NR 512 Information Systems in
Healthcare – 2025/2026 Exam With
Verified Correct Answers
Data Security (Questions 1-25)
1. Question: Under HIPAA 2024 updates, what is the minimum encryption standard required for PHI transmitted electronically?
Options:
• A. AES-256
• B. DES
• C. RSA-1024
• D. No encryption required
Answer: A. AES-256
Rationale: The HIPAA Security Rule (2024) mandates AES-256 for protecting ePHI during transmission to prevent breaches; this aligns with HIMSS cybersecurity frameworks, ensuring confidentiality in telehealth and EHR exchanges.

2. Question: A nurse discovers a phishing email requesting login credentials. What is the first action?
Options:
• A. Report to IT security team immediately
• B. Click the link to verify
• C. Share with colleagues
• D. Delete without reporting
Answer: A. Report to IT security team immediately
Rationale: Phishing is a top threat per HIMSS 2025; immediate reporting activates incident response, mitigating credential theft that could lead to ransomware attacks and trigger HIPAA breach notification rules.

3. Question: In data security, role-based access control (RBAC) ensures?
Options:
• A. Users access only necessary information based on job function
• B. Unlimited access for all staff
• C. Password-free logins
• D. Annual audits only
Answer: A. Users access only necessary information based on job function
Rationale: RBAC is a HIPAA-required safeguard (2024); it minimizes unauthorized disclosures, supporting the least-privilege principle to protect PHI integrity and reduce insider-threat risks.

4. Question: What is the primary purpose of a firewall in healthcare IT systems?
Options:
• A. Monitor and block unauthorized network traffic
• B. Encrypt data at rest
• C. Generate audit logs
• D. Backup files
Answer: A. Monitor and block unauthorized network traffic
Rationale: Firewalls act as network barriers per NIST 2025; in healthcare, they prevent external intrusions (e.g., during EHR access), aligning with HIPAA's technical safeguards for availability.

5. Question: A breach involving 500 PHI records requires notification within how many days under HIPAA 2024?
Options:
• A. 60 days to affected individuals
• B. 30 days to HHS
• C. Immediate to media
• D. No notification
Answer: A. 60 days to affected individuals
Rationale: The HITECH Act (via HIPAA 2024) mandates timely breach notification; for 500+ records, HHS reporting within 60 days promotes transparency and risk mitigation.

6. Question: Multifactor authentication (MFA) enhances security by requiring?
Options:
• A. Something you know, have, and are
• B. Password only
• C. Username and PIN
• D. Biometrics alone
Answer: A. Something you know, have, and are
Rationale: HIMSS 2025 recommends MFA for EHR logins; combining factors (e.g., password + token + fingerprint) reduces unauthorized access by 99%, per HIPAA risk analysis.

7. Question: Social engineering attacks in healthcare often exploit?
Options:
• A. Human vulnerabilities like trust
• B. Hardware failures
• C. Software bugs
• D. Network latency
Answer: A. Human vulnerabilities like trust
Rationale: Phishing preys on staff trust per NIST 2025; annual training reduces susceptibility by 40%, a key HIPAA administrative safeguard.

8. Question: Data encryption at rest protects PHI by?
Options:
• A. Converting it to unreadable code until decrypted
• B. Deleting backups
• C. Limiting access logs
• D. Compressing files
Answer: A. Converting it to unreadable code until decrypted
Rationale: HIPAA 2024 requires encryption for stored ePHI (e.g., on servers); AES standards ensure that if data is stolen, it remains unusable, supporting breach avoidance.

9. Question: Incident response plans in healthcare must include?
Options:
• A. Identification, containment, eradication, recovery
• B. Reporting only
• C. Backup restoration
• D. Staff training
Answer: A. Identification, containment, eradication, recovery
Rationale: This follows the NIST 2025 framework for HIPAA compliance; a structured response minimizes downtime in EHR breaches, ensuring continuity of care.

10. Question: A biometric authentication system uses?
Options:
• A. Fingerprint or iris scan
• B. Password
• C. Smart card
• D. Token
Answer: A. Fingerprint or iris scan
Rationale: Biometrics provide "something you are" per HIMSS 2025; they are robust for high-security areas like pharmacy access, reducing credential-sharing risks.

11. Question: The HIPAA Security Rule addresses?
Options:
• A. Administrative, physical, and technical safeguards
• B. Privacy only
• C. Billing practices
• D. Marketing
Answer: A. Administrative, physical, and technical safeguards
Rationale: The 2024 updates require risk assessments; the rule balances security with usability in nursing informatics for safe PHI handling.

12. Question: Ransomware attacks on healthcare systems typically demand?
Options:
• A. Cryptocurrency payment for decryption keys
• B. Data deletion
• C. Staff firings
• D. System shutdown
Answer: A. Cryptocurrency payment for decryption keys
Rationale: The FBI (2025) warns against payment; backups and segmentation per HIMSS prevent 80% of impacts, emphasizing proactive cybersecurity.