Domain 3: Enterprise Information Systems Flashcards

1
Q

Examples of technical security controls at the network level

A

Firewalls
IDPS (intrusion detection and prevention systems)
NAC (network access control)
VPN (virtual private networks)
DLP (data leakage protection)

2
Q

When do the public media and the Secretary of HHS need to be notified about a breach?

A

If > 500 records are breached

3
Q

45 CFR 164.308 (a)(1) stipulates that entities

A

Conduct or review a security risk analysis per 45 CFR 164.308 (a)(1), implement security updates as necessary, and correct identified security deficiencies as part of their risk management process

4
Q

Formula for the number of connections required using point-to-point interfaces?

A

N*(N-1)/2

5
Q

What does Hick-Hyman Law state?

A

User response time (RT) is a function of the number of possible responses

6
Q

What does Fitts' Law state?

A

Time it takes to track to an object with a cursor is a function of distance traveled (D) and width of the target (W)

7
Q

Risk of maintaining a software product is transferred from the institution to the vendor by means of a?

A

Service Level Agreement (SLA)

8
Q

What does the Application Service Provider (ASP) model refer to?

A

A business that provides computer services over the internet. The benefit of the ASP model is that heavy computing is performed off-site by the vendor, so investment in a data center is not needed.

9
Q

What is Norman’s Theory of Action?

A

Human Information Processing theory. Separates each mental activity cycle into seven inter-related stages

  1. Forming the target
  2. Forming the intention
  3. Specifying an action
  4. Executing the action
  5. Perceiving the state of the world
  6. Interpreting the state of the world
  7. Evaluating the outcome
10
Q

What are external representations?

A

An example of external cognition, which is the use of external elements to help us make decisions. Use of the external element must change the cognitive task in some way.

Examples: Use of pen and paper to help with complex math; use of hand-drawn sketches to assist with brainstorming; graphical visualization of lab result to understand trends.

11
Q

What is distributed cognition?

A

Cognitive model focused on multiple people in a “cognitive system” collaborating to accomplish a shared goal.

Examples: crew working together to operate a ship; team of healthcare providers working together to care for a patient.

12
Q

3 categories of cognitive theories

A
  1. Human Information Processing
  2. External Cognition
  3. Distributed Cognition
13
Q

Difference between Application Service Provider (ASP) and Software as a Service (SaaS)

A

In the ASP model, the user is given access to a virtual or physical computer.

In the SaaS model, user access is provided via a web-based application that connects with the vendor’s central database via an API. Instead of running 1000 instances of the app, the vendor only needs to run one instance. Multitenancy is the term used when multiple users share the same software instance.

14
Q

Protected health information is to be sent from a secure system to one that is less secure. The most appropriate action to take is:

A

De-identify and re-identify using assigned codes

15
Q

A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that:

A

(1) Derivation. The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and

(2) Security. The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification

16
Q

A Limited Data Set, which is an exception to the Privacy Rule requirement, allows PHI to be used for:

A
  • Health care operations
  • Research
  • Public health

when a data use agreement is established between the entities

17
Q

What is heuristic evaluation within the discipline of human computer interaction (HCI)?

A

A type of usability evaluation that is performed by experts and does not typically involve system users. HE compares an application or system against a small set of well-tested design principles.

18
Q

What do event, problem and incident refer to in the Information Technology Infrastructure Library (ITIL) framework for IT service management (ITSM)?

A

“Event” - Change of state that has significance for the management of a configuration item (CI) or IT service. Event management is therefore the basis for operational monitoring and control.

“Problem” - underlying cause of one or more incidents. Problem management involves root cause analysis to determine and resolve the underlying causes of incidents, and proactive activities to detect and prevent future problems/incidents.

“Incident” - unplanned interruption to an IT service, or reduction in the quality of an IT service, or a failure of a CI that has not yet impacted an IT service (for example failure of one disk from a mirror set).

19
Q

What is a covered entity under HIPAA?

A
  • Health care provider
  • Health plan
  • Health care clearinghouse
20
Q

Benefits of blockchain in healthcare

A
  • Decentralized management
  • Immutable audit trail
  • Data provenance (allows legitimacy of records to be verified)
  • Robustness/availability
  • Security/privacy
21
Q

5 Limitations of blockchain

A
  • Interoperability
  • Security and privacy
  • Immutability (doesn’t augur well with the “right to be forgotten”)
  • Scalability
  • Engaging patients (e.g. elderly/young)
22
Q

What is GOMS?

A

Predictive Models of HCI
- Goal
- Operator
- Method
- Selection

Used to benchmark/compare the efficiency of interfaces and to estimate cost savings associated with increased user performance

23
Q

What is Buxton’s Three-State Model of Graphical Input?

A
  • Description of the states and transitions involved in using a mouse
  State 0: Out of range <-- lift or put down mouse --> State 1: Tracking <-- depress or release button --> State 2: Dragging
24
Q

What is discount usability engineering?

A

A method of HCI evaluation that is easier/cheaper, as described by Jakob Nielsen.

5+ testers for testing & inspection
- Modified think-aloud
- Heuristic evaluation
- Low-fidelity prototypes

25
Q

3 steps of the NIST 2012 recommended standard for testing and validation of EHR usability

A
  1. EHR application analysis
  2. EHR user interface expert review
    - 2 person heuristic review
    - Clinical SME review
  3. User Interface validation test
    - Performance measurement (TASK COMPLETION and associated metrics)
    - Post test interview
26
Q

3 layers of situational awareness

A

Level 1: Perception
Level 2: Comprehension
Level 3: Projection (of future states and events)

27
Q

What do Uninterruptible Power Supplies (UPS) do?

A
  • Provide 30 minutes of backup power for the data center using storage batteries
  • Batteries should be replaced every 3-5 years
28
Q

Network devices in order of increasing complexity

A

Hub < Bridge < Switch < Router

29
Q

How many notes contain a high-risk copying error, per the Hammond study?

A

1 in 10

30
Q

How many stages are in the HIMSS Analytics EMR Adoption Model?

A

8 (Stage 0 —> Stage 7)

31
Q

Two organizations that accredit hospitals

A

Joint Commission & DNV (Det Norske Veritas)

32
Q

3 main purposes of a signature per the AHIMA e-HIM Workgroup

A
  1. Intent
  2. Identity
  3. Integrity
33
Q

How is IT operations and infrastructure work stratified per the Information Technology Infrastructure Library (ITIL)?

A

Portfolio –> Services –> Processes –> Procedures

34
Q

Who published SAFER Guides on EHR Safety and how are the 9 guides organized into 3 broad groups?

A

AHRQ & ONC

  1. Foundational Guide
  2. Infrastructure Guides
  3. Clinical Process Guides
35
Q

What are 3 categories of usability evaluation?

A
  1. Usability Testing
  2. Usability Inspection
  3. Usability Inquiry
36
Q

4 Examples of usability testing

A
  • Coaching
  • Thinking aloud
  • Eye/click tracking
  • Performance measurement
37
Q

Examples of usability inspection

A
  • Cognitive walkthrough
  • Heuristic evaluation
38
Q

Examples of usability inquiry

A
  • Field observation
  • Focus groups/interviews
  • Surveys (e.g. NASA Task Load Index)
  • Usage logs
39
Q

What is a Rootkit?

A
  • Programs that grant total control of your system to a malicious party.
  • Often they operate at a level even closer to the machine than the operating system, making detection nearly impossible in some cases.
40
Q

What is a botnet?

A
  • Malware that installs a program called a “bot” which can be remotely commanded to perform specific tasks, such as sending email spam, participating in denial-of-service attacks and serving up pornography.
41
Q

What is a worm?

A

A self-replicating program that can spread from one computer to another