Cybersecurity Checklist

Identify: Risk Assessments & Management (Yes / No / N/A)
1. Risk assessments are conducted frequently (e.g. annually, quarterly).
2. Cybersecurity is included in the risk assessment.
3. The risk assessment includes a review of the data collected or created, where the data is stored, and if the data is encrypted.
4. Internal “insider” risk (e.g. disgruntled employees) and external risks are included in the risk assessment.
5. The risk assessment includes relationships with third parties.
6. Adequate policies and procedures demonstrate expectations of employees regarding cybersecurity practices (e.g. frequent password changes, locking of devices, reporting of lost or stolen devices, etc.).
7. Primary and secondary person(s) are assigned as the central point of contact in the event of a cybersecurity incident.
8. Specific roles and responsibilities are tasked to the primary and secondary person(s) regarding a cybersecurity incident.
9. The practice has an inventory of all hardware and software.
Protect: Use of Electronic Mail (Yes / No / N/A)
1. Identifiable information of a patient is transmitted via email.
2. Authentication is required for access to email on all devices (computers and mobile devices).
3. Passwords for access to email are changed frequently (e.g. monthly, quarterly).
4. Policies and procedures detail how to authenticate patient instructions received via email.
5. Email communications are secured. (If the response is no, proceed to the next question.)
6. Employees and patients are aware that email communication is not secured.
Protect: Devices (Yes / No / N/A)
1. Device access (physical and digital) is limited to authorized users, including personnel and patients.
2. Device access is routinely audited and updated appropriately.
3. Devices are routinely backed up, and the backed-up data is stored in a separate location (e.g. on an external drive, in the cloud, etc.).
4. Backups are routinely tested.
5. The physician practice has written policies and procedures regarding destruction of electronic data and physical documents.
6. Electronic data and physical documents are destroyed in accordance with the written policies and procedures.
Protect: Use of Cloud Services (Yes / No / N/A)
1. Risk assessments are conducted frequently (e.g. annually, quarterly).
2. As part of the due diligence, the physician practice has evaluated whether the cloud service provider has safeguards against breaches and a documented process in the event of breaches.
3. The physician practice has a business relationship with the cloud service provider and has the contact information for that entity.
4. The physician practice is aware of the assignability terms of the contract.
5. The physician practice understands how the practice’s data is segregated from other entities’ data within the cloud service.
6. The physician practice is familiar with the restoration procedures in the event of a breach or loss of data stored through the cloud service.
7. The physician practice has written policies and procedures in the event that the cloud service provider is purchased, closed, or otherwise unable to be accessed.
8. The physician practice solely relies on free cloud storage.
9. The physician practice has a back-up of all records off-site.
10. Data containing sensitive or personally identifiable information is stored through a cloud service.
11. Data containing sensitive or personally identifiable information, which is stored through a cloud service, is encrypted.
12. The physician practice has written policies and procedures related to the use of mobile devices by staff who access data in the cloud.
13. The cloud service provider (or its staff) may access and/or view the physician practice’s data stored in the cloud.
14. The physician practice allows remote access to its network (e.g. through use of VPN).
15. The physician practice has written policies and procedures related to the termination of VPN access when an employee resigns or is terminated.
Protect: Use of Physician Practice Websites (Yes / No / N/A)
1. The physician practice relies on a parent or affiliated company for the construction and maintenance of the website.
2. The physician practice relies on internal personnel for the construction and maintenance of the website.
3. The physician practice relies on a third-party vendor for the construction and maintenance of the website.
4. If the physician practice relies on a third party for website maintenance, there is an agreement with the third party regarding the services and the confidentiality of information.
5. The physician practice can directly make changes to the website.
6. The physician practice can directly access the domain renewal information and the security certificate information.
7. The physician practice’s website is used to access client information.
8. SSL/TLS or other encryption is used when accessing patient information on the physician practice’s website.
9. The physician practice’s website includes a client portal.
10. SSL/TLS or other encryption is used when accessing a patient portal.
11. When accessing the patient portal, user authentication credentials (e.g., user name and password) are encrypted in transit.
12. Additional authentication credentials (e.g., challenge questions) are required when accessing the patient portal from an unfamiliar network or computer.
13. The physician practice has written policies and procedures for responding to a denial-of-service incident.
Protect: Custodians & Other Third-Party Vendors (Yes / No / N/A)
1. The physician practice’s due diligence on third parties includes cybersecurity as a component.
2. The physician practice has requested vendors to complete a cybersecurity questionnaire, with a focus on issues of liability sharing and whether vendors have policies and procedures based on industry standards.
3. The physician practice understands whether the vendor has its own IT staff or outsources some of its IT functions.
4. The physician practice has obtained a written attestation from the vendor that it uses software to ensure patient data is protected.
5. The physician practice has inquired whether a vendor performs a cybersecurity risk assessment or audit on a regular basis.
6. The cybersecurity terms of the agreement with an outside vendor are not voided by the actions of an employee of the physician practice.
7. Confidentiality agreements are signed by the physician practice and third-party vendors.
8. The physician practice has been provided enough information to assess the cybersecurity practices of any third-party vendors.
Protect: Encryption (Yes / No / N/A)
1. The physician practice routinely consults with an IT professional knowledgeable in cybersecurity.
2. The physician practice has written policies and procedures in place to categorize data as either confidential or non-confidential.
3. The physician practice has written policies and procedures in place to address data security and/or encryption requirements.
4. The physician practice has written policies and procedures in place to address the physical security of confidential data and of systems containing confidential data (e.g., servers, laptops, tablets, removable media, etc.).
5. The physician practice utilizes encryption on all data systems that contain (or access) confidential information.
6. The identities and credentials for authorized users are monitored.
Detect: Anti-Virus Protection and Firewalls (Yes / No / N/A)
1. The physician practice regularly uses anti-virus software on all devices accessing the practice’s network, including mobile phones.
2. The physician practice understands how the anti-virus software deploys and how to handle alerts.
3. Anti-virus updates are run on a regular and continuous basis.
4. All software is scheduled to receive updates on a regular basis.
5. Employees are trained and educated on the basic function of anti-virus programs and how to report potential malicious events.
6. If the alerts are set up by an outside vendor, there is an ongoing relationship between the vendor and the physician practice to ensure continuity and updates.
7. A firewall is employed and configured appropriately for the physician practice’s needs.
8. The physician practice has policies and procedures to address flagged network events.
Respond: Responding to a Cyber Event (Yes / No / N/A)
1. The physician practice has a plan and procedure for immediately notifying authorities in the case of a disaster or security incident.
2. The plans and procedures identify which authorities should be contacted based on the type of incident and who should be responsible for initiating those contacts.
3. The physician practice has a communications plan, which identifies who will speak to the public/press in the case of an incident and how internal communications will be managed.
4. The communications plan identifies the process for notifying patients.
Recover: Cyber-insurance (Yes / No / N/A)
1. The physician practice has considered whether cyber-insurance is necessary or appropriate for the practice.
2. The physician practice has evaluated the coverage in a cybersecurity insurance policy to determine whether it covers breaches, including: breaches by foreign cyber intruders; insider breaches (e.g. an employee who steals sensitive data); and breaches resulting from third-party relationships.
3. The cybersecurity insurance policy covers notification (patients and regulators) costs.
4. The physician practice has evaluated whether the policy includes first-party coverage (e.g. damages associated with theft, data loss, hacking and denial of service attacks) or third-party coverage (e.g. legal expenses, notification expenses, third-party remediation expenses).
5. The cybersecurity insurance policy covers fraudulent wire transfer, social engineering and cyber extortion.
6. The exclusions of the cybersecurity insurance policy are appropriate for the physician practice’s business model.
7. The physician practice has put in place all safeguards necessary to ensure that the cybersecurity insurance policy is not voided through employee actions, such as negligent computer security where software patches and updates are not installed in a timely manner.
Recover: Disaster Recovery (Yes / No / N/A)
1. The physician practice has a business continuity plan to implement in the event of a cybersecurity event.
2. The physician practice has a process for retrieving backed up data and archival copies of information.
3. The physician practice has written policies and procedures for employees regarding the storage and archival of information.
4. The physician practice provides training on the recovery process.
