Cybersecurity protects information systems against: a. Humans b. Threats that exploit a system's vulnerabilities c. Viruses d. Spam and phishing attempts


A firewall protects against the unauthorized transmission of ePHI between two computers within an internal network. a. True b. False

b. false

Data recovery should not include obtaining copies of records from entities that received records from the organization. a. True b. False

b. false

Large, medium, and small covered entities must all implement the HIPAA Security rule requirements in the same way. a. True b. False

b. false

Public key infrastructure is a less secure method of encryption because the key that decodes the information is transmitted with the data. a. True b. False

b. false

Ransomware is disseminated by viruses only. a. True b. False

b. false

The data backup plan is focused only on the electronic health record. a. True b. False

b. false

Cookies: a. Are based on trickery b. Identify a user's computer to a website c. Are a type of virus d. Are installed by information security experts to stop malicious incoming traffic

b. Identify a user's computer to a website

Ransomware resembles scareware, but it is different because: a. Its threat is fictitious b. Its threat is real c. There is no threat d. It employs social engineering

b. its threat is real

The MIPS composite performance score is based in part on: a. Ethical decision making b. HIPAA compliance c. Advancing care information d. Staffing levels

c. Advancing care information

A computer virus is unable to replicate itself. a. True b. False

b. false

The HIPAA Security Rule is flexible. This means: a. A variety of different security measures may be used b. It applies to entities of any size c. It does not prescribe certain technologies d. Its standards are impossible to achieve

a. A variety of different security measures may be used

Changes to HIPAA are included in: a. HITECH b. Medicare Conditions of Participation c. Privacy Act of 1974 d. Child Abuse Prevention and Treatment Act

a. HITECH

Mary is a self-employed transcriptionist who transcribes physician office progress notes for several physician practices. Each document she transcribes is identified by the patient's name and medical record number. Mary: a. Is a business associate of the physician practices b. Is only a business associate of the physician practices that initiated business associate agreements c. Does not meet the definition of a business associate d. Is not legally liable for HIPAA violations she commits without a business associate agreement

a. Is a business associate of the physician practices

Deidentified information is: a. Not protected by HIPAA b. Always protected by HIPAA c. Protected by HIPAA only when it is used for research d. Protected by HIPAA only when it is used for vital statistics

a. Not protected by HIPAA

A university with a medical center is a hybrid entity under HIPAA. a. True b. False

a. True

Covered entities consist only of healthcare providers, health plans, and healthcare clearinghouses. a. True b. False

a. True

Use is the handling of PHI that is internal to a covered entity or BA. a. True b. False.

a. True

Weaknesses in Wi-Fi networks can be exploited by attackers to compromise a mobile phone user's personal information. a. True b. False

a. True

OCR has discretion to pursue corrective action without assessing penalties for which type of HIPAA violation? a. Unknowing or did not know b. Reasonable cause c. Willful neglect, corrected d. Willful neglect, uncorrected e. None of the above

a. Unknowing or did not know

General Hospital's health record department delivers a group of patient records to the quality improvement department for its monthly review. This constitutes: a. Use b. Disclosure c. A HIPAA violation d. None of the above

a. Use

Dr. Connor is able to access patient records remotely, even from less secure networks, by utilizing a secure tunnel to access the hospital's computer system. Based on these facts, Dr. Connor is utilizing: a. A virtual private network b. A firewall c. A public cloud d. Drive-by downloading

a. a virtual private network

Audit controls: a. Examine and record activity in systems with ePHI b. Assess data integrity c. Authenticate user identities d. Are a substitute for password management

a. examine and record activity in systems with ePHI

Which of the following characteristics describes a worm? a. It does not require human interaction to spread b. It is not a virus c. It is not a type of malware d. It appears to perform one action while actually performing a different action

a. it does not require human interaction to spread

Which approach to risk determination assigns values to the likelihood and effect of a particular threat? a. Qualitative b. Determinative c. Quantitative d. Reciprocal

a. qualitative

Which of the following is not a red flag category? a. Rejected credit card transactions b. Alerts and notifications c. Suspicious documents d. Suspicious personally identifying information

a. rejected credit card transactions

A patient portal is often hosted and controlled by a provider or payer. a. True b. False

a. true

Per HIPAA, breach notification is one method by which an organization can mitigate a breach. a. True b. False

a. true

Per the Red Flags Rule, creditors must develop and implement written identity theft programs in an effort to identify, detect, and respond to red flags. a. True b. False

a. true

A single threat source may exploit more than one vulnerability. a. True b. False

a. true

Denial of service occurs when an attacker takes control of a device to render it unusable. a. True b. False

a. true

"Break the glass" functionality: a. Is prohibited by the Security Rule b. Allows access privileges in limited and necessary situations c. Can be exercised only by an organization's CEO d. Does not need to be audited after the fact for appropriateness

b. Allows access privileges in limited and necessary situations
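The "break the glass" item above says such access is allowed only in limited, necessary situations and still has to be audited afterwards. The following is an added example (not part of the study set) of how an application can enforce that: normal access is limited to the patient's care team, a break-glass request must carry a stated reason, and every attempt, granted or denied, is written to an audit record, with break-glass grants flagged for after-the-fact review. The care-team table, user names and function names are constructed for the example.

```python
"""Break-the-glass access check with a mandatory audit record (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed assignment of patients to their treating clinicians.
CARE_TEAM = {
    "patient-1001": {"dr.connor", "nurse.lee"},
    "patient-1002": {"dr.patel"},
}


@dataclass
class AuditEvent:
    ts: str
    user: str
    patient: str
    action: str
    outcome: str          # "allow", "allow-break-glass" or "deny"
    reason: str = ""      # justification supplied for break-glass access
    needs_review: bool = False


@dataclass
class AccessLog:
    """Audit control: examines and records every access attempt."""
    events: list = field(default_factory=list)

    def record(self, **fields):
        event = AuditEvent(ts=datetime.now(timezone.utc).isoformat(), **fields)
        self.events.append(event)
        return event


def check_access(log, user, patient, action="read", break_glass_reason=None):
    """Return True if access is granted; always writes an audit event.

    Normal path: the user must be on the patient's care team.
    Break-glass path: the caller supplies a non-blank reason; access is
    granted but flagged needs_review=True so privacy staff can judge
    afterwards whether the situation really warranted it.
    """
    team = CARE_TEAM.get(patient, set())
    if user in team:
        log.record(user=user, patient=patient, action=action, outcome="allow")
        return True
    reason = (break_glass_reason or "").strip()
    if reason:
        log.record(user=user, patient=patient, action=action,
                   outcome="allow-break-glass", reason=reason, needs_review=True)
        return True
    log.record(user=user, patient=patient, action=action, outcome="deny")
    return False


def pending_reviews(log):
    """Break-glass events that have not yet been reviewed."""
    return [e for e in log.events if e.needs_review]


if __name__ == "__main__":
    log = AccessLog()
    check_access(log, "dr.connor", "patient-1001")                       # care team: allow
    check_access(log, "dr.patel", "patient-1001")                        # not on team: deny
    check_access(log, "dr.patel", "patient-1001",
                 break_glass_reason="ED arrival, patient unresponsive")  # break-glass
    for e in pending_reviews(log):
        print(f"REVIEW {e.user} -> {e.patient}: {e.reason}")
```

A blank or whitespace-only reason is treated as no reason at all, so the override cannot be satisfied by an empty form field; the denial is still logged.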

Deeming authority means: a. That accreditation exempts an organization from legal liability for acts of negligence b. An accrediting body may survey for compliance with conditions of participation c. That accreditation validates an organization's meaningful use of its electronic health record d. None of the above

b. An accrediting body may survey for compliance with conditions of participation

Which of the following rules is most likely to be utilized for noncontroversial administrative rules? a. Interim final b. Direct final rule c. Final rule d. None of the above

b. Direct final rule

A profession's Code of Ethics has the force of law. a. True b. False

b. False

Data backup will resolve all ransomware threats. a. True b. False

b. False

The Freedom of Information Act requires disclosure of health records. a. True b. False

b. False

The Freedom of Information Act (FOIA) is based on the concept of: a. State government accountability b. Federal government accountability c. Open sharing of information created by private entities d. Safeguarding personally identifiable records

b. Federal government accountability

For information to be "individually identifiable" per HIPAA, it must: a. Contain the individual's name and date of birth b. Identify the person or provide a reasonable basis to believe the person could be identified c. Contain the individual's name, date of birth, and be held or transmitted by a covered entity d. Contain the individual's diagnoses

b. Identify the person or provide a reasonable basis to believe the person could be identified

A limited data set used for research: a. Is deidentified data b. Is PHI and protected by HIPAA c. Requires authorization to be disclosed d. Requires the opportunity to agree or object

b. Is PHI and protected by HIPAA

Spyware: a. Is primarily designed to propagate multiple computers b. Is primarily designed to attach to the host computer c. Includes misleading applications d. Can only be activated on unsecured wireless networks

b. Is primarily designed to attach to the host computer

A healthcare provider: a. Is always a covered entity per HIPAA b. Must conduct certain electronic transactions for HIPAA to apply c. Is not required to follow the HIPAA Security Rule d. None of the above

b. Must conduct certain electronic transactions for HIPAA to apply

To place a patient in a facility directory, a covered entity: a. Must obtain the patient's written authorization b. Must obtain the patient's verbal agreement c. Must include the patient's admission date and address d. Does not need any type of permission from the patient

b. Must obtain the patient's verbal agreement

A hospital human resources department has custody of its employees' employment records. These employment records are: a. Covered under HIPAA b. Not covered under HIPAA c. Covered under the HIPAA Privacy Rule only d. Covered under the HIPAA Security Rule only

b. Not covered under HIPAA

Ransomware: a. Consequences can be completely eliminated by data backup protocols b. Can be a virus c. Cannot be a worm d. Affects information but not system functionality

b. can be a virus

A covered entity must act on an accounting of disclosures request within 30 days, with one 30-day extension permitted. a. True b. False

b. false

The preemption doctrine requires: a. Compliance with both federal and state law when they conflict b. Compliance with state law when federal and state law conflict c. Compliance with federal law when federal and state law conflict d. Federal law to be rewritten if it conflicts with state law

c. Compliance with federal law when federal and state law conflict

Joe is on the first month of his job in a hospital IT department when the hospital's network is flooded with traffic. It becomes unusable for users trying to access information. What has occurred is: a. A power outage b. A ransomware attack c. Denial of service d. A mobile device breach

c. Denial of service
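Joe's scenario is a flood that exhausts the network's capacity. As an added example (not from the study set), the detection logic below reads constructed connection-log lines of the form "timestamp source-ip path status" and keeps a sliding window per source and across all sources, raising an alert when either count exceeds a threshold. The log format, IP addresses and thresholds are all constructed for the example; a real deployment would tune them to its own baseline.

```python
"""Flood detection over connection-log lines with sliding windows (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log(with_attack=True):
    """Constructed log: three internal hosts at 1 request/s for 30 s, plus an
    optional burst of 40 requests in 2 s from a single external source."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    events = []
    for sec in range(30):
        for ip in ("10.0.0.5", "10.0.0.6", "10.0.0.7"):
            events.append((base + timedelta(seconds=sec), ip, "/records", 200))
    if with_attack:
        for i in range(40):
            events.append((base + timedelta(seconds=10, milliseconds=50 * i),
                           "203.0.113.9", "/login", 503))
    events.sort()
    return [f"{ts.isoformat()} {ip} {path} {status}" for ts, ip, path, status in events]


def parse_line(line):
    ts, ip, path, status = line.split()
    return datetime.fromisoformat(ts), ip, path, int(status)


def detect_floods(lines, window=timedelta(seconds=10), per_source=20, total=50):
    """Return a set of (kind, key) alerts.

    'source-flood'    : one source exceeded per_source requests inside the window.
    'aggregate-flood' : all sources together exceeded total (a distributed flood
                        can stay under the per-source limit but still saturate).
    Lines must be in chronological order.
    """
    per_ip = defaultdict(deque)
    all_requests = deque()
    alerts = set()
    for line in lines:
        if not line.strip():
            continue
        ts, ip, _, _ = parse_line(line)
        for q in (per_ip[ip], all_requests):
            q.append(ts)
            while q and ts - q[0] > window:   # drop requests older than the window
                q.popleft()
        if len(per_ip[ip]) > per_source:
            alerts.add(("source-flood", ip))
        if len(all_requests) > total:
            alerts.add(("aggregate-flood", "*"))
    return alerts


if __name__ == "__main__":
    for alert in sorted(detect_floods(build_sample_log())):
        print(alert)
```

The aggregate window is what distinguishes this from a plain per-client rate limit: a distributed flood spread over many sources would never trip the per-source count, but it still shows up in the total.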

The following is identified as the person who is the subject of PHI: a. Patient b. Consumer c. Individual d. Client e. Person

c. Individual

Fifty years is a significant period of time regarding decedents' PHI. This is because decedents' records: a. Must be destroyed 50 years after death b. Must be retained 50 years after death c. Lose their PHI status 50 years after death d. May no longer be disclosed to family members 50 years after death

c. Lose their PHI status 50 years after death

Termination procedures apply: a. Only to employees b. Only to employees who are terminated involuntarily c. When a workforce member's access level changes d. None of the above

c. When a workforce member's access level changes

Maggie uses the same password for her work e-mail account, her bank account, and her gym sign-in. The gym's network has been hacked. Because she has the same password for her other accounts, her work e-mail account has also been hacked. Repeated attacks of this nature are: a. Spam b. Drive-by downloading c. Aftershock password breaches d. Denial of service

c. aftershock password breaches
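The defence against the reuse chain in Maggie's case is to refuse a password that is already known from a breach. The following is an added example (not from the study set) of the k-anonymity range check used by Have I Been Pwned's Pwned Passwords service: the client sends only the first five hex characters of the password's SHA-1, receives every breached suffix under that prefix, and matches locally, so the full hash never leaves the client. The breach corpus here is a constructed stand-in served from memory rather than the real endpoint; the function names are hypothetical.

```python
"""Breached-password check using SHA-1 prefix range matching (added example)."""
import hashlib

# Constructed stand-in for a breach corpus (plaintext -> times seen). Only used
# here to build sample range data; a real service stores hashes, not plaintext.
_CONSTRUCTED_BREACH = {"Summer2023!": 12, "password": 9843, "gymPass#1": 3}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index():
    """Group breached hashes by 5-char prefix in the 'SUFFIX:COUNT' range format."""
    index = {}
    for pw, count in _CONSTRUCTED_BREACH.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index


def lookup_range(prefix):
    """Stands in for the network call; returns the range body for a prefix."""
    return "\n".join(build_range_index().get(prefix, []))


def breach_count(password, fetch_range=lookup_range):
    """How many times the password appears in the breach data (0 if never).

    Only the 5-character prefix is sent; the suffix comparison happens locally.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def acceptable_password(password, fetch_range=lookup_range):
    """Policy hook: reject any password seen in a breach, however rarely."""
    return breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for pw in ("gymPass#1", "correct horse battery staple"):
        print(pw, "->", "rejected" if not acceptable_password(pw) else "ok")
```

Rejecting a password at the gym does not help Maggie's employer directly; the point is that each site checking new passwords against breach data shrinks the pool of reusable credentials an attacker can replay elsewhere.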

Malware has infiltrated a device that provides diagnostic data on cardiac patients. Which of the following are at risk? a. Confidentiality and availability b. Confidentiality and integrity c. Integrity and patient safety d. Availability and patient safety

c. integrity and patient safety

Software creators can repair a vulnerability through a: a. Virus b. Botnet c. Patch d. Trojan horse

c. patch

Encryption is an example of which control category? a. Detective b. Deterrent c. Preventive d. Reactive e. Recovery

c. Preventive

HIPAA requires that risk analysis documentation be retained: a. 10 years b. 15 years c. 5 years d. 6 years e. HIPAA does not specify

d. 6 years

The National Committee for Quality Assurance (NCQA) is most recognized for accrediting: a. Hospitals b. Physician practices c. Outpatient surgery centers d. Managed care organizations

d. Managed care organizations

What is the right of a patient to control disclosure of his or her own health information? a. Security b. Privilege c. Access d. Privacy

d. Privacy

Whaling is: a. Phishing directed at a specific group of people b. Malware that targets large populations of people c. A type of malware that penetrates a firewall d. Spearphishing aimed at an organization's executive

d. Spearphishing aimed at an organization's executive

Which of the following must be included in an authorization? a. Date of the individual's most recent treatment encounter b. Name of the individual's next of kin c. Date the information is to be disclosed by d. To whom the disclosure may be made

d. To whom the disclosure may be made

Which of the following destroys electronic data? a. Degaussing b. Clearing c. Physical destruction of electronic media d. All of the above

d. all of the above

Which of the following describes the processes and controls to be followed until operations are fully restored after an event? a. Business continuity plan b. Disaster recovery plan c. Data management and recovery d. Emergency mode operations plan

d. Emergency mode operations plan

Which of the following is not a technical safeguard standard? a. Access control b. Integrity c. Transmission security d. Workstation security

d. workstation security

Organizations within a health information exchange must consider: a. How data ownership is defined b. What information will be exchanged c. How authorization will be tracked and controlled d. How user access will be authenticated e. All of the above

e. all of the above
