CHISSP CHISSP Healthcare Information Security & Risk Management

Question 1

Which risk management framework is most commonly adopted by US healthcare organizations to align information security with regulatory requirements?

Accepted Answer

NIST Cybersecurity Framework

Answer

ISO/IEC 27001

Answer

COBIT 5

Answer

PCI DSS

Question 2

What is the primary purpose of a Healthcare Risk Analysis (HRA) under the HIPAA Security Rule?

Accepted Answer

To identify and evaluate risks to the confidentiality, integrity, and availability of ePHI

Answer

To audit employee access logs for unauthorized activity

Answer

To document physical security controls for server rooms

Answer

To assess the financial impact of a data breach

Question 3

A healthcare organization classifies a threat as having HIGH likelihood and LOW impact. Which risk treatment action is MOST appropriate?

Accepted Answer

Monitor and accept

Answer

Immediately remediate

Answer

Transfer via cyber insurance

Answer

Avoid by discontinuing the system

Question 4

Which of the following BEST describes residual risk in healthcare information security?

Accepted Answer

Risk remaining after controls have been applied

Answer

Risk identified during the initial threat assessment

Answer

Risk transferred to a business associate

Answer

Risk eliminated through encryption

Question 5

Under the HIPAA Security Rule, which type of safeguard covers workforce training and security management policies?

Accepted Answer

Administrative safeguards

Answer

Physical safeguards

Answer

Technical safeguards

Answer

Operational safeguards

Question 6

What is the recommended approach when a healthcare organization cannot fully remediate a known vulnerability due to legacy system constraints?

Accepted Answer

Implement compensating controls and document the accepted risk

Answer

Immediately decommission the legacy system

Answer

Report the vulnerability to HHS without further action

Answer

Encrypt all data on the system and consider it compliant