MedISA Logo

MedISA

Medical Centre Employee Centered Information Security Awareness

Catalogue

As part of the MedISA research, various instruments for measuring Information Security Awareness have been compiled in a catalogue, which can be used for further research and practical applications.

The compiled instruments provide evidence of reliability and validity; however, the scientific quality criteria vary. For more information, please refer to the associated publications.

Cataloguetitles.catalogue | MedISA

Security Awareness Scale for Health Care Information Systems (SAS-HIPAA)

Authors: Mishra, S., Leone, G. J., Caputo, D. J., Calabrisi, R. R.
Publication Title: Security awareness for health care information systems: A HIPAA compliance perspective.
DOI: https://doi.org/10.48009/1_iis_2011_224-236
Date: 2011

Language of Items: English
Number of Items: 27
Reliability: not available
Validity: Content validity


Response Specification: Five-point Likert scale (1 = Strongly agree, 2 = Agree, 3 = Tend to agree, 4 = Disagree, 5 = Strongly disagree). Note: The statistical composition of items depends on the research question. See publication for more details.

Item
In my organization, there is a predefined agreed upon plan for security and privacy compliance efforts.
There is a prevalent security culture where individuals look out for each other in my organization.
Creating security awareness is an ongoing process in my organization.
There is visible leadership about seriousness of security assurance efforts in my organization.
In my organization, there are adequate internal controls (policies, procedures, training, encryption, access restrictions) to provide security and privacy of health records.
Auditing is viewed as a necessary complimentary action to improve the security initiatives in my organization.
Security policies and procedures are easily accessible and comprehendible in my organization.
In my organization, there is an emphasis on establishing open communication channels about security issues without the fear of reprisal.
We emphasize having informal meetings and discussions about importance of managing security and privacy of the records in my organization.
In my organization, security controls (encryption, access control, password policy, segregation of duty) are viewed as a necessary component for security.
Access to the system is based on the role that I play in the organization.
Training about security measures is provided regularly to the staff/personnel in my organization.
In my organization, security policies and procedures are periodically reviewed to assess if the policies meet the changing organizational needs.
There exists a clear structure for disciplinary action in case of noncompliance with policies and procedures in my organization.
In my organization, there is an emphasis on establishing open communication channel about security issues without the fear of reprisal.
I am required to read the security policies frequently (Quarterly, bi-anually, annually) in my organization.
In my organization, I have frequent communication about social engineering issues and am aware of how such tactics can create vulnerability for our system.
In my organization, I understand what information I have access to and why?
I am required to access health information only through approved devices and software in the organization.
I am allowed to use removable storage media from outside on my machine in the organization.
In my organization, I am required to take permission to use social networking sites.
I am aware of the procedure about what to do when my system has malware in my organization.
Access to the system is based on the role that I play in the organization.
I am required to report any misuse of information (that I am in-charge of) or its inappropriate access.
I am aware of the password policy that I have to comply with, in my organization.
I frequently receive communication about acceptable security behavior in my organization.
In my organization, there is an ongoing effort on training and education of employees about security issues.