HEALTHCARE INFORMATION AND MANAGEMENT SYSTEMS EXAM | 800+ QUESTIONS AND CORRECT ANSWERS | GRADED A+ | VERIFIED ANSWERS | LATEST VERSION 2025

The thing that makes ransomware particularly troublesome for healthcare is:
A. It encrypts data
B. It involves negotiating with an extortionist
C. It undermines the health system's ability to provide care
D. It only attacks health systems
CORRECT ANSWER: C. Ransomware has become a very real threat to healthcare because it directly affects healthcare's ability to deliver care by disrupting its systems, communications, and data.

While there are more physical theft and data loss events, hacking still represents the biggest risk because:
A. It is the most damaging
B. It represents the largest risk of compromised records
C. It is conducted by cybercriminals
D. It is bad for business
CORRECT ANSWER: B. As of 2015, hacking represents the greatest risk to patient information from a compromised-records perspective. While physical theft and loss still account for the majority of events, hacking, by a wide margin, accounts for the greatest number of records compromised.

Using a framework like the NIST CSF provides which of the following benefits?
A. A guideline for building and selecting controls
B. A way of demonstrating compliance
C. A way of communicating cyber readiness to business partners
D. All of the above
CORRECT ANSWER: D. Using a framework like the NIST CSF provides many benefits, including a structure for selecting controls, a method of measuring maturity, and a way to demonstrate compliance or communicate security posture to others.

Limiting access is a key component of preventing cyber events. Which of the following is not a recommended practice?
A. Encrypting just elevated privileges
B. Vaulting elevated privileges
C. Applying additional authentication factors to privileges
D. Encrypting all privileges
CORRECT ANSWER: A. Encrypting all privileges, applying multifactor authentication, and vaulting elevated privileges are all recommended practices for limiting access, a key component of making the enterprise more resilient to threats. If hackers cannot get hold of privileges, their task of exploiting the enterprise is exponentially harder.

Most disruptive attacks that spread rapidly through an enterprise are aided greatly by a lack of ____________.
A. segmentation
B. access control
C. new hardware
D. educated users
CORRECT ANSWER: A. Lack of segmentation, typical of flat networks, is the biggest enabler of rapidly spreading viruses, ransomware, and other network attacks. Other factors contribute, of course, but lack of segmentation is the chief limiting factor in being able to stop the spread of an attack once it occurs.

Successful monitoring and detection of cyber events in the future will likely involve which of the following?
A. Use of advanced detection systems with behavioral-based approaches
B. Advanced event correlation and analysis
C. Partnering with a managed security service provider for expertise
D. All the above
CORRECT ANSWER: D. Successful monitoring requires the integration of many systems with advanced detection capabilities, and the use of advanced correlation and analysis tools such as a SIEM. For most organizations this task has grown too complex and requires around-the-clock (365/24) coverage, which most cannot provide, making partnering with a managed security services provider (MSSP) necessary.

Which U.S. government agency regulates the release of medical devices and assures their safety and effectiveness?
A. FTC
B. FDA
C. DHS
D. FCC
CORRECT ANSWER: B. The U.S. Food and Drug Administration (FDA) regulates firms that manufacture, repackage, relabel, and/or import medical devices sold in the United States through its Center for Devices and Radiological Health (CDRH).

What is the purpose of the FDA premarket and postmarket cybersecurity guidance documents pertaining to medical devices?
A. They inform medical device manufacturers about expected future regulations.
B. They define what hospitals should consider when they buy a new device as well as when they discard a device at the end of its useful life.
C. They define what security requirements manufacturers need to meet for a device in clinical trials.
D. They provide guidance on device manufacturers' cybersecurity responsibilities prior to market release and after market release of a medical device.
CORRECT ANSWER: D. The FDA's premarket (October 2014) and postmarket (December 2016) guidance documents lay out the agency's interpretation of existing regulation with regard to medical device manufacturers' cybersecurity responsibilities as they release a new product to the market (premarket) and maintain its security posture once it is released and in use (postmarket).

Why are medical devices' software patch levels difficult to keep up to date?
A. Because of the devices' critical patient care role.
B. Because the impact of a patch on cybersecurity is difficult to predict.
C. Because a new patch requires a new regulatory filing.
D. Because a new patch requires manufacturer testing and approval.
CORRECT ANSWER: D. Under FDA guidance, as long as a patch or update does not change a device's functionality or intended use, in most cases the device manufacturer is not required to update its regulatory filing. However, under the Quality Systems Regulation, the patch or update still needs to be approved by the manufacturer and undergo formal testing to assure system safety has not been compromised. This adds cost and overhead to each release, which makes it difficult to provide timely and frequent security patches.

Are medical devices at risk of a malicious cyberattack?
A. No, because they typically are not connected to an open network.
B. Yes, because of their many software vulnerabilities.
C. No, because even hackers would not stoop that low.
D. Yes, but such an attack is highly unlikely.
CORRECT ANSWER: B. Security researchers, healthcare providers, and government agencies have conducted medical device security testing and demonstrated vast vulnerability due to poor security design practices.

What are the typical parts of a comprehensive security risk management program?
A. Risk definition, assessment, and mitigation
B. Vulnerability, threat, and impact analysis
C. Replacement cost versus remaining life expectancy