Risk Assessment and Management

In an effort to protect an organization’s health care information and systems, or manage risk, the organization must first identify and understand each of the possible risks. For this purpose, risk is defined as the probability that a specific threat could exploit a specific vulnerability, together with the outcome of that exploitation. Wager, Lee and Glaser, drawing on the research of Steve Weil, outline a process for conducting a risk analysis with eight distinct components: boundary definition, threat identification, vulnerability identification, security control analysis, risk likelihood determination, impact analysis, risk determination and security control recommendations.

Boundary definition is the process by which an organization takes inventory of its health information systems and components. It is important to gain a full understanding of all the health information systems the organization uses, whether internal or external. The inventory can be compiled through inspections, interviews, questionnaires and other methods. The second step is identifying the threats associated with each health information system on the inventoried list. Three general types of threats should be cataloged: 1) natural threats such as fire, earthquakes or floods; 2) human threats, which can be either deliberate or unintentional; and 3) environmental threats such as a power outage. Once the threats have been itemized, the next step is identifying the vulnerabilities: that is, listing the vulnerabilities that affect the organization’s own health information systems by looking for weaknesses or flaws in the design or in system procedures. Most organizations will need help detecting vulnerabilities, whether from software packages or from outside consultants. Other methods of identifying vulnerabilities rely on the users themselves, through interviews, questionnaires or similar methods.

The fourth step, security control analysis, is the process where the organization lists the security controls currently in place. Security controls take two basic forms. The first consists of detective controls, methods to detect potential or actual threats, such as alarms and audit trails. The second consists of preventive controls, which take the form of system access controls and authentication procedures. Once the security control analysis is done across the organization’s health care systems, the fifth step, determining the risk likelihood, commences. Risk likelihood determination assigns a likelihood rating to each of the health information systems. Although any type of rating system can be used, a coarse scale of low, medium and high is recommended for simplicity.

Impact analysis is the sixth step in the risk analysis process. Impact analysis looks at each possible breach and determines what the actual impact on the organization would be if it were to occur. A breach could affect system availability, jeopardize system integrity and/or compromise patient confidentiality. It is also advisable to rate each impact, again using the coarse scale of low, medium and high. For instance, a power outage may temporarily affect system availability and might be rated medium, depending on the organization and its perceived impact.

The seventh step ties together all the risk analysis information gathered to this point. Risk determination examines all the collected information to define the actual risk associated with each of the organization’s health information systems. The risk determination should be based upon three factors: 1) the likelihood that a specific threat could exploit a specific vulnerability (low, medium or high); 2) the level of impact if the threat is able to exploit the vulnerability (low, medium or high); and 3) the adequacy of existing or planned security controls (low, medium or high). It is important that each type of information, and each system, be assessed across these factors. Upon completion, the risk determinations can be rolled up to produce an overall organizational risk rating of low, medium or high. The final, eighth step in the risk analysis process is the recommendation of security controls: a summary of the analysis findings together with recommendations for improving security controls.
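As an added illustration (not from Wager, Lee and Glaser, and not part of the original text), the following Python records findings with the three low/medium/high factors from steps 5 to 7 and rolls them up to per-system and organizational ratings. The text does not prescribe how the three factors are combined, so the combination rule, the numeric mapping and the sample register are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Ratings use the low/medium/high scale the text recommends. The numeric
# mapping and the combination rule below are this example's own assumptions.
RATING = {"low": 1, "medium": 2, "high": 3}
LEVEL = {n: name for name, n in RATING.items()}

@dataclass
class Finding:
    system: str         # inventoried system (step 1, boundary definition)
    threat: str         # natural, human or environmental (step 2)
    vulnerability: str  # weakness the threat could exploit (step 3)
    likelihood: str     # step 5 rating
    impact: str         # step 6 rating
    controls: str       # adequacy of existing/planned controls (step 4)

def risk_rating(f: Finding) -> str:
    """Combine the three factors into one low/medium/high rating.
    Assumed rule: start from the higher of likelihood and impact, then let
    strong controls lower it one level and weak controls raise it one level."""
    for value in (f.likelihood, f.impact, f.controls):
        if value not in RATING:
            raise ValueError(f"unknown rating {value!r} in {f.system}")
    base = max(RATING[f.likelihood], RATING[f.impact])
    adjust = {"high": -1, "medium": 0, "low": 1}[f.controls]
    return LEVEL[max(1, min(3, base + adjust))]

def system_ratings(findings: List[Finding]) -> Dict[str, str]:
    """Per-system rating: each system inherits its worst finding."""
    worst: Dict[str, int] = {}
    for f in findings:
        worst[f.system] = max(worst.get(f.system, 0), RATING[risk_rating(f)])
    return {s: LEVEL[n] for s, n in worst.items()}

def organizational_rating(findings: List[Finding]) -> str:
    """Roll-up (step 7): the organization inherits its riskiest system."""
    return LEVEL[max(RATING[r] for r in system_ratings(findings).values())]

# Constructed sample register; systems, threats and ratings are made up.
SAMPLE = [
    Finding("EHR", "power outage (environmental)", "no backup generator",
            "medium", "medium", "medium"),
    Finding("EHR", "phishing (human, deliberate)", "no MFA on remote access",
            "high", "high", "low"),
    Finding("Lab system", "flood (natural)", "server room in basement",
            "low", "high", "high"),
]
```

Feeding the register through `system_ratings` and `organizational_rating` gives the per-system and overall ratings that the eighth step would summarize alongside its control recommendations.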

Before an organization can begin to protect its health care information and systems, it must first understand the risks associated with those systems. A risk analysis is the process by which an organization inventories its information systems, identifies the associated threats and vulnerabilities, and recommends measures to overcome them. “The risk analysis should lead to the development of policies and procedures outlining risk management procedures and sanctions or consequences for employees and other individuals who do not follow the established procedures.” (Wager, Lee, Glaser. 2009). It is of critical importance that all health care organizations have a risk management program in place.

Wager KA, Lee FW, Glaser JP. Health care information systems: a practical approach for health care management. San Francisco, CA: Jossey-Bass; 2009.