E1) What parts of the information system were supplied by vendors, and which are "home grown"?
A1) What components exist as part of the electronic medical record: problem list, medications, lab results, visit history, patient-provider relationships, bedside (clinical) measurements, full-text clinical notes, images, demographic information, including employer, financial, insurance, next of kin?
B1) Are medical records kept under a master patient identifier? B2) If not, what combination of attributes is used to identify patients? B3) If so, is the master key the SSN? B4) If the SSN is not used as the primary identifier, is it nevertheless commonly available in the medical record?
C1) How is ownership of the information contained in the record determined and managed? C2) Who is responsible for ensuring the integrity and quality of information in the patient record?
D1) What technical and non-technical means are used to ensure the integrity of data in the electronic medical record? D2) Are digital signatures or time stamps used?
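The following is an added example, not part of the original questionnaire or of any site's actual system, illustrating the kind of mechanism questions D1 and D2 are probing: each record entry carries a timestamp and an integrity tag, and entries are chained so that edits, deletions and reordering of history are detectable. The key, patient identifier, author names and clinical content are all constructed for the example. An HMAC over a shared key stands in for a digital signature (the Python standard library has no asymmetric primitives); a real deployment would use a per-author private signing key so that authorship, not just integrity, can be verified.

```python
"""Added example: tamper-evident electronic medical record entries.

Each entry is stored with a timestamp, the tag of the preceding entry and its
own integrity tag, forming a hash chain over the record history. HMAC-SHA256
is used here as a stand-in for a digital signature; the structure is the same.
"""
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed key for the example only. In production this would be a private
# signing key held in an HSM or key manager, never a literal in source code.
INTEGRITY_KEY = b"example-key-do-not-use-in-production"
GENESIS = "0" * 64  # prev_tag value for the first entry in a record


def _canonical(entry: dict) -> bytes:
    # Canonical JSON so identical content always yields identical bytes to tag.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def _tag(body: dict) -> str:
    return hmac.new(INTEGRITY_KEY, _canonical(body), hashlib.sha256).hexdigest()


def append_entry(chain: List[dict], patient_id: str, author: str, content: dict,
                 timestamp: Optional[str] = None) -> dict:
    """Append an entry bound to the previous entry's tag; returns the new entry."""
    body = {
        "seq": len(chain),
        "patient_id": patient_id,
        "author": author,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "content": content,
        "prev_tag": chain[-1]["tag"] if chain else GENESIS,
    }
    entry = dict(body, tag=_tag(body))
    chain.append(entry)
    return entry


def verify_chain(chain: List[dict],
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, index of the first bad entry).

    Detects edited content or timestamps (tag mismatch), deleted or reordered
    entries (seq/prev_tag mismatch). Truncation of the *tail* is only detected
    when the caller supplies the last tag it recorded out of band (expected_head).
    """
    prev_tag = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "tag"}
        if body.get("seq") != i or body.get("prev_tag") != prev_tag:
            return False, i
        if not hmac.compare_digest(_tag(body), entry.get("tag", "")):
            return False, i
        prev_tag = entry["tag"]
    if expected_head is not None and not hmac.compare_digest(prev_tag, expected_head):
        return False, len(chain)  # chain is internally consistent but has lost its tail
    return True, None


def build_sample_chain() -> List[dict]:
    """Constructed sample record history for the example (not real patient data)."""
    chain: List[dict] = []
    append_entry(chain, "MRN-0001", "dr.lee", {"problem": "hypertension"},
                 "2024-01-01T10:00:00+00:00")
    append_entry(chain, "MRN-0001", "rn.park", {"medication": "lisinopril 10 mg daily"},
                 "2024-01-01T10:05:00+00:00")
    append_entry(chain, "MRN-0001", "dr.lee", {"lab": "potassium 4.1 mmol/L"},
                 "2024-01-02T08:00:00+00:00")
    return chain


def with_edited_content(chain: List[dict], index: int, field: str, value) -> List[dict]:
    """Copy of the chain with one entry's content silently altered (simulated tampering)."""
    altered = copy.deepcopy(chain)
    altered[index]["content"][field] = value
    return altered


def with_entry_removed(chain: List[dict], index: int) -> List[dict]:
    """Copy of the chain with one entry deleted (simulated tampering)."""
    altered = copy.deepcopy(chain)
    del altered[index]
    return altered


if __name__ == "__main__":
    chain = build_sample_chain()
    head = chain[-1]["tag"]
    print("intact:", verify_chain(chain))
    print("dose changed:", verify_chain(with_edited_content(chain, 1, "medication", "lisinopril 40 mg daily")))
    print("middle entry deleted:", verify_chain(with_entry_removed(chain, 1)))
    print("last entry deleted, no anchor:", verify_chain(with_entry_removed(chain, 2)))
    print("last entry deleted, anchored:", verify_chain(with_entry_removed(chain, 2), expected_head=head))
```

The last two calls are the caveat worth raising when a site answers "yes" to D2: a chain or signature scheme detects alteration of what is present, but dropping the most recent entries leaves a perfectly valid shorter history unless the latest tag is anchored somewhere the record system cannot silently rewrite (a countersigned timestamp, a write-once log, or a periodically published digest). The timestamp in each entry is only as trustworthy as the clock and the signer that produced it; an internal attacker who holds the key can backdate entries, which is why D1 also asks about non-technical means.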
E1) What types of uses are made of the electronic patient record? E2) How does medical information flow through the organization for 1) routine medical purposes (e.g., emergency room visits, outpatient visits, inpatient stays); and 2) non-routine purposes (e.g., special treatment of data for particular classes of individuals, such as celebrities or criminals)?
F1) How do you respond to unusual requests for information: research projects, subpoenas, etc.? F2) How do you handle requests arriving via telephone?
A1) What do you perceive to be the threats to the system, both internal and external? A2) Are current users aware of the potential threats?
B1) What internal and external threats is your system designed to protect against? B2) Did you perform a formal threat analysis?
C1) What are the vulnerabilities of the current system? C2) What threats have not been adequately addressed? C3) What types of problems have you experienced to date: hackers, system crashes, etc.?
D1) What types of security threats have arisen to date? D2) How well does/did the system handle these threats? D3) What has been learned from such experiences?
A. General Issues
1a) What general types of physical security and security technol-