37 Cards in this Set

  • Front
  • Back
Which of the following best describes the general concepts of privacy?

A. how data is to be protected, safeguarded, used, disclosed

B. which organizations are covered by the rules

C. which technology is to be used to safeguard data

D. data integrity and availability
A. General privacy rules deal with an organization's ability to keep information protected, and define to whom and when it may be used or disclosed.
The CIO of a health plan is gathering information related to the security posture of the organization in preparation for a security gap analysis. Which of the following is LEAST useful?

A. network diagrams
B. existing policies and procedures
C. organizational charts
D. credentialing data
D. credentialing information is not directly relevant to the security posture of the health plan.
Which of the following best describes the general process of gap analysis for privacy and security compliance?

A. identifying the gaps between legacy and target systems
B. comparison of the regulatory requirements to the organization's current baseline
C. comparison of different business functions within an organization
D. analysis of industry best practices as compared with an organization's practices
B. The general process of conducting a gap analysis includes comparing the requirements of the regulation (or law or other requirement) with the organization's current conduct specific to the requirement in question.
The ability for an organization to ensure electronic health information in its possession is kept consistent with its source, protecting the data from improper alteration or destruction is defined as

A. authentication
B. integrity
C. verification
D. security
B. Maintaining data integrity means that the data is kept true to its source and is not improperly changed, altered or destroyed (inappropriate access is a confidentiality concern rather than an integrity one).
Which of the following would be the LEAST important consideration when implementing technical access controls?

A. minimum necessary definitions
B. principles for access profiles
C. termination or modification of access
D. general ledger data
D. When implementing technical access controls, answers a, b, and c are all important considerations; answer d is not related
Privacy and security suspected breaches need to be documented, analyzed and reported routinely to the organization's senior management to support the organization's ability to:

A. take steps to prevent reoccurrence
B. meet accreditation requirements
C. meet requirements of the organization's CEO
D. meet minimum necessary definitions
A. Take steps to prevent reoccurrence

An organization must first know what types of privacy and security issues occur before they can be addressed and, ideally, prevented going forward.
Which of the following tools would be most useful to identify a suspected privacy or security breach in an environment using an electronic health record?

A. network diagram
B. audit trail of user activity
C. encrypted email protocol
D. implementation guide
B. Audit trail of user activity

An audit trail can provide the means to identify and reconstruct user activity and therefore would be the most helpful tool in confirming a suspected breach of security or privacy.
Which of the following describes the goal of capturing audit trails?

A. provides a mechanism to monitor user activity
B. provides a mechanism to identify suspicious activity and/or breaches of information
C. provides necessary data for the organization to reconstruct any past events where integrity of data may be questioned
D. may be used to identify, recreate, maintain and reconstruct user activity
D. May be used to identify, recreate, maintain and reconstruct user activity
When considering how/where to keep a back-up copy of data as part of an organization's contingency plan, which is the least important?

A. proximity of back-up location
B. deciding who has access to the back-up data
C. determining how often data should be revised and reposted to the back-up location
D. principles for access profiles
D. principles for access profiles

Determining the distance between the main site and the back-up location, deciding who should have appropriate access and determining how often updates are made are all important to the contingency plan process. Principles for access profiles, however, are unrelated to contingency planning.
What is the purpose of general rules of privacy?
Privacy rules typically set forth guidelines regarding data to be protected and provide a general understanding of how the data is to be used, disclosed, and safeguarded.
What are individual rights?
Individual rights relate to the rules allowing information to be shared as required by state and federal laws.
What are four examples of responsibilities of a privacy officer?
1. developing policies and procedures
2. processing related complaints
3. monitoring ongoing compliance
4. assuring routine training for workforce members
What are four reasons variations in methods to safeguard and protect information may exist?
1. the structure (e.g. foundation, for-profit) and size (small provider, large insurer)
2. business operations and external business partners/arrangements
3. financial and workforce resources
4. technical foundation
What three things must be balanced for successful security implementation?
1. controls or limitations on the data contained in information systems
2. controls regarding workforce members
3. controls regarding the physical environment
What four things should an organization include in its privacy and security compliance program?
1. awareness
2. assessment
3. remediation
4. maintenance
What are two ways an organization can remediate privacy and security compliance issues?
1. closing the gaps on paper via policy
2. closing the gaps via practice
What does the assessment phase entail?
The assessment phase performs a systematic comparison of the organization's current business operations with the requirements of the standards, regulations and/or laws with which it is seeking to become compliant.
Why is document gathering useful in the assessment phase?
Document gathering consolidates documentation and allows for early observations.
What are four types of organizational assets an organization needs to protect?
1. information
2. systems
3. services and applications
4. people
What is the purpose of a facility walkthrough?
A facility walkthrough will identify areas that need to be addressed to bring the organization into compliance. The focus should be on the identification of areas that could result in unauthorized access to health information.
What is a technical baseline?
A snapshot of the organization's current technical status. This can be completed by conducting an internal and external security evaluation that documents the existing information systems/assets and identifies system vulnerabilities.
What is a threat-source?
A person, circumstance or event with the potential to cause harm to an IT system. Can be classified as natural, human, or environmental.
What is a threat?
A threat is the potential for a threat-source to exercise a specific vulnerability.
What is vulnerability?
A vulnerability is a flaw or weakness in system security procedures, design, implementation or internal controls that could be exercised (accidentally triggered or intentionally exploited) to produce a breach or violation of the security policy.
What are some examples of how common vulnerability can be identified? (5)
Previous risk assessments
Audit reports
vulnerability lists such as the NIST I-CAT vulnerability database
Security advisories such as FedCIRC
Vendor advisories
What is a natural threat source?
Natural threat sources include floods, earthquakes, tornadoes, landslides, avalanches, electrical storms
What is a human threat source?
Unintentional acts (e.g. inadvertent data entry) or deliberate actions (attacks)
What are environmental threat sources?
long-term power failure, pollution, chemicals and liquid leakage
What three factors should be considered when determining likelihood?
threat-source motivation and capability, nature of the vulnerability, existence and effectiveness of current controls
What are the three security goals?
Integrity, availability and confidentiality
What are the three components of risk determination?
1. likelihood
2. magnitude
3. adequacy of planned or existing security controls
What are three examples of data authentication controls?
1. database integrity - checksums, hashes, data duplication, transaction logging, error-correcting memory
2. message integrity - check sums, message authentication codes, digital signatures
3. procedure integrity - redundant systems, duplicate power systems, cooling systems
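The message-integrity mechanisms listed on this card differ in what they can actually detect. As an added example that is not part of the original card set, the Python below compares an additive checksum, an unkeyed SHA-256 digest and a keyed HMAC over a constructed patient record (the record and the key are made up for illustration). A checksum catches a flipped bit but misses a byte transposition and is trivially recomputed by whoever alters the data; an unkeyed hash catches both kinds of corruption but can also be recomputed; only the HMAC, whose key the tamperer does not hold, detects deliberate alteration.

```python
"""Checksum vs. unkeyed hash vs. keyed HMAC as data-integrity controls.

Added example; RECORD and KEY are constructed for illustration only.
"""
import hashlib
import hmac

# Constructed sample record and a fixed demo key (never hard-code real keys).
RECORD = b"patient=12345;allergy=penicillin;dose=10mg"
KEY = b"constructed-demo-key-not-for-production"


def checksum(data: bytes) -> int:
    """16-bit additive checksum: detects some accidental corruption only."""
    return sum(data) & 0xFFFF


def sha256_digest(data: bytes) -> str:
    """Unkeyed hash: detects any change, but anyone can recompute it."""
    return hashlib.sha256(data).hexdigest()


def mac(key: bytes, data: bytes) -> str:
    """Keyed HMAC-SHA256: cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, data: bytes, tag: str) -> bool:
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return hmac.compare_digest(mac(key, data), tag)


def _detected(original: bytes, altered: bytes, stored_tag: str) -> dict:
    """True where the control notices that `altered` differs from `original`."""
    return {
        "checksum": checksum(altered) != checksum(original),
        "hash": sha256_digest(altered) != sha256_digest(original),
        "hmac": not verify_mac(KEY, altered, stored_tag),
    }


def scenario_bit_flip() -> dict:
    """Accidental corruption: one bit of the first byte flips in storage."""
    corrupted = bytearray(RECORD)
    corrupted[0] ^= 0x01
    return _detected(RECORD, bytes(corrupted), mac(KEY, RECORD))


def scenario_transposition() -> dict:
    """Accidental corruption: two adjacent bytes swap ("10mg" -> "01mg").

    The byte sum is unchanged, so the additive checksum cannot see it.
    """
    swapped = RECORD.replace(b"dose=10mg", b"dose=01mg")
    return _detected(RECORD, swapped, mac(KEY, RECORD))


def scenario_tamper() -> dict:
    """Deliberate alteration: the dose is changed and the tamperer
    recomputes every unkeyed check value they can, but has no KEY, so
    the stored HMAC tag still belongs to the original record."""
    forged = RECORD.replace(b"dose=10mg", b"dose=100mg")
    # Tamperer overwrites checksum and hash with values for the forged data.
    stored_checksum = checksum(forged)
    stored_hash = sha256_digest(forged)
    stored_tag = mac(KEY, RECORD)  # cannot be updated without KEY
    return {
        "checksum": checksum(forged) != stored_checksum,
        "hash": sha256_digest(forged) != stored_hash,
        "hmac": not verify_mac(KEY, forged, stored_tag),
    }


if __name__ == "__main__":
    for name, fn in [("bit flip", scenario_bit_flip),
                     ("transposition", scenario_transposition),
                     ("deliberate tamper", scenario_tamper)]:
        print(f"{name:18s} detected by: {fn()}")
```

Digital signatures behave like the HMAC here in that a tamperer cannot recompute them, with the added property that anyone holding the public key can verify without being able to forge.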
What are three components of a risk management program?
1. initial risk assessment
2. risk mitigation
3. ongoing monitoring and assessment
What are three measures that can be considered to reduce risk to acceptable levels?
1. no action
2. reduce or mitigate
3. transfer the risk
What are five examples of auditing or monitoring tools?
1. self-audit
2. walk-through
3. person-to-person interviews
4. checklists or scorecards
5. rating scale
What are four reasons audit trails are used?
1. monitor user activity
2. identify suspicious activity
3. reconstruction of past events
4. deter attempts at inappropriate access
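This card and the earlier ones on identifying a suspected breach in an electronic health record environment describe what an audit trail is for but not what reviewing one looks like. As an added example that is not part of the original card set, the Python below runs three simple review rules over a constructed EHR access log: access outside assumed business hours, a user opening a record that shares their own surname (a common self- or family-lookup check), and an unusually high number of distinct patients opened within one hour. It also reconstructs one user's activity timeline. The workforce directory, the log lines, the hour range and the volume threshold are all constructed assumptions.

```python
"""Audit-trail review over constructed EHR access log lines.

Added example; USERS, LOG and the thresholds are assumptions, not data
or rules from the card set.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed workforce directory: username -> full name.
USERS = {
    "jdoe": "Jane Doe",
    "mlee": "Mark Lee",
    "rkim": "Rita Kim",
    "tbrown": "Tom Brown",
}

# Constructed audit trail: timestamp|user|patient_id|patient_name|action
LOG = """\
2023-03-01T08:15:00|jdoe|P1001|Alice Smith|view
2023-03-01T08:20:00|jdoe|P1002|Bob Jones|view
2023-03-01T02:05:00|mlee|P1003|Carol Lee|view
2023-03-01T09:00:00|rkim|P1004|Dan Park|update
2023-03-01T10:00:00|tbrown|P1005|Eve Adams|view
2023-03-01T10:05:00|tbrown|P1006|Fay Brooks|view
2023-03-01T10:10:00|tbrown|P1007|Gus Hall|view
2023-03-01T10:15:00|tbrown|P1008|Hal Ito|view
2023-03-01T10:20:00|tbrown|P1009|Ivy Nash|view
2023-03-01T10:25:00|tbrown|P1010|Jon Wu|view
"""

BUSINESS_HOURS = range(6, 20)  # assumed: 06:00 to 19:59
VOLUME_LIMIT = 5               # assumed: distinct patients per hour per user


def parse(log: str) -> list[dict]:
    """Parse pipe-delimited lines into events sorted by timestamp."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, pid, pname, action = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient_id": pid, "patient_name": pname,
                       "action": action})
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious(log: str) -> list[tuple[str, str, str]]:
    """Return (rule, user, detail) findings for the three review rules."""
    findings = []
    per_user = defaultdict(list)
    for e in parse(log):
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after_hours", e["user"],
                             f"{e['ts'].isoformat()} {e['patient_id']}"))
        full_name = USERS.get(e["user"])
        user_surname = full_name.split()[-1].lower() if full_name else None
        if user_surname and e["patient_name"].split()[-1].lower() == user_surname:
            findings.append(("surname_match", e["user"], e["patient_id"]))
        per_user[e["user"]].append(e)
    for user, events in per_user.items():
        # Sliding one-hour window over this user's time-ordered events;
        # report the first window that exceeds the limit.
        for i, start in enumerate(events):
            window_end = start["ts"] + timedelta(hours=1)
            patients = {x["patient_id"] for x in events[i:] if x["ts"] < window_end}
            if len(patients) > VOLUME_LIMIT:
                findings.append(("high_volume", user,
                                 f"{len(patients)} patients from {start['ts'].isoformat()}"))
                break
    return findings


def reconstruct(log: str, user: str) -> list[str]:
    """Rebuild one user's activity as an ordered list of 'time action patient'."""
    return [f"{e['ts'].isoformat()} {e['action']} {e['patient_id']}"
            for e in parse(log) if e["user"] == user]


if __name__ == "__main__":
    for rule, user, detail in find_suspicious(LOG):
        print(f"{rule:14s} {user:8s} {detail}")
    print("timeline for mlee:", reconstruct(LOG, "mlee"))
```

In practice the rules would be tuned per role (a billing clerk and an emergency physician have very different normal volumes), and every finding is a lead for the privacy officer to investigate, not proof of a breach.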
What are five things an organization's contingency plan should include?
1. data backup plan
2. disaster recovery plan
3. emergency mode operation plan
4. testing and revision
5. applications and data criticality analysis