project work 5 pages -part 2

Risk Assessment

Student’s Name

University

Risk Assessment

Health IT operators meet the problem of increasing demand for the creation and operation of a sound digital health record safety environment. The safety risk assessment required to start this initiative is the pillar of the establishment of a powerful information security program. It offers an organization with knowledge onto its guarded and unguarded safety exercises and allows the organization to create wise safety choices. Most health IT managers concentrate on data security within their data centers, but several Chief Information Officers and Chief Medical Information Officers do not comprehend or concentrate on risks and problems outside the data center. What are the controls in place to cope with information violations, computer attacks, and fraud? What staff, procedures, and techniques are required to tackle these and other underlying variables? Risk is essential in the provision of healthcare services. Safety risks affiliated with health systems have risen as direct (network), and indirect (media) networking has risen (Ayatollahi & Shagerdi, 2017). With advanced machinery, there will always be more dangers than any organization can manage to remove completely. There is, therefore, a requirement for a comprehensive, detailed risk assignment technique such that hazards could be identified in the order of preference, mitigated appropriately, and remaining risks recorded and acknowledged. This paper seeks to explain how to conduct a risk assessment and how to implement risk mitigation plan.

The IT safety-related risk management mechanism for the health system is very comparable to lengthy-standing equipment security procedures. For instance, instruments such as Failure Mode and Effect Analysis (FMEA) as implemented to safety factors can also be used for safety inquiries. The paper will examine in depth the safety risk assessment apart from the situation where safety should be subordinated to the safety of the patient and the operator. 

Where a health risk has a reliable safety danger, after the suggested mitigation, the safety risk assessment method takes precedence. In particular, this implies shifting the main risk debate to the safety department, followed by a competent safety team participant. In this way, the two procedures usually continue in succession all through the production phase.

List of assets

As a foundation for managing risk, the assets under the account that require safeguard, along with their planned use, should be identified. A standard, and not detailed, list of resources includes the hardware and software used to handle health information and important data components, and includes distinct types of data: Particular devices / medical implementation applications (e.g., conceptual frameworks for picture creation, network devices) of the hospital IT platform, Unspecific devices / medical implementation applications of the hospital IT platform (e.g., cyber-attacks may prevent all network traffic), Medical application software itself, Hardware and software setup details, Confidential information of a particular client, Private information of employees and other individuals, Medical care assistance information, such as past use and operator / user details.

The list of assets requires to be sufficiently accurate to start the execution of immediate threats to every one of them and to be able to interpret and execute suitable risk management policies. For instance, merely listing the hospital information system as one asset would not give sufficient particularity to show a reasonable, particular danger. In particular, the network illustration (even if the typical network was decided upon) provides a thorough description of the IT platform of the advanced machinery or the entire hospital network.

Collection of Security-Related Requirements

All components detailing the security system standards, such as the particulars for all assets at the stage of nondisclosure, trustworthiness, accessibility, responsibility (i.e., authentication, and availability/use of log-files) are collected. Input recommendations would generally come from: user-specific regulatory requirements (HIPAA, Directive 95/46 EC, etc.), customer requirements (public agencies, purchasing organizations, etc.), Safe Interface Configuration Guides (e.g. NIST, NSA and other guides), internal security / privacy policy records, Sector Good practices White Papers, Remedial Action Requisites based on previous operations, etc. (Ayatollahi & Shagerdi, 2017).

Elaboration of Threats and Impacts

With asset lists and specifications related to safety, the risk assessment team creates, creates, and records all perceived threats to each asset. When an overall threat can be manipulated in a specific scheme, it is recognized as a system weakness. 

Possible Actors

There is a broad range of performers, both human and non-human. It is possible to classify actors using the threats as:

Authorized individuals: legitimate account insiders who are not authorized to undertake a particular job, such as accidental assaults, insiders hired by external initiators, insiders encouraged by private profit or vengeance (Watt, 2013).

Persons not permitted to access the network infrastructure: outsiders who have no account but a kind of (physical or logical) access to healthcare provider facilities, such as vandals (script kids or hackers), hired outsiders / criminal organizations, reporters requesting information about VIPs (sports figures, politicians, etc.), tourists and clients, troops and/or perpetrators.

Non-human events: these incidents generally occur on an unexpected grounds without immediate human impact, local infrastructure breakdown: urgent space is separated from the backbone network, but certain emergency assistance deserves to be given to patients, large industrial accidents: a big amount of accidents should be handled while a power outage induced by accident impedes health care delivery, Natural disasters: Local community and local infrastructure may be injured. A power outage may impede the health device's activity, and at the same moment, many injuries are flooding the emergency department.

Threat Paths

If individuals are already behind an assault, they might use separate means of accessing their goal on the channel. They are distinct in their capacity to be identified: while others are visible by individuals, and some are not:

Direct (physical) entry to the healthcare system (visible action) o Sitting on a healthcare system panel offers a method of compromising system safety, and appliances can be robbed without adequate physical security, physical entry paves the way to storage media (CD, DVD, USB stick, etc.).

Logical (non-visible) network entry (e.g., IP network or telephone link as a route), From within the company: customers recognized to the scheme who might have the main approval to execute a particular job, like saving x-ray images on a CD for customer therapy purposes, might use this route for criminal operations. Moreover, they might not have the permission to save x-ray pictures on a CD for other reasons, including transmitting the information to a reporter, there is an accessible route that can be exploited from outside of the corporation. For instance, the malware uses an unguarded accessible terminal to take control of the system (Ayatollahi & Shagerdi, 2017).

Possible Impacts

It is essential to fully comprehend the prospective effect of a prosperous assault when composing probable system weaknesses extracted from specific threats. The effect can be under a specific software model number for a single test or tracking case, a single client, a single testing or tracking system, or a complete implemented set of devices. Generally speaking, the greater the number of systems that were affected, the greater the seriousness. It is essential to remember; however, even a single incident of patient confidentiality can be extremely severe (Watt, 2013). The irrevocable revelation of harmful personal health data, such as certain illnesses and circumstances, can be financially disastrous to people, particularly when implemented to well-known government figures.

The single or multiple devices that have been affected may be affected by: impaired customer or user security, unauthorized reproduction, loss or alteration of private information, tracking system usage: who uses the devices that has been handled, system alteration outside of the maker's requirement, system accessibility disruption, theft by deception or supplies.

Scoring of Risk

The scoring for a hazard assigned to a known weakness is a mix of both the likelihood of a successful attack and the intensity of the successive impact of assets. For security risk assessment, important parts of the Failure Mode Effects Analysis (FMEA) are used. The aim of this evaluation is to obtain a reasonable ranking of risks in order to ascertain mitigation activities.

Likelihood of a Successful Attack

The following considerations should be regarded: exposure to long-term weakness, Threat-source: actor encouragement and ability. The motive under the attack is the main factor in evaluating the probability of personal assault, as it generally dictates the effort and resources that the attacker will spend on violating relevant rules or regulations (ICHE, 2012). In fact, the attacker can create a cost-benefit evaluation to evaluate the cost of conducting the attack against the value of a prosperous assault.

The severity of a Successful Attack

Loss of integrity: integrity of the system and information relates to the necessity to safeguard information from incorrect alteration. Integrity is destroyed if, by intentional or accidental acts, unlawful modifications are produced to the information or scheme. If system failure or data consistency is not fixed, ongoing use of malicious payload or defective data may lead in inconsistency, fraud, or security problems. Infringement of integrity can also be the forerunner to an effective assault on the accessibility of data protection of the scheme.

Loss of accessibility: The mission of the medical facility may be impacted if a system is inaccessible to its end customers. For instance, loss of system functionality and operational efficiency may create security issues or decrease the amount and/or quality of care (ICHE, 2012).

Confidentiality loss: confidentiality of the system and data relates to information safety from unlawful disclosure. Unapproved, unforeseen or unintended release of information could contravene the supplier or healthcare provider's legislative, regional directives

Risk Score

Merging the probability and severity of an assault determines the scoring of a danger. It defines the risk reduction action ranking. According to ICHE (2012), there really is no easy universal consensus to decide what danger score is appropriate and what rating the risk reduction procedures need to be implemented. In its working context, system particulars, as well as other local circumstances, the main priority for risk reduction relies on the particular healthcare significance of the scheme.

Risk Mitigation plan

The supplier (or healthcare provider) has the appropriate information accessible after performing the steps outlined above to identify the required risk reduction measures. The objective is to create policies that best decrease the danger for a particular scheme or health care provider to an appropriate rating. The Risk assessment Matrix provides a post-mitigation risk estimate to clearly determine the overall risk when a reduction plan is established (Wheeler, 2013). If fresh hazards emerge or threat ratings are not sufficiently small, then repeat this process.

It is essential to remember that managing risk can include inner analytical system controls (e.g., network channel closing), external technical system controls (e.g., properly configured firewall), or key personnel process description and preparation. Countermeasures generally cover technology, procedures, and individuals. In architecture control, if a threat could not be adequately alleviated, the threat should be correctly recorded and allocated to the operating environment. The healthcare company must apply external (technical) monitoring (e.g., sensing of intrusion). The risk assessment team should acknowledge the risk reduction interventions introduced and the remaining risk overview at the end of this process.

The risk reduction plan records the risk reduction strategy of each defined risk case, and activities to decrease or remove the risk will be taken by the software development team.

Risk prevention: generally includes creating an alternative approach that is more likely to succeed but generally at a greater price connected with performing a project assignment. According to Wheeler (2013), using tested and current systems instead of adopting new methods is a popular risk prevention method, although the new methods may demonstrate the promise of better results or reduced expenses. A project team can select a seller with a proven history over a fresh seller who provides substantial cost opportunities to prevent the danger of operating with a fresh seller. The project team that needs drug testing for members of the team is practicing risk prevention by preventing harm done under the influence of drugs by someone. The project team that needs drug testing for members of the team is practicing risk prevention by preventing harm done under the influence of drugs by someone.

Reduction of risk: is an expenditure of resources to decrease a project's risk. Hospitals may sometimes buy an exchange rate assurance on global ventures to decrease the danger connected with currency exchange changes. A project manager may employ a specialist to inspect a project's analytical specifications or cost estimates to boost trust in the scheme and decrease the danger of the project. Another technique of risk reduction is to attribute extremely qualified project staff to handle high-risk operations. Experts handling a high-risk event can sometimes predict issues and find alternatives that avoid adverse effect on the project from the operations.

Risk sharing: includes partnerships to share accountability for dangerous operations with others. By creating a joint project with hospitals situated in that nation, many organizations working on global projects will decrease political, legal, labor, and other kinds of danger associated with global projects. Partnership with other healthcare systems to share the threats involved with a portion of the project is beneficial when the other healthcare has the knowledge, and the development team has no understanding (Watt, 2013). If there is a threat incident, the partnering healthcare will absorb some or all of the event's adverse effect.

Risk transfer: is a technique of risk decrease that transfers the risk to another party from the project. Buying insurance for particular products is a technique of risk transfer. The risk is transmitted to the insurance company from the project. Insurance purchases are generally in fields outside of the project team's jurisdiction. Weather, political disturbances, and labor strikes are instances of occurrences that are beyond the reach of the project team that can have a noticeable effect on the project.

The organization is a risk is risk-tolerant since it is a description of the level of risk that an organization is prepared to acknowledge, articulated either qualitatively or quantitatively, and is used as a gating factor for threat-based decision making (Gantz & Philpott, 2013). Organizations often give distinct rates of tolerance for risk to distinct risk kinds, but when organizations use coherent risk ranking or assessment scales, the very same amount of risk tolerance could apply irrespective of risk form or source. Risk tolerance, sometimes also referred to as risk appetite or risk propensity, differ commonly between many organizations depending on several variables, such as the relative risk awareness of risk directors and other organizational officials, the task of the organization, the type of its assets, funds, and the working procedures it supports. Risk managers make choices in information security or any other domain of risk management not based on the complete risk that the organization might face, but based on the risk that stays after danger mitigation or other danger reduction measures have been placed in place (Gantz & Philpott, 2013).

Business continuity planning will decrease future residual risk as it involves recognizing the hazards to your company that is constantly present and relate to the nature and behavior of your company, decreasing hazards to your company, enhancing your capacity to survive and protecting your company viability. Once risk intensity is evaluated, medium and high exposure events should be planned, and the project should include operations to reduce the likelihood and/or effect of the most significant hazards. These schemes are the plans for mitigation. In addition, recovery or contingency schemes should be scheduled for most essential threats and would be implemented if, notwithstanding reduction operations, the risk remains an issue.

Control. A project's dangers are more volatile than its demands: commonly and suddenly they alter. Throughout growth, new hazards are found, and their significance may alter. The project manager should, therefore, be conscious of this and pay attention to the risk status throughout the entire project.

Identification. The team must find the circumstances that can cause issues in a project and be conscious of them.

Analysis. Risks are evaluated in order to determine a few of their characteristics. Typically it is necessary to identify at least two characteristics: the likelihood of the situation that causes the risk, and the effect that the threat has on the project. A risk's vulnerability or significance is a mixture of likelihood and effect. The most significant are generally hazards with a high likelihood of occurrence and high effect on the project.

Preventive action: comprises of preventing the occurrence of a high-risk scenario. It includes health and safety coaching, corporate server firewall security, and your team's cross-training.

In conclusion, many other nations, there are rules and laws that protect patient and board safety, delivery of health care (diagnosis and treatment), and confidentiality (safeguarding personal data). A cautious method of managing safety risks as outlined in this paper will assist achieve these objectives. This method can be used throughout the manufacturer's development stage and during the healthcare provider's network (re)configuration procedure, e.g., when adding fresh networked devices. The method of threat handling is comparable to what is regarded as a method of threat handling in the sector and can use the same instruments. Both procedures can run in parallel with each other. And, like security, frequent review of threat assessments or when a failure happens. It is essential to keep a strong partnership between all stakeholders (safety, security, and workflow people) so that safety threats can be effectively mitigated while progressing the healthcare mission.

References

Ayatollahi, H., & Shagerdi, G. (2017). Information Security Risk Assessment in Hospitals. The Open Medical Informatics Journal, 11(1), 37–43. doi: 10.2174/1874431101711010037

Gantz, S. D., & Philpott, D. R. (2013). Thinking About Risk. FISMA and the Risk Management Framework, 53–78. doi: 10.1016/b978-1-59-749641-4.00003-5

Integrating the Healthcare Enterprise (IHE). (2012). Electronic Health Record, 175–185. doi: 10.1002/9781118479612.ch19

Watt, A. (2013). Project management. Place of publication not identified: publisher not identified.

Wheeler, E. (2011). Risk Evaluation and Mitigation Strategies. Security Risk Management, 147–162. doi: 10.1016/b978-1-59749-615-5.00008-6