
CAS-003 Question #701: Real Exam Question with Answer & Explanation

The correct answer is A: When it is mandated by their legal and regulatory requirements.

Question

A hospital's security team recently determined its network was breached and patient data was accessed by an external entity. The Chief Information Security Officer (CISO) of the hospital approaches the executive management team with this information, reports the vulnerability that led to the breach has already been remediated, and explains the team is continuing to follow the appropriate incident response plan. The executive team is concerned about the hospital's brand reputation and asks the CISO when the incident should be disclosed to the affected patients. Which of the following is the MOST appropriate response?

Options

  • A. When it is mandated by their legal and regulatory requirements
  • B. As soon as possible in the interest of the patients
  • C. As soon as the public relations department is ready to be interviewed
  • D. When all steps related to the incident response plan are completed
  • E. Upon the approval of the Chief Executive Officer (CEO) to release information to the public

Explanation

Healthcare organizations are governed by HIPAA (Health Insurance Portability and Accountability Act), which mandates that affected individuals be notified of a breach within 60 days of discovery. Legal and regulatory requirements define the disclosure timeline - not brand reputation concerns, PR department readiness, CEO approval, or the completion of all IR plan steps. The CISO's answer to the executive team should be that disclosure timing is determined by compliance obligations, not business preference. Waiting for all IR steps to complete (D) or CEO approval (E) risks violating the regulatory notification window.

Community Discussion

No community discussion yet for this question.
