MedISA
Medical Centre Employee Centered Information Security Awareness
Catalogue
As part of the MedISA research, various instruments for measuring Information Security Awareness have been compiled in a catalogue, which can be used for further research and practical applications.
The compiled instruments provide evidence of reliability and validity; however, the scientific quality criteria vary. For more information, please refer to the associated publications.
The compiled instruments provide evidence of reliability and validity; however, the scientific quality criteria vary. For more information, please refer to the associated publications.
Security Awareness Scale for Health Care Information Systems (SAS-HIPAA)
Response Specification: Five-point Likert scale (1 = Strongly agree, 2 = Agree, 3 = Tend to agree, 4 = Disagree, 5 = Strongly disagree). Note: The statistical composition of items depends on the research question. See publication for more details.
| Item |
|---|
| In my organization, there is a predefined agreed upon plan for security and privacy compliance efforts. |
| There is a prevalent security culture where individuals look out for each other in my organization. |
| Creating security awareness is an ongoing process in my organization. |
| There is visible leadership about seriousness of security assurance efforts in my organization. |
| In my organization, there are adequate internal controls (policies, procedures, training, encryption, access restrictions) to provide security and privacy of health records. |
| Auditing is viewed as a necessary complimentary action to improve the security initiatives in my organization. |
| Security policies and procedures are easily accessible and comprehendible in my organization. |
| In my organization, there is an emphasis on establishing open communication channels about security issues without the fear of reprisal. |
| We emphasize having informal meetings and discussions about importance of managing security and privacy of the records in my organization. |
| In my organization, security controls (encryption, access control, password policy, segregation of duty) are viewed as a necessary component for security. |
| Access to the system is based on the role that I play in the organization. |
| Training about security measures is provided regularly to the staff/personnel in my organization. |
| In my organization, security policies and procedures are periodically reviewed to assess if the policies meet the changing organizational needs. |
| There exists a clear structure for disciplinary action in case of noncompliance with policies and procedures in my organization. |
| In my organization, there is an emphasis on establishing open communication channel about security issues without the fear of reprisal. |
| I am required to read the security policies frequently (Quarterly, bi-anually, annually) in my organization. |
| In my organization, I have frequent communication about social engineering issues and am aware of how such tactics can create vulnerability for our system. |
| In my organization, I understand what information I have access to and why? |
| I am required to access health information only through approved devices and software in the organization. |
| I am allowed to use removable storage media from outside on my machine in the organization. |
| In my organization, I am required to take permission to use social networking sites. |
| I am aware of the procedure about what to do when my system has malware in my organization. |
| Access to the system is based on the role that I play in the organization. |
| I am required to report any misuse of information (that I am in-charge of) or its inappropriate access. |
| I am aware of the password policy that I have to comply with, in my organization. |
| I frequently receive communication about acceptable security behavior in my organization. |
| In my organization, there is an ongoing effort on training and education of employees about security issues. |