unit 7 cahims


Which step in the contingency planning process is implemented when Arural Hospital's HIT management establishes the criticality of each EHR system component and ranks them accordingly? 1. Develop the contingency planning policy statement 2. Conduct the business impact analysis (BIA) 3. Identify preventive controls 4. Create contingency recovery strategies 5. Develop an information system contingency plan 6. Ensure plan testing, training, and exercises 7. Ensure plan maintenance

2. Conduct the business impact analysis (BIA)

The recommendations for punishments for privacy or security violations relates to which principle? Boundaries Security Consumer control Accountability Public responsibility

Accountability

A macro virus runs when which of the following occurs? Microsoft Word is loaded. An infected document is saved from an email. An infected document is copied from a network share. An infected document is opened.

An infected document is opened.

The network indicates it is time to change your password. What is the best strategy for choosing a new one? Choose something easy to remember, such as your cat's name or spouse's birthday. Add a "!" or number "1" to the end of your existing password. Choose something you can remember, but modify it with some complex pattern of characters. Type a sequence of keys following a path on the keyboard.

Choose something you can remember, but modify it with some complex pattern of characters.

Once a threat or vulnerability is identified, which of the following should be done to determine the actual risk of occurrence? Assign a priority to the risk. Identify the likelihood of the risk event occurrence. Measure the magnitude of the threat to the organization. Combine the likelihood of an occurrence with the magnitude of the event should it occur.

Combine the likelihood of an occurrence with the magnitude of the event should it occur.

Which of the following refers to the meaning of core security principles? Confidentiality, integrity, and availability Application of the four forms of risk management responses Design and implementation of defense in depth Development and implementation of strong authentication and access controls

Confidentiality, integrity, and availability

In which step of the contingency planning process does Arural Hospital's HIT management design a strategy that supports the efforts to recover the hospital's healthcare delivery functions after an emergency? 1. Develop the contingency planning policy statement 2. Conduct the business impact analysis (BIA) 3. Identify preventive controls 4. Create contingency recovery strategies 5. Develop an information system contingency plan 6. Ensure plan testing, training, and exercises 7. Ensure plan maintenance

Create contingency recovery strategies

To encrypt a single file on a Windows system, which of the following is used? VPN EFS BitLocker SSL

EFS

When AC Hospital creates plans to sustain system access and recover the system features, software, hardware, and databases in the event of an EHR system failure, which mission-critical concern is being addressed? Patient data privacy and confidentiality Patient data integrity EHR system availability

EHR system availability

Which of the following is the best way to fix a compromised computer? Run an antivirus scan Format the hard disk and restore the files Install cleanup software from a website Reboot the computer

Format the hard disk and restore the files

You receive an email from your bank stating that you need to change your password for security reasons. What should you do? Go to your bank's website and change your password. Click on the link in the email and change your password. Ignore it—it is a phishing email.

Go to your bank's website and change your password.

Under the HITECH Act, covered entities must maintain a log of breaches and annually report them to --HHS/affected patients/local media--.

HHS

Which of the following is a major compliance driver of data security audits within medical organizations? Sarbanes-Oxley HIPAA FMLA Malware

HIPAA

AC Hospital has completed its risk assessment process and is now developing its risk management program. The hospital is ready to draft its emergency preparedness plans. The construction of the disaster recovery plan would be assigned to hospital --HIT/business-- managers.

HIT. The disaster recovery plan is an HIT-focused plan for restoring HIT operations, not business operations, and it is limited to major, usually catastrophic, events that deny access to the regular facility for an extended period.

Which of the following statements best characterizes one of the purposes of HIPAA? Improve the overall effectiveness of the US healthcare system Disallow the use of preexisting conditions to deny health insurance coverage for individual health insurance policyholders Extend Medicaid to workers when they move from one job to another Allow covered entities to transmit electronic health information

Improve the overall effectiveness of the US healthcare system

Why do both HIPAA and the HITECH Act have rules that relate to specific diseases and genetic predispositions? Knowledge of these patients' health status could cause their insurance rates to go up. Knowledge of these patients' health status can affect their ability to recover from treatment. Knowledge of these patients' health status can affect their relationships and employment. These health conditions are difficult to treat.

Knowledge of these patients' health status can affect their relationships and employment.

Joyce is a professor at a community college who teaches courses for medical assistants. She also works part time at a hospital, which gave her permission to use some actual medical records as examples for her classes so long as she redacted (removed or blacked out) any protected health information (PHI) identifiers. Which of the following did Joyce have to remove or black out? Diagnosis codes Procedure charges Form number Medical record number

MRN

--Nonrepudiation/Integrity/Availability-- provides proof that a certain action has taken place or that something or someone is what or who they claim to be.

Nonrepudiation. Nonrepudiation requires that those who access protected health information are allowed to do so and that they prove they are who they say they are.

Which one of the following describes a public health agency functioning as a hybrid? One that primarily provides immunizations for a variety of diseases and provides access to state-funded medications for patients with HIV who could not otherwise afford them One that primarily monitors global occurrences of communicable diseases and provides education and travel advisories to the public during outbreaks One that primarily provides diagnoses and treatments for sexually transmitted infections (STIs) and gathers and reports related data to the state to prevent and control the spread of STIs One that provides free dental checkups to children and distributes free toothpaste and toothbrushes to them

One that primarily provides diagnoses and treatments for sexually transmitted infections (STIs) and gathers and reports related data to the state to prevent and control the spread of STIs

Which authentication method is the easiest to deploy and also the easiest to crack? Biometrics Security tokens Swipe cards Password and PINs

Password and PINs

Which of these choices best defines why security, privacy, and confidentiality of patient health data is so critical? Patient data is particularly vulnerable to fraudulent use. Many situations must be monitored for threats and vulnerabilities. HIT staff must create contingency plans for all possible threats and vulnerabilities. Healthcare employees are more likely than employees in other businesses to make human errors.

Patient data is particularly vulnerable to fraudulent use.

When AC Hospital installs HIT security controls and contingency plans that establish access and authentication controls to safeguard protected health information (PHI), which mission-critical concern is being addressed? Patient data privacy and confidentiality Patient data integrity EHR system availability

Patient data privacy and confidentiality

Marcus is a medical assistant at a nursing home. He forgot his password, and the facility's desktop computer system locked him out after his third failed logon attempt. Which of the following safeguards did the nursing home apply? Information access management Integrity controls Person or audit authentication Theft prevention

Person or audit authentication

If AC Hospital's EHR project team is analyzing and designing software, hardware architecture, and solutions that address system redundancy, recovery strategies, and security controls, where is the team in terms of the system life cycle (SLC)? Phase 1, Initiation Phase 2, Development or acquisition Phase 3, Implementation Phase 4, Operations and maintenance Phase 5, Disposal

Phase 2, Development or acquisition

Which of the following is not an example of multifactor authentication? Providing a secret answer to a personal security question Scanning a fingerprint and inserting a USB key Swiping a bank card and entering a PIN Inserting a smartcard and typing a password

Providing a secret answer to a personal security question

Under the HITECH Act, some breached information does not have to be reported if it is unreadable, unusable, or indecipherable to unauthorized individuals by either encryption or destruction or was inadvertently disclosed by authorized users. What are these types of breaches known as? Unsecured Secured Low probability Safe harbor

Safe harbor

HCOs increasingly use business partners, including vendors who provide hosted services. This arrangement complicates business continuity processes. Which of the following solutions should AC Hospital use to address this concern in its business continuity plan (BCP)? Disk-to-disk (D2D) backups, offsite standby system, virtual system HCO executive support and enterprise culture Service level agreements (SLAs) and vendor testing and training participation External network and network service provider testing

Service level agreements (SLAs) and vendor testing and training participation

In which step of the Risk Management Guide for Information Technology Systems (NIST Special Publication 800-30) risk assessment process is each threat or vulnerability considered and the risk determined when the likelihood and magnitude of the event have been identified? Step 1, preparation for risk assessment Step 2, conduct risk assessment Step 3, communicate results Step 4, maintain assessment

Step 2, conduct risk assessment

True or false? A subcontractor that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity's business associate is also defined as a business associate under the HITECH Act.

TRUE

When Arural Hospital's IT team is planning data backup strategies, it has several decisions to make to ensure data is protected and available for efficient and timely restoration if a disaster occurs. Which of the following options represents the choice of media the hospital might use for data backups? Tape, D2D, and/or cloud options Frequency Onsite/offsite Encryption

Tape, D2D, and/or cloud options

Levi has had sinus problems for some time. He asks his dentist to send his electronic records to a sinus specialist whom he has just started seeing to help her better understand his condition. Which of the following best describes how the HITECH Act applies to this scenario? The HITECH Act stipulates that Levi has the right to make this request of his dentist, who must comply if he is technically able to transfer electronic records. The HITECH Act stipulates that Levi has the right to make this request of his dentist, who will have to pay a fine if he does not honor it. The HITECH Act stipulates that Levi has the right to make this request of his dentist, who has the option of honoring it or not at his own discretion. The HITECH Act stipulates that Levi has the right to make this request of his dentist, who can give the records to Levi rather than to the specialist.

The HITECH Act stipulates that Levi has the right to make this request of his dentist, who must comply if he is technically able to transfer electronic records.

Which of the following best ensures health information database integrity? Restricting database access only to individuals who need it to do their job. Analyzing information stored in databases to promote public health. Verifying the accuracy of the information retrieved from a database. Training employees who must access databases on privacy and security requirements.

Verifying the accuracy of the information retrieved from a database.

Which of the following is the preferred wireless network authentication and encryption security method for homes and small businesses? MAC WEP WPA2 RADIUS

WPA2

At her last office visit, Liza informed her doctor that she did not want the prescription that he gave her to be reported to her health insurance company and that she would pay for the drug herself. The doctor agreed to Liza's request and sent the prescription to her pharmacy via the clinic's e-prescribing system. Could this constitute a breach of the patient's request not to send the information to the insurance company? Yes. If the pharmacy is unaware of Liza's request, it will fill the prescription and submit the charge to her insurance company in order to determine the patient's owed amount. No. Liza did not submit her request in writing, which is required for this request to be honored. Yes. Using an e-prescribing system does not provide a way for the doctor to inform the pharmacy of Liza's request. Maybe. If the clinic has a business associate agreement with the pharmacy, then the pharmacy must honor Liza's request.

Yes. If the pharmacy is unaware of Liza's request, it will fill the prescription and submit the charge to her insurance company in order to determine the patient's owed amount.

Which of the following protects a computer or computer network from network-based attacks by filtering the data traveling on the network? An uninterruptable power supply A firewall An authentication system An encryptor

a firewall

The National Research Council (NRC) recommends that all organizations that handle protected health information (PHI) should have --authentication/access/audit-- controls in place to ensure that users can access only the information they need to perform their job.

access

Sonja is a data entry clerk for American Health Insurance Corporation. Her sole job function is to type information from paper claims into the company's computer system so it can be processed. She cannot view records of customer service calls or previously submitted claims. Which recommendation of the National Research Council (NRC) is the company following? Software discipline Backup plans Audit trails Access controls

access controls

Reviewing firewall logs, interviewing IT staff on the frequency of backups, checking which patches are installed on a billing computer, and examining the permissions on the EHR database are all examples of what type of activity? Auditing Authentication Disaster recovery Enforcement

auditing

Which of the following reviews and measures the level of compliance with security policies? Security log Active Directory Integrity Auditing

auditing

Which risk response category represents eliminating risk by choosing not to allow a system feature to be used? Acceptance Mitigation Avoidance Transfer

avoidance

AC Hospital has completed its risk assessment process and is now developing its risk management program. The hospital is ready to draft its emergency preparedness plans. The construction of the continuity of operations plan would be assigned to hospital --HIT/business-- managers.

business

--Privacy/Confidentiality/Security-- means that personal information is shared only when it needs to be and among people who have a professional need to know it.

confidentiality

Antivirus software, data encryption, and computer patch management are examples of technologies that support data ____________. confidentiality integrity availability

confidentiality

When Minjoon received a statement from his insurance company regarding his recent eye surgery, he noticed that it said he had surgery on his right eye, but the surgery was actually performed on his left eye. It turns out that the mistake was in the provider's records, which he eventually had corrected. Which of the following principles underlying HIPAA privacy and security came into play when the records were changed? Accountability Public responsibility Consumer control Security

consumer control

Which of the following contingency plan components is not required by the HIPAA Security Rule? Emergency mode operations plan Decommissioned device plan Disaster recovery plan Data backup plan

decommissioned device plan

Which of the following describes how individuals are expected to follow security policy rules? Security definition Auditing Enforcement Authorization

enforcement

True or false? AC Hospital should implement role-based access and authentication security controls to meet HIPAA regulatory standards and to ensure employees are able to access all the electronic protected health information (ePHI) available in the EHR system.

false

True or false? Although it is resource intensive, humans must directly verify the accuracy of data stored in databases to ensure their integrity.

false

True or false? Authorization occurs before authentication.

false

True or false? Well-designed technology-based security measures, including firewalls, antivirus software, password complexity requirements, data encryption, and email spam filters can prevent social engineering data compromises.

false

True or false? Implementing network permissions is the best approach for a comprehensive information security strategy.

false. A comprehensive information security strategy combines technical, business, and culture elements through the application of administrative policies and procedures, physical access controls, and network access controls.

True or false? Accountability is the ethical expectation of privacy between a patient and healthcare provider.

false. Accountability stipulates that individuals and groups will be held responsible for their actions. Confidentiality is the ethical expectation of privacy between a patient and healthcare provider. It means that protected health information is not to be made available or disclosed to unauthorized persons.

Acme Health Informatics is a company that receives medical claim information from providers who do not have systems that can process standard code sets electronically. Acme converts this information into standard electronic format and submits it to the appropriate health insurance plan for processing. True or false? Acme Health Informatics is not a covered entity according to HIPAA.

false. Acme Health Informatics is a healthcare clearinghouse and so is a covered entity according to HIPAA.

True or false? Risk management is primarily an HIT function that also addresses elements of an HCO's business function and adherence to government regulations.

false. Although health IT is a significant aspect of risk management, the HCO business and regulatory concerns are of equal or greater importance. Risk management is more a management than a technical endeavor.

Providing patients with a copy of their paper health record poses a security safeguard challenge because the data must be encrypted.

false. Data encryption is a security safeguard for electronic data, not paper data.

True or false? Administrative activities, fraud and abuse investigations, and health insurance policy underwriting are not covered by the HIPAA Privacy Rule.

false. In general, patient authorization is not required in order to disclose personal health information for the purposes of treatment, payment, and healthcare operations (TPO). Healthcare operations are all activities that support the treatment and payment activities of healthcare. Administrative activities, fraud and abuse investigations, and health insurance policy underwriting are just a few examples of healthcare operations.

True or false? When any covered entity is required by law to report information to a public health agency, the public health agency is classified as a business associate of the covered entity, so a business associate agreement is required.

false. When any covered entity is required by law to report information to a public health agency, the public health agency is not a business associate of the covered entity, so a business associate agreement is not required.

True or false? WEP provides better wireless network security than WPA.

false. Wired Equivalent Privacy (WEP) is the original wireless connection encryption method, which has design flaws, is easily broken, and is not to be used.

Acme Health Informatics is a company that receives medical claim information from providers who do not have systems that can process standard code sets electronically. Acme converts this information into standard electronic format and submits it to the appropriate health insurance plan for processing. Which of the following types of organizations is Acme Health Informatics? Healthcare plan Healthcare organization Healthcare clearinghouse

healthcare clearinghouse

AC Hospital is establishing an alternate site system as part of its disaster recovery strategy. It has decided on a --cold/warm/hot-- standby system in which the hardware, software, and health data are mirrors of the production system. Each time an update is made to the production system, it is also made to the alternate site system.

hot. A hot standby system is a mirror of the production system and is ready to go anytime a disaster hits. It has up-to-date hardware, software, and data at all times.

Which of the following refers to operations a user or piece of software normally does not perform but are indicative of malware behavior? Antivirus signature On-access scanning Firewall filtering Malicious activity

malicious activity

Public health agencies in a Midwestern state have observed a spike in the number of illnesses caused by salmonella poisoning. A common thread among the patients appears to be that they all ate cantaloupe just before becoming sick. The Food and Drug Administration (FDA) has asked all public health agencies across the state to report to it any protected health information (PHI) possibly related to the salmonella outbreak so it can determine the source of the possibly contaminated cantaloupe. Are these public health agencies required to obtain patient authorization in this case?

no

As part of the office renovation, all of the clerical and front-desk computers were replaced with new units. Which of the following may be done with the old computers? Select Yes or No for each option. Buy new memory chips for the computers and then give them to the staff to use at home. (Yes/No) Reinstall the operating systems and donate the computers to a local school. (Yes/No) Remove and destroy the hard drives. Take the rest of the computer to a recycling center. (Yes/No) Place the computers in the storage warehouse in case they are needed in the future. (Yes/No)

no no yes no

Which of the following are important information security concerns? Select Yes or No for each option. Authorization (Yes/No) Availability (Yes/No) Physical security (Yes/No) Network permissions (Yes/No) Integrity (Yes/No) Confidentiality (Yes/No)

no yes no no yes yes

Dr. Blue is considering a risk management program for his private practice. Which of these options would be considered a business associate? Select Yes or No for each option. The other physicians who are partners in his practice (Yes/No) Hospitals where his patients are treated when they need in-patient care (Yes/No) Cardiology registries (Yes/No) Pharmacies (Yes/No)

no yes yes yes. Feedback: Part 1, correct. Other physicians in Dr. Blue's practice are not business associates from a HIPAA perspective because, as partners, they are all subject to the risk management program that covers the practice. Part 2, correct. Assuming Dr. Blue is not an employee of the hospital, each hospital that treats one of his patients and wants access to his patient records must be considered a business associate for HIPAA purposes. Part 3, correct. Cardiology registries have valid reasons for requesting data regarding Dr. Blue's patients who have heart problems. The registries are considered business associates for HIPAA and other regulatory purposes. Part 4, correct. Pharmacies that fill prescriptions for Dr. Blue's patients should be considered business associates for HIPAA and other regulatory purposes.

An example of a public health agency that functions primarily as a --covered/hybrid/noncovered-- entity is one that is mandated by state law to receive protected health information (PHI) from healthcare providers in order to conduct an epidemiological investigation.

noncovered

Federal law emphasizes that the security of electronic health information is a/an --optional recommendation/ongoing process/one-time goal--.

ongoing process

What controls the actions you can and cannot perform on a file, folder, computer, or network object? Authorization Permissions Complexity factor Authentication

permissions

You receive an email from your bank asking you to log on to verify a payment. This is an example of which kind of attack? Rootkit Worm Phishing Macro virus

phishing

--Physical/Administrative/Technical-- safeguards include facility access and control, workstation and device security, and theft prevention.

physical

Which type of cryptography uses one key for encryption and a different one for decryption? Symmetric Private-key Public-key Encrypt with password

public key

HIPAA --requires/recommends-- that hospitals design their business continuity plan (BCP) to include tests for their electronic protected health information (ePHI) backup, disaster recovery, and emergency mode operations plans and procedures.

recommends

HIPAA --requires/recommends-- that hospitals design their business continuity plan (BCP) to include emergency mode operations plans and procedures to continue critical business processes involving electronic protected health information (ePHI) while responding to an emergency.

requires

When AC Hospital implements security measures sufficient to address risks in a reasonable and appropriate manner, it is adhering to the --risk analysis/risk management/recurring risk evaluation-- mandate of the Code of Federal Regulations (CFR).

risk mgmt

Piotr, the network administrator, and Bill and Sharon, the practice owners, decide not to set up their own credit card processing system on their network but to use a third-party external service instead. This is an example of which of the following risk management responses? Risk avoidance Risk mitigation Risk transfer Risk acceptance

risk transfer

General Hospital has an automated process in place that records all accesses to its computer systems. Designated staff are charged with running reports to break down and review these accesses to ensure that any access to and creation or modification of protected health information (PHI) complies with regulations and hospital guidelines. Which of the following safeguards is the hospital implementing in maintaining this record of all accesses to its PHI? Administrative Physical Technical

technical

True or false? Domain-based networks can be configured so that unauthorized computers and other devices will not work on the network.

true

True or false? A robust risk assessment process, coupled with a thorough risk management program, comprehensive business and HIT emergency preparedness plans, and a well-prepared and knowledgeable staff are all essential to minimizing the negative ramifications of a security incident or disaster.

true

True or false? A violation can occur within the same public health agency if its protected health information (PHI) crosses from its covered to its noncovered operations.

true

True or false? AC Hospital's business continuity plan (BCP) should address concerns related to tracking, responding to, and reporting all breach attempts.

true

True or false? AC Hospital's risk management program places great emphasis on protecting patient data and ensuring its availability. There are many facets to providing this protection, including meeting regulatory mandates and ensuring business continuity, patient safety, quality of care, and system availability.

true

True or false? Individual Microsoft Office documents can be encrypted using a shared-secret key from within the application (such as Word or Excel).

true

True or false? Risk management in a healthcare setting is more critical than in most business environments because clinicians often face life-or-death situations that require access to accurate and current patient data.

true

True or false? Several risks identified by Arural Hospital's risk assessment process are HIT related. HIT staff should analyze those risks and take action to abate the risks with security controls and/or should develop a contingency plan to address the threat should an event occur.

true

True or false? The Privacy Act of 1974 applied only to federal agencies, not to state or local governments.

true

True or false? The SSID is a wireless network's name.

true

True or false? Under the HIPAA compliance audit program, entities that the Office for Civil Rights (OCR) finds not to be in good faith compliance with HIPAA could face large penalties.

true

True or false? General Hospital has a backup server and contingency plans to protect its database in the event of the destruction of its primary location. This is one of the National Research Council (NRC) recommendations for addressing information security concerns.

true

When Judy logs on to her office network, she first enters her username and password. The system then sends her a text message on her personal cell phone with a PIN she also needs to enter to complete the logon. This is an example of --one-factor/two-factor/three-factor-- authentication.

two factor

In cases of --international disease outbreaks/births and deaths/workplace medical surveillance--, public health agencies must notify patients of disclosure of their protected health information (PHI) even though patient authorization is not required.

workplace medical surveillance

Which of the following can generate so much network traffic that the network becomes unusable? Spyware Macro viruses Worms Hoaxes

worms

Physicians at AC Hospital have requested that one-time password (OTP) tokens or smartcard access controls be used to replace the traditional user ID and password controls. Which of the following options provides the hospital with justification to seriously consider their request? Select Yes or No for each option. Traditional user ID and password access controls require the physicians to memorize a large number of passwords. (Yes/No) Physicians are often locked out of necessary patient data or critical system functions because they have incorrectly entered their password too many times. (Yes/No) Physicians are often locked out of critical systems because they have not accessed that system in a specified period of time. (Yes/No) Physicians often use other physicians' user IDs and passwords to access the system when they cannot use their own because they are locked out or cannot remember their password. (Yes/No)

yes yes yes no

Which of the following are network security objects? Select Yes or No for each option. Database table (Yes/No) Microsoft Word document (Yes/No) Laser printer (Yes/No) Security policy (Yes/No) User (Yes/No) SecureID security token (Yes/No) Wireless laptop computer (Yes/No)

yes yes yes no yes no yes

Which of the following are important information security concerns? Select Yes or No for each option. Identity theft or impersonation (Yes/No) Loss, unauthorized modification, or compromise of data (Yes/No) Threats to disclose data or to disclose that data has been compromised (Yes/No) Business interruption due to denial of service (Yes/No)

yes yes yes yes

Which of the following would be reasons for a hacker to compromise your network? Select Yes or No for each option. Destroy data (Yes/No) For the challenge (Yes/No) Financial gain (Yes/No) Add computers to a botnet (Yes/No)

yes yes yes yes
