Memo

0990-0379 Memo Cybersecurity in the healthcare and public health sector v1.docx

Fast Track Generic Clearance for the Collection of Qualitative Feedback on Agency Service Delivery


OMB: 0990-0379


Request for Approval under the “Generic Clearance for the Collection of Routine Customer Feedback” (OMB Control Number: 0990-0379)

TITLE OF INFORMATION COLLECTION: Comments on the Cybersecurity in the healthcare and public health sector



PURPOSE:

The purpose of the Cybersecurity in the healthcare and public health sector is to provide cybersecurity awareness and prioritization throughout the Healthcare and Public Health (HPH) Sector. The comments gathered will help update the document and make it more effective.

The document is a requirement called for in the CISA of 2015, Section 405(d). In the legislation Congress mandates HHS, through a private/public partnership, to develop voluntary, consensus-based guidelines, best practices, & methodologies to strengthen the HPH-sector’s cybersecurity posture. The 405(d) Task Group has aimed to address the requirement with a targeted set of applicable & voluntary best practices that seek to cost-effectively reduce the cybersecurity risks of the healthcare industry. The first version of the Cybersecurity in the healthcare and public health sector will be targeted to the entire Healthcare and Public Health Sector with a focus on those engaged in direct patient care, segmented into small, medium, and large organizations.




DESCRIPTION OF RESPONDENTS:

The respondents in this effort will consist of various medical professionals, including doctors, nurses, practice administrators, etc. In addition, feedback will also be gathered from InfoSec professionals, including CISOs (Chief Information Security Officers), CIOs (Chief Information Officers), CMIOs (Chief Medical Information Officers), etc.






TYPE OF COLLECTION: (Check one)


[ ] Customer Comment Card/Complaint Form [ ] Customer Satisfaction Survey

[ ] Usability Testing (e.g., Website or Software) [ ] Small Discussion Group

[X] Focus Group [ ] Other: ______________________


CERTIFICATION:


I certify the following to be true:

  1. The collection is voluntary.

  2. The collection is low-burden for respondents and low-cost for the Federal Government.

  3. The collection is non-controversial and does not raise issues of concern to other federal agencies.

  4. The results are not intended to be disseminated to the public.

  5. Information gathered will not be used for the purpose of substantially informing influential policy decisions.

  6. The collection is targeted to the solicitation of opinions from respondents who have experience with the program or may have experience with the program in the future.


Name: Julie Chua


To assist review, please provide answers to the following question:


Personally Identifiable Information:

  1. Is personally identifiable information (PII) collected? [ ] Yes [ X ] No

  2. If Yes, is the information that will be collected included in records that are subject to the Privacy Act of 1974? [ ] Yes [ ] No

  3. If Applicable, has a System of Records Notice been published? [ ] Yes [ ] No

Gifts or Payments:

Is an incentive (e.g., money or reimbursement of expenses, token of appreciation) provided to participants? [ ] Yes [ X ] No





BURDEN HOURS


| Category of Respondent | No. of Respondents | Participation Time | Burden hour |
|---|---|---|---|
| Private Sector (Health Information Security Professionals) 405D Pre Testing Discussion Guide | 45 | 1 hr | 45 |
| Private Sector (Medical Professionals) - 405D Pre Testing Discussion Guide | 45 | 1 hr | 45 |
| Private Sector (Health Information Security Professionals) Discussion Guide Main Document - Cybersecurity for the Healthcare and Public Health Sector 5-30-18.pdf | 45 | 1 hr | 45 |
| Private Sector (Medical Professionals) Discussion Guide - Main Document - Cybersecurity for the Healthcare and Public Health Sector 5-30-18.pdf | 45 | 1 hr | 45 |
| Private Sector (Medical Professionals) Technical Volume 1 - Cybersecurity Best Practices for Small Organizations_5 29 18.pdf | 45 | 30 min | 22.5 |
| Private Sector (Health Information Security Professionals) - Cybersecurity Best Practices for Small Organizations_5 29 18.pdf | 45 | 30 min | 22.5 |
| Private Sector (Health Information Security Professionals) - Technical Volume 2 - Cybersecurity Best Practices for Medium and Large Organizations_5 29 18.pdf | 45 | 30 min | 22.5 |
| Private Sector (Medical Professionals) - Technical Volume 2 - Cybersecurity Best Practices for Medium and Large Organizations_5 29 18.pdf | 45 | 30 min | 22.5 |
| Totals | | | 270 |



FEDERAL COST: The estimated annual cost to the Federal government is $4500


If you are conducting a focus group, survey, or plan to employ statistical methods, please provide answers to the following questions:


The selection of your targeted respondents

  1. Do you have a customer list or something similar that defines the universe of potential respondents and do you have a sampling plan for selecting from this universe? [ X ] Yes [ ] No


If the answer is yes, please provide a description of both below (or attach the sampling plan)? If the answer is no, please provide a description of how you plan to identify your potential group of respondents and how you will select them?


The focus groups with which the research will be conducted will be identified through existing networks and various associations.


The focus groups will be drawn from three distinct categories of personnel at health care institutions: cybersecurity policy-makers (Chief Information Security Officers and Chief Information Officers, or their equivalents), mid-level administrators (practice administrators, network or systems administrators), and patient care professionals (doctors and nurses). Recruiting will be organized by partners belonging to the 405(d) Task Group, who are affiliated with local institutions and organizations involved in health care cybersecurity, under the guidance of a professional survey research project manager. They have extensive contacts in their regions and can assemble lists of potential group members who meet our criteria. There will be no incentives provided to incite participation, but we will over-recruit deliberately to ensure sufficient turnout despite the usual loss of recruits. We will aim to recruit 15 individuals for each group to yield a turnout of 10-12. We will also ask the recruiters to tap a variety of types of institutions (large, small, hospitals, physician practices).


In order to touch a variety of regions, we will conduct in-person groups with members of each of these professional categories (separately) in the Midwest (Chicago, IL), West (Denver, CO), and South (Ocala, FL). Chicago and Denver will let us reach health care centers in major cities. We will seek to reach rural health care organizations through the groups in Ocala, where the location will let us recruit them, as well as an online group with relevant professionals in Duluth, GA. We will seek to reach other harder-to-reach groups, such as small-town professionals elsewhere and practitioners serving the Indian Health Service, through such virtual groups and perhaps in Washington, DC when they come to attend meetings.


The result will be a baseline that gives a reasonable picture of cybersecurity awareness and practices among the various types of personnel and institutions as well as locations across the country. This will be of use in planning, refining, and thinking about promoting the healthcare cybersecurity guidelines that HHS is preparing.





Administration of the Instrument

  1. How will you collect the information? (Check all that apply)

[ X ] Web-based or other forms of Social Media

[ X ] Telephone

[ X ] In-person

[ ] Mail

[ ] Other, Explain

  2. Will interviewers or facilitators be used? [ X ] Yes [ ] No

Please make sure that all instruments, instructions, and scripts are submitted with the request.

Instructions for completing Request for Approval under the “Generic Clearance for the Collection of Routine Customer Feedback”



TITLE OF INFORMATION COLLECTION: Provide the name of the collection that is the subject of the request. (e.g. Comment card for soliciting feedback on xxxx)


PURPOSE: Provide a brief description of the purpose of this collection and how it will be used. If this is part of a larger study or effort, please include this in your explanation.


DESCRIPTION OF RESPONDENTS: Provide a brief description of the targeted group or groups for this collection of information. These groups must have experience with the program.


TYPE OF COLLECTION: Check one box. If you are requesting approval of other instruments under the generic, you must complete a form for each instrument.


CERTIFICATION: Please read the certification carefully. If you incorrectly certify, the collection will be returned as improperly submitted or it will be disapproved.


Personally Identifiable Information: Provide answers to the questions.


Gifts or Payments: If you answer yes to the question, please describe the incentive and provide a justification for the amount.


BURDEN HOURS:

Category of Respondents: Identify who you expect the respondents to be in terms of the following categories: (1) Individuals or Households; (2) Private Sector; (3) State, local, or tribal governments; or (4) Federal Government. Only one type of respondent can be selected.

No. of Respondents: Provide an estimate of the Number of respondents.

Participation Time: Provide an estimate of the amount of time required for a respondent to participate (e.g. fill out a survey or participate in a focus group)

Burden: Provide the Annual burden hours: Multiply the Number of responses and the participation time and divide by 60.


FEDERAL COST: Provide an estimate of the annual cost to the Federal government.


If you are conducting a focus group, survey, or plan to employ statistical methods, please provide answers to the following questions:


The selection of your targeted respondents. Please provide a description of how you plan to identify your potential group of respondents and how you will select them. If the answer is yes, to the first question, you may provide the sampling plan in an attachment.


Administration of the Instrument: Identify how the information will be collected. More than one box may be checked. Indicate whether there will be interviewers (e.g. for surveys) or facilitators (e.g., for focus groups) used.

Please make sure that all instruments, instructions, and scripts are submitted with the request.


File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Title: DOCUMENTATION FOR THE GENERIC CLEARANCE
Author: 558022
File Modified: 0000-00-00
File Created: 2021-01-21
