AMC survey
The results below are from a survey of six AMCs (academic medical centers) conducted in February/March 2011 by Dave Kirby (Dave@KirbyIMC.com) and John Parmigiani (jcparmigiani@comcast.net).
The purpose was to assess factors related to the information security program at each institution in a way that allows comparison across institutions and against various standards (e.g. HIPAA).
The survey is a self-report, completed in an interview with the surveyors listed above.
If you would like to take the survey yourself, please contact one of the surveyors above and we will help you do so.
If you would like to contact one of the AMCs that was surveyed, contact one of the surveyors above; we will help you do so.

Columns in the source spreadsheet on these pages: the survey item, then Rating/Selection and Comment(s) for AMC#1, AMC#2 and AMC#3, and Rating/Selection for AMC#4. Columns for the other surveyed AMCs are not on these pages.
AMC Security Practices Survey 2011 (v 2/3/2011)
De-identified Survey Results and Analysis (v 4/12/2011)

Institutional Profile Section

Choose the appropriate lettered selection or enter the requested value.

1. Interviewees' roles in the institution
a) Information Security Officer
b) Privacy Officer
c) Senior administrator with significant security/privacy role
d) Risk Management
e) Internal Audit
f) Other (make a note of others involved in the interview and their roles)
   AMC#1: a  (comment: Med School and hospital is scope)
   AMC#2: c
   AMC#3: a
   AMC#4: a

2. Number of employees plus faculty at your AMC (use your covered-entity boundaries as a guide)
a) 100-1000
b) 1000-10000
c) 10000-20000
d) 20000+ (make a note of your estimate)
   AMC#1: c  (comment: AMC is affiliated with several other major hospitals in the region and overseas)
   AMC#2: b
   AMC#3: b
   AMC#4: b
3. Number of patient visits per year in your clinical facilities (inpatient and outpatient)
a) 10,000-50,000
b) 50,000-200,000
c) 200,000-400,000
d) 500,000-800,000
e) 800,000+ (make a note of your estimate)
   AMC#1: e
   AMC#2: unk
   AMC#3: a
   AMC#4: e
4. Number of sites for your AMC (of any size):
a) 1-5
b) 5-10
c) 10-30
d) 50-100
e) 100+ (comment on the approximate number)
   AMC#1: d
   AMC#2: b
   AMC#3: a
   AMC#4: d
5. Number of sites with >50 employees:
a) 1-5
b) 5-10
c) 10-30
d) 50-100
e) 100+ (make a note on the approximate number)
   AMC#1: b
   AMC#2: b
   AMC#3: b
   AMC#4: c
6. Number of all AMC faculty members
a) 50-100
b) 100-200
c) 300-500
d) 500-900
e) 1000+ (make a note of your estimate)
   AMC#1: e  (comment: 2500 on one campus; 2500 on another campus)
   AMC#2: N  (comment: 25% or more of their time)
   AMC#3: c
   AMC#4: e

7. Key staff: please provide data for each lettered area below.
a) Approximate number of employees with IS as job role
   AMC#1: 650  (comment: central IT in hosp 500, med schools central 200; dept 50)
   AMC#2: 180
   AMC#3: 90
   AMC#4: 350

f4f680ed-94e0-497c-ba13-f8d7089aa8c2.xls   2 of 57   9/8/2012
b) Approximate number of FTEs* with security as their primary job role
   AMC#1: 10
   AMC#2: 2  (comment: policy, auditing (primarily applications), and education)
   AMC#3: 40
   AMC#4: 4
c) Approximate number of FTEs* with security as a secondary job role
   AMC#1: 40
   AMC#2: 40
   AMC#3: 50
   AMC#4: 3.25
d) Approximate percentage of time that a typical system admin spends on security-related duties
   AMC#1: 20%  (comment: a guess)
   AMC#2: 20%  (comment: varies by applications and periodic requirements)
   AMC#3: 5%
   AMC#4: 5
e) Approximate number of system admins
   AMC#1: 70
   AMC#2: 24
   AMC#3: (no value recorded)
   AMC#4: 20
f) Approximate number of employees with IS roles who are in the central IT department (as opposed to at the department/college/site level)
   AMC#1: 600
   AMC#2: 4  (comment: 2 on clinical side / 2 on academic side)
   AMC#3: 40  (comment: 30 people reporting to ISO (28 are contractors))
   AMC#4: 250
g) Approximate percentage of FTEs with IS roles who are contractors (as opposed to employees)
   AMC#1: 5  (comment: 50 contractors)
   AMC#2: 5
   AMC#3: 75  (comment: most are contractors/heavily)
   AMC#4: 20
h) Approximate FTEs that focus on oversight of the security program
   AMC#1: 10
   AMC#2: 2  (comment: some time spent by CIO/ISO)
   AMC#3: 11  (comment: managers/HIPAA Advisory Council - incl. 11 members)
   AMC#4: 1.25
i) Approximate FTEs that focus on operations of the security program
   AMC#1: 20
   AMC#2: 2  (comment: some time spent by CIO/ISO; may be a)
   AMC#3: 35
   AMC#4: 2.8
j) Approximate FTEs that have been added, or that you anticipate adding, to your AMC primarily to support HITECH's security impact on your AMC
   AMC#1: 4
   AMC#2: 0
   AMC#3: 4  (comment: added a Privacy Assurance Team)
   AMC#4: 5

8. Hardware infrastructure profile
a) Approximate number of fixed workstations routinely attached to your AMC-internal network
   AMC#1: 10000  (comment: a guess 8000-9000)
   AMC#2: 10,000  (comment: 8,000 managed; 2,000 unmanaged)
   AMC#3: 6,000
   AMC#4: 25000
b) Approximate percentage of these fixed workstations whose security configurations are managed by approved IT personnel
   AMC#1: 75  (comment: 90% for hosp; 60% for univ (3000 ws))
   AMC#2: 1
   AMC#3: 85  (comment: vast majority managed by IT (clinical side -)
   AMC#4: 56
c) Approximate number of mobile devices routinely attached to your AMC-internal network
   AMC#1: 2000 or more
   AMC#2: 1,000  (comment: state-wide operations need connectivity)
   AMC#3: 1,500
   AMC#4: 9000
d) Approximate percentage of these mobile devices whose security configurations are managed by approved IT personnel
   AMC#1: 15  (comment: just blackberries)
   AMC#2: N
   AMC#3: 67  (comment: encrypted, remote-wipeable (67%))
   AMC#4: 66
e) Approximate number of servers routinely attached to your AMC-internal network
   AMC#1: 1000
   AMC#2: 800  (comment: 700 Windows / 100 Non-Windows)
   AMC#3: 1100
   AMC#4: 650
f) Approximate percentage of these servers whose security configurations are managed by approved IT personnel
   AMC#1: 85
   AMC#2: 100
   AMC#3: 99
   AMC#4: 95

g) Approximate percentage of these servers whose security configurations are part of standardized builds
   AMC#1: 80
   AMC#2: N
   AMC#3: 100  (comment: all start out as standardized builds but)
   AMC#4: 95

9. List any other characteristics about your AMC that you think are relevant to your security program's design and may be different than most AMCs.
   AMC#1: a  (comment: medical devices - significant number; 700; FDA issues; single purpose;)
   AMC#2: a
   AMC#3: a  (comment: heavily outsourced; CIO responsible for Strategy and Policy; contractor)
   AMC#4: a

Security Section
For Likert-scale items choose:
5 - strongly agree
4 - mostly agree
3 - neither agree nor disagree
2 - mostly disagree
1 - strongly disagree
N - other/don't understand

For other items, provide the value requested.

1. Tell us about your current accountability process for security measures.

a. You have an executive whom senior management deems accountable for security.
   AMC#1: 4
   AMC#2: 5
   AMC#3: 5
   AMC#4: 4
b. You have an Information Security Officer who is empowered to lead, and is accountable for, the development, implementation, and operation of security measures.
   AMC#1: 5
   AMC#2: 5  (comment: CIO for 20+ years)
   AMC#3: 5
   AMC#4: 4
c. You have a set of written and approved policies that meets the requirements of the HIPAA Security Regulation.
   AMC#1: 5
   AMC#2: 4  (comment: 24-25 HIPAA policies, but need to be reviewed)
   AMC#3: 5
   AMC#4: 5
d. There are adequate staffing and other resources available for the security mission.
   AMC#1: 3
   AMC#2: 4
   AMC#3: 5
   AMC#4: 2
e. Your organization's overall culture is moving to (or is at) a point that is supportive of the types of measures that HIPAA will require.
   AMC#1: 4
   AMC#2: 4
   AMC#3: 5
   AMC#4: 4
f. You routinely consider security issues at the optimal time in the process of acquiring and implementing systems.
   AMC#1: 3
   AMC#2: 4
   AMC#3: 5
   AMC#4: 2
g. Your Information Security Officer is responsible for security in the educational, research, and healthcare functions in your AMC.
   AMC#1: 4  (comment: as relates to PHI; he reports to CIO of both orgs; to CEO on hosp; through SVP)
   AMC#2: 5
   AMC#3: 5  (comment: annual training; departmental rounding; tip-of-the-month; updates)
   AMC#4: 5
h. The number of FTEs who directly report to your ISO.
   AMC#1: 9
   AMC#2: 2  (comment: plus one, Dir.)
   AMC#3: 5  (comment: 30 fte)
   AMC#4: 0
i. You designate staff who report to sub-units (e.g. departments) to carry out some security functions in the sub-unit. Note the approximate number of these staff.
   AMC#1: 1  (comment: their admin is in their depts)
   AMC#2: 5  (comment: work w/ 30)
   AMC#3: 2  (comment: academic side as enterprise-wide policies but some)
   AMC#4: 3
j. You use direct or dotted-line reporting structures in audit, compliance, legal, etc. to support security needs.
   AMC#1: 4
   AMC#2: 5  (comment: audit, compliance, legal, and)
   AMC#3: 5  (comment: extensive linkages, especially in incident reporting, HIPAA/PCI/CMIA/SAS-)
   AMC#4: 1

[The next item is cut off in this extract; only the start of its AMC#1 comment, "risk analysis", is present.]
                                                                                                                        is where they                                                                                              70 -
k. Your policy structure for all security-related needs is integrated (e.g. one set that                                all come                                                                                                   responsibility
covers HIPAA, FERPA, 21 CFR part 11, 42 CFR part 2, FISMA, PCI)                                                       3 together                                           4                                                     5 of ISO; ISO                                       3


                                                                                                                           reports to
                                                                                                                           two sides of
                                                                                                                           org
l.   Other                                                                                 a                               separately;




f4f680ed-94e0-497c-ba13-f8d7089aa8c2.xls                                                   4 of 57                                                                                                                                                                                        9/8/2012
 AMC Security Practices Survey 2011 v 2/3/2011

De-identified Survey Results and Analysis - v 4/12/2011
2. Tell us about how you keep up with your systems.

a. You have a high-level system inventory that lists every system in the AMC and (at minimum) who manages it.
    AMC#1: 4 (one entry point on hosp side; many entries on MS side)
    AMC#2: 4
    AMC#3: 5
    AMC#4: 4

b. You update your system inventory via a process that keeps up with the arrival and departure of systems as it happens.
    AMC#1: 4 (capture on hosp side;)
    AMC#2: 5 (very deliberate process with greater granularity)
    AMC#3: 5 (at applications-level at a PMO process)
    AMC#4: 3

c. You update your inventory via a periodic survey process.
    AMC#1: 4 (survey annually)
    AMC#2: 5
    AMC#3: 5 (real-time - application have business sponsor, acquisition process)
    AMC#4: 2

d. All major systems are under control of the central IT department.
    AMC#1: 4
    AMC#2: 4
    AMC#3: 5
    AMC#4: 4

e. Other

3. Among your systems containing ePHI, list the top 10 information systems and their primary function (e.g. System: IDX  Usage: Registration for the entire AMC).

System

AMC#1:
    Siemens - Reg Bill - Eagle
    Eclipsys
    IDX (Univ side)
    Allscripts - touchworks
    Cerner labs
    GE radiology (Imagecast); PACS
    Streamline (EMR)
    Cerner - pharms
    inhouse - results review
    Amalgam - Microsoft

AMC#2:
    CIS (Clinical Information Services) - EMR system to be replaced by EPIC
    IDX - Web - patient scheduling software/application
    PREMISE - patient/bed placement
    BAR - Billing and Accounts Receivable Management
    DMF - Denial Management System - general claims handling application
    HPA - financial database
    Centricity - Diagnostic Image Management Tool
    McKesson AcuDose - pharmaceutical management
    Vascubase - vascular surgery management
    PeopleSoft - HR/personnel mgt.
    Patient On Line - self-management by patient

AMC#3:
    EPIC - EMR in adult hospital
    Cerner - EMR in children's hospital
    STRIDE - translational research in School of Medicine
    RIS - Radiology
    GE PACS - Radiology Imaging
    MISIS - Lab
    Varian - Radiation Oncology
    Spheris - Dictation

AMC#4: (no systems listed)

4. For these top 10 systems as a group, tell us about your current and anticipated ways in which you audit your security practices.

a. You have a routine process in which the level of practice of security measures by managers, technical administrators, and users is assessed.
    AMC#1: 3
    AMC#2: 4
    AMC#3: 5 (vulnerability management / access control)
    AMC#4: 3

b. You have a routine process in which the assessment information is reviewed by middle and senior management.
    AMC#1: 3
    AMC#2: 4 (series of governance bodies that deal with information security and privacy)
    AMC#3: 5 (depending on the severity is examined for tactical and strategic action)
    AMC#4: 2

c. You have a routine process in which negative deviations of practice from policy stimulate corrective measures.
    AMC#1: 4
    AMC#2: 4
    AMC#3: 5
    AMC#4: 2

d. You routinely write and keep audit logs of security-related system events.
    AMC#1: 4
    AMC#2: 3 (needs to be reviewed)
    AMC#3: 5
    AMC#4: 4

e. You periodically review audit logs for attempts to breach your security policies.
    AMC#1: 4
    AMC#2: 2.5 (unk)
    AMC#3: 5
    AMC#4: 2

f. You audit read access to protected health information looking for inappropriate use of authorized privileges by electronic system users when concern is focused on the access activities of a particular individual (i.e. for cause).
    AMC#1: 4
    AMC#2: 2.5 (unk)
    AMC#3: 5 (set of business rules in place to access inappropriate use and unauthorized accesses)
    AMC#4: 5

g. You audit read access to protected health information looking for inappropriate use of authorized privileges by electronic system users by doing random audits of access.
    AMC#1: 1
    AMC#2: 2.5 (unk)
    AMC#3: 5 (both things for cause and observed anomalies)
    AMC#4: 2

h. You have a routine report for middle and senior management of security metrics (e.g. number of security incidents, number of contingency plans tested) that describes activities and status in the security area.
    AMC#1: 4
    AMC#2: 2.5 (unk)
    AMC#3: 5 (security metrics are part of an overall IT dashboard)
    AMC#4: 3

i. You monitor activities related to security with your business associates to ensure that they are protecting information to your corporate standards.
    AMC#1: 2
    AMC#2: 2.5 (unk)
    AMC#3: 5 (all BA access goes through enterprise access risk [comment continues past the end of this page])
    AMC#4: (rating not shown on this page)
                                                                                                                                                                                                                                     annual                                          1
                                                                                                                                                                                                                                   assessment;
                                                                                                                                                                                                                                   technical
j.   You have a formal process to periodically evaluate your security program.                                      3                                                    3                        4                              5 vulnerability                                     4
                                                                                                                        strong in
                                                                                                                        authenticatio
k. Other                                                                                 a                              n; central

5. Considering your other (i.e. non- top 10) information systems, tell us about
your current ways in which you audit your security practices?
                                                                                                                      starting doing                                                                                               routine
                                                                                                                      more this                                                                                                    processes
a. You have a routine process in which the level of practice of security measures by                                  year;                                                                                                        apply across
managers, technical administrators, and users is assessed.                                                          2 HITECH                                            2.5 unk                                                  5 all systems;                                      2
b. You have a routine process in which the assessment information is reviewed by
middle and senior management.                                                                                       2                                                   2.5 unk                                                  5                                                   1
c. You have a routine process in which negative deviations of practice from policy
stimulate corrective measures.                                                                                      2                                                   2.5 unk                                                  5                                                   1
| Question | AMC#1 rating | AMC#1 comment(s) | AMC#2 rating | AMC#2 comment(s) | AMC#3 rating | AMC#3 comment(s) | AMC#4 rating |
|---|---|---|---|---|---|---|---|
| d. You routinely write and keep logs of security-related system events. | 3 | | 2.5 unk | | 5 | | 3 |
| e. You periodically review audit logs for attempts to breach your security policies. | 2 | | 2.5 unk | | 5 | | 1 |
| f. You audit read access to protected health information looking for inappropriate use of authorized privileges by electronic system users when concern is focused on the access activities of a particular individual (i.e. for cause). | 2 | | 2.5 unk | | 5 | | 4 |
| g. You audit read access to protected health information looking for inappropriate use of authorized privileges by electronic system users by doing random audits of access. | 2 | | 2.5 unk | | 5 | | 1 |
| h. You have a routine report for middle and senior management of security metrics (e.g. number of security incidents, number of contingency plans tested) that describes activities and status in the security area. | 2 | | 2.5 unk | | 5 | | 2 |
| i. You monitor activities related to security with your business associates to ensure that they are protecting information to your corporate standards. | 1 | | 2.5 unk | | 5 | | 1 |
| j. You have a formal process to periodically evaluate your security program. | 4 | | 2.5 unk | | 5 | | 3 |
| k. Other | a | will do much more on this, this year. | | | | | |

6. Tell us about your formal written requirements for security processes (e.g. computer operations).

| Question | AMC#1 rating | AMC#1 comment(s) | AMC#2 rating | AMC#2 comment(s) | AMC#3 rating | AMC#3 comment(s) | AMC#4 rating |
|---|---|---|---|---|---|---|---|
| a. You have an enforced requirement that systems have a formal documented security plan or design. | 4 | not for small ones enforced; | 2.5 unk | | 5 | formal design process is | 2 |
| b. You have a process in which the security plans are reviewed by an appropriate party (e.g. the ISO) for compliance with corporate standards. | 2 | | 2.5 unk | | 5 | | 2 |
| c. You have an enforced requirement that security plans be implemented prior to the introduction of PHI to the system. | 2 | | 2.5 unk | | 5 | | 4 |
| d. You have an enforced requirement that security practices (e.g. log checking, backup process) be logged in a way that bolsters accountability for the use of these practices. | 3 | | 2.5 unk | | 5 | focus on restore rather than backup; HIPAA and | 3 |
| e. You have detailed technical standards for security that are used in forming security plans for each system. | 4 | | 4 | needs to be checked | 5 | list of technical | 2 |
| f. You have a formal process for the review and signoff of contracts to ensure the presence of appropriate terms related to security. | 3 | | 4 | needs to be checked | 5 | IT Contracts Team review and bring in | 3 |
| g. Other | a | requirements not met; | | | | | |

7. Tell us about the measures that you take to manage system availability.

| Question | AMC#1 rating | AMC#1 comment(s) | AMC#2 rating | AMC#2 comment(s) | AMC#3 rating | AMC#3 comment(s) | AMC#4 rating |
|---|---|---|---|---|---|---|---|
| a. You have a formal process that requires each system to have a written contingency plan. | 4 | | 3 | | 5 | part of onboarding process, adding relevant security | 5 |
| b. You classify systems based on their criticality and apply different risk management processes based on these classifications. Please also list your classification model (e.g. “high, medium, low” or “institutional, departmental, individual”) as a comment. | 2 | | 3 | | 5 | | 5 |
| c. Your most critical systems have effective contingency plans. | 4 | | 5 | need greater refinement and precision | 5 | full off-site DR annually; SunGard cold site; two live data | 4 |
| d. You have a monitored process by which you test and revise your contingency plans. | 4 | | 3 | | 5 | | 4 |
| e. Other | a | need to catch down before users see it; | | | | | |

8. Tell us about your risk analysis processes.

| Question | AMC#1 rating | AMC#1 comment(s) | AMC#2 rating | AMC#2 comment(s) | AMC#3 rating | AMC#3 comment(s) | AMC#4 rating |
|---|---|---|---|---|---|---|---|
| a. You have a formal risk analysis that you apply to every system. | 4 | | 4 | | 5 | | 4 |
| b. You have a formal risk analysis process that you apply to the AMC overall. | 3 | | 5 | | 5 | enterprise-wide risk analysis | 4 |
| c. You have a formal risk analysis process that you apply to at least the most important systems. | 4 | | 5 | | 1 | do on all systems | 5 |
| Question | AMC#1 rating | AMC#1 comment(s) | AMC#2 rating | AMC#2 comment(s) | AMC#3 rating | AMC#3 comment(s) | AMC#4 rating |
|---|---|---|---|---|---|---|---|
| d. Other | a | HITrust analysis; just started; more | | | | | |

9. Tell us about your approach to business associates.

| Question | AMC#1 rating | AMC#1 comment(s) | AMC#2 rating | AMC#2 comment(s) | AMC#3 rating | AMC#3 comment(s) | AMC#4 rating |
|---|---|---|---|---|---|---|---|
| a. You have a program that assures that your BAs have contracts with the required language from the Security Rule and stipulates that they apply the same compliance constraints to their subcontractors. | 4 | | 5 | | 5 | BAA were updated in accordance with the Breach | 5 |
| b. You have a program that uses measures beyond contract terms to assure that BAs report their security incidents to you. | 1 | | 3 | | 5 | because of state requirements | 1 |
| c. You have a program that uses measures beyond contract terms to assure that the safeguards of the BAs are in place. | 1 | | 2.5 unk | | 5 | | 1 |
| d. You have an active program to reform your BA agreements to meet HITECH requirements and changed risk sharing needs. | 3 | | 2.5 unk | | 5 | | 1 |
| e. You are waiting for the final rule to start a program to reform your BA agreements to meet HITECH requirements and changed risk sharing needs. | 3 | | 2.5 unk | | 1 | | 5 |
| f. As a BA yourself, you are reforming or plan to reform your BA agreements to meet HITECH requirements and changed risk sharing needs. | 3 | | 2.5 unk | | 3 | N | 1 |
| g. Other | | | | | | | |

10. Tell us how you handle ePHI in email.

| Question | AMC#1 rating | AMC#1 comment(s) | AMC#2 rating | AMC#2 comment(s) | AMC#3 rating | AMC#3 comment(s) | AMC#4 rating |
|---|---|---|---|---|---|---|---|
| a. Your policies do not permit ePHI to be sent unencrypted in email beyond the institution. | 5 | | 2.5 unk | | 5 | | 5 |
| b. You have a policy that administratively requires senders to use encryption in email with ePHI. | 5 | | 2.5 unk | | 5 | | 5 |
| c. You have provided a mechanism that supports encrypting of email with ePHI. | 3 | not integrated | 3 | use PGP | 5 | | 5 |
| d. You have provided a mechanism that technically enforces the encrypting of email with ePHI. | 2 | has just put Data Leakage Prevention tool in. | 2.5 unk | | 5 | Ironport | 2 |
| e. Other | | | | | | | |

11. Tell us about your security incident handling program.

| Question | AMC#1 rating | AMC#1 comment(s) | AMC#2 rating | AMC#2 comment(s) | AMC#3 rating | AMC#3 comment(s) | AMC#4 rating |
|---|---|---|---|---|---|---|---|
| a. You have an effective incident reporting/detection process. | 4 | | 3 | detection could use improving | 5 | | 3 |
| b. You have an effective incident response process. | 3 | | 5 | | 5 | Response team/ security-on- | 3 |
| c. You have a formally composed CIRT (Computer Incident Response Team). | 3 | | 5 | | 5 | | 3 |
| d. You maintain central records of reported incidents and their resolution. | 4 | | 5 | | 5 | looking for lessons learned | 4 |
| e. You examine incident records to find potentials for systemic improvements. | 4 | | 4 | | 5 | bi-monthly meetings are held | 2 |
| f. Other | a | incidents are major drivers of control changes. | | | | | |

12. Tell us about these key aspects of your institution’s security processes:

| Question | AMC#1 rating | AMC#1 comment(s) | AMC#2 rating | AMC#2 comment(s) | AMC#3 rating | AMC#3 comment(s) | AMC#4 rating |
|---|---|---|---|---|---|---|---|
| a. You have a practice of having strong passwords. | 4 | | 5 | | 5 | | 3 |
| b. You have a practice of changing passwords periodically. | 4 | | 5 | every 180 days | 5 | every 90 days; some have a one- | 2 |
| c. You have a culture of accountability for security. | 4 | | 4 | | 5 | | 3 |
f4f680ed-94e0-497c-ba13-f8d7089aa8c2.xls                                             9 of 57                                                                                                                                                                                     9/8/2012
AMC Security Practices Survey 2011 v 2/3/2011
De-identified Survey Results and Analysis - v 4/12/2011

d. You have a well configured border firewall (managing inside and outside).
   AMC#1: 5 | AMC#2: 4 | AMC#3: 5 (border and interior; enterprise-) | AMC#4: 4
e. You monitor your internal network for intrusions.
   AMC#1: 5 | AMC#2: 5 | AMC#3: 5 | AMC#4: 3
f. You authenticate access to your wireless network.
   AMC#1: 5 | AMC#2: 4 | AMC#3: 5 | AMC#4: 4
g. You have a widely-deployed virus protection scheme.
   AMC#1: 4 | AMC#2: 5 | AMC#3: 5 (Symantec enterprise-wide) | AMC#4: 4
h. You have a practice of having timely backups.
   AMC#1: 4 | AMC#2: 5 | AMC#3: 5 (one person full-time oversight) | AMC#4: 5
i. You have a program of routine penetration testing for servers and other key devices.
   AMC#1: 4 | AMC#2: 2.5 (unk) | AMC#3: 5 (active penetration testing for) | AMC#4: 2
j. You have a strong sanction policy for staff/faculty and visibly enforce it.
   AMC#1: 3 | AMC#2: 4 | AMC#3: 5 (managed by Privacy) | AMC#4: 4
k. You promptly terminate access for employees and contractors who leave employment.
   AMC#1: 4 | AMC#2: 4 | AMC#3: 5 (coordinated from Lawson System; audits and tools to) | AMC#4: 4
l. You have a program that ensures that ePHI is erased from devices that are being disposed of.
   AMC#1: 4 | AMC#2: 5 | AMC#3: 5 (erasure standards - responsibility of inventory staff who) | AMC#4: 4
m. You have a program that encourages or requires the use of encryption for data at rest.
   AMC#1: 3 (workstations doesn't help if constantly in use; helps on mobile) | AMC#2: 5 (whole disk; blowfish for flash drives) | AMC#3: 5 | AMC#4: 4
n. Your security standards/policies apply to all three major AMC functional areas (education, research, and healthcare).
   AMC#1: 5 | AMC#2: 3 (education is managed separately) | AMC#3: 5 | AMC#4: 4
o. Other




13. For each security measure below, give your level of agreement as to whether your institution has widely implemented the measure:
a. You use biometric identifier systems widely.
   AMC#1: 1 | AMC#2: 1 | AMC#3: 1 | AMC#4: 2
b. You use PKI for authenticating users widely.
   AMC#1: 1 | AMC#2: 1 | AMC#3: 1 | AMC#4: 1
c. You use software (e.g. scripts or commercial products) widely to do an initial review of logs looking for security events.
   AMC#1: 3 | AMC#2: 3 (N) | AMC#3: 5 | AMC#4: 1
d. You strictly limit the use of other users' sessions at shared workstations.
   AMC#1: 3 | AMC#2: 4 | AMC#3: 5 (shared workstations autolog into EPIC prompt, then) | AMC#4: 4
e. You widely use the technical capability to provide more granularity in authorizing access to information (e.g. limiting physicians to access to their patients as opposed to granting access to all patients).
   AMC#1: 2 (example is 1; rest at 3) | AMC#2: 5 (EPIC will have even greater granularity) | AMC#3: 5 (decision tree owned by Informatics/EPIC systems;) | AMC#4: 2




f. You widely use a mechanism (e.g. website, gateway) to assure that protected health information transmitted outside the corporate network is encrypted.
   AMC#1: 3 | AMC#2: 4 (Citrix provides for that) | AMC#3: 5 | AMC#4: 4
g. You make available to each patient a summary log of authorized users who have accessed that patient's ePHI (e.g. through a patient portal website, or call center).
   AMC#1: 1 | AMC#2: 4 (on request) | AMC#3: 5 | AMC#4: 1
h. You require the up-to-date use of anti-virus software.
   AMC#1: 4 | AMC#2: 5 | AMC#3: 5 | AMC#4: 4
i. You require the up-to-date use of security patches.
   AMC#1: 4 (except med devices) | AMC#2: 5 | AMC#3: 5 | AMC#4: 4
j. You use encryption for data in flight within the AMC network.
   AMC#1: 2 | AMC#2: 3 (yes, when using Citrix) | AMC#3: 5 | AMC#4: 1
k. You use encryption for data at rest (e.g. in databases, backup tapes) within the AMC network.
   AMC#1: 2 (backup tapes yes; others depends) | AMC#2: 5 | AMC#3: 4 (not every server internally) | AMC#4: 1
l. You require full-device encryption for storage on laptops.
   AMC#1: 4 | AMC#2: 5 | AMC#3: 5 (McAfee) | AMC#4: 4
m. You disable autorun/autoplay on devices that mount storage (e.g. USB slots, CD/DVD drives).
   AMC#1: 4 | AMC#2: 5 | AMC#3: 5 (also, getting a CD/DVD drive requires an exception) | AMC#4: 2
n. User accounts are reviewed and re-authorized at least annually.
   AMC#1: 3 | AMC#2: 5 (continuous event-based, not time-based) | AMC#3: 5 | AMC#4: 2
o. You limit the use of admin rights for users of workstations.
   AMC#1: 4 | AMC#2: 5 | AMC#3: 5 | AMC#4: 4
p. You operate a central access log aggregation and reporting system.
   AMC#1: 5 | AMC#2: 2.5 (unk) | AMC#3: 5 | AMC#4: 1
q. Your first-level log review process is significantly automated (e.g. using filters, including data from other sources (e.g. HR)).
   AMC#1: 5 | AMC#2: 2.5 (unk) | AMC#3: 5 | AMC#4: 1
r. Automated reports based on access log anomalies are routinely received by and acted on by a central group.
   AMC#1: 5 | AMC#2: 2.5 (unk) | AMC#3: 5 | AMC#4: 1
s. Automated reports based on access log anomalies are routinely received by and acted on by staff in sub-units of the AMC.
   AMC#1: 4 | AMC#2: 2.5 (unk) | AMC#3: 5 | AMC#4: 1
t. You routinely perform technical vulnerability scans.
   AMC#1: 5 | AMC#2: 2.5 (unk) | AMC#3: 5 | AMC#4: 3
u. You use two-factor or one-time password mechanisms for higher-risk account access.
   AMC#1: 1 | AMC#2: 2.5 (unk) | AMC#3: 5 (for remote access (user id and) | AMC#4: 1
v. You restrict access to social networks by staff onsite.
   AMC#1: 2 (some proxy servers) | AMC#2: 3 (depends on where and what) | AMC#3: 4 (Websense and have policy) | AMC#4: 2
w. You have a separate wireless network for FDA-approved medical devices that use a network in the facility.
   AMC#1: 4 | AMC#2: 5 | AMC#3: 5 | AMC#4: 1
x. Other
   AMC#1 selection: a (identity management)
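Items 13c, 13e, 13g and 13p-s above ask about automated first-level log review, anomaly reports that a central group or sub-unit acts on, minimum-necessary access granularity and a patient-facing summary of authorized accesses, but the survey does not show how those pieces fit together. The Python below is an added example of that fit; it is not from the survey or from any surveyed AMC. Its log format, care-team table, HR feed, user and patient identifiers and thresholds are constructed assumptions for illustration only.

```python
"""Added example (not from the survey or any surveyed AMC): automated
first-level review of an EHR access log (items 13c, 13p-s), using a
care-team table for access granularity (13e) and an HR feed as the
"other source" of 13q, plus the per-patient access summary of 13g.
Log format, tables, names and thresholds are constructed assumptions."""
from collections import defaultdict
from datetime import date, datetime

# Constructed sample log, one event per line:
# timestamp|user id|role|patient id|action
ACCESS_LOG = """\
2011-02-14T08:02:11|jsmith|physician|P1001|view_chart
2011-02-14T08:05:40|jsmith|physician|P1002|view_chart
2011-02-14T09:15:02|rjones|nurse|P1001|view_meds
2011-02-14T11:40:19|kwong|clerk|P1003|view_demographics
2011-02-14T12:01:55|kwong|clerk|P1001|view_chart
2011-02-15T07:30:00|dpatel|physician|P1002|view_chart
2011-02-15T13:22:47|rjones|nurse|P1002|view_chart
"""

# Constructed care-team table: patient -> users with a treatment relationship
# (the granularity of item 13e: a physician sees her own patients, not all).
CARE_TEAM = {
    "P1001": {"jsmith", "rjones"},
    "P1002": {"jsmith", "dpatel"},
    "P1003": {"kwong"},
}

# Constructed HR feed (the "data from other sources" of item 13q):
# user -> last day of employment.
HR_LAST_DAY = {"dpatel": date(2011, 2, 14)}


def parse_log(text):
    """Parse the pipe-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def first_level_review(events, care_team=CARE_TEAM, last_day=HR_LAST_DAY):
    """Return (rule, event_index) pairs for a central group to act on.

    Rule 1: access by a user with no treatment relationship to the patient.
    Rule 2: access dated after the user's last day per the HR feed (item 12k).
    """
    findings = []
    for i, ev in enumerate(events):
        if ev["user"] not in care_team.get(ev["patient"], set()):
            findings.append(("no_treatment_relationship", i))
        cutoff = last_day.get(ev["user"])
        if cutoff is not None and ev["ts"].date() > cutoff:
            findings.append(("access_after_termination", i))
    return findings


def volume_review(events, max_patients_per_day):
    """Rule 3: users touching more distinct patients in a day than expected.

    Returns {(user, day): distinct_patient_count} for offenders only.
    """
    seen = defaultdict(set)
    for ev in events:
        seen[(ev["user"], ev["ts"].date())].add(ev["patient"])
    return {k: len(v) for k, v in seen.items() if len(v) > max_patients_per_day}


def patient_access_summary(events, patient, findings):
    """Item 13g: the accesses a patient may be shown, excluding flagged ones
    (those go to the privacy office rather than to the patient portal)."""
    flagged = {i for _, i in findings}
    return [(ev["ts"].isoformat(), ev["user"], ev["role"], ev["action"])
            for i, ev in enumerate(events)
            if ev["patient"] == patient and i not in flagged]


if __name__ == "__main__":
    evs = parse_log(ACCESS_LOG)
    found = first_level_review(evs)
    for rule, i in found:
        e = evs[i]
        print(f"{rule}: {e['user']} -> {e['patient']} at {e['ts']}")
    print(volume_review(evs, max_patients_per_day=1))
    print(patient_access_summary(evs, "P1001", found))
```

On the constructed data the review flags the clerk's look-up of a patient outside his assignment, the nurse's access to a patient she is not assigned to, and the physician's access the day after the HR feed says he left; the patient summary for P1001 omits the flagged clerk access so that an unauthorized access is never presented to the patient as an authorized one. The volume rule is the kind of anomaly report 13r and 13s describe; its threshold would be set per role in practice.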
14. Your policy allows devices whose configuration is not managed by approved IT support personnel to connect:
a. To internal (non-guest) wired networks.
   AMC#1: 4 | AMC#2: 2.5 (unk) | AMC#3: 1 | AMC#4: 5
b. To internal (non-guest) wireless networks.
   AMC#1: 4 (have to authenticate (WPA)) | AMC#2: 2.5 (unk) | AMC#3: 1 | AMC#4: 5
c. Via VPN to internal (non-guest) networks.
   AMC#1: 4 | AMC#2: 2.5 (unk) | AMC#3: 2 | AMC#4: 5
d. To internet-exposed email gateways (e.g. ActiveSync, Blackberry Enterprise).
   AMC#1: 4 | AMC#2: 2.5 (unk) | AMC#3: 4 (once connected,) | AMC#4: 5
15. What security processes do you think most need improvement in your institution (e.g. expeditious turning-off of accounts when employees are terminated)?
a. Other 1
   AMC#1 selection: a (do much more in awareness where users are personally responsible;)
   AMC#2 selection: a (activity time-outs could be shortened)
   AMC#3 selection: a (processes for light weight changes to user accounts and privileges (current process is laborious))
   AMC#4 selection: a




b. Other 2
   AMC#1 selection: a (need to improve re-authorization)
   AMC#2 selection: a (account provisioning for non Active Directory-based accounts)
   AMC#4 selection: a
c. Other 3
   AMC#1 selection: a (more data leakage encryption; better email encryption; decentralization effects)
   AMC#2 selection: a (audit log centralization?)

16. Tell us about the training/awareness initiatives your institution has
implemented regarding security processes (frequency per employee; length of
time, types).
Item | AMC#1 | AMC#2 | AMC#3 | AMC#4
a. You train all new employees at hire. | 5 (annually in hosp; longer for univ) | 4 | 5 | 5
b. You train those with administrative jobs with special security requirements (e.g. LAN Admins) about security related to their job. | 3 | 5 | 5 | 1
c. You train managers how to deal with security aspects of their operations. | 3 | 3 | 3 (all part of general training) | 2
d. You provide regular security reminders/awareness/updates to all parties. | 4 | 4 | 5 | 4
e. Other | | | |


17. Tell us about your program for sanctioning deviation from security policy.

Item | AMC#1 | AMC#2 | AMC#3 | AMC#4
a. You have a policy and well-enforced practice of sanctioning deviation from security policy by employees. | 3 (policy has non-specific sanctions) | 3 | 4 | 4
b. You have a policy and well-enforced practice of sanctioning deviation from security policy by managers. (e.g. Given a policy of doing routine backups, a manager who did not do so would be sanctioned.) | 3 | 3 | 5 | 4
c. You have a policy and well-enforced practice of sanctioning deviation from security policy by contractors. | 3 | 3 | 5 | 4
d. You have a policy and well-enforced practice of sanctioning deviation from security policy by faculty/physicians. | 3 (just got better on this) | 3 | 5 | 4
e. Actual sanctioning of people is visible to the group subject to the sanctions (e.g. through summary reports in the institution's workforce publications). | 2 | 3 | 1 | 2
f. You actively pursue outsiders (typically hackers) who attempt to compromise your security. | 2 | 3 | 5 (more so on the physical security side) | 4
g. Other | | | |




f4f680ed-94e0-497c-ba13-f8d7089aa8c2.xls                                                 12 of 57                                                                                                                                                                                   9/8/2012




Emerging Security Issues and Practices Section

For Likert-scale items choose:
5 - strongly agree,
4 - mostly agree,
3 - neither agree nor disagree,
2 - mostly disagree,
1 - strongly disagree,
N - other/don't understand

For other items, provide the value requested.



1a. In the context of changes that you wish to make in anticipation of
HITECH's impact, tell us about major contributors that you feel will enable
your institution to achieve and sustain compliance with your policies.


Item | AMC#1 | AMC#2 | AMC#3 | AMC#4
a. You have visible support and adequate resources granted by senior administrators. | 3 | 4 | 5 (BOD instituted security program 7 years ago and supports) | 3
b. Your security program has visibility with your institutional board (e.g. the Audit and Compliance Committee of the Board). | 5 | 5 | 5 | 4
c. You have a critical mass of middle managers willing to make the changes. | 2 | 4 | 5 | 3
d. You have a critical mass of technical support people prepared to make the changes. | 3 | 5 | 5 | 2
e. Your information security leaders are mandated to manage security for all types of sensitive data and functions (not just ePHI; e.g. student data, faculty data, employee data). | 4 | 4 | 5 | 4
f. Other | ✓ more awareness | | |

1) You expect the following aspects of HITECH to significantly affect (i.e. increase management and resource needs) your security program

Item | AMC#1 | AMC#2 | AMC#3 | AMC#4
a Notice of Breach (both avoiding the need to do notice and execute notice) | 4 | 4 | 5 | 5
b You will make provisions for outsourced breach notification support. | 4 | 3 | 5 | 2
c Accounting of e-PHI Disclosures for TPO | 2 | 4 | 5 | 3
d BA relationships | 2 | 4 | 5 | 2
e Enforcement by HHS likelihood and impact | 5 | 5 | 5 | 3
f Enforcement by state AG likelihood and impact | 5 | 5 | 5 | 3
g Felony for knowing and illicit PHI use/disclosure | 4 | 5 | 5 | 3
h Restrictions on payer access to self-pay episode data | 3 | 5 | 5 | 4
i Patient right of e-access | 4 | 3 | 5 | 3
j New minimum necessary standards | 4 | 4 | 5 | 4
k Meaningful Use requirements | 5 | 5 | 5 | 5
l Health Information Exchange | 3 | 4 | 5 | 3
m Other | | | |
2) You expect HITECH to have a significant impact on security in the following areas:

Item | AMC#1 | AMC#2 | AMC#3 | AMC#4
a staffing for the ISO | 4 | 3 | 4 (additional staff went to Privacy) | 4
b other staff commitments for security | 4 | 3 | 1 | 4
c level of senior level oversight of security | 5 | 3 | 1 | 4
d increased enforcement of security policy | 5 | 5 | 4 | 4
e care operations | 3 | 4 | 5 | 4
f research operations | 4 | 4 | 5 | 5
g education operations | 4 | 3 | 5 | 3
h security/privacy policy set | 4 | 4 | 4 | 4
i Other | | | |


3) You expect to see significant security risk shift over the next few years in:

Item | AMC#1 | AMC#2 | AMC#3 | AMC#4
a handheld device use (e.g. iPads, smartphones) | 4 | 5 | 5 | 5
b social networking | 5 | 5 | 5 | 4
c patient e-access to AMC datasets | 3 | 3 | 4 (comment cut off: "how they get to their") | 4
d virus virulence | 4 | 3 | 3 | 4
e identity theft attempts | 4 | 3 | 5 | 4
f cloud based services | 3 | 4 | 5 | 4
g Other | ✓ data integrity problem; | | |

4) List your top five security development projects (i.e. significant efforts that are upcoming or just underway)

Item | AMC#1 | AMC#2 | AMC#3 | AMC#4
a one | ✓ id mgmt | ✓ education and awareness | ✓ identity management | ✓
b two | ✓ role compliance mgmt | ✓ vulnerability assessment/frequency/internal/external | ✓ network access control | ✓
c three | ✓ data leakage | ✓ increased auditing and compliance checking | ✓ data loss protection | ✓
d four | | | ✓ authentication | ✓
e five | | | | ✓
5) List up to an additional five projects that you think would be done if you had more resources.

Item | AMC#1 | AMC#2 | AMC#3 | AMC#4
a one | ✓ PKI | ✓ unknown at this time due to newness | ✓ social networks security - better tools | ✓
b two | ✓ biometrics | ✓ | ✓ database security - better tools | ✓
c three | ✓ more monitoring | | | ✓
d four | | | | ✓
e five | | | | ✓

Please provide any other comments that you think will be of interest to other AMCs or that you would like to hear about from other AMCs. (e.g. Risks associated with international students.)

AMC#1 | ✓ e-discovery needs to be done better.

TOTAL WEIGHT FOR EMERGING PRACTICES




| AMC#4 comment(s) | AMC#5 rating/selection | AMC#5 comment(s) | AMC#6 rating/selection | AMC#6 comment(s) | Item weight (subjective) | Weighted score #1 #2 #3 #4 #5 #6 | # responses | Mean response | Median |
|---|---|---|---|---|---|---|---|---|---|
| CPO Dir Infrastructure VP ISO; actual a,b,c | a | The original CISO Office was dissolved. Interviewee is Director of Enterprise IT Risk and | a | He heads office of info assurance (ISO); asst dir.; whole campus - incl medical school; not hospitals; half of 7 on op; | 0.00% | NA NA NA NA NA NA | 6 | NA | NA |
| | c | | d | "b" would cover med school; are part of OCHA with hospital | 0.00% | NA NA NA NA NA NA | 6 | NA | NA |
| 100000+ | e | | d | for med school practices - c,d | 0.00% | NA NA NA NA NA NA | 5 | NA | NA |
| | c | >30 but <50 | c | | 0.00% | NA NA NA NA NA NA | 6 | NA | NA |
| | c | | b | | 0.00% | NA NA NA NA NA NA | 6 | NA | NA |
| 923 | e | 2280 | d | | 0.00% | NA NA NA NA NA NA | 6 | NA | NA |
| | 725 | sys admins incl. | 550 | incl hospital | 0.00% | NA NA NA NA NA NA | 6 | 424.17 | 450.00 |




| AMC#4 comment(s) | AMC#5 rating/selection | AMC#5 comment(s) | AMC#6 rating/selection | AMC#6 comment(s) | Item weight (subjective) | Weighted score #1 #2 #3 #4 #5 #6 | # responses | Mean response | Median |
|---|---|---|---|---|---|---|---|---|---|
| 1 ISO; 2 - firewall; 3 patch | 12 | | 8 | | 0.00% | NA NA NA NA NA NA | 6 | 12.67 | 9.00 |
| | 494 | security admins. In field; provisioning team | 15 | | 0.00% | NA NA NA NA NA NA | 6 | 107.04 | 40.00 |
| | 10-15% | | 15% | | 0.00% | NA NA NA NA NA NA | 5 | 1.12 | 0.20 |
| | | | 25 | overlaps with number in item c | 0.00% | NA NA NA NA NA NA | 4 | 34.75 | 24.50 |
| telecom and datacenter ops are insourced | 350 | | 450 | incl hospital | 0.00% | NA NA NA NA NA NA | 6 | 282.33 | 300.00 |
| -50 | 0 | | 5 | | 0.00% | NA NA NA NA NA NA | 6 | 18.33 | 5.00 |
| | 2.5 | ITLC-5 | 4 | | 0.00% | NA NA NA NA NA NA | 6 | 5.13 | 3.25 |
| | 12 | | 4 | | 0.00% | NA NA NA NA NA NA | 6 | 12.63 | 8.00 |
| rough estimate; uncertain | 0 | just suck up and go with what we have | 1 | | 0.00% | NA NA NA NA NA NA | 6 | 2.33 | 2.50 |
| | | | | | 0.00% | NA NA NA NA NA NA | | NA | NA |
| | | | | | 0.00% | NA NA NA NA NA NA | | NA | NA |
| | 20,000 | in the Medical Center | 4000 | | 0.00% | NA NA NA NA NA NA | 6 | 12333.33 | 9500.00 |
| 0.56 | 80 | | 70 | hosp 100%; univ 50% | 0.00% | NA NA NA NA NA NA | 6 | 61.17 | 72.50 |
| concurrent 4500; 9000 is a guess | 9,000 | | 1500 | most personally owned; | 0.00% | NA NA NA NA NA NA | 6 | 4000.00 | 1750.00 |
| | 45 | | 40 | | 0.00% | NA NA NA NA NA NA | 5 | 46.60 | 45.00 |
| | 1,000 | incl. physical and virtual | 200 | | 0.00% | NA NA NA NA NA NA | 6 | 791.67 | 900.00 |
| | 88 | 850-900 | 50 | | 0.00% | NA NA NA NA NA NA | 6 | 86.17 | 91.50 |




| AMC#4 comment(s) | AMC#5 rating/selection | AMC#5 comment(s) | AMC#6 rating/selection | AMC#6 comment(s) | Item weight (subjective) | Weighted score #1 #2 #3 #4 #5 #6 | # responses | Mean response | Median |
|---|---|---|---|---|---|---|---|---|---|
| | 88 | 850-900 | 80 | | 0.00% | NA NA NA NA NA NA | 5 | 88.50 | 87.50 |
| | | | | | 0.00% | NA NA NA NA NA NA | 0 | NA | NA |
| acad and care campuses integrated heavy research component | a | HIPAA Team (meets twice/month) self-assesses, creates | a | in fall 2010, encrypted all laptops and desktops and did | 0.00% | NA NA NA NA NA NA | 6 | NA | NA |
| | | | | | 11.50% | 0.04 0.05 0.06 0.04 0.05 0.05 | 6.00 | 4.27 | 4.41 |
| interim | 5 | | 5 | | 2.00% | 0.08 0.10 0.10 0.08 0.10 0.10 | 6 | 4.67 | 5.00 |
| | 5 | | 5 | | 2.00% | 0.10 0.10 0.10 0.08 0.10 0.10 | 6 | 4.83 | 5.00 |
| | 4 | | 5 | | 0.75% | 0.04 0.03 0.04 0.04 0.03 0.04 | 6 | 4.67 | 5.00 |
| | 4 | | 3 | almost a 4 | 2.00% | 0.06 0.08 0.10 0.04 0.08 0.06 | 6 | 3.50 | 3.50 |
| | 5 | | 4 | | 0.75% | 0.03 0.03 0.04 0.03 0.04 0.03 | 6 | 4.33 | 4.00 |
| | 3 | | 4 | | 0.75% | 0.02 0.03 0.04 0.02 0.02 0.03 | 6 | 3.50 | 3.50 |
| | 4 | | 5 | hosp has their own ISO. CIO is spread between med ctr and hosp; | 0.50% | 0.02 0.03 0.03 0.03 0.02 0.03 | 6 | 4.67 | 5.00 |
| | 5 | Head of ITLC is | 12 | 7 MS; 5 hosp | | NA NA NA NA NA NA | 6 | 5.50 | 5.00 |
| | 4 | | 5 | dept - 40 people; | 0.75% | 0.01 0.04 0.02 0.02 0.03 0.04 | 6 | 3.33 | 3.50 |
| | 5 | | 5 | | 1.00% | 0.04 0.05 0.05 0.01 0.05 0.05 | 6 | 4.17 | 5.00 |
| some university coverage of non ePHI regs | 4 | HIPAA Team/ITLC | 4 | | 1.00% | 0.03 0.04 0.05 0.03 0.04 0.04 | 6 | 3.83 | 4.00 |
| | | | a | other HIPAA groups; HIPAA Privacy Officer; | | NA NA NA NA NA NA | 2 | NA | NA |
| | | | | | | NA NA NA NA NA NA | | NA | NA |




                     AMC#5 - Rating/Selection




                                                                         AMC#6 - Rating/Selection
AMC#4 - Comment(s)




                                                    AMC#5 - Comment(s)




                                                                                                        AMC#6 - Comment(s)




                                                                                                                                                                                                                                                                                                                  Mean Response
                                                                                                                                             Weighted score




                                                                                                                                                                     Weighted score




                                                                                                                                                                                             Weighted score




                                                                                                                                                                                                                     Weighted score




                                                                                                                                                                                                                                             Weighted score



                                                                                                                                                                                                                                                                     Weighted score




                                                                                                                                                                                                                                                                                              # Responses
                                                                                                                             Item Weight
                                                                                                                             (subjective)




                                                                                                                                                                                                                                                                                                                                        Median
| | | | | 3.00% | 0.03 | 0.03 | 0.04 | 0.02 | 0.03 | 0.03 | 5.00 | 4.17 | 4.13
| 4 | Configurations Management Data Base (CMDB) | 5 | above risk threshold database | 1.00% | 0.04 | 0.04 | 0.05 | 0.04 | 0.04 | 0.05 | 6 | 4.33 | 4.00
| 4 | | 5 | | 0.75% | 0.03 | 0.04 | 0.04 | 0.02 | 0.03 | 0.04 | 6 | 4.33 | 4.50
| 4 | part of change management process | 4 | recertify annually; | 0.75% | 0.03 | 0.04 | 0.04 | 0.02 | 0.03 | 0.03 | 6 | 4.00 | 4.00
| 3 | | 4 | policy goal; | 0.50% | 0.02 | 0.02 | 0.03 | 0.02 | 0.02 | 0.02 | 6 | 4.00 | 4.00
| | | a | do central mgmt; bigfix, MS AD, central AV; Mac reg for wireless; | NA | NA | NA | NA | NA | NA | NA | 1 | NA | NA
| | | | | NA | NA | NA | NA | NA | NA | NA | | NA | NA
| | | | | NA | NA | NA | NA | NA | NA | NA | | NA | NA
| | | | | NA | NA | NA | NA | NA | NA | NA | | NA | NA
Epic | | EMR In-house developed. EMR is more than an EMR; it is integrated with other systems and contains more than a legal medical record. | | IDX; two implementations | NA | NA | NA | NA | NA | NA | NA | | NA | NA
Flowcast (GE/IDX) | | HEO - McKesson Horizon Expert Orders Clinical Order Entry. Co-development between McKesson and AMC | | Flowcast | NA | NA | NA | NA | NA | NA | NA | | NA | NA

f4f680ed-94e0-497c-ba13-f8d7089aa8c2.xls                                                                                                                             19 of 57                                                                                                                                                          9/8/2012
RIS PACS | | HED - McKesson Horizon Expert Documentation. Nurse Documentation application | | Wideimage | NA | NA | NA | NA | NA | NA | NA | | NA | NA
Lab SCC | | OPOC Outpatient Order Entry. In-house developed | | EMR-Centricity; EPIC | NA | NA | NA | NA | NA | NA | NA | | NA | NA
Script Pro (OP RX) | | PSS Patient Summary Service. In-house developed. Problem List, Meds, Allergies, Lab Alerts, and other patient tracking criteria | | Trail Mgmt (homegrown); CTMS coming | NA | NA | NA | NA | NA | NA | NA | | NA | NA
OnBase (Document Mgt) | | EPIC Patient Scheduling. Scheduling for outpatient | | | NA | NA | NA | NA | NA | NA | NA | | NA | NA
Repository (Data Warehouse) | | StarPanel | | | NA | NA | NA | NA | NA | NA | NA | 0 | NA | NA
Trendstar | | | | | NA | NA | NA | NA | NA | NA | NA | | NA | NA
AllScripts | | | | | NA | NA | NA | NA | NA | NA | NA | | NA | NA
Exchange | | | | | NA | NA | NA | NA | NA | NA | NA | | NA | NA
Proto | | | | | NA | NA | NA | NA | NA | NA | NA | | NA | NA
| | | | | NA | NA | NA | NA | NA | NA | NA | | NA | NA

| | | | | 10.00% | 0.03 | 0.03 | 0.05 | 0.03 | 0.04 | 0.05 | 5.27 | 3.71 | 3.75
| 4 | | 5 | Sec Design Review | 1.00% | 0.03 | 0.04 | 0.05 | 0.03 | 0.04 | 0.05 | 6 | 4.00 | 4.00
| 4 | | 4 | | 1.00% | 0.03 | 0.04 | 0.05 | 0.02 | 0.04 | 0.04 | 6 | 3.67 | 4.00
| 3 | | 5 | | 1.00% | 0.04 | 0.04 | 0.05 | 0.02 | 0.03 | 0.05 | 6 | 3.83 | 4.00
| 4 | | 5 | policy is to keep 6 years with incident; 1 year if no incident; | 1.00% | 0.04 | 0.03 | 0.05 | 0.04 | 0.04 | 0.05 | 6 | 4.17 | 4.00
| 3 | have created breach notification policy/process re HITECH | 4 | | 1.00% | 0.04 | 0.03 | 0.05 | 0.02 | 0.03 | 0.04 | 5 | 3.42 | 3.50
| 4 | | 5 | have terminated people for cause | 1.00% | 0.04 | 0.03 | 0.05 | 0.05 | 0.04 | 0.05 | 5 | 4.25 | 4.50
| 3 | | 4 | some depts more than others | 1.00% | 0.01 | 0.03 | 0.05 | 0.02 | 0.03 | 0.04 | 5 | 2.92 | 2.75
| 4 | | 5 | monthly and quarterly | 1.00% | 0.04 | 0.03 | 0.05 | 0.03 | 0.04 | 0.05 | 5 | 3.92 | 4.00
| 3 | | 4 | do sec design reviews; no ninjas | 1.00% | 0.02 | 0.03 | 0.05 | 0.01 | 0.03 | 0.04 | 5 | 2.92 | 2.75
| 4 | | 5 | | 1.00% | 0.03 | 0.03 | 0.05 | 0.04 | 0.04 | 0.05 | 7 | 4.00 | 4.00
| | | a | bring in external auditors | NA | NA | NA | NA | NA | NA | NA | 2 | NA | NA
| | | | | NA | NA | NA | NA | NA | NA | NA | | NA | NA
| | | | | 10.00% | 0.02 | 0.03 | 0.05 | 0.02 | 0.04 | 0.04 | 4.73 | 3.17 | 3.18
this question was scored as | 4 | | 4 | | 1.00% | 0.02 | 0.03 | 0.05 | 0.02 | 0.04 | 0.04 | 5 | 3.25 | 3.25
| 4 | | 3 | | 1.00% | 0.02 | 0.03 | 0.05 | 0.01 | 0.04 | 0.03 | 5 | 2.92 | 2.75
| 3 | | 4 | | 1.00% | 0.02 | 0.03 | 0.05 | 0.01 | 0.03 | 0.04 | 5 | 2.92 | 2.75

| 4 | | 4 | | 1.00% | 0.03 | 0.03 | 0.05 | 0.03 | 0.04 | 0.04 | 5 | 3.58 | 3.50
| 3 | | 4 | | 1.00% | 0.02 | 0.03 | 0.05 | 0.01 | 0.03 | 0.04 | 5 | 2.92 | 2.75
| 4 | | 5 | | 1.00% | 0.02 | 0.03 | 0.05 | 0.04 | 0.04 | 0.05 | 5 | 3.75 | 4.00
| 3 | | 3 | | 1.00% | 0.02 | 0.03 | 0.05 | 0.01 | 0.03 | 0.03 | 5 | 2.75 | 2.75
| 4 | | 4 | | 1.00% | 0.02 | 0.03 | 0.05 | 0.02 | 0.04 | 0.04 | 5 | 3.25 | 3.25
| 3 | | 3 | | 1.00% | 0.01 | 0.03 | 0.05 | 0.01 | 0.03 | 0.03 | 5 | 2.58 | 2.75
| 4 | | 4 | | 1.00% | 0.04 | 0.03 | 0.05 | 0.03 | 0.04 | 0.04 | 5 | 3.75 | 4.00
| | | a | new policy - all servers | NA | NA | NA | NA | NA | NA | NA | 2 | NA | NA
| | | | | NA | NA | NA | NA | NA | NA | NA | | NA | NA
| | | | | 4.75% | 0.02 | 0.02 | 0.04 | 0.02 | 0.02 | 0.04 | 4.86 | 3.92 | 3.38
| 3 | have a PFI process | 5 | | 1.00% | 0.04 | 0.03 | 0.05 | 0.02 | 0.03 | 0.05 | 5 | 3.58 | 3.50
| 3 | | 5 | | 0.75% | 0.02 | 0.02 | 0.04 | 0.02 | 0.02 | 0.04 | 5 | 3.25 | 2.75
| 3 | | 5 | | 0.75% | 0.02 | 0.02 | 0.04 | 0.03 | 0.02 | 0.04 | 5 | 3.58 | 3.50
| 3 | | 4 | | 0.50% | 0.02 | 0.01 | 0.03 | 0.02 | 0.02 | 0.02 | 5 | 3.42 | 3.00
| 3 | NIST, FISMA, HIPAA | 5 | | 0.75% | 0.03 | 0.03 | 0.04 | 0.02 | 0.02 | 0.04 | 6 | 3.83 | 4.00
| 3 | | 5 | | 1.00% | 0.03 | 0.04 | 0.05 | 0.03 | 0.03 | 0.05 | 6 | 3.83 | 3.50
| | | a | revamped them in | NA | NA | NA | NA | NA | NA | NA | 2 | NA | NA
                                                                                                                                             NA                      NA                      NA                      NA                      NA                      NA                              NA                      NA

                                                                                                                                     4.00%                    0.04                    0.04                    0.05                    0.05                    0.05                    0.05   6.00           4.33                  4.75

                                                5                                                   5 three                          1.00%                    0.04                    0.03                    0.05                    0.05                    0.05                    0.05         6        4.50                  5.00
                                                                                                      tiered
                                                                                                      model;
                                                                                                      one-lock,
                                                                                                      two-lock, 3-
                                                5                                                   5 lock                           1.00%                    0.02                    0.03                    0.05                    0.05                    0.05                    0.05         6        4.17                  5.00
                                                  Disaster
                                                  Recovery
                                                  Team;
                                                5 Response                                          5                                1.00%                    0.04                    0.05                    0.05                    0.04                    0.05                    0.05         6        4.67                  5.00




                                                5                                                   3                                1.00%                    0.04                    0.03                    0.05                    0.04                    0.05                    0.03         6        4.00                  4.00
                                                                                                        spent lot
                                                                                                        of time on
                                                                         a                              uptime;                              NA                      NA                      NA                      NA                      NA                      NA                         2 NA                         NA
                                                                                                                                             NA                      NA                      NA                      NA                      NA                      NA                           NA                         NA
                                                                                                                                     2.50%                    0.03                    0.04                    0.03                    0.04                    0.03                    0.04   5.00           4.17                  4.33
BIA                                             3                                                   5                                1.00%                    0.04                    0.04                    0.05                    0.04                    0.03                    0.05      6           4.17                  4.00

cybersecu
rity review                                     4                                                   5                                0.50%                    0.02                    0.03                    0.03                    0.02                    0.02                    0.03         6        4.33                  4.50
apply to
all
systems                                         4                                                   5                                1.00%                    0.04                    0.05                    0.01                    0.05                    0.04                    0.05         6        4.00                  4.50




f4f680ed-94e0-497c-ba13-f8d7089aa8c2.xls                                                                                                                             22 of 57                                                                                                                                                     9/8/2012
Sheet column headers (continued from the previous pages): AMC#4 - Comment(s) | AMC#5 - Rating/Selection | AMC#5 - Comment(s) | AMC#6 - Rating/Selection | AMC#6 - Comment(s) | Item Weight (subjective) | Weighted score, one column per AMC (#1 to #6) | # Responses | Mean Response | Median
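An added example, not part of the survey workbook or the surveyors' material: the scoring arithmetic behind the numeric columns, inferred from the rows visible on this page. An item's weighted score is the AMC's rating (1 to 5) times the subjective item weight, and a group summary row sums the item weights and averages the item columns; the "# Responses" value on summary rows does not follow from the visible items and is not reproduced. Ratings for AMC#1 to AMC#4 sit on another page of the sheet, so the sample input (the four items of the 3.00% group, as transcribed from this page) carries only the AMC#5 and AMC#6 ratings. The names GROUP_3PCT, section_summary, weighted_score and excel_round are the example's own.

```python
# Added example (not from the survey or its authors): the scoring model inferred
# from the sheet's rows.  Item weighted score = rating x item weight; a group
# summary row sums the item weights and averages the item columns.
from decimal import Decimal, ROUND_HALF_UP

TWO_PLACES = Decimal("0.01")


def excel_round(x):
    """Round half away from zero, as Excel's ROUND() does.  The sheet shows
    3 x 0.50% as 0.02; Python's round(0.015, 2) gives 0.01 because the binary
    float 0.015 is slightly below 0.015 and round() is banker's rounding."""
    return Decimal(x).quantize(TWO_PLACES, rounding=ROUND_HALF_UP)


def weighted_score(rating, weight):
    """Unrounded item score: rating (1-5) x weight (fraction; 0.01 == 1.00%).
    None means NA (the AMC did not rate the item).  Full precision is kept
    here; the sheet rounds only when it displays a cell."""
    if rating is None:
        return None
    return Decimal(rating) * Decimal(weight)


def section_summary(items, amcs):
    """Group summary row: summed weight, per-AMC mean of the unrounded item
    scores (the visible rows only reproduce when the mean is taken before
    rounding), and the mean of the item means and of the item medians.
    NA items are left out of that AMC's average."""
    total_weight = sum(Decimal(i["weight"]) for i in items)
    ws_mean = {}
    for amc in amcs:
        scores = [weighted_score(i["ratings"].get(amc), i["weight"]) for i in items]
        scores = [s for s in scores if s is not None]
        ws_mean[amc] = excel_round(sum(scores) / len(scores)) if scores else None
    n = len(items)
    return {
        "weight": total_weight,
        "ws_mean": ws_mean,
        "mean": excel_round(sum(Decimal(i["mean"]) for i in items) / n),
        "median": excel_round(sum(Decimal(i["median"]) for i in items) / n),
    }


def weight_pct(w):
    """Format a weight fraction the way the sheet does, e.g. 0.03 -> '3.00%'."""
    return f"{Decimal(w) * 100:.2f}%"


# Sample input (constructed from this page): the four items of the 3.00% group.
# Only the AMC#5 and AMC#6 ratings appear on this page, so only those two
# weighted-score columns can be checked against the sheet.
GROUP_3PCT = [
    {"weight": "0.0100", "ratings": {"AMC#5": 5, "AMC#6": 4}, "mean": "4.80", "median": "5.00"},
    {"weight": "0.0050", "ratings": {"AMC#5": 5, "AMC#6": 5}, "mean": "5.00", "median": "5.00"},
    {"weight": "0.0075", "ratings": {"AMC#5": 5, "AMC#6": 5}, "mean": "4.33", "median": "5.00"},
    {"weight": "0.0075", "ratings": {"AMC#5": 2, "AMC#6": 1}, "mean": "2.42", "median": "2.00"},
]

if __name__ == "__main__":
    for item in GROUP_3PCT:
        cells = [excel_round(weighted_score(item["ratings"][a], item["weight"]))
                 for a in ("AMC#5", "AMC#6")]
        print(weight_pct(item["weight"]), item["ratings"], "->", cells)
    s = section_summary(GROUP_3PCT, ["AMC#5", "AMC#6"])
    print(weight_pct(s["weight"]), s["ws_mean"], s["mean"], s["median"])
```

Two details matter if the sheet is rebuilt elsewhere: round half away from zero, as Excel does, and average the unrounded scores. The 3.00% group's AMC#5 summary cell is 0.03 because the mean of the exact scores is 0.031875; averaging the displayed 0.05, 0.03, 0.04 and 0.02 instead gives 0.035, which would show as 0.04.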
Column key: AMC#5, AMC#6 = Rating/Selection; Weight = Item Weight (subjective); WS#n = Weighted score for AMC#n; #Resp = # Responses; Mean = Mean Response. Section rows are question-group rows; the row after each is the group summary.

AMC#5 | AMC#6 | Weight | WS#1 WS#2 WS#3 WS#4 WS#5 WS#6 | #Resp | Mean | Median | Comments
  NA  |  NA   |   NA   |  NA   NA   NA   NA   NA   NA  |   2   |  NA  |   NA   | Section. AMC#6: "do RA early in software"
  NA  |  NA   |   NA   |  NA   NA   NA   NA   NA   NA  |       |  NA  |   NA   |
      |       |  2.00% | 0.01 0.01 0.02 0.01 0.01 0.01 |  5.50 | 3.22 |  3.17  | Group summary
  5   |   5   |  1.00% | 0.04 0.05 0.05 0.05 0.05 0.05 |   6   | 4.83 |  5.00  | AMC#4: "routine procurement requirement; special"
  2   |   3   |  0.50% | 0.01 0.02 0.03 0.01 0.01 0.02 |   6   | 2.50 |  2.50  | AMC#4: "nothing beyond contact"
  2   |   3   |  0.50% | 0.01 0.01 0.03 0.01 0.01 0.02 |   5   | 2.42 |  2.25  | AMC#4: "nothing beyond contact language"
  5   |   4   |  0.00% | 0.00 0.00 0.00 0.00 0.00 0.00 |   5   | 3.42 |  3.50  | AMC#4: "waiting for final"; AMC#6: "new language;"
  2   |   5   |  0.00% | 0.00 0.00 0.00 0.00 0.00 0.00 |   5   | 3.08 |  2.75  |
  4   |   5   |  0.00% | 0.00 0.00 0.00 0.00 0.00 0.00 |   6   | 3.08 |  3.00  |
  NA  |  NA   |   NA   |  NA   NA   NA   NA   NA   NA  |   1   |  NA  |   NA   | Section. AMC#6: "in an OCHA; so collaborat"
  NA  |  NA   |   NA   |  NA   NA   NA   NA   NA   NA  |       |  NA  |   NA   |
      |       |  3.00% | 0.03 0.02 0.04 0.03 0.03 0.03 |  4.40 | 4.14 |  4.25  | Group summary
  5   |   4   |  1.00% | 0.05 0.03 0.05 0.05 0.05 0.04 |   5   | 4.80 |  5.00  | AMC#5: "written policies"; AMC#6: "in some cases can send beyond"
  5   |   5   |  0.50% | 0.03 0.01 0.03 0.03 0.03 0.03 |   5   | 5.00 |  5.00  |
  5   |   5   |  0.75% | 0.02 0.02 0.04 0.04 0.04 0.04 |   6   | 4.33 |  5.00  | AMC#5: "patient portals w/"; AMC#6: "secure file xcfer util"
  2   |   1   |  0.75% | 0.02 0.02 0.04 0.02 0.02 0.01 |   5   | 2.42 |  2.00  |
  NA  |  NA   |   NA   |  NA   NA   NA   NA   NA   NA  |   1   |  NA  |   NA   | Section. AMC#6: "servers encrypt email in transit"
  NA  |  NA   |   NA   |  NA   NA   NA   NA   NA   NA  |       |  NA  |   NA   |
      |       |  3.50% | 0.03 0.03 0.04 0.02 0.03 0.03 |  5.33 | 4.23 |  4.60  | Group summary
  4   |   5   |  1.00% | 0.04 0.03 0.05 0.03 0.04 0.05 |   6   | 4.00 |  4.00  |
  5   |   5   |  1.00% | 0.03 0.05 0.05 0.03 0.05 0.05 |   6   | 4.33 |  5.00  |
  5   |   5   |  0.50% | 0.02 0.03 0.03 0.02 0.03 0.03 |   6   | 4.33 |  5.00  |
  5   |   5   |  0.50% | 0.02 0.03 0.03 0.02 0.03 0.03 |   6   | 4.67 |  5.00  |
  4   |   4   |  0.50% | 0.02 0.02 0.03 0.01 0.02 0.02 |   6   | 3.83 |  4.00  |
  NA  |  NA   |   NA   |  NA   NA   NA   NA   NA   NA  |   2   |  NA  |   NA   | Section. AMC#6: "7X24 incident response"
  NA  |  NA   |   NA   |  NA   NA   NA   NA   NA   NA  |       |  NA  |   NA   |
      |       | 11.75% | 0.03 0.04 0.04 0.03 0.04 0.04 |  5.93 | 4.36 |  4.57  | Group summary
  5   |   5   |  1.00% | 0.04 0.05 0.05 0.03 0.05 0.05 |   6   | 4.50 |  5.00  |
  5   |   5   |  1.00% | 0.04 0.05 0.05 0.02 0.05 0.05 |   6   | 4.33 |  5.00  |
  4   |   5   |  0.50% | 0.02 0.02 0.03 0.02 0.02 0.03 |   6   | 4.17 |  4.00  |
Column key: AMC#5, AMC#6 = Rating/Selection; Weight = Item Weight (subjective); WS#n = Weighted score for AMC#n; #Resp = # Responses; Mean = Mean Response. Section rows are question-group rows; the row after each is the group summary.

AMC#5 | AMC#6 | Weight | WS#1 WS#2 WS#3 WS#4 WS#5 WS#6 | #Resp | Mean | Median | Comments
  3   |   4   |  0.50% | 0.03 0.02 0.03 0.02 0.02 0.02 |   6   | 4.17 |  4.00  |
  4   |   5   |  1.00% | 0.05 0.05 0.05 0.03 0.04 0.05 |   6   | 4.50 |  5.00  |
  5   |   5   |  0.50% | 0.03 0.02 0.03 0.02 0.03 0.03 |   6   | 4.67 |  5.00  | AMC#4: "guest (no),"
  5   |   5   |  1.50% | 0.06 0.08 0.08 0.06 0.08 0.08 |   6   | 4.67 |  5.00  |
  4   |   5   |  0.50% | 0.02 0.03 0.03 0.03 0.02 0.03 |   6   | 4.67 |  5.00  | AMC#6: "central backup Tivoli"
  3   |   5   |  1.00% | 0.04 0.03 0.05 0.02 0.03 0.05 |   5   | 3.58 |  3.50  | AMC#5: "run before installation;"
  4   |   5   |  1.25% | 0.04 0.05 0.06 0.05 0.05 0.06 |   6   | 4.17 |  4.00  |
  3   |   5   |  1.00% | 0.04 0.04 0.05 0.04 0.03 0.05 |   6   | 4.17 |  4.00  | AMC#5: "employees linked to HR; contractors process"
  4   |   5   |  1.00% | 0.04 0.05 0.05 0.04 0.04 0.05 |   6   | 4.50 |  4.50  |
  5   |   5   |  0.50% | 0.02 0.03 0.03 0.02 0.03 0.03 |   6   | 4.50 |  5.00  | AMC#4: "not for servers; yes for endpoints;"; AMC#6: "on laptops, desktops; some servers;"
  5   |   5   |  0.50% | 0.03 0.02 0.03 0.02 0.03 0.03 |   6   | 4.50 |  5.00  |
  NA  |  NA   |   NA   |  NA   NA   NA   NA   NA   NA  |   1   |  NA  |   NA   | Section. AMC#6: "removal devices focus; USBs"
  NA  |  NA   |   NA   |  NA   NA   NA   NA   NA   NA  |       |  NA  |   NA   |
      |       | 23.25% | 0.03 0.04 0.05 0.02 0.04 0.05 |  5.78 | 3.55 |  3.79  | Group summary
  1   |   3   |  0.50% | 0.01 0.01 0.01 0.01 0.01 0.02 |   6   | 1.50 |  1.00  |
  1   |   3   |  0.25% | 0.00 0.00 0.00 0.00 0.00 0.01 |   6   | 1.33 |  1.00  |
  3   |   5   |  1.00% | 0.03 0.03 0.05 0.01 0.03 0.05 |   7   | 3.33 |  3.00  | AMC#5: "lack coordination between various"; AMC#6: "tripwire;"
  4   |   5   |  0.75% | 0.02 0.03 0.04 0.03 0.03 0.04 |   6   | 4.17 |  4.00  |
  3   |   5   |  0.75% | 0.02 0.04 0.04 0.02 0.02 0.04 |   6   | 3.67 |  4.00  | AMC#5: "EMR does not yet have the granularity"
f4f680ed-94e0-497c-ba13-f8d7089aa8c2.xls                                                                                                                             24 of 57                                                                                                                                                          9/8/2012
| AMC#4 - Comment(s) | AMC#5 - Rating/Selection | AMC#5 - Comment(s) | AMC#6 - Rating/Selection | AMC#6 - Comment(s) | Item Weight (subjective) | Weighted score (AMC#1 to AMC#6) | # Responses | Mean Response | Median |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| not counting email | 4 | | 3 | | 0.75% | 0.02 0.03 0.04 0.03 0.03 0.02 | 6 | 3.83 | 4.00 |
| | 5 | | 5 | | 7.50% | 0.08 0.30 0.38 0.08 0.38 0.38 | 6 | 3.50 | 4.50 |
| | 5 | | 5 | | 1.00% | 0.04 0.05 0.05 0.04 0.05 0.05 | 6 | 4.67 | 5.00 |
| | 5 | | 5 | | 1.00% | 0.04 0.05 0.05 0.04 0.05 0.05 | 6 | 4.67 | 5.00 |
| | 4 | | 4 | | 0.50% | 0.01 0.02 0.03 0.01 0.02 0.02 | 6 | 3.17 | 3.50 |
| endpoints; not servers; yes - | 4 | especially on desktops and | 4 | | 0.50% | 0.01 0.03 0.02 0.01 0.02 0.02 | 6 | 3.33 | 4.00 |
| | 5 | | 5 | | 1.00% | 0.04 0.05 0.05 0.04 0.05 0.05 | 6 | 4.67 | 5.00 |
| | 3 | discouraged on clinical workstations | 5 | | 0.75% | 0.03 0.04 0.04 0.02 0.02 0.04 | 6 | 4.00 | 4.50 |
| | 5 | | 4 | | 0.75% | 0.02 0.04 0.04 0.02 0.04 0.03 | 6 | 4.00 | 4.50 |
| | 4 | | 5 | | 0.75% | 0.03 0.04 0.04 0.03 0.03 0.04 | 6 | 4.50 | 4.50 |
| | 3 | | 4 | | 0.50% | 0.03 0.01 0.03 0.01 0.02 0.02 | 5 | 3.42 | 3.50 |
| | 4 | especially on the EMR | 5 | | 0.75% | 0.04 0.02 0.04 0.01 0.03 0.04 | 5 | 3.75 | 4.50 |
| | 4 | | 5 | | 0.75% | 0.04 0.02 0.04 0.01 0.03 0.04 | 5 | 3.75 | 4.50 |
| | 3 | | 4 | | 0.75% | 0.03 0.02 0.04 0.01 0.02 0.03 | 5 | 3.25 | 3.50 |
| | 4 | | 5 | | 0.75% | 0.04 0.02 0.04 0.02 0.03 0.04 | 5 | 4.08 | 4.50 |
| | 3 | use two-factor for remote working | 4 | allow at | 0.75% | 0.01 0.02 0.04 0.01 0.02 0.03 | 5 | 2.75 | 2.75 |
| only at clinical ws | 2 | on appropriat | 3 | hospital but not | 0.75% | 0.02 0.02 0.03 0.02 0.02 0.02 | 6 | 2.67 | 2.50 |
| | 3 | | 4 | websense | 0.50% | 0.02 0.03 0.03 0.01 0.02 0.02 | 6 | 3.67 | 4.00 |
| | | | a | proxy | | NA | 2 | NA | NA |
| | | | | | 3.75% | 0.04 0.02 0.02 0.05 0.02 0.04 | 5.00 | 3.25 | 3.63 |
| | 4 | | 4 | | 1.00% | 0.04 0.03 0.01 0.05 0.04 0.04 | 5 | 3.42 | 4.00 |
| | 1 | | 4 | | 1.00% | 0.04 0.03 0.01 0.05 0.01 0.04 | 5 | 2.92 | 3.25 |
| | 1 | | 5 | | 1.00% | 0.04 0.03 0.02 0.05 0.01 0.05 | 5 | 3.25 | 3.25 |
| | 1 | | 4 | | 0.75% | 0.03 0.02 0.03 0.04 0.01 0.03 | 5 | 3.42 | 4.00 |
| breach of SSN ePHI mgmt | a | lack correlation of audit logs | a | turning off employee access when they leave | | NA | 6 | NA | NA |
| AMC#4 - Comment(s) | AMC#5 - Rating/Selection | AMC#5 - Comment(s) | AMC#6 - Rating/Selection | AMC#6 - Comment(s) | Item Weight (subjective) | Weighted score (AMC#1 to AMC#6) | # Responses | Mean Response | Median |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| wired/wireless net access mechanism | a | accretion of access/authorization privileges as users move | a | | | NA | 5 | NA | NA |
| | | | | | | NA | 2 | NA | NA |
| | | | | | | NA | | NA | NA |
| | | | | | 3.00% | 0.03 0.03 0.03 0.02 0.03 0.04 | 6.00 | 4.04 | 4.13 |
| | 5 | | 5 | | 0.75% | 0.04 0.03 0.04 0.04 0.04 0.04 | 6 | 4.83 | 5.00 |
| | 4 | | 5 | | 0.75% | 0.02 0.04 0.04 0.01 0.03 0.04 | 6 | 3.83 | 4.50 |
| | 3 | need specific-focused security training | 5 | | 0.75% | 0.02 0.02 0.02 0.02 0.02 0.04 | 6 | 3.17 | 3.00 |
| | 4 | | 5 | | 0.75% | 0.03 0.03 0.04 0.03 0.03 0.04 | 6 | 4.33 | 4.00 |
| | | | a | major training in the fall; | | NA | 1 | NA | NA |
| | | | | | | NA | | NA | NA |
| | | | | | 4.00% | 0.02 0.02 0.03 0.02 0.02 0.03 | 6.00 | 3.56 | 3.58 |
| | 5 | | 5 | | 1.00% | 0.03 0.03 0.04 0.04 0.05 0.05 | 6 | 4.00 | 4.00 |
| | 4 | | 5 | | 0.75% | 0.02 0.02 0.04 0.03 0.03 0.04 | 6 | 4.00 | 4.00 |
| | 4 | | 5 | | 0.50% | 0.02 0.02 0.03 0.02 0.02 0.03 | 6 | 4.00 | 4.00 |
| though level of sanctions | 4 | | 4 | | 0.75% | 0.02 0.02 0.04 0.03 0.03 0.03 | 6 | 3.83 | 4.00 |
| | 1 | | 4 | | 0.75% | 0.02 0.02 0.01 0.02 0.01 0.03 | 6 | 2.17 | 2.00 |
| | 1 | unless legally or contractually required | 5 | | 0.25% | 0.01 0.01 0.01 0.01 0.00 0.01 | 6 | 3.33 | 3.50 |
| | | | a | sig effort on wording in policies. | | NA | 1 | NA | NA |
                     AMC#5 - Rating/Selection




                                                                         AMC#6 - Rating/Selection
AMC#4 - Comment(s)




                                                    AMC#5 - Comment(s)




                                                                                                        AMC#6 - Comment(s)




                                                                                                                                                                                                                                                                                                                  Mean Response
                                                                                                                                             Weighted score




                                                                                                                                                                     Weighted score




                                                                                                                                                                                             Weighted score




                                                                                                                                                                                                                     Weighted score




                                                                                                                                                                                                                                             Weighted score



                                                                                                                                                                                                                                                                     Weighted score




                                                                                                                                                                                                                                                                                              # Responses
                                                                                                                             Item Weight
                                                                                                                             (subjective)




                                                                                                                                                                                                                                                                                                                                        Median
                                                                                                                                     0.00% NA                        NA                      NA                      NA                      NA                      NA                                     NA                    NA




                                                                                                                                  18.00%                      0.12                    0.16                    0.18                    0.11                    0.16                    0.18   6.00                4.23                  4.40




support
but
resources                                                                                             $3M for
lacking                                         4                                                   5 security                       4.00%                    0.12                    0.16                    0.20                    0.12                    0.16                    0.20         6             4.00                  4.00

                                                5                                                   5                                4.00%                    0.20                    0.20                    0.20                    0.16                    0.20                    0.20         6             4.83                  5.00

                                                4                                                   5                                4.00%                    0.08                    0.16                    0.20                    0.12                    0.16                    0.20         6             3.83                  4.00

                                                4                                                   5                                4.00%                    0.12                    0.20                    0.20                    0.08                    0.16                    0.20         6             4.00                  4.50
some
university
side
managem
ent of non-
PHI                                             5                                                   5                                2.00%                    0.08                    0.08                    0.10                    0.08                    0.10                    0.10         6             4.50                  4.50

                                                                                                                                             NA                      NA                      NA                      NA                      NA                      NA                            1 NA                           NA
                                                                                                                                             NA                      NA                      NA                      NA                      NA                      NA                              NA                           NA

                                                                                                                                  39.60%                      0.12                    0.14                    0.17                    0.11                    0.13                    0.14   6.00                4.07                  4.29
                                                3                                                   5                              3.30%                      0.13                    0.13                    0.17                    0.17                    0.10                    0.17      6                4.33                  4.50
                                                4                                                   2                              3.30%                      0.13                    0.10                    0.17                    0.07                    0.13                    0.07      6                3.33                  3.50
waiting for
final                                           5                                                   4                                3.30%                    0.07                    0.13                    0.17                    0.10                    0.17                    0.13         6             3.83                  4.00
                                                4                                                   4                                3.30%                    0.07                    0.13                    0.17                    0.07                    0.13                    0.13         6             3.50                  4.00
                                                4                                                   5                                3.30%                    0.17                    0.17                    0.17                    0.10                    0.13                    0.17         6             4.50                  5.00
                                                3                                                   5 already happened               3.30%                    0.17                    0.17                    0.17                    0.10                    0.10                    0.17         6             4.33                  5.00
                                                3                                                   5                                3.30%                    0.13                    0.17                    0.17                    0.10                    0.10                    0.17         6             4.17                  4.50
                                                5                                                   3                                3.30%                    0.10                    0.17                    0.17                    0.13                    0.17                    0.10         6             4.17                  4.50
                                                4                                                   5                                3.30%                    0.13                    0.10                    0.17                    0.10                    0.13                    0.17         6             4.00                  4.00
                                                4                                                   4                                3.30%                    0.13                    0.13                    0.17                    0.13                    0.13                    0.13         6             4.17                  4.00
                                                4                                                   5                                3.30%                    0.17                    0.17                    0.17                    0.17                    0.13                    0.17         6             4.83                  5.00
already doing a lot of this                     3                                                   4                                3.30%                    0.10                    0.13                    0.17                    0.10                    0.10                    0.13         6             3.67                  3.50
                                                                                                                                             NA                      NA                      NA                      NA                      NA                      NA                            0 NA                           NA

                                                                                                                                  25.10%                      0.13                    0.11                    0.11                    0.13                    0.12                    0.15   6.00                4.00                  4.06




f4f680ed-94e0-497c-ba13-f8d7089aa8c2.xls                                                                                                                             27 of 57                                                                                                                                                          9/8/2012
Column headers (continued): AMC#5 - Rating/Selection   AMC#6 - Rating/Selection   AMC#4 - Comment(s)   AMC#5 - Comment(s)   AMC#6 - Comment(s)
Item Weight (subjective)   Weighted score (AMC#1)   Weighted score (AMC#2)   Weighted score (AMC#3)   Weighted score (AMC#4)   Weighted score (AMC#5)   Weighted score (AMC#6)   # Responses   Mean Response   Median
                                                4                                                   5 add 1                          3.30%                    0.13                    0.10                    0.13                    0.13                    0.13                    0.17         6             4.00                  4.00
                                                4                                                   5                                3.30%                    0.13                    0.10                    0.03                    0.13                    0.13                    0.17         6             3.50                  4.00
                                                4                                                   5                                3.30%                    0.17                    0.10                    0.03                    0.13                    0.13                    0.17         6             3.67                  4.00
                                                3                                                   5                                3.30%                    0.17                    0.17                    0.13                    0.13                    0.10                    0.17         6             4.33                  4.50
                                                4                                                   5                                3.30%                    0.10                    0.13                    0.17                    0.13                    0.13                    0.17         6             4.17                  4.00
                                                4                                                   4                                3.30%                    0.13                    0.13                    0.17                    0.17                    0.13                    0.13         6             4.33                  4.00
                                                4                                                   4                                2.00%                    0.08                    0.06                    0.10                    0.06                    0.08                    0.08         6             3.83                  4.00
                                                4                                                   5                                3.30%                    0.13                    0.13                    0.13                    0.13                    0.13                    0.17         6             4.17                  4.00
                                                                         a                            billing                                NA                      NA                      NA                      NA                      NA                      NA                            1 NA                           NA


                                                                                                                                  17.30%                      0.11                    0.11                    0.13                    0.12                    0.11                    0.14   5.43                4.14                  4.17
                                                5                                                   5                              2.00%                      0.08                    0.10                    0.10                    0.10                    0.10                    0.10      6                4.83                  5.00
                                                3                                                   4                              2.10%                      0.11                    0.11                    0.11                    0.08                    0.06                    0.08      6                4.33                  4.50
                                                3                                                   5                                3.30%                    0.10                    0.10                    0.13                    0.13                    0.10                    0.17         6             3.67                  3.50
                                                3                                                   4                                3.30%                    0.13                    0.10                    0.10                    0.13                    0.10                    0.13         6             3.50                  3.50
                                                4                                                   5                                3.30%                    0.13                    0.10                    0.17                    0.13                    0.13                    0.17         6             4.17                  4.00
                                                5                                                   5                                3.30%                    0.10                    0.13                    0.17                    0.13                    0.17                    0.17         6             4.33                  4.50
                                                                         a                              increased use of                   NA                      NA                      NA                      NA                      NA                      NA                            2 NA                           NA
                                                                                                                                             NA                      NA                      NA                      NA                      NA                      NA                              NA                           NA


security awareness and training - dept level a     PCI compliance a                                     email encryption; data leakage     NA                      NA                      NA                      NA                      NA                      NA                            6 NA                           NA

better SSN ePHI a                                  Procurement Standard Policy a                        governance risk compliance project (ITGRC-inventory w auto risk analysis)     NA                      NA                      NA                      NA                      NA                      NA                            6 NA                           NA

full endpoint encryption a                         Centralization on a single source user ID a          secure research repository         NA                      NA                      NA                      NA                      NA                      NA                            6 NA                           NA
mobile device encryption a                         Continuation of HIPAA Risk and IT Assessment Program                                    NA                      NA                      NA                      NA                      NA                      NA                            3 NA                           NA
NC firewall                                                                                                                                NA                      NA                      NA                      NA                      NA                      NA                            1 NA                           NA

                                                                                                                                             NA                      NA                      NA                      NA                      NA                      NA                                     NA                    NA
automated log auditing tools a                     continually striving to work within existing resource allocation a     re auditing      NA                      NA                      NA                      NA                      NA                      NA                            6 NA                           NA
NAC - wired and wireless a                                                   a                          check on users doing reviews       NA                      NA                      NA                      NA                      NA                      NA                            6 NA                           NA
mobile device technical policy mgmt                                                                                                        NA                      NA                      NA                      NA                      NA                      NA                            2 NA                           NA




full pen test                                                                                                                              NA               NA               NA               NA               NA               NA                    1 NA                     NA
virtual desktop infrastructure.                                                                                                            NA               NA               NA               NA               NA               NA                    1 NA                     NA
                                                                                                                                    NA               NA               NA               NA               NA               NA                      NA                     NA



                     a                          Do other AMCs have a centralized IT or are they completely decentralized or do they have pockets of IT operations? a     students, post-docs etc using personal equipment are a challenge     NA               NA               NA               NA               NA               NA                    3 NA                     NA




NA          Count (1/a)      0      0      1      1      0      5
NA          Count (2/b)      0      4      1      0      3      0
NA          Count (3/c)      1      2      2      0      2      1
NA          NA
            Count (4d)       1      0      2      1      1      0
NA          NA
            Count (5/e)      3      0      0      3      0      0
NA          Count (N)        #      1 L    0 L    0 L    0 L    0 L    0 L
F           QTYPE
            Weight calc
Weighted score #1     Weighted score #2     Weighted score #3     Weighted score #4     Weighted score #5     Weighted score #6




NA                   NA                 NA                 NA                NA                 NA               #




NA                   NA                 NA                 NA                NA                 NA               #




NA                   NA                 NA                 NA                NA                 NA               #



NA                   NA                 NA                 NA                NA                 NA               #




NA                   NA                 NA                 NA                NA                 NA               #


NA                   NA                 NA                 NA                NA                 NA               #




NA                   NA                 NA                 NA                NA                 NA               #




NA                   NA                 NA                 NA                NA                 NA               #




NA                   NA                 NA                 NA                NA                 NA               #
NA                   NA                 NA                 NA                NA                 NA               F
NA                   NA                 NA                 NA                NA                 NA               F




NA                   NA                 NA                 NA                NA                 NA               #



NA                   NA                 NA                 NA                NA                 NA               #



NA                   NA                 NA                 NA                NA                 NA               #



NA                   NA                 NA                 NA                NA                 NA               #




NA                   NA                 NA                 NA                NA                 NA               #

NA                   NA                 NA                 NA                NA                 NA               #




f4f680ed-94e0-497c-ba13-f8d7089aa8c2.xls                                                                                     31 of 57                                                                                                              9/8/2012
Survey scoring table, page 32 of 57. Columns: tally of the six AMCs' selections per answer option (1/a .. 5/e, N); QTYPE; Weight calc; Weighted score per AMC (AMC#1 .. AMC#6; for N rows this is Weight calc x that AMC's rating).

1/a   2/b   3/c   4/d   5/e   N     QTYPE  Weight   AMC#1    AMC#2    AMC#3    AMC#4    AMC#5    AMC#6
NA    NA    NA    NA    NA    NA    #
0     0     0     0     0     0     L
6     0     0     0     0     0     L
0.36  0.27  0.64  1.82  2.55  0.00  A
0     0     0     2     4     0     N      2.00%    0.08     0.1      0.1      0.08     0.1      0.1
0     0     0     1     5     0     N      2.00%    0.1      0.1      0.1      0.08     0.1      0.1
0     0     0     2     4     0     N      0.75%    0.0375   0.03     0.0375   0.0375   0.03     0.0375
0     1     2     2     1     0     N      2.00%    0.06     0.08     0.1      0.04     0.08     0.06
0     0     0     4     2     0     N      0.75%    0.03     0.03     0.0375   0.03     0.0375   0.03
0     1     2     2     1     0     N      0.75%    0.0225   0.03     0.0375   0.015    0.0225   0.03
0     0     0     2     4     0     N      0.50%    0.02     0.025    0.025    0.025    0.02     0.025
NA    NA    NA    NA    NA    NA    #
1     1     1     1     2     0     N      0.75%    0.0075   0.0375   0.015    0.0225   0.03     0.0375
1     0     0     1     4     0     N      1.00%    0.04     0.05     0.05     0.01     0.05     0.05
0     0     2     3     1     0     N      1.00%    0.03     0.04     0.05     0.03     0.04     0.04
2     0     0     0     0     0     L
NA    NA    NA    NA    NA    NA    F
Survey scoring table, page 33 of 57. Columns: tally of the six AMCs' selections per answer option (1/a .. 5/e, N); QTYPE; Weight calc; Weighted score per AMC (AMC#1 .. AMC#6; for N rows this is Weight calc x that AMC's rating).

1/a   2/b   3/c   4/d   5/e   N     QTYPE  Weight   AMC#1    AMC#2    AMC#3    AMC#4    AMC#5    AMC#6
0.20  0.20  0.40  2.60  1.60  0.00  A
0     0     0     4     2     0     N      1.00%    0.04     0.04     0.05     0.04     0.04     0.05
0     0     1     2     3     0     N      0.75%    0.03     0.0375   0.0375   0.0225   0.03     0.0375
0     1     0     3     2     0     N      0.75%    0.03     0.0375   0.0375   0.015    0.03     0.03
0     0     1     4     1     0     N      0.50%    0.02     0.02     0.025    0.02     0.015    0.02
1     0     0     0     0     0     L
NA    NA    NA    NA    NA    NA    F
NA    NA    NA    NA    NA    NA    F
NA    NA    NA    NA    NA    NA    F
NA    NA    NA    NA    NA    NA    FF
NA    NA    NA    NA    NA    NA    F
Survey scoring table, page 34 of 57. Columns: tally of the six AMCs' selections per answer option (1/a .. 5/e, N); QTYPE; Weight calc; Weighted score per AMC (AMC#1 .. AMC#6). No question on this page carries a weight or weighted score.

1/a   2/b   3/c   4/d   5/e   N     QTYPE  Weight   AMC#1    AMC#2    AMC#3    AMC#4    AMC#5    AMC#6
NA    NA    NA    NA    NA    NA    F
NA    NA    NA    NA    NA    NA    F
NA    NA    NA    NA    NA    NA    F
NA    NA    NA    NA    NA    NA    F
0     0     0     0     0     0     L
NA    NA    NA    NA    NA    NA    F
NA    NA    NA    NA    NA    NA    F
NA    NA    NA    NA    NA    NA    F
NA    NA    NA    NA    NA    NA    F
NA    NA    NA    NA    NA    NA    F
Survey scoring table, page 35 of 57. Columns: tally of the six AMCs' selections per answer option (1/a .. 5/e, N); QTYPE; Weight calc; Weighted score per AMC (AMC#1 .. AMC#6; for N rows this is Weight calc x that AMC's rating).

1/a   2/b   3/c   4/d   5/e   N     QTYPE  Weight   AMC#1    AMC#2    AMC#3    AMC#4    AMC#5    AMC#6
0.36  0.45  1.00  1.91  1.55  0.00  A
0     0     2     2     2     0     N      1.00%    0.03     0.04     0.05     0.03     0.04     0.05
0     1     1     3     1     0     N      1.00%    0.03     0.04     0.05     0.02     0.04     0.04
0     1     1     2     2     0     N      1.00%    0.04     0.04     0.05     0.02     0.03     0.05
0     0     1     3     2     0     N      1.00%    0.04     0.03     0.05     0.04     0.04     0.05
0     1     1     2     1     0     N      1.00%    0.04     0.025    0.05     0.02     0.03     0.04
0     0     0     2     3     0     N      1.00%    0.04     0.025    0.05     0.05     0.04     0.05
1     1     1     1     1     0     N      1.00%    0.01     0.025    0.05     0.02     0.03     0.04
0     0     1     2     2     0     N      1.00%    0.04     0.025    0.05     0.03     0.04     0.05
1     1     1     1     1     0     N      1.00%    0.02     0.025    0.05     0.01     0.03     0.04
0     0     2     3     2     0     N      1.00%    0.03     0.03     0.05     0.04     0.04     0.05
2     0     0     0     0     0     L
NA    NA    NA    NA    NA    NA    F
0.73  0.82  0.91  1.27  1.00  0.00  A
0     2     0     2     1     0     N      1.00%    0.02     0.025    0.05     0.02     0.04     0.04
1     1     1     1     1     0     N      1.00%    0.02     0.025    0.05     0.01     0.04     0.03
1     1     1     1     1     0     N      1.00%    0.02     0.025    0.05     0.01     0.03     0.04
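An added consistency check for the scoring table (example code written for this page, not part of the survey workbook or the surveyors' method). For the N-type rows the sheet records each AMC's weighted score as Weight calc x rating, so the rating can be recovered as score / weight, re-tallied into the Count columns and compared with what the sheet shows. The four rows below are transcribed from pages 32, 35 and 37; the row labels, and the assumption that exactly six AMCs were rated (the survey covers 6 AMCs), are the example's own.

```python
from fractions import Fraction

# Constructed input: four "N"-type rows transcribed from this sheet
# (pages 32, 35 and 37). Tuple layout follows the sheet's columns:
# (Count 1/a .. 5/e, Count N), Weight calc in %, Weighted score AMC#1 .. AMC#6.
# Values are kept as strings so the arithmetic below is exact.
SHEET_ROWS = {
    "p32 row 1":  ((0, 0, 0, 2, 4, 0), "2.00", ("0.08", "0.1", "0.1", "0.08", "0.1", "0.1")),
    "p35 row 5":  ((0, 1, 1, 2, 1, 0), "1.00", ("0.04", "0.025", "0.05", "0.02", "0.03", "0.04")),
    "p35 row 10": ((0, 0, 2, 3, 2, 0), "1.00", ("0.03", "0.03", "0.05", "0.04", "0.04", "0.05")),
    "p37 row 4":  ((1, 0, 1, 1, 2, 0), "0.00", ("0", "0", "0", "0", "0", "0")),
}

N_AMCS = 6  # assumption: one rating per surveyed AMC, six AMCs in the survey


def recover_ratings(weight_pct, scores):
    """Invert weighted score = weight * rating for each AMC, in exact arithmetic.
    Returns None when the weight is 0%: the scores then carry no rating information."""
    weight = Fraction(weight_pct) / 100
    if weight == 0:
        return None
    return [Fraction(score) / weight for score in scores]


def tally(ratings):
    """Count ratings 1..5 the way the sheet's Count columns do. Ratings that are
    not whole numbers in 1..5 (e.g. 2.5) cannot land in a bucket and are returned
    separately so the caller can report them."""
    counts = [0] * 5
    unbucketed = []
    for rating in ratings:
        if rating.denominator == 1 and 1 <= rating <= 5:
            counts[int(rating) - 1] += 1
        else:
            unbucketed.append(rating)
    return counts, unbucketed


def check_row(counts, weight_pct, scores):
    """Return the list of consistency problems found in one sheet row (empty if none)."""
    problems = []
    sheet_counts = list(counts[:5])
    if sum(counts) != N_AMCS:
        problems.append(f"count columns sum to {sum(counts)}, expected {N_AMCS}")
    ratings = recover_ratings(weight_pct, scores)
    if ratings is None:
        problems.append("weight is 0%: ratings cannot be recovered from the scores")
        return problems
    derived, unbucketed = tally(ratings)
    if unbucketed:
        problems.append("non-integer rating(s) recovered: "
                        + ", ".join(str(float(r)) for r in unbucketed))
    if derived != sheet_counts:
        problems.append(f"sheet counts {sheet_counts} != counts derived from scores {derived}")
    return problems


def audit(rows=SHEET_ROWS):
    """Map each row label to its list of problems."""
    return {label: check_row(*row) for label, row in rows.items()}


if __name__ == "__main__":
    for label, problems in audit().items():
        print(label, "OK" if not problems else "; ".join(problems))
```

Run as a script it prints one line per row. The page-32 row reconciles exactly (ratings 4, 5, 5, 4, 5, 5). The page-35 rows do not: one implies a rating of 2.5 for AMC#2 that no Count bucket can hold, and the row with counts 0/0/2/3/2 lists seven entries for six AMCs, one more in the 4/d bucket than its scores support. A 0% weight row is reported as unrecoverable rather than silently passed.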
Survey scoring table, page 36 of 57. Columns: tally of the six AMCs' selections per answer option (1/a .. 5/e, N); QTYPE; Weight calc; Weighted score per AMC (AMC#1 .. AMC#6; for N rows this is Weight calc x that AMC's rating).

1/a   2/b   3/c   4/d   5/e   N     QTYPE  Weight   AMC#1    AMC#2    AMC#3    AMC#4    AMC#5    AMC#6
0     0     2     2     1     0     N      1.00%    0.03     0.025    0.05     0.03     0.04     0.04
1     1     1     1     1     0     N      1.00%    0.02     0.025    0.05     0.01     0.03     0.04
0     1     0     2     2     0     N      1.00%    0.02     0.025    0.05     0.04     0.04     0.05
1     1     2     0     1     0     N      1.00%    0.02     0.025    0.05     0.01     0.03     0.03
0     2     0     2     1     0     N      1.00%    0.02     0.025    0.05     0.02     0.04     0.04
2     0     2     0     1     0     N      1.00%    0.01     0.025    0.05     0.01     0.03     0.03
0     0     1     3     1     0     N      1.00%    0.04     0.025    0.05     0.03     0.04     0.04
2     0     0     0     0     0     L
NA    NA    NA    NA    NA    NA    F
0.29  0.71  1.43  0.86  1.57  0.00  A
0     1     1     1     2     0     N      1.00%    0.04     0.025    0.05     0.02     0.03     0.05
0     2     1     0     2     0     N      0.75%    0.015    0.01875  0.0375   0.015    0.0225   0.0375
0     1     1     1     2     0     N      0.75%    0.015    0.01875  0.0375   0.03     0.0225   0.0375
0     0     3     1     1     0     N      0.50%    0.015    0.0125   0.025    0.015    0.015    0.02
0     1     1     2     2     0     N      0.75%    0.03     0.03     0.0375   0.015    0.0225   0.0375
0     0     3     1     2     0     N      1.00%    0.03     0.04     0.05     0.03     0.03     0.05
2     0     0     0     0     0     L
NA    NA    NA    NA    NA    NA    F
0.00  0.25  1.00  1.25  3.50  0.00  A
0     0     1     1     4     0     N      1.00%    0.04     0.03     0.05     0.05     0.05     0.05
0     1     1     0     4     0     N      1.00%    0.02     0.03     0.05     0.05     0.05     0.05
0     0     0     2     4     0     N      1.00%    0.04     0.05     0.05     0.04     0.05     0.05
0     0     2     2     2     0     N      1.00%    0.04     0.03     0.05     0.04     0.05     0.03
2     0     0     0     0     0     L
NA    NA    NA    NA    NA    NA    F
0.75  0.00  0.50  1.75  2.00  0.00  A
0     0     1     3     2     0     N      1.00%    0.04     0.04     0.05     0.04     0.03     0.05
0     0     1     2     3     0     N      0.50%    0.015    0.025    0.025    0.02     0.02     0.025
1     0     0     2     3     0     N      1.00%    0.04     0.05     0.01     0.05     0.04     0.05
Tally table (continued): response counts at each rating (1/a to 5/e), count of N responses, question type (QTYPE), weight calc, and the weighted score for each of the six AMCs (AMC#1 to AMC#6, in sheet column order).

Count(1/a) Count(2/b) Count(3/c) Count(4/d) Count(5/e) Count(N) QTYPE  Weight   AMC#1   AMC#2   AMC#3   AMC#4   AMC#5   AMC#6
         2          0          0          0          0        0 L
        NA         NA         NA         NA         NA       NA F
      1.17       0.50       1.17       0.50       2.00     0.17 A
         0          0          0          1          5        0 N       1.00%    0.04    0.05    0.05    0.05    0.05    0.05
         2          1          2          0          1        0 N       0.50%   0.005   0.015   0.025   0.005    0.01   0.015
         2          1          1          0          1        0 N       0.50%   0.005  0.0125   0.025   0.005    0.01   0.015
         1          0          1          1          2        0 N       0.00%       0       0       0       0       0       0
         1          1          1          0          2        0 N       0.00%       0       0       0       0       0       0
         1          0          2          1          1        1 N       0.00%       0       0       0       0       0       0
         1          0          0          0          0        0 L
        NA         NA         NA         NA         NA       NA F
      0.40       0.60       0.40       0.20       2.80     0.00 A
         0          0          0          1          4        0 N       1.00%    0.05   0.025    0.05    0.05    0.05    0.04
         0          0          0          0          5        0 N       0.50%   0.025  0.0125   0.025   0.025   0.025   0.025
         0          0          2          0          4        0 N       0.75%  0.0225  0.0225  0.0375  0.0375  0.0375  0.0375
         1          3          0          0          1        0 N       0.75%   0.015 0.01875  0.0375   0.015   0.015  0.0075
         1          0          0          0          0        0 L
        NA         NA         NA         NA         NA       NA F
      0.33       0.17       1.00       1.33       2.50     0.00 A
         0          0          2          2          2        0 N       1.00%    0.04    0.03    0.05    0.03    0.04    0.05
         0          0          2          0          4        0 N       1.00%    0.03    0.05    0.05    0.03    0.05    0.05
         0          0          2          0          4        0 N       0.50%   0.015   0.025   0.025   0.015   0.025   0.025
         0          0          0          2          4        0 N       0.50%    0.02   0.025   0.025    0.02   0.025   0.025
         0          1          0          4          1        0 N       0.50%    0.02    0.02   0.025    0.01    0.02    0.02
         2          0          0          0          0        0 L
        NA         NA         NA         NA         NA       NA F
      0.00       0.14       0.64       1.93       3.21     0.00 A
         0          0          1          1          4        0 N       1.00%    0.04    0.05    0.05    0.03    0.05    0.05
         0          1          0          1          4        0 N       1.00%    0.04    0.05    0.05    0.02    0.05    0.05
         0          0          1          3          2        0 N       0.50%    0.02    0.02   0.025   0.015    0.02   0.025
Tally table (continued): response counts at each rating (1/a to 5/e), count of N responses, question type (QTYPE), weight calc, and the weighted score for each of the six AMCs (AMC#1 to AMC#6, in sheet column order).

Count(1/a) Count(2/b) Count(3/c) Count(4/d) Count(5/e) Count(N) QTYPE  Weight   AMC#1   AMC#2   AMC#3   AMC#4   AMC#5   AMC#6
         0          0          1          3          2        0 N       0.50%   0.025    0.02   0.025    0.02   0.015    0.02
         0          0          1          1          4        0 N       1.00%    0.05    0.05    0.05    0.03    0.04    0.05
         0          0          0          2          4        0 N       0.50%   0.025    0.02   0.025    0.02   0.025   0.025
         0          0          0          2          4        0 N       1.50%    0.06   0.075   0.075    0.06   0.075   0.075
         0          0          0          2          4        0 N       0.50%    0.02   0.025   0.025   0.025    0.02   0.025
         0          1          1          1          2        0 N       1.00%    0.04   0.025    0.05    0.02    0.03    0.05
         0          0          1          3          2        0 N       1.25%  0.0375    0.05  0.0625    0.05    0.05  0.0625
         0          0          1          3          2        0 N       1.00%    0.04    0.04    0.05    0.04    0.03    0.05
         0          0          0          3          3        0 N       1.00%    0.04    0.05    0.05    0.04    0.04    0.05
         0          0          1          1          4        0 N       0.50%   0.015   0.025   0.025    0.02   0.025   0.025
         0          0          1          1          4        0 N       0.50%   0.025   0.015   0.025    0.02   0.025   0.025
         1          0          0          0          0        0 L
        NA         NA         NA         NA         NA       NA F
      0.91       0.43       0.83       1.43       2.13     0.04 A
         4          1          1          0          0        0 N       0.50%   0.005   0.005   0.005    0.01   0.005   0.015
         5          0          1          0          0        0 N       0.25%  0.0025  0.0025  0.0025  0.0025  0.0025  0.0075
         1          0          3          0          2        1 N       1.00%    0.03    0.03    0.05    0.01    0.03    0.05
         0          0          1          3          2        0 N       0.75%  0.0225    0.03  0.0375    0.03    0.03  0.0375
         0          2          1          0          3        0 N       0.75%   0.015  0.0375  0.0375   0.015  0.0225  0.0375
Tally table (continued): response counts at each rating (1/a to 5/e), count of N responses, question type (QTYPE), weight calc, and the weighted score for each of the six AMCs (AMC#1 to AMC#6, in sheet column order).

Count(1/a) Count(2/b) Count(3/c) Count(4/d) Count(5/e) Count(N) QTYPE  Weight   AMC#1   AMC#2   AMC#3   AMC#4   AMC#5   AMC#6
         0          0          2          3          1        0 N       0.75%  0.0225    0.03  0.0375    0.03    0.03  0.0225
         2          0          0          1          3        0 N       7.50%   0.075     0.3   0.375   0.075   0.375   0.375
         0          0          0          2          4        0 N       1.00%    0.04    0.05    0.05    0.04    0.05    0.05
         0          0          0          2          4        0 N       1.00%    0.04    0.05    0.05    0.04    0.05    0.05
         1          1          1          2          1        0 N       0.50%    0.01   0.015   0.025   0.005    0.02    0.02
         1          1          0          3          1        0 N       0.50%    0.01   0.025    0.02   0.005    0.02    0.02
         0          0          0          2          4        0 N       1.00%    0.04    0.05    0.05    0.04    0.05    0.05
         0          1          1          1          3        0 N       0.75%    0.03  0.0375  0.0375   0.015  0.0225  0.0375
         0          1          1          1          3        0 N       0.75%  0.0225  0.0375  0.0375   0.015  0.0375    0.03
         0          0          0          3          3        0 N       0.75%    0.03  0.0375  0.0375    0.03    0.03  0.0375
         1          0          1          1          2        0 N       0.50%   0.025  0.0125   0.025   0.005   0.015    0.02
         1          0          0          1          3        0 N       0.75%  0.0375 0.01875  0.0375  0.0075    0.03  0.0375
         1          0          0          1          3        0 N       0.75%  0.0375 0.01875  0.0375  0.0075    0.03  0.0375
         1          0          1          2          1        0 N       0.75%    0.03 0.01875  0.0375  0.0075  0.0225    0.03
         0          0          1          1          3        0 N       0.75%  0.0375 0.01875  0.0375  0.0225    0.03  0.0375
         2          0          1          1          1        0 N       0.75%  0.0075 0.01875  0.0375  0.0075  0.0225    0.03
         0          3          2          1          0        0 N       0.75%   0.015  0.0225    0.03   0.015   0.015  0.0225
         1          0          1          2          2        0 N       0.50%    0.02   0.025   0.025   0.005   0.015    0.02
         2          0          0          0          0        0 L
      1.25       0.25       0.00       2.25       1.25     0.00 A
         1          0          0          3          1        0 N       1.00%    0.04   0.025    0.01    0.05    0.04    0.04
         2          0          0          2          1        0 N       1.00%    0.04   0.025    0.01    0.05    0.01    0.04
         1          1          0          1          2        0 N       1.00%    0.04   0.025    0.02    0.05    0.01    0.05
         1          0          0          3          1        0 N       0.75%    0.03 0.01875    0.03  0.0375  0.0075    0.03
         6          0          0          0          0        0 L
Tally table (continued): response counts at each rating (1/a to 5/e), count of N responses, question type (QTYPE), weight calc, and the weighted score for each of the six AMCs (AMC#1 to AMC#6, in sheet column order).

Count(1/a) Count(2/b) Count(3/c) Count(4/d) Count(5/e) Count(N) QTYPE  Weight   AMC#1   AMC#2   AMC#3   AMC#4   AMC#5   AMC#6
         5          0          0          0          0        0 L
         2          0          0          0          0        0 L
        NA         NA         NA         NA         NA       NA F
      0.25       0.25       1.25       1.50       2.75     0.00 A
         0          0          0          1          5        0 N       0.75%  0.0375    0.03  0.0375  0.0375  0.0375  0.0375
         1          0          1          1          3        0 N       0.75%  0.0225  0.0375  0.0375  0.0075    0.03  0.0375
         0          1          4          0          1        0 N       0.75%  0.0225  0.0225  0.0225   0.015  0.0225  0.0375
         0          0          0          4          2        0 N       0.75%    0.03    0.03  0.0375    0.03    0.03  0.0375
         1          0          0          0          0        0 L
        NA         NA         NA         NA         NA       NA F
      0.50       0.50       1.67       1.83       1.50     0.00 A
         0          0          2          2          2        0 N       1.00%    0.03    0.03    0.04    0.04    0.05    0.05
         0          0          2          2          2        0 N       0.75%  0.0225  0.0225  0.0375    0.03    0.03  0.0375
         0          0          2          2          2        0 N       0.50%   0.015   0.015   0.025    0.02    0.02   0.025
         0          0          2          3          1        0 N       0.75%  0.0225  0.0225  0.0375    0.03    0.03    0.03
         2          2          1          1          0        0 N       0.75%   0.015  0.0225  0.0075   0.015  0.0075    0.03
         1          1          1          1          2        0 N       0.25%   0.005  0.0075  0.0125    0.01  0.0025  0.0125
         1          0          0          0          0        0 L
Tally table (continued): response counts at each rating (1/a to 5/e), count of N responses, question type (QTYPE), weight calc, and the weighted score for each of the six AMCs (AMC#1 to AMC#6, in sheet column order). The TOTAL row sums the weights (100.00%) and gives the resulting score for each AMC.

Count(1/a) Count(2/b) Count(3/c) Count(4/d) Count(5/e) Count(N) QTYPE  Weight   AMC#1   AMC#2   AMC#3   AMC#4   AMC#5   AMC#6
TOTAL (score for each AMC)                                            100.00%    3.21    3.66    4.72    2.92    3.91    4.54
        NA         NA         NA         NA         NA       NA F
      0.00       0.40       0.80       1.80       3.00     0.00 A
         0          0          2          2          2        0 N       4.00%    0.12    0.16     0.2    0.12    0.16     0.2
         0          0          0          1          5        0 N       4.00%     0.2     0.2     0.2    0.16     0.2     0.2
         0          1          1          2          2        0 N       4.00%    0.08    0.16     0.2    0.12    0.16     0.2
         0          1          1          1          3        0 N       4.00%    0.12     0.2     0.2    0.08    0.16     0.2
         0          0          0          3          3        0 N       2.00%    0.08    0.08     0.1    0.08     0.1     0.1

            1                   0                   0                   0                  0                  0 L
NA                   NA                  NA                  NA                 NA                  NA          F

     0.00                 0.42                1.25                1.83               2.50                0.00 A
        0                    0                   1                   2                  3                   0 N                         3.30%                              0.132                    0.132                    0.165                    0.165                    0.099                    0.165
        0                    2                   1                   2                  1                   0 N                         3.30%                              0.132                    0.099                    0.165                    0.066                    0.132                    0.066

            0                   1                   1                   2                  2                  0 N                       3.30%                              0.066                    0.132                    0.165                    0.099                    0.165                    0.132
            0                   2                   0                   3                  1                  0 N                       3.30%                              0.066                    0.132                    0.165                    0.066                    0.132                    0.132
            0                   0                   1                   1                  4                  0 N                       3.30%                              0.165                    0.165                    0.165                    0.099                    0.132                    0.165

            0                   0                   2                   0                  4                  0       N                 3.30%                              0.165                    0.165                    0.165                    0.099                    0.099                    0.165
            0                   0                   2                   1                  3                  0       N                 3.30%                              0.132                    0.165                    0.165                    0.099                    0.099                    0.165
            0                   0                   2                   1                  3                  0       N                 3.30%                              0.099                    0.165                    0.165                    0.132                    0.165                    0.099
            0                   0                   2                   2                  2                  0       N                 3.30%                              0.132                    0.099                    0.165                    0.099                    0.132                    0.165
            0                   0                   0                   5                  1                  0       N                 3.30%                              0.132                    0.132                    0.165                    0.132                    0.132                    0.132
            0                   0                   0                   1                  5                  0       N                 3.30%                              0.165                    0.165                    0.165                    0.165                    0.132                    0.165


            0                   0                   3                   2                  1                  0 N                       3.30%                              0.099                    0.132                    0.165                    0.099                    0.099                    0.132
            0                   0                   0                   0                  0                  0 L

     0.25                 0.00                0.88                3.25               1.63                0.00 A




f4f680ed-94e0-497c-ba13-f8d7089aa8c2.xls                                                                                                 41 of 57                                                                                                                                                               9/8/2012
1/a   2/b   3/c   4d    5/e   N     QTYPE  Weight   WS1    WS2    WS3    WS4    WS5    WS6
0     0     1     4     1     0     N      3.30%    0.132  0.099  0.132  0.132  0.132  0.165
1     0     1     3     1     0     N      3.30%    0.132  0.099  0.033  0.132  0.132  0.165
1     0     1     2     2     0     N      3.30%    0.165  0.099  0.033  0.132  0.132  0.165
0     0     1     2     3     0     N      3.30%    0.165  0.165  0.132  0.132  0.099  0.165
0     0     1     3     2     0     N      3.30%    0.099  0.132  0.165  0.132  0.132  0.165
0     0     0     4     2     0     N      3.30%    0.132  0.132  0.165  0.165  0.132  0.132
0     0     2     3     1     0     N      2.00%    0.08   0.06   0.1    0.06   0.08   0.08
0     0     0     5     1     0     N      3.30%    0.132  0.132  0.132  0.132  0.132  0.165
1     0     0     0     0     0     L
0.29  0.00  1.29  1.86  2.00  0.00  A
0     0     0     1     5     0     N      2.00%    0.08   0.1    0.1    0.1    0.1    0.1
0     0     1     2     3     0     N      2.10%    0.105  0.105  0.105  0.084  0.063  0.084
0     0     3     2     1     0     N      3.30%    0.099  0.099  0.132  0.132  0.099  0.165
0     0     3     3     0     0     N      3.30%    0.132  0.099  0.099  0.132  0.099  0.132
0     0     1     3     2     0     N      3.30%    0.132  0.099  0.165  0.132  0.132  0.165
0     0     1     2     3     0     N      3.30%    0.099  0.132  0.165  0.132  0.165  0.165
2     0     0     0     0     0     L
NA    NA    NA    NA    NA    NA    F
6     0     0     0     0     0     L
6     0     0     0     0     0     L
6     0     0     0     0     0     L
3     0     0     0     0     0     L
1     0     0     0     0     0     L
NA    NA    NA    NA    NA    NA    F
6     0     0     0     0     0     L
6     0     0     0     0     0     L
2     0     0     0     0     0     L

1/a   2/b   3/c   4d    5/e   N     QTYPE  Weight   WS1    WS2    WS3    WS4    WS5    WS6
NA    NA    NA    NA    NA    NA    F
3     0     0     0     0     0     L
1     0     0     0     0     0     L
1     0     0     0     0     0     L
TOTAL                                      100.00%

      113



