Domain 3 – Privacy and Security in Healthcare Flashcards
Official (ISC)2 Guide to the HCISPP CBK
The pillars of information security consist of:
A. Confidentiality, Integrity, and Availability.
B. Privacy, Integrity, and Availability.
C. Confidentiality, Privacy, and Availability.
D. Confidentiality, Integrity, and Privacy.
A. Confidentiality, Integrity, and Availability.
A patient wants to ensure the email they received from their primary care specialist is actually from the person they expect and not an impostor. Which concept will BEST ensure the sender of the email is actually the primary care specialist?
A. Availability
B. Confidentiality
C. Digital Signatures
D. Hashing
C. Digital Signatures
During ______, the subject's purported identity is validated by one or more credentials from the three main categories of factors: something the subject knows (a password or passphrase), something the subject has (a smartcard, token, or certificate), or something the subject is (a biometric such as a fingerprint or retina scan).
A. Identification
B. Accountability
C. Access Control
D. Authentication
D. Authentication
HIPAA provides safe harbor against a breach if ______.
A. The data was collected more than five years ago.
B. The data was breached by a third party doing work on behalf of the original provider.
C. The organization didn’t understand information security and privacy.
D. The information was properly encrypted.
D. The information was properly encrypted.
Public Key Infrastructure (PKI) is a form of ______.
A. Asymmetric encryption.
B. Symmetric encryption.
C. Hashing functions.
D. Digital signatures.
A. Asymmetric encryption.
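A worked example of the two cards above (a digital signature proving who sent a message, and PKI resting on asymmetric cryptography), added here and not part of the original flashcards or the (ISC)2 guide. It uses Go's standard-library Ed25519 implementation; the "doctor", "patient" and "impostor" roles, their key pairs and the message text are constructed for the example. The point it makes is that verification uses the sender's public key, which the patient gets from the PKI, not from the email itself, so neither a changed body nor a signature from someone else's key passes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedMessage carries an email body together with the signature the
// sender computed over it.
type SignedMessage struct {
	Body      []byte
	Signature []byte
}

// NewKeyPair generates an Ed25519 key pair. The private key never leaves the
// signer; the public key is what a PKI would distribute in a certificate
// bound to the sender's identity.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign signs body with the sender's private key.
func Sign(priv ed25519.PrivateKey, body []byte) SignedMessage {
	return SignedMessage{Body: body, Signature: ed25519.Sign(priv, body)}
}

// Verify reports whether m.Signature is a valid signature over m.Body under
// pub. It succeeds only if the body is unchanged since signing and the signer
// held the private key matching pub, so a verified message establishes both
// origin and integrity.
func Verify(pub ed25519.PublicKey, m SignedMessage) bool {
	return ed25519.Verify(pub, m.Body, m.Signature)
}

func main() {
	// Hypothetical sender: the primary care specialist's key pair.
	doctorPub, doctorPriv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	msg := Sign(doctorPriv, []byte("Your lab results are normal. Please continue your current dose."))

	// 1. The patient verifies with the doctor's public key: genuine.
	fmt.Println("genuine message verifies:", Verify(doctorPub, msg))

	// 2. A tampered body under the original signature: rejected (integrity).
	tampered := SignedMessage{
		Body:      []byte("Your lab results are normal. Please double your current dose."),
		Signature: msg.Signature,
	}
	fmt.Println("tampered message verifies:", Verify(doctorPub, tampered))

	// 3. An impostor signs the same text with their own key: rejected under
	//    the doctor's public key (origin). The patient trusts the doctor's
	//    public key obtained from the PKI, not whatever key the email claims.
	_, impostorPriv, _ := NewKeyPair()
	forged := Sign(impostorPriv, msg.Body)
	fmt.Println("impostor-signed message verifies:", Verify(doctorPub, forged))
}
```

Hashing alone (option D on the earlier card) would catch the tampered body but not the impostor: anyone can recompute a hash over their own text, whereas only the holder of the doctor's private key can produce a signature that the doctor's public key accepts.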
Complete the following with the BEST answer: Sharing of login credentials
A. Should be encouraged because it greatly reduces administrative burdens.
B. Should be used only for workstations where the users know and trust each other very well.
C. Should be discouraged but tolerated as employee morale must be preserved.
D. Should be discouraged because non-repudiation will be violated.
D. Should be discouraged because non-repudiation will be violated.
______________are the points at which assets are susceptible to an exploit or attack and are often attributed to unintended design flaws in the implementation of a hardware device, software application, or a system.
A. Threats
B. Vulnerabilities
C. Likelihoods
D. Risks
B. Vulnerabilities
Separation of duties is BEST used in situations where:
A. There must be a high level of certainty about who performed an action.
B. Systems must be available for several days no matter the circumstances.
C. An individual must not have access to modify a record without permission.
D. A process requires checks and balances that force collusion.
D. A process requires checks and balances that force collusion.
An organization works mostly with older patients and wants to perform research on their patient population. The organization is subject to HIPAA, and an HCISPP has informed them they will need to remove all date information for patients older than 89 years of age. What is the BEST reason the organization must do this?
A. HIPAA provided an arbitrary age to limit the population of studies.
B. After the age of 89, there are considerably fewer people alive to match information to, and therefore an attacker can easily guess the individual.
C. The organization believes the HCISPP is an “expert” and therefore is relying on them for an expert determination.
D. Research on patients over 89 years of age is covered by legislation other than HIPAA.
B. After the age of 89, there are considerably fewer people alive to match information to, and therefore an attacker can easily guess the individual.
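An added example in Go, not from the original flashcards or the (ISC)2 guide, showing the date handling the card above requires on a research extract. It follows the card's rule (every date element removed for patients older than 89, with the age reported only as "90 or older") and, for everyone else, the Safe Harbor convention of keeping only the year of a date; the record layout, field names, reference date and sample patients are constructed assumptions, and the ID field is assumed to already be a study pseudonym rather than a medical record number.

```go
package main

import (
	"fmt"
	"strconv"
	"time"
)

// ageCap is the HIPAA Safe Harbor threshold: ages above 89 may only be
// reported as a single "90 or older" category.
const ageCap = 89

// PatientRecord is a constructed, hypothetical research extract; the field
// names are assumptions for this example, not a HIPAA-defined schema.
type PatientRecord struct {
	ID        string // assumed to be a study pseudonym already, not an MRN
	BirthDate string // YYYY-MM-DD
	AdmitDate string // YYYY-MM-DD
	Diagnosis string
}

// DeidentifiedRecord is the shape the research data set is allowed to keep.
type DeidentifiedRecord struct {
	ID        string
	Age       string // exact age in years, or "90 or older"
	AdmitYear string // year only; empty when all date elements were removed
	Diagnosis string
}

// AgeOn returns completed years of age on the reference date.
func AgeOn(birth, ref time.Time) int {
	age := ref.Year() - birth.Year()
	// Birthday not yet reached in the reference year: one year less.
	if ref.Month() < birth.Month() ||
		(ref.Month() == birth.Month() && ref.Day() < birth.Day()) {
		age--
	}
	return age
}

// Deidentify applies the date rules to one record. For patients aged 89 or
// younger the dates collapse to the year; for anyone older than 89 every date
// element is dropped and the age becomes "90 or older", because the small
// surviving population of that age makes age plus dates a re-identifying
// attribute.
func Deidentify(r PatientRecord, ref time.Time) (DeidentifiedRecord, error) {
	birth, err := time.Parse("2006-01-02", r.BirthDate)
	if err != nil {
		return DeidentifiedRecord{}, fmt.Errorf("record %s: bad birth date: %w", r.ID, err)
	}
	admit, err := time.Parse("2006-01-02", r.AdmitDate)
	if err != nil {
		return DeidentifiedRecord{}, fmt.Errorf("record %s: bad admit date: %w", r.ID, err)
	}
	out := DeidentifiedRecord{ID: r.ID, Diagnosis: r.Diagnosis}
	if age := AgeOn(birth, ref); age > ageCap {
		out.Age = "90 or older"
		// AdmitYear intentionally left empty: no date elements survive.
	} else {
		out.Age = strconv.Itoa(age)
		out.AdmitYear = strconv.Itoa(admit.Year())
	}
	return out, nil
}

func main() {
	ref := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC) // assumed extract date
	// Constructed sample records, not real patients.
	records := []PatientRecord{
		{"S-001", "1931-03-15", "2024-02-10", "hypertension"},
		{"S-002", "1940-08-20", "2023-11-02", "type 2 diabetes"},
		{"S-003", "1934-06-02", "2024-05-30", "osteoarthritis"},
	}
	for _, r := range records {
		d, err := Deidentify(r, ref)
		if err != nil {
			fmt.Println("skipped:", err)
			continue
		}
		fmt.Printf("%s age=%q admitYear=%q dx=%s\n", d.ID, d.Age, d.AdmitYear, d.Diagnosis)
	}
}
```

The age comparison is done on the reference date of the extract, so a patient who turns 90 the day after the extract is still reported as 89; the threshold is a property of the data set at the time it is released, which is why the reference date should be recorded alongside the extract.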
Least privilege is a form of ______.
A. Minimum necessary.
B. Non-repudiation.
C. Rotation of duties.
D. Mandatory vacations.
A. Minimum necessary.
All of the following are basic components of a security policy EXCEPT the
A. Definition of the issue and statement of relevant terms.
B. Statement of roles and responsibilities
C. Statement of applicability and compliance requirements.
D. Statement of performance characteristics and requirements.
D. Statement of performance characteristics and requirements.
Which one of the following is an important characteristic of an information security policy?
A. Identifies major functional areas of information.
B. Quantifies the effect of the loss of the information.
C. Requires the identification of information owners.
D. Lists applications that support the business function.
A. Identifies major functional areas of information.
Which of the following would be the first step in establishing an information security program?
A. Adoption of a corporate information security policy statement
B. Development and implementation of an information security standards manual
C. Development of a security awareness-training program
D. Purchase of security access control software
A. Adoption of a corporate information security policy statement
What is the function of a corporate information security policy?
A. Issue corporate standard to be used when addressing specific security problems.
B. Issue guidelines in selecting equipment, configuration, design, and secure operations.
C. Define the specific assets to be protected and identify the specific tasks which must be completed to secure them.
D. Define the main security objectives which must be achieved and the security framework to meet business objectives.
D. Define the main security objectives which must be achieved and the security framework to meet business objectives.
Why must senior management endorse a security policy?
A. So that they will accept ownership for security within the organization.
B. So that employees will follow the policy directives.
C. So that external bodies will recognize the organization's commitment to security.
D. So that they can be held legally accountable.
A. So that they will accept ownership for security within the organization.