
  Electronic Health Record (EHR) Application Name
    Version Number
    Cloud-Based: Yes / No
    Support Contact
    Data Backup and Frequency
    Application Pain Points
  Picture Archiving & Communication System (PACS) Application Name
    Version Number
    Cloud-Based: Yes / No
    Support Contact
    Data Backup and Frequency
    Application Pain Points
  Other Application Name
    Version Number
    Cloud-Based: Yes / No
    Support Contact
    Data Backup and Frequency
    Application Pain Points
  Additional Software Notes

Electronic Data Handling
  Types of Electronic Data Processed/Stored
    What types of electronic data does your company process, transmit, and/or store on its computer systems?
    - Confidential Client Information
    - Intellectual property assets including trade secrets
    - Protected Health Information
    - Securities
    - Other data
  Personally Identifiable Information
    Does your company process, transmit, and/or store Personally Identifiable Information such as Social Security numbers, Driver's License numbers, Financial/bank account information, Credit/debit card information, or Email addresses?
    - Personally Identifiable Information
    - Credit/Debit Card Information
    - Driver's License Numbers
    - Email Addresses
    - Financial/Bank Accounts
    - Social Security Numbers

Data Privacy and Protection
  Access Restrictions: Yes / No
    Does your company restrict employee access to customer files and personally identifiable information of employees to those whose job role requires this information on a need-to-know basis?
  Encryption of Private Data: Yes / No
    Is all data that is to be secured in accordance with government regulations and/or industry guidelines encrypted?
  Customer Data and Web-based Systems: Yes / No
    Does your company require the transmission of customer data that includes one or more of the following as part of your internet-based web services: Contact information, Credit/debit card numbers, and/or Social Security numbers?
  Customer Opt-Out Preference Readiness: Yes / No / N/A
    Are your company's information systems and business processes ready to ensure that customer preferences associated with the opt-out of sharing of non-public, personal information with non-affiliated third parties can be successfully honored?
  Regulatory Compliance
    Is your company in compliance with one or more of the following data protection regulations: GLBA, HIPAA, and/or PCI DSS? If so, please indicate which of the regulation's compliance standards have been met by your company.
    - Gramm-Leach-Bliley Act (GLBA)
    - Health Insurance Portability & Accountability Act (HIPAA)
    - Payment Card Industry Data Security Standard (PCI DSS)
  Areas of Concern, Challenges and Suggestions

Security Policies and Procedures
  Implemented Security Policy: Yes / No
    Does your company have a written information system and network security policy in place that applies to employees, independent contractors, and third-party vendors?
  IT Risk Assessment Practices: Yes / No
    Does your company perform an IT security risk assessment annually and upgrade risk controls to mitigate identified security risks?
  Security Policy Training: Yes / No
    Does your company provide employees, independent contractors, and third-party vendors security policy awareness training on an annual basis?
  Security Incident Reporting: Yes / No
    Does your company have a security incident reporting process to enable the escalation of security incidents and possible breaches of information?
  Areas of Concern, Challenges and Suggestions

Security Audits and Controls Testing
  Security/Privacy Compliance Assessment: Yes / No
    Has your company undergone an information security and/or privacy compliance assessment?
  Who performed the assessment?
  Date the assessment was performed?
  Assessment Type
  Mitigation actions implemented: Yes / No
  Data Security Control Testing: Yes / No
  Areas of Concern, Challenges and Suggestions

Network Closet
  Network Closet/Cabinet Design
    Brief description of appearance and design of the server room.
  Closet/Cabinet Locked: Yes / No
  Equipment Layout
    Is the equipment laid out in an orderly manner? What is the organization scheme used, or are devices placed randomly?
  Wiring/Cabling
    Brief description of the cabling. Is cable management employed? Attach photo if appropriate.
  All Devices Labeled: Yes / No / Partially Labeled/Needs Work
    Are all devices clearly labeled? Are labels accurate and updated when devices are re-provisioned?
  Battery Backup/UPS: Yes / No
    Make and Model
    Number of Batteries
  Network Monitoring: Yes / No / Unknown
  Rack Mounted or Floor Model: Rack Mounted / Floor Model
  Climate (Temp/Humidity)
    What is the general temperature and humidity of the server room? How is it controlled?
  Remote Access Control (DRAC, iLO, etc.)
    Is low-level remote access to the servers available? Can the server room devices and servers be managed remotely?

Servers
  Virtual Servers: Yes / No
    Quantity of Virtual Servers
    Roles of Servers
    Operating System of Virtual Servers
  Physical Servers: Yes / No
    Quantity of Physical Servers
    Roles of Servers
    Operating System of Physical Servers

Switches
  Quantity of Switches
  Make and Model
  Port Density
  POE: Yes / No / Unknown
  Rack Mounted: Yes / No
  Layer: Layer 2 / Layer 3
  Areas of Concern, Challenges and Suggestions

Network Firewall/Safeguards
  On-Prem Managed Firewall: Yes / No
  Firewall Make and Model
  Elimination of Factory Default Settings: Yes / No
    Are vendor/factory default settings in network and computing system components replaced with settings that ensure that the systems are securely configured?
  Firewall at Internet: Yes / No
    Does your company have a firewall established at each Internet connection?
  Firewall Rules Review Process: Every 30 Days / Quarterly / Annually / Never
    How often are the rules within implemented firewalls reviewed?
  Network Change Management: Yes / No
    Does your company have a network change management policy and process to ensure the network is always configured to be secure?
  Remote Access: Yes / No
    Do you allow remote access to your network?
  Security Standards for Remote Access Equipment: Yes / No
    Do you require that any systems that are used to access your company's IT system remotely are at least as secure as your company's system?
  Remote Access Security
    Are connections from remote users, laptops, and mobile devices into your company's network secured with one or more of the following methods?
    - Remote Access Authentication using industry accepted two-factor methods and/or certificates.
    - Virtual Private Networks from Equipment Using Personal Firewalls.
    - Both Remote Access Authentication using industry accepted two-factor methods and/or certificates and Virtual Private Networks from Equipment Using Personal Firewalls.
    - Other
  Areas of Concern, Challenges and Suggestions

Endpoints/Workstations
  Digital Signage
    Quantity of Digital Signage
  Postage Meter
    Quantity of Postage Meters
  Printers/MFP
    Quantity of Printers
    Quantity of MFPs
  Network Scanners
    Quantity of Network Scanners
  Workgroup Switches
    Quantity of Workgroup Switches
  Monitors
    Average size, dual, average make and model.
  Quantity of Desktops
    Run Computer Data Collector on each desktop.
  Quantity of Unsupported OS Desktops
  Areas of Concern, Challenges and Suggestions

Mobile Computing
  BYOD or Company Provided
    Describe the company's mobile device policy. Is the company using an MDM solution? BYOD devices or standardized company devices?
  Types of Devices
  Quantity of Laptops
  Laptop HDD Encryption: Yes / No / Some Laptops
  HDD Encryption Solution
  Quantity of Unsupported OS Laptops
  Required LOB Access from Mobile Devices
    List essential line of business applications that require mobile access.
  External Access Methods
    Beyond mobile phones, what other methods for external access are available?
  Internal Access Methods
  Areas of Concern, Challenges and Suggestions

FileShare System
  FileShare Solution
  Storage Availability
  File Redirects Implemented for Users: Yes / No
  FileShare System Pain Points

System Access Safeguards
  Use of Strong Passwords: Yes / No
    Does your company employ the use of "Strong" user password protection that includes non-alphanumeric characters, is at least eight (8) characters in length, contains at least one (1) upper case letter, at least one (1) lower case letter, one number, and one special character such as #, !, @, ?, or ^, must be different from previous passwords, and has an expiration period of between 45-90 days?
  Removal of Outdated User Accounts: Yes / No
    Does your company have a policy of periodically reviewing computer accounts and removing accounts for employees no longer with the company or for vendor/service provider employees that no longer require IT system access?
  Physical Security Controls: Yes / No
    Does your company have physical security controls in place to control access to company computer systems?
  System Access Control Policies: Yes / No
    Does your company have access control policies and procedures in place to authorize and control access to business-critical computer systems and those systems that store sensitive data?
  Areas of Concern, Challenges and Suggestions

Computer Equipment Safeguards
  Anti-malware/Antivirus Deployment: Yes / No
  Anti-malware/Antivirus Solution
  Scans on Email File Downloads: Yes / No / Unknown
    Are antivirus scans performed on all email attachments, downloads, and files before opening?
  Infected File Quarantine Procedures: Yes / No / Unknown
    Are any files that are identified as infected during antivirus and antispyware scans quarantined and/or deleted?
  Current Software Versions, Updates, and Patches: Yes / No / Unknown
    Does your company use the most current versions, updates, and patches available from the third-party suppliers of antivirus, antispyware, firewall, and software security protection software on all workstations, laptops, mobile devices, and business critical servers to prevent security breaches and unauthorized access?
  Security Software Updates: Yes / No / Unknown
    Are security software updates and patches checked weekly and applied within 30 days?
  Disabling of Unnecessary Services and Ports: Yes / No / Unknown
    Are unnecessary services and ports on computers and the network disabled?
  Virus Notifications: Yes / No / Unknown
    Does the company automatically receive virus information/notifications from CERT or from similar agencies and/or industry organizations?
  Areas of Concern, Challenges and Suggestions

Systems Monitoring
  Security Monitoring
    Does your company use technologies and/or testing techniques to monitor and/or test IT system security?
    - Web Activity Monitoring Software
    - Intrusion Detection Systems
    - Security Vulnerability Scans
    - Email Monitoring Software
    - Log File Monitoring
    - Penetration Testing
    - Other
  Suspicious Activity Monitoring: Yes / No / Unknown
    Are business critical applications, security systems, and network activity logs periodically reviewed for suspicious activity?
  Unauthorized Access Detection: Yes / No / Unknown
  Areas of Concern, Challenges and Suggestions

Systems Backup and Recovery
  Business Continuity/Recovery Plan: Yes / No
    Does your company have a business continuity/disaster recovery plan that incorporates procedures to restore computer operations after a disruptive event?
  Business Continuity/Recovery Solution
  Backup and Recovery Process Testing: Yes / No
    Are all mission critical systems' backup and recovery procedures tested on an annual basis?
  Time to Restore Computer Operations: 0-12 Hours / 12-24 Hours / 24 Hours / Greater than 24 Hours
    What period of time is necessary to restore computer system operations after an attack on your company's IT environment or as a result of data loss and/or corruption?
  Offsite Backup: Yes / No / N/A
    Last Time Restore Tested
  Onsite Backup: Yes / No / N/A
    Last Time Restore Tested
  Areas of Concern, Challenges and Suggestions

Current Service Provider
  Internet Provider
    Contract Expiration
    Type of Connection
    Speed Up
    Speed Down
  Telephone Provider
    Contract Expiration
    Telephony Solution Name
    Version Number
    VoIP: Yes / No
    Number of Phones
  Fax Line Provider
    Number of Fax Lines
    Electronic Fax Solution
  Email SPAM/AV Filtering Service
    Is an external anti-spam or anti-virus server employed to protect incoming and outgoing emails? Describe the service and general satisfaction with the service.
  Email Provider
    Contract Expiration
    If Exchange, Version Number
    Available Storage
  Website Hosting
  Website Maintenance
    How and who performs website maintenance? Is it outsourced or in-house?

Third Party Service Providers
  IT Service Outsourcing: Yes / No
    Is any critical part of your IT network/computer system, or your Internet access/web presence, outsourced to any third parties?
  IT Service Provider/Resource
  Financial Services and Payment Processing Provider
    Please document the Service Provider companies that provide the Financial Services and Payment Processing services to your company that are necessary to operate your company's IT network and systems.
  Cloud, ASP, and SaaS Services Providers
    Please document the Service Provider companies that provide the Cloud, ASP, and SaaS services to your company that are necessary to operate your company's IT network and systems.
  Service Provider Security Practices
    Are your company's information security policies, procedures, and training practices required to be complied with by third party service providers, detailed as terms within the written agreements executed with third party service providers, and verified as being in force per the terms in the agreement?
  Indemnification by Service Providers
    Do your company's agreements with third party service providers include terms that provide for indemnification of your company from the unauthorized use or disclosure of stored personal information on the service provider's network?
  Service Provider Security Audits
    Does your company perform audits on its vendors and service providers that handle your company's privacy sensitive data to verify that security protocols are in place to secure the data?

Photo Uploads