Chapter 22
Question 1
The focus of disaster planning in electronic health care information should be on which of the
following?
1. Ensuring that all patient care information is available in hardcopy
2. Safeguarding business continuity by protection of health care data
3. Supporting patient care by providing continual access to patient information
4. Recovery and restoration of health care data and information
5. Stopping all patient care until the disaster is over
Correct Answer: 1, 2, 3, 4
Rationale 1:
Ensuring that all patient care information is available in hardcopy ensures that vital patient
data remains accessible even in the event of electronic system failures. Hardcopy records can
be relied upon when electronic systems are compromised, allowing for continuity of care.
Rationale 2:
Safeguarding business continuity by protecting health care data is crucial for maintaining the
functionality of healthcare services during and after a disaster. Protecting electronic health
records from loss or corruption helps ensure that healthcare providers can continue operations
and provide necessary care to patients.
Rationale 3:
Supporting patient care by providing continual access to patient information is a key
objective of disaster planning in electronic healthcare information. Continuous access to
patient information enables healthcare professionals to make informed decisions and deliver
timely care, even in challenging circumstances.
Rationale 4:
Recovery and restoration of health care data and information are essential aspects of disaster
planning in electronic healthcare information. Having processes in place to recover and
restore data ensures that healthcare services can resume normal operations as quickly as
possible following a disaster, minimizing disruption to patient care and organizational
functions.
Rationale 5:
Stopping all patient care until the disaster is over is not a viable option in disaster planning.
Continuity of care is paramount, and healthcare providers must strive to maintain service
provision even in adverse situations. The focus should be on ensuring access to patient
information and restoring services rather than halting patient care entirely. Therefore, this
option is not part of the correct answer.
Question 2
Which of the following occurrences may not qualify as a disaster?
1. A virus infects a walk-in clinic's electronic medical record (EMR) system and randomly
deletes data on Friday afternoon. The IT staff is on vacation.
2. The rheumatology department of a multi-specialty clinic is without analog telephone
access for two hours (computer network connections remain intact).
3. The health department is wiped out after a fire.
4. A hospital is without electrical power for 48 hours due to a hurricane and flooding.
Correct Answer: 2
Rationale 1:
The scenario described involves a virus infecting and deleting data in a clinic's EMR system,
which can significantly disrupt operations and compromise patient care. This qualifies as a
disaster as it affects the availability and integrity of critical healthcare information.
Rationale 2:
The temporary loss of analog telephone access for a specific department, while inconvenient,
may not qualify as a disaster, especially if computer network connections remain intact.
Although communication may be hindered for that department during the two-hour period, it
is a relatively short-term and isolated incident that does not significantly impact the overall
functioning of the clinic or compromise patient care.
Rationale 3:
The destruction of a health department due to a fire qualifies as a disaster, as it results in the
loss of infrastructure, resources, and potentially vital records or systems. Such an event can
have far-reaching consequences for public health services and emergency response
capabilities.
Rationale 4:
A hospital being without electrical power for 48 hours due to a hurricane and flooding
constitutes a disaster, as it can lead to the disruption of critical services, including patient
care, medical equipment operation, and environmental control systems. The loss of power for
an extended period in a healthcare setting poses significant risks to patients and staff,
requiring prompt response and mitigation efforts.
Question 3
Which of the following statements are accurate about emergency and backup plans?
1. An emergency plan outlines steps to ensure the availability of resources for ongoing
business and information system processing operations whereas a backup plan provides
direction during and immediately after an incident.
2. An emergency plan is tested routinely whereas a backup plan is only used if the emergency
plan fails.
3. Emergency and backup plans are the same.
4. A backup plan outlines steps to ensure the availability of resources for ongoing business
and information system processing operations whereas an emergency plan provides direction
during and immediately after an incident.
Correct Answer: 4
Rationale 1:
This statement is incorrect. An emergency plan typically provides guidance for immediate
response and actions to be taken during and immediately after an incident to ensure safety
and minimize damage. On the other hand, a backup plan focuses on ensuring the availability
of resources, including data and systems, for ongoing business and information system
processing operations in the event of a disruption or disaster.
Rationale 2:
This statement is incorrect. Both emergency and backup plans should be tested routinely to
ensure their effectiveness and readiness. While emergency plans may be tested more
frequently due to their critical role in immediate response, backup plans also need regular
testing to verify that backup systems and processes are functioning correctly and can be relied
upon when needed.
Rationale 3:
This statement is incorrect. Emergency and backup plans serve distinct purposes and are
designed to address different aspects of continuity and disaster recovery. While they may
complement each other within an organization's overall resilience strategy, they are not the
same and fulfill different roles in mitigating and responding to disruptions.
Rationale 4:
This statement is accurate. A backup plan typically outlines steps and procedures to ensure
the availability of resources, such as data and systems, for ongoing business and information
system processing operations in the event of a disruption or disaster. On the other hand, an
emergency plan provides direction and guidance during and immediately after an incident to
ensure safety, minimize damage, and facilitate a coordinated response.
Question 4
In continuity planning, which of the following is a component of the business impact
assessment (BIA)?
1. Secure top management support
2. Establish continuity maintenance policies and procedures
3. Assess continuity plan for weaknesses
4. Determine critical functions of the organization
Correct Answer: 4
Rationale 1:
This statement is incorrect. Secure top management support is not typically a component of
the business impact assessment (BIA). It is, however, an essential aspect of overall continuity
planning as it ensures organizational commitment and resources for continuity efforts.
Rationale 2:
This statement is incorrect. Establishing continuity maintenance policies and procedures is
not specifically part of the business impact assessment (BIA). Instead, it pertains more to the
implementation phase of continuity planning, where strategies are put into action to maintain
and update the continuity plan over time.
Rationale 3:
This statement is incorrect. While assessing the continuity plan for weaknesses is an
important aspect of continuity planning, it is not typically part of the business impact
assessment (BIA). The BIA focuses more on identifying and prioritizing critical functions
and resources within the organization.
Rationale 4:
This statement is accurate. Determining the critical functions of the organization is a key
component of the business impact assessment (BIA). It involves identifying and assessing the
potential impacts of disruptions to various business functions and processes, allowing
organizations to prioritize their continuity efforts based on the importance of these functions
to overall operations and objectives.
Question 5
The two primary sources of data loss are ____ ____ and mechanical failure.
Correct Answer: human error
Rationale:
The two primary sources of data loss are human error and mechanical failure.
Question 6
The 24-hour-a-day, 7-days-a-week operations of health care providers make continuity of
services essential. What is the first line of defense in providing the continuous systems
availability that is required in a health care setting?
1. Adequate firewall protection
2. Software redundancy
3. Installing anti-virus software
4. Hardware redundancy
Correct Answer: 4
Rationale 1:
Firewall protection is essential for securing networks and preventing unauthorized access to
sensitive information, but it primarily addresses cybersecurity concerns rather than ensuring
continuous systems availability. While firewalls play a crucial role in overall system security,
they are not the first line of defense specifically for ensuring continuous operations in a
healthcare setting.
Rationale 2:
Software redundancy involves duplicating critical software components to minimize the
impact of software failures. While software redundancy can contribute to system resilience, it
does not directly address the continuous systems availability needed in a healthcare setting,
especially in environments where operations must be maintained 24/7.
Rationale 3:
Installing anti-virus software is important for protecting systems from malware and viruses,
but it primarily addresses cybersecurity threats rather than ensuring continuous systems
availability. While anti-virus software is a critical component of a comprehensive security
strategy, it is not the first line of defense specifically for maintaining continuous operations in
a healthcare setting.
Rationale 4:
This is the correct answer. Hardware redundancy involves duplicating critical hardware
components, such as servers, storage systems, and networking devices, to ensure that if one
component fails, another can seamlessly take over its functions. Hardware redundancy is a
foundational principle in ensuring continuous systems availability in healthcare settings
where uninterrupted access to patient records and critical systems is essential for patient care
and safety. Therefore, it serves as the first line of defense in providing the required
continuous availability of systems.
Question 7
What is metadata?
1. Data stored off site in a cold storage facility
2. A set of data that provides information about how, when, and by whom data are collected,
formatted, and stored
3. A backup copy of all data within an organization
4. A set of data that is transferred electronically over high-speed telephone lines to another
site and set to expire at the correct time
Correct Answer: 2
Rationale 1:
This statement is incorrect. Metadata refers to data that provides information about other
data, such as how it's organized, its format, and its characteristics. It does not specifically
refer to data stored off-site in a cold storage facility.
Rationale 2:
This is the correct answer. Metadata is indeed a set of data that provides information about
how, when, and by whom data are collected, formatted, and stored. It serves to describe and
provide context for the actual data, making it easier to manage, search, and interpret.
Rationale 3:
This statement is incorrect. While backups may contain metadata about the data they are
backing up, the term "metadata" itself does not refer to a backup copy of all data within an
organization. Instead, it specifically refers to the information about the data, such as its
attributes and characteristics.
Rationale 4:
This statement is incorrect. The description provided does not accurately represent metadata.
Metadata is not about transferring data electronically or setting expiration times; rather, it is
about providing contextual information about the data itself.
Question 8
The HIPAA security rule requires continuity planning and disaster recovery processes for
protected health information. Which of the following activities are required in order to
safeguard protected patient information?
1. Lowering security requirements during a disaster
2. Development of disaster recovery processes
3. Establishment of a continuity plan
4. Creation, access, storage, and destruction of manual records
5. Give access codes and usernames to emergency personnel
Correct Answer: 2, 3, 4
Rationale 1:
The HIPAA security rule requires continuity planning and disaster recovery processes. All
health care organizations must have a data backup plan, a recovery plan, an emergency mode
of operation plan, and testing and evaluation procedures. Lowering security requirements
during a disaster is incorrect as the rule demands safeguards for security in more normal
operating mode and during disaster mode.
Rationale 2:
The HIPAA security rule requires continuity planning and disaster recovery processes. All
health care organizations must have a data backup plan, a recovery plan, an emergency mode
of operation plan, and testing and evaluation procedures. Lowering security requirements
during a disaster is incorrect as the rule demands safeguards for security in more normal
operating mode and during disaster mode.
Rationale 3:
The HIPAA security rule requires continuity planning and disaster recovery processes. All
health care organizations must have a data backup plan, a recovery plan, an emergency mode
of operation plan, and testing and evaluation procedures. Lowering security requirements
during a disaster is incorrect as the rule demands safeguards for security in more normal
operating mode and during disaster mode.
Rationale 4:
Lowering security requirements during a disaster is incorrect as the rule demands safeguards
for security in more normal operating mode and during disaster mode. The HIPAA security
rule requires continuity planning and disaster recovery processes. All health care
organizations must have a data backup plan, a recovery plan, an emergency mode of
operation plan, and testing and evaluation procedures.
Rationale 5:
The HIPAA security rule requires continuity planning and disaster recovery processes. All
health care organizations must have a data backup plan, a recovery plan, an emergency mode
of operation plan, and testing and evaluation procedures. Lowering security requirements
during a disaster is incorrect as the rule demands safeguards for security in more normal
operating mode and during disaster mode.
Question 9
The Joint Commission suggests that organizations conduct at least how many emergency
drill(s) per year?
1. One
2. Two
3. Three
4. Four
Correct Answer: 2
Rationale 1:
This statement is incorrect. The Joint Commission suggests conducting more than one
emergency drill per year to adequately prepare healthcare organizations for various scenarios.
Conducting only one drill may not provide sufficient practice or coverage for different types
of emergencies.
Rationale 2:
This is the correct answer. The Joint Commission suggests that organizations conduct at least
two emergency drills per year to assess their readiness and response capabilities. These drills
help identify strengths and areas for improvement in emergency preparedness and response.
Rationale 3:
This statement is incorrect. While conducting three emergency drills per year might enhance
preparedness further, the Joint Commission specifically recommends a minimum of two drills
per year as a baseline requirement.
Rationale 4:
This statement is incorrect. Four emergency drills per year would exceed the minimum
recommendation suggested by the Joint Commission. While conducting more drills may
provide additional practice and preparedness, it is not the minimum requirement specified by
the Joint Commission.
Question 10
A good continuity plan can anticipate problems and minimize losses incurred by damage.
Which of the following are advantages associated with continuity planning?
1. Strategies for correction of organization vulnerabilities
2. Allowing time for restoration of equipment, facility, and services
3. Means to capture information needed for regulatory and accrediting bodies
4. Providing continuity of client records and delivery of care
5. Complete protection against interruption in services
Correct Answer: 1, 2, 3, 4
Rationale 1:
This statement is accurate. A good continuity plan includes strategies for identifying and
correcting organizational vulnerabilities, such as weak points in infrastructure, processes, or
policies. By addressing these vulnerabilities proactively, organizations can minimize the
likelihood and impact of disruptions.
Rationale 2:
This statement is accurate. Continuity planning allows organizations to establish procedures
for responding to disruptions effectively, including allocating resources, coordinating
response efforts, and restoring equipment, facilities, and services in a timely manner. This
helps minimize downtime and facilitates the swift recovery of operations.
Rationale 3:
This statement is accurate. Continuity planning involves documenting essential information
and procedures, which can include data needed for regulatory compliance and accreditation
requirements. By capturing this information within the continuity plan, organizations can
demonstrate their preparedness and compliance to regulatory and accrediting bodies.
Rationale 4:
This statement is accurate. One of the primary objectives of continuity planning is to ensure
the continuity of critical functions, such as maintaining client records and delivering care,
even in the face of disruptions or disasters. A well-developed continuity plan outlines
procedures for safeguarding and accessing essential data and resources to support ongoing
operations and service delivery.
Rationale 5:
This statement is incorrect. While continuity planning aims to minimize interruptions in
services, it cannot guarantee complete protection against all possible disruptions. There may
be scenarios or events beyond the scope of the plan's provisions that could still cause
interruptions in services. Continuity planning helps organizations mitigate risks and recover
from disruptions efficiently, but it does not provide absolute protection against all
interruptions.
Question 11
Many health care agencies lack the infrastructure to accommodate and support information
systems (IS) during an environmental disaster. Which of the following can threaten IS during
an environmental disaster?
1. A 10-day supply of fuel to power generators
2. Presence of excessive heat
3. Underground power lines
4. Housing IS in areas above the first floor
Correct Answer: 2
Rationale 1:
Sufficient fuel should be on hand to power generators for at least one week; therefore, a
10-day supply is not a threat. The presence of excessive heat can threaten IS by shutting down
computers and causing processing errors. Housing IS in areas above the first floor means key
computers and data are not threatened by potential flooding. Underground power lines are not
a threat.
Rationale 2:
The presence of excessive heat can threaten IS by shutting down computers and causing
processing errors. Sufficient fuel should be on hand to power generators for at least one
week; therefore, a 10-day supply is not a threat. Housing IS in areas above the first floor
means key computers and data are not threatened by potential flooding. Underground power
lines are not a threat.
Rationale 3:
Underground power lines are not a threat. The presence of excessive heat can threaten IS by
shutting down computers and causing processing errors. Sufficient fuel should be on hand to
power generators for at least one week; therefore, a 10-day supply is not a threat. Housing IS
in areas above the first floor means key computers and data are not threatened by potential
flooding.
Rationale 4:
Housing IS in areas above the first floor means key computers and data are not threatened by
potential flooding. The presence of excessive heat can threaten IS by shutting down
computers and causing processing errors. Sufficient fuel should be on hand to power
generators for at least one week; therefore, a 10-day supply is not a threat. Underground
power lines are not a threat.
Question 12
Lost or damaged data have a negative impact on business processes, impede the delivery of
safe care, reduce productivity, and undermine public confidence. It is estimated that
somewhere between what percentage of organizations that have incurred a significant
downtime with data loss will go out of business within five years?
1. 40 to 90%
2. 20 to 70%
3. 10 to 50%
4. 30 to 80%
Correct Answer: 1
Rationale 1:
This statement is accurate. Organizations that have incurred a significant downtime with data
loss face severe consequences, including financial losses, compromised patient care,
decreased productivity, and damage to their reputation. Studies have shown that between 40%
and 90% of organizations experiencing such significant downtime and data loss may go out of
business within five years due to the extent of the damage incurred.
Rationale 2:
This statement is incorrect. While downtime and data loss can indeed have severe
consequences for organizations, the specified percentage range (20% to 70%) does not
accurately represent the potential impact on businesses over a five-year period. The actual
impact is generally more significant, as indicated by the correct answer.
Rationale 3:
This statement is incorrect. The percentage range provided (10% to 50%) does not align with
estimates regarding the likelihood of organizations going out of business within five years
following significant downtime with data loss. The correct answer reflects a higher potential
impact on businesses facing such circumstances.
Rationale 4:
This statement is incorrect. The percentage range specified (30% to 80%) does not accurately
represent the estimated likelihood of organizations going out of business within five years
after experiencing significant downtime with data loss. The correct answer provides a broader
range, capturing the severity of the potential consequences for affected organizations.
Question 13
The second step in continuity planning is the development of the plan itself. This step
determines the probabilities of all types of disasters, their impact on critical functions, and
which of the following other concerns?
1. Business impact analysis
2. Systematic evaluation
3. Factors necessary to restore services
4. Policies, procedures and vendor contracts
Correct Answer: 3
Rationale 1:
This statement is incorrect. While the business impact analysis (BIA) is an essential
component of continuity planning, it is typically conducted prior to the development of the
plan itself. The BIA helps identify critical functions, assess their dependencies, and prioritize
recovery efforts, but it is not a concern specifically addressed during the development of the
plan.
Rationale 2:
This statement is incorrect. While systematic evaluation may be part of the continuity
planning process, it is not a specific concern addressed during the development of the plan
itself. Systematic evaluation may occur during various stages of continuity planning,
including risk assessment and plan testing, but it is not uniquely associated with plan
development.
Rationale 3:
This is the correct answer. During the development of the continuity plan, considerations
include factors necessary to restore services after a disruption. This involves identifying
resources, procedures, and strategies required to recover critical functions and resume normal
operations in the aftermath of a disaster or significant event.
Rationale 4:
This statement is incorrect. While policies, procedures, and vendor contracts are important
components of a continuity plan, they are not the primary concern addressed during the
development of the plan itself. These elements are typically detailed within the plan and are
implemented as part of the overall continuity planning process but are not specific to the
development stage.
Question 14
Health care agencies incorporate a continuity plan to ensure business continuity and
successful recovery after a disaster. Which of the following is the most effective way to
emphasize the importance of disaster preparedness?
1. Conduct staff reviews of continuity and recovery plans
2. Test the emergency staff notification system
3. Incorporate mock disaster situations into staff training
4. Display continuity plans in conspicuous places
Correct Answer: 3
Rationale 1:
This statement is incorrect. While conducting staff reviews of continuity and recovery plans
is important for ensuring awareness and understanding, it may not effectively emphasize the
importance of disaster preparedness on its own. Staff reviews are part of the implementation
and communication phase rather than a method to emphasize the importance of preparedness.
Rationale 2:
This statement is incorrect. Testing the emergency staff notification system is a vital aspect of
disaster preparedness, but it primarily focuses on assessing the functionality and effectiveness
of communication systems rather than emphasizing the importance of preparedness to staff
members.
Rationale 3:
This is the correct answer. Incorporating mock disaster situations into staff training is an
effective way to emphasize the importance of disaster preparedness. By simulating realistic
emergency scenarios, staff members can experience firsthand the potential challenges and
consequences of a disaster. This helps raise awareness, improve readiness, and reinforce the
significance of preparedness measures.
Rationale 4:
This statement is incorrect. While displaying continuity plans in conspicuous places can
increase visibility and accessibility, it may not effectively emphasize the importance of
disaster preparedness to staff members. Simply having plans visible does not necessarily
ensure that staff understand their significance or are adequately prepared to respond to
emergencies.
Question 15
Which of the following authorized the development of a national, near real-time information
network to coordinate federal and state response to public health emergencies?
1. Health Insurance Portability and Accountability Act
2. Pandemic and All-Hazards Preparedness Act
3. Sarbanes-Oxley Act
4. Federal Information Privacy and Security Act
Correct Answer: 2
Rationale 1:
This statement is incorrect. The Health Insurance Portability and Accountability Act (HIPAA)
primarily focuses on protecting the privacy and security of health information and does not
specifically address the development of a national, near real-time information network for
public health emergencies.
Rationale 2:
This is the correct answer. The Pandemic and All-Hazards Preparedness Act (PAHPA)
authorized the development of a national, near real-time information network to coordinate
federal and state responses to public health emergencies. This network, known as the Public
Health Emergency Management System (PHEMS), aims to enhance situational awareness,
communication, and coordination during emergencies.
Rationale 3:
This statement is incorrect. The Sarbanes-Oxley Act (SOX) is legislation primarily focused
on enhancing corporate governance, financial reporting, and accountability in response to
corporate accounting scandals. It does not pertain to public health emergency response or the
development of information networks for that purpose.
Rationale 4:
This statement is incorrect. There is no legislation known as the "Federal Information Privacy
and Security Act." While various federal laws and regulations address information privacy
and security, none specifically authorized the development of a national, near real-time
information network for public health emergencies.
Question 16
Together the Joint Commission and HIPAA require that health care providers perform a
business impact analysis, employ crisis management, conduct employee training, implement
ongoing continuity plan reviews, plan for information technology disasters and recovery, and
audit their continuity plan processes. There are other groups that demonstrate interest in
business continuity management. Which of the following are included in those other groups?
1. National Institute of Standards and Technology (NIST)
2. Disaster Recovery Institute International
3. Federal Emergency Management Agency (FEMA)
4. Food and Drug Administration (FDA)
5. Bioterrorism Working Group, Centers for Disease Control and Prevention (CDC)
Correct Answer: 1, 2, 3, 4, 5
Rationale 1:
This statement is accurate. The National Institute of Standards and Technology (NIST)
provides guidance and standards related to cybersecurity, risk management, and business
continuity planning. NIST's publications, such as the NIST Special Publication 800 series,
offer valuable resources for organizations seeking to enhance their business continuity
management practices.
Rationale 2:
This statement is accurate. Disaster Recovery Institute International (DRI) is a global
organization that offers education, certification, and resources related to disaster recovery and
business continuity management. DRI's programs and initiatives aim to promote best
practices and professional development in the field of continuity planning.
Rationale 3:
This statement is accurate. The Federal Emergency Management Agency (FEMA) plays a
significant role in emergency preparedness, response, and recovery efforts in the United
States. FEMA provides guidance, training, and assistance to organizations and communities
to help them develop effective continuity plans and mitigate the impact of disasters.
Rationale 4:
This statement is accurate. The Food and Drug Administration (FDA) is involved in
regulating the safety and security of food, drugs, medical devices, and other products. As part
of its responsibilities, the FDA may provide guidance and requirements related to business
continuity planning for healthcare providers, pharmaceutical companies, and other regulated
entities.
Rationale 5:
This statement is accurate. The Bioterrorism Working Group at the Centers for Disease
Control and Prevention (CDC) focuses on preparedness and response to bioterrorism threats
and other public health emergencies. The CDC may collaborate with healthcare providers and
other stakeholders to ensure they have effective continuity plans in place to address
bioterrorism incidents and other emergencies.
Question 17
In 2001, the Joint Commission introduced new emergency management standards for
hospitals, long-term care facilities, and behavioral health and ambulatory care that focus on
the concept of community involvement in the management process. What event was recently
added by the Joint Commission to the list of events that organizations must consider in their
plans?
1. Disaster preparedness
2. Bioterrorism
3. Information security
4. Recovery planning
Correct Answer: 2
Rationale 1:
This statement is incorrect. Disaster preparedness has long been a critical aspect of
emergency management standards introduced by the Joint Commission in 2001. While
disaster preparedness is an essential component, it is not the recently added event mentioned
in the question.
Rationale 2:
This is the correct answer. The Joint Commission recently added bioterrorism to the list of
events that organizations must consider in their emergency management plans. This addition
reflects the evolving landscape of threats and risks faced by healthcare organizations,
highlighting the importance of preparedness for deliberate acts of bioterrorism and public
health emergencies.
Rationale 3:
This statement is incorrect. Information security, while important for protecting sensitive
data, is not the recently added event specified in the question. The focus of the question is on
events that organizations must consider in their emergency management plans, and
information security, while relevant, does not fall within that context.
Rationale 4:
This statement is incorrect. Recovery planning, while integral to emergency management, is
not the recently added event mentioned in the question. Recovery planning involves
preparing strategies and procedures for restoring operations and services after a disruption,
but it is not a new addition to the list of events organizations must consider in their
emergency management plans.
Question 18
A continuity plan is a critical aspect of an organization's risk management strategy and is
instrumental to its survival in the aftermath of a disaster. Tolerance for IT downtime is rapidly
declining; a recent survey set the figure at how many hours or less?
1. 5 hours
2. 10 hours
3. 18 hours
4. 24 hours
Correct Answer: 1
Rationale 1:
This statement is accurate. As organizations increasingly rely on information technology (IT)
systems to conduct their operations, the tolerance for IT downtime is rapidly declining.
According to a recent survey, the figure for acceptable IT downtime is often reported to be 5
hours or less. This means that organizations aim to minimize disruptions and downtime in
their IT systems to ensure continuity of operations and minimize the impact of disasters.
Rationale 2:
This statement is incorrect. While 10 hours of IT downtime may still be considered
significant, the trend in recent surveys suggests that organizations have a lower tolerance for
downtime, often aiming for 5 hours or less to minimize disruptions and maintain continuity
of operations.
Rationale 3:
This statement is incorrect. While 18 hours of IT downtime may have been acceptable in the
past, the tolerance for downtime is rapidly decreasing as organizations become more reliant
on IT systems for their daily operations. Recent surveys indicate that many organizations aim
for 5 hours or less of downtime to ensure business continuity and minimize the impact of
disasters.
Rationale 4:
This statement is incorrect. While 24 hours of IT downtime may have been tolerated in the
past, the expectation for rapid recovery and continuity of operations has increased
significantly in recent years. Many organizations now aim for 5 hours or less of downtime to
ensure minimal disruption and maintain business continuity in the event of a disaster.
Question 19
Each organization must select its criteria for business disaster recovery timeframes based
upon its own perspective. Data flowcharts help to ensure which of the following?
1. The timeframes are appropriate
2. Integrity of the information is maintained
3. All critical processes are documented
4. No personnel are left out of the process
Correct Answer: 3
Rationale 1:
This statement is incorrect. While data flowcharts may aid in assessing the flow of data and
processes within an organization, they do not directly ensure that the selected timeframes for
business disaster recovery are appropriate. Determining appropriate recovery timeframes
involves assessing the criticality of various functions and systems, as well as considering
factors such as acceptable levels of downtime and potential impacts on operations.
Rationale 2:
This statement is incorrect. While data flowcharts may help identify points where integrity of
information could be compromised, their primary purpose is not to maintain the integrity of
information. Data flowcharts are visual representations of how data moves through processes
and systems, aiding in understanding and documenting those processes.
Rationale 3:
This is the correct answer. Data flowcharts help ensure that all critical processes within an
organization are documented. By visually representing the flow of data and information
through various processes and systems, data flowcharts assist in identifying and documenting
critical processes, dependencies, and interconnections. This documentation is essential for
developing effective business disaster recovery plans.
Rationale 4:
This statement is incorrect. While data flowcharts may facilitate communication and
collaboration among personnel involved in the disaster recovery process, their primary
purpose is not to ensure that no personnel are left out of the process. The inclusion of
personnel in disaster recovery planning involves other activities such as stakeholder
engagement, training, and communication strategies.
Question 20
Which of the following statements is not true about continuity planning?
1. A good continuity plan is intentionally ambiguous to prevent hacking.
2. Wait time decreases satisfaction and can diminish quality of care.
3. Health care organizations are catching up with other industries in understanding the
business case for continuity of operations.
4. Health care organizations must be able to effectively deal with crises.
Correct Answer: 1
Rationale 1:
This statement is incorrect. A continuity plan should not be intentionally ambiguous to
prevent hacking. In fact, clarity and specificity are essential in a continuity plan to ensure that
all stakeholders understand their roles and responsibilities during a crisis or disaster.
Ambiguity in the plan can lead to confusion and hinder effective response and recovery
efforts.
Rationale 2:
This statement is incorrect. Wait time decreasing satisfaction and potentially diminishing
quality of care is a well-established concept in healthcare, particularly in settings such as
emergency departments and outpatient clinics. However, it is not directly related to the
statement about continuity planning.
Rationale 3:
This statement is accurate. Health care organizations have increasingly recognized the
importance of continuity of operations, especially in the face of evolving threats and risks
such as natural disasters, cyberattacks, and public health emergencies. While other industries
may have been more proactive in understanding the business case for continuity planning,
healthcare organizations are catching up by investing in preparedness measures to ensure the
uninterrupted delivery of care.
Rationale 4:
This statement is incorrect. Health care organizations must indeed be able to effectively deal
with crises, but this statement alone does not provide a rationale for the correctness of
Statement 1. Effective crisis management requires clear, well-defined continuity plans and
procedures, rather than intentionally ambiguous ones.
Question 21
The HIPAA security rule requires continuity planning and disaster recovery processes. In
response, all health care organizations must have which of the following?
1. A data backup and a recovery plan
2. A data backup plan, a recovery plan, an emergency mode of operation plan, and testing and
evaluation procedures
3. An emergency mode of operation plan and testing and evaluation procedures
4. A data backup plan
Correct Answer: 2
Rationale 1:
This statement is incorrect. While having a data backup plan is important for data protection
and recovery, the HIPAA security rule requires more comprehensive continuity planning and
disaster recovery processes beyond just data backup.
Rationale 2:
This is the correct answer. The HIPAA security rule requires health care organizations to have
a comprehensive set of continuity planning and disaster recovery processes, including a data
backup plan, a recovery plan, an emergency mode of operation plan, and testing and
evaluation procedures. These elements ensure that organizations can adequately prepare for
and respond to emergencies and disruptions while maintaining the security and integrity of
protected health information (PHI).
Rationale 3:
This statement is incorrect. While an emergency mode of operation plan and testing and
evaluation procedures are important components of continuity planning and disaster recovery,
the HIPAA security rule requires more comprehensive measures, including a data backup
plan and a recovery plan, to address various aspects of continuity and resilience in healthcare
organizations.
Rationale 4:
This statement is incorrect. While having a data backup plan is a crucial component of
continuity planning and disaster recovery, the HIPAA security rule mandates additional
measures, such as a recovery plan, an emergency mode of operation plan, and testing and
evaluation procedures, to ensure comprehensive preparedness and response capabilities in
health care organizations.
Question 22
Post-disaster recovery expenses usually exceed anticipated costs, leading to changes in
recovery strategies that can be used for future disasters. What can planners do to minimize
the budget variations?
1. Hold mock disasters.
2. Increase the budget line in anticipation of a disaster.
3. Set aside funds to supplement the budget.
4. Complete the grant writing process to supplement the existing budget.
Correct Answer: 1
Rationale 1:
This is the correct answer. Holding mock disasters, also known as disaster drills or exercises,
allows planners to simulate emergency situations and response activities. By conducting these
exercises, organizations can identify potential budget variations, refine recovery strategies,
and assess resource needs more accurately. Mock disasters also provide an opportunity to
train staff, test procedures, and improve overall preparedness without incurring the actual
costs associated with a real disaster.
Rationale 2:
This statement is incorrect. Increasing the budget line in anticipation of a disaster may lead to
unnecessary expenditures and strain on financial resources. While it's important to allocate
sufficient funds for disaster preparedness and recovery, simply increasing the budget without
a clear understanding of actual needs and potential variations may not be the most effective
approach to minimizing budget variations.
Rationale 3:
This statement is partially correct. Setting aside funds to supplement the budget can help
mitigate budget variations to some extent. However, without a comprehensive understanding
of potential variations and specific needs, simply setting aside funds may not address the
underlying factors contributing to budget variations. Holding mock disasters and conducting
thorough assessments are more effective strategies for minimizing budget variations.
Rationale 4:
This statement is incorrect. While completing the grant writing process to supplement the
existing budget can provide additional funding for disaster preparedness and recovery efforts,
it is not specifically focused on minimizing budget variations. Grants can be a valuable
source of funding, but they may not address the need for accurate budgeting and cost
estimation to minimize variations in post-disaster recovery expenses. Holding mock disasters
and conducting thorough assessments are more effective strategies for addressing budget
variations.
Question 23
Post-disaster feedback is crucial to the design and implementation of a better continuity plan
for future health care agency use. Which of the following supports this statement?
1. The feedback should be used to identify what worked and what did not. Plans that looked
good before a disaster may not look so good after one.
2. Feedback collected after disasters (or mock disasters) is not useful since the staff had no
other options during the disaster.
3. Feedback collected after disasters (or mock disasters) is not necessarily accurate.
4. Feedback collected after disasters (or mock disasters) provides data for change in a limited
number of areas.
Correct Answer: 1
Rationale 1:
This is the correct answer. Post-disaster feedback is indeed crucial for improving continuity
plans for future use. By collecting feedback, organizations can identify what aspects of the
plan worked well during the disaster and what aspects did not. Plans that may have seemed
effective in theory or on paper may reveal weaknesses or deficiencies during an actual
disaster scenario. Analyzing feedback allows organizations to make necessary adjustments
and enhancements to their continuity plans to improve effectiveness and resilience in the face
of future disasters.
Rationale 2:
This statement is incorrect. Feedback collected after disasters, including mock disasters, is
valuable for assessing the effectiveness of continuity plans. While staff may have had limited
options during the actual disaster, their feedback can still provide insights into areas where
improvements can be made to enhance preparedness and response for future incidents.
Rationale 3:
This statement is incorrect. While feedback collected after disasters, or mock disasters, may
not always be perfect or completely accurate, it still provides valuable insights and
perspectives on the effectiveness of continuity plans. By collecting feedback from various
stakeholders and participants, organizations can identify trends, common issues, and areas for
improvement in their plans and procedures.
Rationale 4:
This statement is incorrect. Feedback collected after disasters, or mock disasters, can provide
data for change in multiple areas, not just a limited number. By analyzing feedback from
participants, including staff, emergency responders, and other stakeholders, organizations can
identify a wide range of issues and opportunities for improvement in their continuity plans,
procedures, and practices. This comprehensive feedback allows for meaningful adjustments
and enhancements to be made to improve overall preparedness and resilience.
Question 24
Which of the following is not a benefit of an effective disaster plan?
1. Limits the loss of data
2. Increase in the budget line to prepare for future disasters
3. Limits loss of equipment
4. Offers a logical system to employ during an unforeseen disaster
Correct Answer: 2
Rationale 1:
This statement is incorrect. Limiting the loss of data is indeed a benefit of an effective
disaster plan. A well-designed disaster plan includes provisions for data backup, storage, and
recovery, minimizing the risk of data loss during unforeseen disasters or emergencies.
Rationale 2:
This is the correct answer. Increasing the budget line to prepare for future disasters is not a
direct benefit of an effective disaster plan. While having adequate funding for disaster
preparedness and response activities is important, it is not inherently a benefit of the plan
itself. The primary benefits of an effective disaster plan relate to minimizing the impact of
disasters, safeguarding assets, ensuring continuity of operations, and facilitating a
coordinated and effective response.
Rationale 3:
This statement is incorrect. Limiting the loss of equipment is indeed a benefit of an effective
disaster plan. A well-developed plan includes provisions for protecting equipment, such as
through physical safeguards, redundancy, and recovery strategies, to minimize the loss of
critical assets during disasters or emergencies.
Rationale 4:
This statement is incorrect. Offering a logical system to employ during an unforeseen disaster
is a benefit of an effective disaster plan. A well-designed plan provides clear guidance,
procedures, and protocols for responding to various types of disasters or emergencies, helping
organizations navigate complex and stressful situations in a systematic and organized manner.
Question 25
____________________________ is broadly defined as the process that seeks to ensure
organizations are capable of withstanding any disruption to normal functioning.
Correct Answer: Business continuity management
Rationale:
Business continuity management is broadly defined as the process that seeks to ensure
organizations are capable of withstanding any disruption to normal functioning.
Question 26
Business continuity planning (BCP) is not a one-step or one-time activity but is a set of
successive stages that are repeated periodically. It is best characterized as a life cycle. Which
of the following supports continuity planning?
1. Lost or corrupted data are costly to re-create and threaten the survival of a business or
health care delivery system in a highly competitive environment.
2. Business continuity planning is done after the implementation process.
3. Business continuity planning is associated with the cost incurred by vendors.
4. Located data after a disaster is generally corrupted.
Correct Answer: 1
Rationale 1:
Business continuity planning (BCP) is not a one-step or one-time activity but is a set of
successive stages that are repeated periodically. It is best characterized as a life cycle. A
completed BCP life cycle results in a formal plan with a printed manual available for
reference before, during, and after disruptions have occurred. Lost or corrupted data are
costly to re-create and threaten the survival of a business or health care delivery system in a
highly competitive environment.
Rationale 2:
Business continuity planning (BCP) is not a one-step or one-time activity but is a set of
successive stages that are repeated periodically. It is best characterized as a life cycle. A
completed BCP life cycle results in a formal plan with a printed manual available for
reference before, during, and after disruptions have occurred.
Rationale 3:
Business continuity planning (BCP) is not a one-step or one-time activity but is a set of
successive stages that are repeated periodically. It is best characterized as a life cycle. A
completed BCP life cycle results in a formal plan with a printed manual available for
reference before, during, and after disruptions have occurred.
Rationale 4:
Business continuity planning (BCP) is not a one-step or one-time activity but is a set of
successive stages that are repeated periodically. It is best characterized as a life cycle. A
completed BCP life cycle results in a formal plan with a printed manual available for
reference before, during, and after disruptions have occurred.
Question 27
Which of the following are advantages of continuity planning?
1. Identifies strategies for correction of vulnerabilities within the organization
2. Provides a reasonable amount of protection against interruption in services, downtime, and
data loss
3. Allows time for restoration of equipment, the facility, and services
4. Helps to ensure compliance with HIPAA legislation and requirements of the Joint
Commission
5. Expedites reporting of diagnostic tests
Correct Answer: 1, 2, 3, 4, 5
Rationale 1:
This statement is correct. Continuity planning involves identifying strategies for correcting
vulnerabilities within the organization. By conducting risk assessments and business impact
analyses, organizations can pinpoint weaknesses and areas for improvement, allowing them
to proactively address vulnerabilities before they lead to disruptions or disasters.
Rationale 2:
This statement is correct. Continuity planning provides a reasonable amount of protection
against interruption in services, downtime, and data loss. By implementing measures such as
data backups, redundancy, and recovery plans, organizations can mitigate the impact of
disruptions and maintain essential services during emergencies or disasters.
Rationale 3:
This statement is correct. Continuity planning allows time for the restoration of equipment,
facilities, and services. By having predefined procedures and resources in place,
organizations can expedite the recovery process and minimize the duration of disruptions,
ensuring that operations can resume as quickly as possible after an adverse event.
Rationale 4:
This statement is correct. Continuity planning helps ensure compliance with HIPAA
legislation and the requirements of the Joint Commission. By addressing elements such as
data security, patient privacy, and business continuity, organizations can demonstrate their
commitment to regulatory compliance and accreditation standards, reducing the risk of
penalties or sanctions.
Rationale 5:
This statement is correct. While not typically emphasized as a primary advantage of
continuity planning, expediting the reporting of diagnostic tests can be facilitated by having
robust continuity measures in place. Ensuring the availability of systems, resources, and
procedures during and after a disruption can help healthcare organizations maintain timely
reporting and communication, contributing to effective patient care.
Question 28
Which law authorized development of a national, near-real-time information network to
coordinate federal and state response to public health emergencies?
1. HIPAA
2. The Pandemic and All-Hazards Preparedness Act (PAHPA)
3. Sarbanes–Oxley Act of 2002
4. The Federal Information Privacy and Security Act of 2002
Correct Answer: 2
Rationale 1:
The Pandemic and All-Hazards Preparedness Act (PAHPA) was enacted in 2006 at the end of
the 109th Congressional session (Goedert, 2007). The purpose of this law was to improve the
nation’s public health and medical preparedness and response capabilities for emergencies,
whether deliberate, accidental, or natural. This law authorized development of a national,
near-real-time information network to coordinate federal and state response to public health
emergencies within two years of enactment.
Rationale 2:
The Pandemic and All-Hazards Preparedness Act (PAHPA) was enacted in 2006 at the end of
the 109th Congressional session (Goedert, 2007). The purpose of this law was to improve the
nation’s public health and medical preparedness and response capabilities for emergencies,
whether deliberate, accidental, or natural. This law authorized development of a national,
near-real-time information network to coordinate federal and state response to public health
emergencies within two years of enactment.
Rationale 3:
The Sarbanes–Oxley Act of 2002 was enacted by the federal government as a means to
legislate corporate accountability and responsibility. While it only applied to publicly traded
corporations, Sarbanes–Oxley impacts the health care industry by increasing the demand for
fiscal responsibility, accountability and accurate financial reporting and disclosure.
Rationale 4:
The Federal Information Privacy and Security Act of 2002 established a minimum standard
of performance for the protection of information and information systems managed by federal
agencies, their contractors, and other agencies acting on their behalf, and required the
institution of continuity plans for information systems supporting the operations of the
agency (Collmann, 2007).
Question 29
Which of the following are stages of the continuity life cycle?
1. Organizational structure and objectives
2. Analysis
3. Implementation
4. Solution design
5. Testing and acceptance
Correct Answer: 1, 2, 3, 5
Rationale 1:
The organizational structure and objectives stage involves establishing the framework within
which continuity planning will occur, including defining the organization's mission, goals,
and objectives related to continuity.
Rationale 2:
Analysis is a crucial stage where an assessment of potential risks, vulnerabilities, and impacts
on the organization is conducted. This analysis informs the development of strategies and
plans for continuity.
Rationale 3:
Implementation involves putting into action the strategies and plans developed during the
analysis stage. It includes executing continuity measures and ensuring that resources are
allocated appropriately to support continuity efforts.
Rationale 4:
Solution design is not typically considered a distinct stage in the continuity life cycle. While
designing solutions is integral to continuity planning, it is often encompassed within the
analysis and implementation stages rather than being a separate stage itself.
Rationale 5:
Testing and acceptance are essential stages in the continuity life cycle where the effectiveness
of continuity plans and procedures is evaluated through testing exercises. This stage ensures
that plans are functional and can be implemented effectively in real-world scenarios, gaining
acceptance from stakeholders within the organization.
Test Bank for Handbook of Informatics for Nurses and Healthcare Professionals
Toni Lee Hebda, Patricia Czar, Theresa Calderone
9780132574952, 9780132959544, 9780134711010, 9780131512627, 9780130311023, 9780805373264, 9780135205433, 9780135043943