TITLE OF INFORMATION COLLECTION: Qualitative Research for Medical Community Baselining Phase II
PURPOSE:
The purpose of the Medical Community Baselining Phase II (MCB II) is to establish, through qualitative research, a better understanding of the level of cybersecurity awareness and prioritization throughout the Healthcare and Public Health (HPH) Sector. The research gathered will help prioritize and shape the plan for Version 2.0 of the Cybersecurity Information Sharing Act, CISA 405(d) document. Likewise, MCB II is complimentary to the larger effort to fulfill the requirement called for in the CISA of 2015, Section 405(d). In the legislation Congress mandates HHS, through a private/public partnership, to develop voluntary, consensus-based guidelines, best practices, & methodologies to strengthen the HPH-sector’s cybersecurity posture. The 405(d) Task Group has aimed to address the requirement with a targeted set of applicable & voluntary best practices that seeks to cost-effectively reduce the cybersecurity risks of the healthcare industry. The first version of the 405(d) voluntary best practices will be targeted to the entire Healthcare and Public Health Sector with a focus on those engaged in direct patient care, segmented into small, medium, and large organizations. MCB II is part of the initial building for Version 2.0.
DESCRIPTION OF RESPONDENTS:
The respondents in this effort will consist of various medical professionals, including doctors, nurses, practice administrators, etc. In addition, feedback will also be gathered from InfoSec professionals, including CISOs (Chief Information Security Officers), CIOs (Chief Information Officers), CMIOs (Chief Medical Information Officers), etc.
TYPE OF COLLECTION: (Check one)
[ ] Customer Comment Card/Complaint Form [ ] Customer Satisfaction Survey
[ ] Usability Testing (e.g., Website or Software [ ] Small Discussion Group
[X] Focus Group [ ] Other: ______________________
CERTIFICATION:
I certify the following to be true:
The collection is voluntary.
The collection is low-burden for respondents and low-cost for the Federal Government.
The collection is non-controversial and does not raise issues of concern to other federal agencies.
The results are not intended to be disseminated to the public.
Information gathered will not be used for the purpose of substantially informing influential policy decisions.
The collection is targeted to the solicitation of opinions from respondents who have experience with the program or may have experience with the program in the future.
Name:___Julie Chua
To assist review, please provide answers to the following question:
Personally Identifiable Information:
Is personally identifiable information (PII) collected? [ ] Yes [ X ] No
If Yes, is the information that will be collected included in records that are subject to the Privacy Act of 1974? [ ] Yes [ ] No
If Applicable, has a System or Records Notice been published? [ ] Yes [ ] No
Gifts or Payments:
Is an incentive (e.g., money or reimbursement of expenses, token of appreciation) provided to participants? [ ] Yes [ X ] No
BURDEN HOURS
Category of Respondent |
No. of Respondents |
Participation Time |
Burden hour |
Private Sector (Health Information Security Professionals) Screener - HHS MCB II |
90 |
30 min |
45 |
Private Sector (Medical Professionals) Screener - HHS MCB II |
90 |
30 min |
45 |
Private Sector (Health Information Security Professionals) Discussion Guide - HHS MCB II |
90 |
1.5 |
135 |
Private Sector (Medical Professionals) Discussion Guide - HHS MCB II |
90 |
1.5 |
135 |
Totals |
|
|
360 |
FEDERAL COST: The estimated annual cost to the Federal government is ___$3500___
If you are conducting a focus group, survey, or plan to employ statistical methods, please provide answers to the following questions:
The selection of your targeted respondents
Do you have a customer list or something similar that defines the universe of potential respondents and do you have a sampling plan for selecting from this universe? [ X] Yes [] No
If the answer is yes, please provide a description of both below (or attach the sampling plan)? If the answer is no, please provide a description of how you plan to identify your potential group of respondents and how you will select them?
The focus groups, the research will be conducted with will be identified through existing networks and various associations.
The focus groups will be drawn from three distinct categories of personnel at health care institutions: cybersecurity policy-makers (Chief Information Security Officers and Chief Information Officers, or their equivalents), mid-level administrators (practice administrators, network or systems administrators), and patient care professionals (doctors and nurses). Recruiting will be organized by partners belonging to the 405(d) Task Group, who are affiliated with local institutions and organizations involved in health care cybersecurity, under the guidance of a professional survey research project manager. They have extensive contacts in their regions and can assemble lists of potential group members who meet our criteria. There will be no incentives provided to incite participation, but we will over-recruit deliberately to ensure sufficient turnout despite the usual loss of recruits. We will aim to recruit 15 individuals for each group to yield a turnout of 10-12. We will also ask the recruiters to tap a variety of types of institutions (large, small, hospitals, physician practices).
In order to touch a variety of regions, we will conduct in-person groups with members of each of these professional categories (separately) in the Midwest (Chicago, IL), West (Denver, CO), and South (Ocala, FL). Chicago and Denver will let us reach health care centers in major cities. We will seek to reach rural health care organizations through the groups in Ocala, where the location will let us recruit them, as well as an online group with relevant professionals in Duluth, GA. We will seek to reach other harder-to-reach groups, such as small-town professionals elsewhere and practitioners serving the Indian Health Service, through such virtual groups and perhaps in Washington, DC when they come to attend meetings.
The result will be a baseline that gives a reasonable picture of cybersecurity awareness and practices among the various types of personnel and institutions as well as locations across the country. This will be of use in planning, refining, and thinking about promoting the healthcare cybersecurity guidelines that HHS is preparing.
Administration of the Instrument
How will you collect the information? (Check all that apply)
[ X ] Web-based or other forms of Social Media
[ X ] Telephone
[ X ] In-person
[ ] Other, Explain
Will interviewers or facilitators be used? [ X ] Yes [ ] No
Please make sure that all instruments, instructions, and scripts are submitted with the request.
TITLE OF INFORMATION COLLECTION: Provide the name of the collection that is the subject of the request. (e.g. Comment card for soliciting feedback on xxxx)
PURPOSE: Provide a brief description of the purpose of this collection and how it will be used. If this is part of a larger study or effort, please include this in your explanation.
DESCRIPTION OF RESPONDENTS: Provide a brief description of the targeted group or groups for this collection of information. These groups must have experience with the program.
TYPE OF COLLECTION: Check one box. If you are requesting approval of other instruments under the generic, you must complete a form for each instrument.
CERTIFICATION: Please read the certification carefully. If you incorrectly certify, the collection will be returned as improperly submitted or it will be disapproved.
Personally Identifiable Information: Provide answers to the questions.
Gifts or Payments: If you answer yes to the question, please describe the incentive and provide a justification for the amount.
BURDEN HOURS:
Category of Respondents: Identify who you expect the respondents to be in terms of the following categories: (1) Individuals or Households;(2) Private Sector; (3) State, local, or tribal governments; or (4) Federal Government. Only one type of respondent can be selected.
No. of Respondents: Provide an estimate of the Number of respondents.
Participation Time: Provide an estimate of the amount of time required for a respondent to participate (e.g. fill out a survey or participate in a focus group)
Burden: Provide the Annual burden hours: Multiply the Number of responses and the participation time and divide by 60.
FEDERAL COST: Provide an estimate of the annual cost to the Federal government.
If you are conducting a focus group, survey, or plan to employ statistical methods, please provide answers to the following questions:
The selection of your targeted respondents. Please provide a description of how you plan to identify your potential group of respondents and how you will select them. If the answer is yes, to the first question, you may provide the sampling plan in an attachment.
Administration of the Instrument: Identify how the information will be collected. More than one box may be checked. Indicate whether there will be interviewers (e.g. for surveys) or facilitators (e.g., for focus groups) used.
Please make sure that all instruments, instructions, and scripts are submitted with the request.
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File Title | DOCUMENTATION FOR THE GENERIC CLEARANCE |
Author | 558022 |
File Modified | 0000-00-00 |
File Created | 2021-01-21 |