CITI training Research Questions with complete solutions 2023
Ethical writing and scholarship is based on an implicit contract between the author and readers, whereby readers assume that what they read is accurate, has been written by the author, and has:
Not been disseminated before unless noted otherwise.

Unless the subject matter is considered common knowledge, citations are necessary when writing about:
Ideas, methodologies, or data from other authors and also your own previously published ideas, methodologies, or data.

An idea is most likely to represent “common knowledge” if:
It can be safely assumed that the readers and the author are both thoroughly familiar with the idea and its source.

The primary way to determine whether an idea constitutes “common knowledge” is:
Whether there is an expectation that the readers and the author would be very familiar with the material.

When authors summarize the work of others, they typically should:
Provide a condensed (shorter) version of the original material.

Organizations covered by the federal HIPAA privacy law are expected to:
Protect the health information under their control, train their workers in how to protect information, and help patients exercise their rights under the law.

With respect to permissions for uses and disclosures, HIPAA divides health information into three categories. Into which category do discussions with family members go?
Uses or disclosures that generally require oral agreement only.

Under the federal HIPAA regulations, state health privacy laws:
Can remain in force if "more stringent" than HIPAA, complementing HIPAA's foundation of protections, provided there is no direct conflict in requirements.

With respect to permissions for uses and disclosures, HIPAA divides health information into three categories. Into which category does information related to "treatment, payment and health care operations" go?
Uses or disclosures that can generally occur without any specific permission from the patient.

HIPAA allows healthcare organizations to control many information decisions. However, where the patient retains control, which of the following is true?
If a person has a right to make a healthcare decision, then generally that person has a right to control information associated with the decision.

For health information privacy and security, are the legal and regulatory requirements for students different from those for regular members of the healthcare workforce?
No, students must meet the same standards as a regular member of the workforce performing the same tasks.

In regard to reporting privacy or security problems, are the requirements for students the same as for regular workers?
Yes. Like any other member of the workforce, students are obligated to report problems they are not in a position to correct.

How are the ethical standards for student uses and disclosures of patients’ health information different from those for regular members of the healthcare workforce?
Some would say it is higher, because patients do not always benefit from students' access to their data.

Use of social media tools and other new technologies to facilitate training-related communications is:
Depends on the organization's policies, so you should check with your organization's officials about what is allowed or prohibited.

Patients have to provide an additional, specific authorization for training uses and disclosures of their information.
False

Information security’s goals are sometimes described by the letters “CIA.” Which of the following is a correct definition of C, I, or A?
- A is for Availability, which refers to the ability of legitimate users to access their data when needed.
- I is for Integrity, which refers to the accuracy of the data for its intended use, the security-equivalent of terms like validity and reliability.
- #1 and #3, not #2
- C is for Confidentiality, which refers to limiting data access to appropriate persons for appropriate purposes.
- All of the above

Which of these is generally not a good practice with respect to oral communications (that is, talking) in organizations like healthcare facilities?
Use of full names in public areas or on intercom/paging systems, because there is no security issue with identifying persons in public areas and using full names helps avoid misidentification.

Which of these is not generally a good practice for fax machine use?
Sensitive faxes -- inbound or outbound -- are left sitting in or around the machine.

Which of these is not generally a good practice for telephone use?
Using voicemail systems and answering machines that do not require a password or PIN for access.

Which of the following is a correct statement about the balance among prevention, detection, and response (PDR)?
The greater the sensitivity and quantity of the data at issue, the more carefully the balance among these three must be evaluated.

Which of the following is a good security practice for web browsing?
Exercising caution before downloading files or any other clicking activity at a website.

Which of the following is a good practice for protecting computing devices?
Ensuring anti-virus and other software is kept up-to-date. That includes keeping up with patches for the operating system itself, and upgrades to whatever browser and email software is used.

Which of the following is a good practice if one wishes to avoid "social engineering" attacks?
- Using strict procedures when it is necessary to exchange an authentication credential like a password, PIN, account number, or other personal data that is critical to establishing personal identity.
- Being cautious any time someone asks for sensitive information, whether by phone, fax, email, or even in person. It could be a scam.
- Not opening attachments or clicking on links in messages, emails, or on websites unless absolutely sure of the source's authenticity.
- Taking appropriate steps to confirm a person's (or site's) identity for any transaction that involves sensitive data.

Which of the following is a good practice for controlling computer access?
Picking strong passwords and protecting them appropriately.

Which of the following is a good security practice for email?
Exercising care with every email message received, especially email containing file attachments that may be infected.

Secure disposal of a portable device at the end of its service life is:
Generally considered essential for all devices. One should not assume there is no sensitive personal or organizational data on a device or accessible by it.

Ensuring data backups for data stored on a portable device is generally considered:
Necessary when the device would otherwise be the only source of hard-to-replace data, but the backup mechanism must also be secure.

Enabling encryption of all data on a portable device is generally considered:
Essential for any portable device.

Software on a portable device should be:
Installed or updated only from trusted sources to be certain that it is a legitimate version.

Desktop computers are often provided in the workplace by organizations, and laptops may be as well. However, portable devices (such as tablets and smartphones) may more commonly be allowed on a BYOD basis. For a BYOD (personally-owned) device:
Organizations may have requirements about how BYOD devices may be configured or used, as a condition of accessing the organization's information resources.

Email signatures should:
- May be mandated by an organization's policies, which policies may also set limits on what can be in a signature.
- Contain basic contact information (such as name, title, phone number[s], and relevant addresses).
- May be omitted if it can be assumed that the recipient already has all this information.
- All of the above

What kinds of content should generally not be sent in email?
- Sensitive personal information like social security numbers, credit card numbers, and computer user-IDs and passwords.
- Sensitive information that an organization's email policies have determined to be inappropriate for email.
- Entire files or record sets, when only a subset is needed for the business purpose.
- Material that could be considered defamatory, harassing, racist, sexist, obscene, or otherwise offensive.
- All of the above

Which of the following is a correct statement about the security risks of email attachments and links embedded within emails?
- Email attachments and web links that are sent in messages should be confirmed as safe. Recipients inevitably rely on the sender for such security details.
- Email attachments and web links that are received in messages should be confirmed as safe. Recipients should be wary, even if the sender is known and considered safe.
- Email attachments and links within emails can represent a major security risk.
- All of the above

Which of the following is correct about email transmission and storage?
While defensive technologies exist, it is still best to think of email as an electronic postcard, subject to potential access by third parties while en route or at its destination.

Disclaimers and confidentiality notices are a common feature of business emails. Which of the following is correct?
Such notices should be included if an organization's policies require it, but cannot be counted upon as legal protection.

Which of these is a greater risk "off site" than when a computer is used in a protected office environment?
- Human threats - such as theft.
- Answer 1 and 2
- Device malfunctions - such as a hard drive crash.
- "Environmental" threats - such as water, electrical or fire damage.
- All of the above

What "physical" security measures do you usually need to take for an off-site computer?
- Keep secure backup copies in a separate, physically secure location.
- Answer 1 and 3
- Keep the computer locked up - or in a locked room - to prevent physical access by others.
- Pay attention to the environmental safety of the computer's location - to prevent damage by water, etc.
- All of the above

What "administrative" measures do you usually need to take?
- Limit who can use the computer.
- Answer 2 and 3
- Limit how the computer can be used - for example, no peer-to-peer downloads.
- Limit what kinds of data can be stored on the computer.
- All of the above

What "technical measures" do you usually need to take with an off-site computer?
- Install anti-virus and anti-spyware software.
- Use a firewall or other intrusion detection/prevention system.
- Keep the operating system and applications software updated.
- Use passwords and other authentication mechanisms to protect against unauthorized access.
- All of the above
Document information
- Uploaded on: June 30, 2023
- Number of pages: 14
- Written in: 2022/2023
- Type: Exam (elaborations)
- Contains: Questions & answers