1.
Any comments for the scorer to take into account?
2.
You receive work email on your phone, and you are getting ready to pay at a restaurant. You need to provide a promotion code that's on your phone. The waiter asks to take your phone to scan the information at his kiosk. Which action would keep your email safe? (choose all that apply)
Correct Answer(s)
B. Ask the waiter to write down the human readable promotion code from your phone instead of scanning.
C. Ask the waiter to bring the scanner to you, keeping control of your phone.
D. You have separated access to the promotion code app from all parts of your phone that you don't want to be accessed. You give the waiter your phone with access to the promotion code app opened.
Explanation
Handing over an unlocked phone hands over everything on it, including your work email. Options B and C keep the device in your hands: the waiter either writes down the human-readable promotion code or brings the scanner to your table, so nothing but the code ever leaves your control. Option D works only if you have genuinely confined what the waiter can reach, for example with the phone's pinned-app or guest mode, so that the mail client and the rest of the device are not reachable from the screen you hand over.
3.
Someone outside the office says "Hi, I'm a new employee starting today. Can you let me in since I don't have an access card yet?" What action should you take? (choose all that apply)
Correct Answer(s)
B. You escort them to the receptionist. If the receptionist isn't there, tell them to have a seat and you find someone to help them.
D. You don't let the person in, and tell them to wait outside the door for someone to come get them.
Explanation
Treat this as a tailgating attempt until proven otherwise: the security point is that you never grant building access to someone whose identity you cannot verify, however plausible the story. Either do not let them in and have them wait outside for someone authorized to collect them, or escort them (staying with them the whole way, not leaving them to roam) to the receptionist, who can confirm they are expected and issue a badge. If the receptionist is absent, have them sit in the reception area while you find someone who can verify them. A genuine new hire loses nothing from the check; an intruder loses the access they were after.
4.
You want to host an event in the office. It includes people that you don't know. What action should you take?
Correct Answer
A. Contact the Office Manager to coordinate the event.
Explanation
Contact the Office Manager to coordinate the event. Bringing unknown people into the office means visitors in the building who are not employees, so the Office Manager needs to plan the space, the sign-in and badging of attendees, escorts where required, and which areas stay off limits. Coordinating through them keeps the event within the normal visitor controls instead of creating an ad hoc exception to them.
5.
Visitors have arrived, but it's after business hours or you can't find the receptionist. In these special cases, visitors don't need to write their names in the log.
Correct Answer
B. False
Explanation
False. The visitor log is a security control, not a courtesy: it records who was in the building and when, which is what an investigation relies on afterwards. The requirement does not lapse because the receptionist is away or it is after hours; in those cases the employee who admits the visitors is responsible for having them sign the log and for escorting them.
6.
You need to access a system immediately to complete your work, but have not received approval, credentials, or other access set up yet. What action should you take? (choose all that apply)
Correct Answer(s)
A. You wait for approval and for credentials to be provided.
D. You let your supervisor know that you are delayed because you don't have system access.
Explanation
Wait for approval and credentials. Access must be authorized before it is used, and your own credentials are what tie actions on the system to you in the audit trail; borrowing someone else's login or using a shared account breaks that accountability and would itself be a policy violation. Telling your supervisor that you are blocked keeps the delay visible and lets them escalate the access request through the proper channel.
7.
You had your password reset, and were provided a temporary password. You were told to change it immediately. What do you do?
Correct Answer
A. You type the temporary password and immediately change the temporary password to meet password standards.
Explanation
Type the temporary password and change it immediately to one that meets the password standards. A temporary password is known to whoever reset it and was typically sent over a channel (email, ticket, phone) that is less protected than the account itself, so every minute it stays valid is exposure. Replacing it right away leaves the account protected by a strong, unique password that only you know.
8.
You notice an unattended and unlocked work device. What do you do? (choose all that apply)
Correct Answer(s)
B. You have someone run an audit trail report to determine if any information was inappropriately accessed.
D. You don't know how to lock the device, and you can't leave the device unattended. You have someone find the owner, so the device can be locked.
E. You're familiar with the device, and you lock the device immediately.
Explanation
An unlocked, unattended device is open to anyone walking past, so the first priority is to close that window: if you are familiar with the device, lock it immediately; if you do not know how to lock it, stay with it and have someone find the owner so it can be locked. Because you do not know how long it was unattended, having an audit trail report run shows whether any information was accessed in the meantime. Both steps matter: locking the device stops further exposure, and the audit shows whether exposure already occurred.
9.
You're upgrading to a new version of an open source software, and the change will be better all around. Since the change makes things better and even fixes some of the bugs in a product, you can bypass the change request process.
Correct Answer
B. False
Explanation
False. A new release of open source software is still a change to a production system and goes through the change request process, which provides documentation, evaluation and approval, a rollback plan and a record of what changed. From a supply-chain point of view the upgrade is not simply "better": a new version can pull in new transitive dependencies, change defaults, drop something you rely on, or in the worst case ship a compromised package, and the review is where those things get caught before deployment.
10.
Only supervisors are responsible for knowing security incident or security breach response procedures.
Correct Answer
B. False
Explanation
False. Every employee, not only supervisors, must know the security incident and breach response procedures. Incidents are usually noticed first by whoever happens to be closest to them (a phishing email, a lost device, PHI in the wrong place), and the response depends on that person knowing what to report, to whom, and what not to do (for example, not deleting evidence). Making the procedures everyone's responsibility shortens the time between discovery and response.
11.
You have an unscheduled change that has to be implemented for a customer tonight. It's already past the customer's normal operating hours for the application, so you don't need to notify them.
Correct Answer
B. False
Explanation
False. The customer must still be notified. "Outside normal operating hours" only means their users are not at the keyboard; scheduled jobs, integrations, backups and on-call staff may still depend on the application, and if the change causes an outage the customer would otherwise discover it on their own. Notification also gives them the chance to object, to watch for problems afterwards, and to keep their own change records accurate, which is usually a contractual obligation as well.
12.
You find confidential data that is not encrypted for storage. What action do you take? (choose all that apply)
Correct Answer(s)
A. You find out how to encrypt the data, or ensure someone will encrypt the data.
B. You notify your supervisor or a security champion that you had discovered unencrypted confidential data.
Explanation
Find out how to encrypt the data, or make sure someone else will, and notify your supervisor or a security champion. Encrypting the data protects it from anyone who gains access to the storage; reporting it turns an individual discovery into a tracked issue so that the root cause (why the data landed there unencrypted) gets addressed. Merely copying the data to an encrypted location leaves the unencrypted original in place, and reclassifying confidential data as public does not change what it is.
13.
From the list below, identify which items are considered PHI.
Correct Answer(s)
A. Name: Stuart Holmes
C. Age: 94
D. Discharge Date: March 6, 2015
E. Born: May 9, 1920
F. Patient ID: 65446571
G. Lives at: 123 belle Ln Apt 2 Fairyland, WA
Explanation
All six items are PHI. Under HIPAA, PHI is individually identifiable health information, and the Safe Harbor de-identification standard (45 CFR 164.514(b)(2)) lists the identifiers that must be removed before data stops being PHI. Each selected item is on that list: the patient's name; all elements of dates other than year that relate directly to the individual, which covers both the birth date and the discharge date; any age over 89 (Age: 94 qualifies; such ages must be aggregated into a single "90 or older" category); geographic subdivisions smaller than a state, so the street address and city are identifiers even though "WA" on its own would not be; and medical record or account numbers, which is what the Patient ID is. A clinical value by itself (a diagnosis code or a lab result) is not an identifier, but it becomes PHI as soon as it is stored together with any of these.
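The identifier rules above can be checked mechanically. The following is an added example, not part of the original quiz and not any library's de-identification code; the field names and the sample record are constructed to mirror question 13, and it covers only the Safe Harbor categories that appear there (names, dates, ages over 89, sub-state geography, patient numbers).

```python
"""Flag, and strip, the HIPAA Safe Harbor identifiers that appear in question 13.

Added example. Encodes a subset of the identifier categories in
45 CFR 164.514(b)(2): names, dates more specific than a year, ages over 89,
geographic units smaller than a state, and medical record / patient numbers.
Field names (name, age, born, ...) are constructed for illustration.
"""
import re

# Fields whose presence alone makes the record identifiable (constructed names).
DIRECT_IDENTIFIER_FIELDS = {"name", "patient_id", "address"}
# Date fields: Safe Harbor allows the year, nothing more specific.
DATE_FIELDS = {"born", "discharge_date"}
AGE_FIELD = "age"
# Ages over this value must be aggregated into "90 or older".
MAX_EXPLICIT_AGE = 89

DATE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def _over_89(record: dict) -> bool:
    age = record.get(AGE_FIELD)
    return age not in (None, "") and int(age) > MAX_EXPLICIT_AGE


def find_identifiers(record: dict) -> list[str]:
    """Return the names of the fields in `record` that are Safe Harbor identifiers."""
    found = []
    for field, value in record.items():
        if value in (None, ""):
            continue
        if field in DIRECT_IDENTIFIER_FIELDS:
            found.append(field)
        elif field in DATE_FIELDS and DATE_RE.match(str(value)):
            found.append(field)  # full date; a bare year would pass
        elif field == AGE_FIELD and int(value) > MAX_EXPLICIT_AGE:
            found.append(field)
    return found


def deidentify(record: dict) -> dict:
    """Return a de-identified copy: drop direct identifiers, truncate dates to
    the year, and cap ages over 89. For a patient over 89 the birth year is
    itself indicative of age, so it is dropped rather than truncated."""
    over_89 = _over_89(record)
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if field in DATE_FIELDS:
            if field == "born" and over_89:
                continue
            m = DATE_RE.match(str(value))
            out[field] = m.group(1) if m else value
        elif field == AGE_FIELD and over_89:
            out[field] = "90+"
        else:
            out[field] = value
    return out


# Constructed sample record mirroring question 13; not a real patient.
SAMPLE_RECORD = {
    "name": "Stuart Holmes",
    "age": 94,
    "discharge_date": "2015-03-06",
    "born": "1920-05-09",
    "patient_id": "65446571",
    "address": "123 belle Ln Apt 2 Fairyland, WA",
    "diagnosis_code": "I10",  # clinical value: not an identifier on its own
}

if __name__ == "__main__":
    print("identifiers:", find_identifiers(SAMPLE_RECORD))
    print("de-identified:", deidentify(SAMPLE_RECORD))
```

Note that the Safe Harbor list has 18 categories; anything not modelled here (phone numbers, email addresses, device serials, full-face photos and so on) would need its own rule before such a check could be relied on.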
14.
You receive an email with PHI. What action do you take? (choose all that apply)
Correct Answer(s)
B. Contact Security Operations or your manager to find out what to do.
E. Work with Security Operations or the project owner to ensure the incident is recorded, and the email is properly removed from our systems.
Explanation
Contact Security Operations or your manager for instructions, then work with Security Operations or the project owner so the incident is recorded and the email is properly removed from the systems. PHI arriving by email is an incident: the message may sit in mail stores, backups and caches, and may have reached recipients who are not authorized to see it. Do not forward it, reply with the PHI quoted, or quietly delete it yourself; deletion without a record defeats the incident tracking the answer calls for.
15.
You and others on your team see some data that may be PHI or PII. None of you are sure if you should see or use the data. What action do you take? (choose all that apply)
Correct Answer(s)
B. Check with the project owner to see if the data is part of the project.
C. Ensure the data is encrypted at-rest and in-transit.
E. Check with the project owner to find out whether the data is PHI or PII.
Explanation
Check with the project owner on both points: whether the data is part of the project at all, and whether it is PHI or PII. Until you have that answer, do not use or share the data; the project owner knows what the customer agreed to provide and what the BAA covers. In the meantime make sure the data is encrypted at rest and in transit, so that its confidentiality is protected whichever way the classification turns out.
16.
A server or hard drive with PHI isn't needed anymore. It can be retired or used for a low priority situation. (choose all that apply)
Correct Answer
E. Work with Security Operations to figure out next steps.
Explanation
Work with Security Operations. A server or drive that has held PHI cannot simply be retired or handed to a lower-priority use: deleting files or reformatting does not remove the data, so the media has to be sanitized (securely wiped or physically destroyed) in a documented way, and the retention requirements for that PHI have to be checked first. Security Operations owns that process and can tell you which steps apply.
17.
A customer asks for a report that contains patient information on it. The customer is okay with ePHI or paper format. What should you do? (choose all that apply)
Correct Answer(s)
B. Determine if he has access to encrypted email and if not, request IT to set up an SFTP or other secured communication protocol to transfer the report.
E. You print the report with standard confidentiality cover sheet, and store it securely until your meeting with the customer tomorrow.
Explanation
Both selected options deliver the report through a channel that protects the patient information. For electronic delivery, find out whether the customer can receive encrypted email; if not, have IT set up SFTP or another secured transfer rather than sending the report unencrypted. For paper, print it with the standard confidentiality cover sheet and store it securely until you hand it over in person. Either way the report never travels over, or sits in, an unprotected channel.
18.
Can I have PHI on my laptop or desktop? I'll have the data stored on an encrypted drive.
Correct Answer
A. Though local machines are secured with passwords and drive encrypted, the policy is to never store PHI on them.
Explanation
No. The policy is never to store PHI on a laptop or desktop, even one with a password and an encrypted drive. A local machine is exposed to theft, malware and stray backups, drive encryption protects the data only while the machine is powered off and the key is not cached, and a workstation sits outside the access controls and audit logging of the approved systems. Keep PHI on the secure servers or other approved platforms.
19.
Your laptop was stolen out of your car, and you don't think it was encrypted. You had temporarily decided to put PHI on the laptop to do some work at home. What do you do? (choose all that apply)
Correct Answer(s)
A. Report the issue to security operations, and work with them to provide the information needed to have the situation properly assessed.
B. Review internal procedures and training on handling of mobile devices.
E. This will be classified as a data breach and the HITECH Breach Notification Rule will need to be followed. In addition to penalties, notifications would include: patients, media outlets, and the HHS Secretary.
Explanation
Report the theft to Security Operations immediately and give them what they need (which device, what PHI was on it, whether the disk was encrypted) so the incident can be assessed. Review the procedures and training on mobile devices, because the root cause is PHI on an unencrypted laptop that left the office, which the policy in question 18 prohibits. Because the laptop was not encrypted, the PHI counts as unsecured and the HITECH Breach Notification Rule applies: affected individuals must be notified, the HHS Secretary must be notified, and media notification is required when the breach affects more than 500 residents of a state or jurisdiction. Had the drive been encrypted in line with HHS guidance, the data would have been considered secured and the loss would not have been a presumptive breach, which is the practical reason full-disk encryption on mobile devices matters.
20.
You have a new feature or application, and just need a few patient records to demo it.
Correct Answer
C. You create random/fictitious test data to use
Explanation
Create random or fictitious test data. A demo needs records that look right, not records that are real, and synthetic data lets you show the feature without exposing any patient. Pulling records from a current or past customer's project uses PHI for a purpose the customer never agreed to, asking peers for "their" records raises the same problem, and skipping testing to release straight to production trades one risk for another. Fictitious data gives a safe and repeatable demonstration.
21.
Your computer is at your desk, and you need to walk away from your computer for a few minutes. It's okay to leave your computer unlocked.
Correct Answer
B. False
Explanation
False. An unlocked computer can be used by anyone who walks up to it, under your identity: they can read or copy sensitive data, send email as you, or change something that is then attributed to you in the logs. Lock the screen (or log out) before stepping away, even for a few minutes.
22.
You accidentally left your building access card in a backpack that you loaned to a friend over the weekend. You get your backpack back and find the building access card. What do you do? (choose all that apply)
Correct Answer
C. Your friend doesn't know where your office is, but you still report it to the Office Manager immediately.
Explanation
Report it to the Office Manager immediately, even though you trust your friend and they do not know where your office is. For that weekend the card was outside your control and could have been used or cloned without your friend's knowledge, and neither of you can rule that out. The Office Manager can check the access logs for use over the weekend and decide whether to deactivate and reissue the card. Err on the side of reporting.
23.
A customer needs us to receive PHI to develop a custom solution. What do you do?
Correct Answer(s)
A. Ensure there's a BAA.
B. Review requirements in the BAA.
Explanation
Ensure a BAA is in place, and review its requirements. Under HIPAA, a vendor that receives PHI from a covered entity is a business associate, and a Business Associate Agreement (BAA) must be signed before any PHI is transferred; it sets out each party's obligations for safeguarding the data, permitted uses, breach reporting and return or destruction at the end of the engagement. Reviewing the BAA before work starts tells you which controls the customer expects in the environment you build for them.
24.
You need to bring up an environment for PHI in AWS. What will you ensure is done?
Correct Answer(s)
A. Only use dedicated instances.
B. Only use encrypted disks, ensuring root level encryption or that processes ensure there is no PHI at root level.
C. Make sure all data is encrypted at-rest.
Explanation
Dedicated instances run on hardware that is not shared with other AWS customers, which removes the risk of a cross-tenant isolation failure and is what many customers' BAAs require. The disk requirement has two parts: every volume that can hold PHI must be encrypted at rest, and that includes the root (boot) volume, because PHI ends up there through logs, temp files, core dumps and swap unless processes keep it off. Encryption at rest means that a detached volume, a copied snapshot or a decommissioned disk does not expose the data. Encryption in transit is not among this question's answers, but do not read that as optional: question 25 makes clear that PHI must be encrypted in transit as well.
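The three requirements can be verified against the EC2 API rather than by inspection. The following is an added example, not part of the original quiz and not an AWS tool: it audits responses shaped like boto3's ec2.describe_instances() and ec2.describe_volumes() for tenancy and volume encryption. The responses below are constructed so the script runs offline; to audit a real account, replace them with the live API responses (the key names used are the ones those calls return).

```python
"""Audit EC2 instances against the PHI environment rules in question 24:
dedicated tenancy, encrypted root volume, encrypted data volumes.

Added example. Works on dicts shaped like the boto3 responses of
ec2.describe_instances() and ec2.describe_volumes(); SAMPLE_INSTANCES and
SAMPLE_VOLUMES are constructed stand-ins for those responses.
"""

# "dedicated" (Dedicated Instances) and "host" (Dedicated Hosts) are both
# single-tenant; "default" is shared hardware.
SINGLE_TENANT = {"dedicated", "host"}


def audit_phi_environment(instances_resp: dict, volumes_resp: dict) -> list[str]:
    """Return one finding per rule violation; an empty list means compliant.

    Only EBS volumes are checked. Instance-store (ephemeral) disks have no
    VolumeId and are skipped; an environment that uses them needs a separate rule.
    """
    encrypted = {v["VolumeId"]: bool(v.get("Encrypted", False))
                 for v in volumes_resp.get("Volumes", [])}
    findings = []
    for reservation in instances_resp.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            iid = inst["InstanceId"]
            tenancy = inst.get("Placement", {}).get("Tenancy", "default")
            if tenancy not in SINGLE_TENANT:
                findings.append(f"{iid}: tenancy is '{tenancy}', not dedicated")
            root = inst.get("RootDeviceName")
            for bdm in inst.get("BlockDeviceMappings", []):
                vid = bdm.get("Ebs", {}).get("VolumeId")
                if vid is None:
                    continue
                # A volume that is attached but absent from describe_volumes()
                # is treated as unencrypted: unknown is not compliant.
                if not encrypted.get(vid, False):
                    role = "root" if bdm.get("DeviceName") == root else "data"
                    findings.append(f"{iid}: {role} volume {vid} is not encrypted")
    return findings


# Constructed responses. i-0good meets every rule; i-0bad runs on shared
# hardware and boots from an unencrypted root volume.
SAMPLE_INSTANCES = {
    "Reservations": [{"Instances": [
        {
            "InstanceId": "i-0good",
            "Placement": {"Tenancy": "dedicated"},
            "RootDeviceName": "/dev/xvda",
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0root1"}},
                {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-0data1"}},
            ],
        },
        {
            "InstanceId": "i-0bad",
            "Placement": {"Tenancy": "default"},
            "RootDeviceName": "/dev/xvda",
            "BlockDeviceMappings": [
                {"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-0root2"}},
                {"DeviceName": "/dev/xvdf", "Ebs": {"VolumeId": "vol-0data2"}},
            ],
        },
    ]}]
}

SAMPLE_VOLUMES = {
    "Volumes": [
        {"VolumeId": "vol-0root1", "Encrypted": True},
        {"VolumeId": "vol-0data1", "Encrypted": True},
        {"VolumeId": "vol-0root2", "Encrypted": False},
        {"VolumeId": "vol-0data2", "Encrypted": True},
    ]
}

if __name__ == "__main__":
    for line in audit_phi_environment(SAMPLE_INSTANCES, SAMPLE_VOLUMES):
        print(line)
```

Run against a live account this would be `audit_phi_environment(ec2.describe_instances(), ec2.describe_volumes())` with a boto3 EC2 client (paginating both calls for large accounts). The check deliberately treats a volume it cannot find as a finding: a compliance audit should fail closed.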
25.
If the customer has not provided any requirements or specifications for a secured environment in the BAA, you don't have to worry about encrypting at-rest or in-transit.
Correct Answer
B. False
Explanation
False. The BAA sets the minimum the customer is asking for, not the ceiling of what you must do; the HIPAA Security Rule and your own policy (see question 24) apply regardless of what the customer wrote down. Encrypt PHI at rest and in transit even when the BAA does not spell it out, and if the BAA is silent on the environment, raise that with the customer rather than treating silence as permission.