Continue Report 3 Final

profilejimpop1998
Report1.docx

RISK ASSESSMENT Page 2

Information technology system risk assessment

NAME

University

08/28/2022

Executive summary

This report is a risk assessment of Electronic Health Record (EHR) system. The risk assessment was carried out on 25th August 26, 2022 where potential risks within the system were analyzed. EHR is a critical part of information technology within healthcare that contains sensitive patient’s medical information including medical history, medications, treatment plans, diagnosis, test and laboratory results, immunization dates among other sensitive patient information. The system allows quick access and sharing of information across healthcare practitioners and departments for easy decision making. The purpose of the risk assessment was to identify potential risks that are associated with EHR systems including unauthorized access of patient’s data, erroneous deletion of sensitive patient data as well as system failure among other risks. This was an initial risk assessment to asses how secure are EHR systems. The level of risk was identified as high risk because of the sensitive nature of information contained in the system. Risk identified as high risk was unauthorized access of patient information. Security and privacy violations was classified as high risk because of its likelihood to happen. Data loss as a result of natural disaster or intentional deletion of patient’s medical records was classified as a moderate risk. In addition, EHR systems require users to key in patient medical information in to the database of the system. As a result, human error is a potential risk as users can key in wrong data. Human errors can be classified as high risk because of the likelihood of users keying in wrong data.

Body of the report: part 1

The purpose of the risk assessment was to identify the potential risks associated with the use of EHR systems within the healthcare institution. To understand potential risks a number of questions where asked. For instance, to identify the likelihood of human error when entering patient’s medical data, the practitioners were asked the number of instances when the system captured wrong patients’ medical data. Also, information regarding user authentication was asked to understand the likelihood of unauthorized access to patients’ information. For instance, the risk assessor users of the system whether they user passwords, one or two factor authentication to log in to their systems in order to enter or access patient medical records. To assess the risk of data loss through natural disaster or erroneous deletion, the users of EHR were asked if the healthcare center has a database backup for patient medical information collected through EHR. In addition, question regarding the security of the networks were asked.

Based on the above questions asked during risk assessment for EHR, it was noted that patient information faces significant risk of being exposed to unauthorized persons or being lost. Also, it was noted that there was high likelihood of erroneously recording patient information into the system. Assumptions included the likelihood of a user logging into the account of another user and accessing information they are not required to access. Access implies they can edit, delete or copy and share sensitive patient medical information without authorization. It was also assumed that since the institution did not have a backup, there was high likelihood that data would be lost incase of a natural disaster or erroneous deletion of patient’s medical data from the database.

To address the potential risks associated with EHR, a number of changes out to be implemented. For instance, to avoid unauthorized access of patients’ medical data, it is important for the healthcare center to implement two factor authentication to prevent unauthorized users from accessing sensitive medical information for patients (National Institute of Standards and Technology, 2012). The Project Risk Analysis Model (PRAM) is applicable in risk assessment for EHR system. the model uses Monte Carlo simulation to produce quantitative risk analysis output that provide actionable information to the management. For example, the model generates risk and uncertainty information of a project that aids the management to put in place preventative measures. Although the model is often used in project risk analysis, it can also be modified and applied to analyze EHR system.

Body of the report: part 2

The risk assessment of the system includes organizational functions. It seeks to identify ways in which the organisation can secure patients’ sensitive information. It explores potential areas in which the system can be compromised thus preventing the organisation from achieving its objectives and goals. EHR systems play a critical role with a healthcare organisation. It ensures that improved health outcomes as physicians are able to make fast and informed decisions in relation to patient treatment and medication prescription as it provides comprehensive patient medical data. Therefore, compromising the system means that patient information that informs their treatment decisions will be lost. In addition, one of the main focuses by healthcare center is to ensure patient privacy. Therefore, exposure of patient’s medical records to unauthorized parties is a significant failure on the side of the healthcare system.

EHR systems provides flow of information across physicians and departments that allows physicians to make fast and informed decisions regarding patients’ care. If the information is being shared over the external network, it possesses a great risk as unauthorized persons can hijack and hack sensitive patients’ medical information thus compromising patients’ privacy (National Institute of Standards and Technology, 2012).

To summarize the results of the risk assessment, EHR systems are exposed to a number of threats if the right measures are not put in place. Despite the positive impacts that technology brings in healthcare sector, it is also prone to potential risks that can be catastrophic. Assessment of the system within the healthcare center shows that the management has made little efforts to secure patients’ medical data. For instance, it was noted that a user can easily log in to another user’s account. This presents a potential risk since there would be accountability of data loss in case a user deletes data from the system. in addition, all users have the same access rights meaning they can access any patients’ data within the system despite the fact that they may not necessarily need the data. Furthermore, it was noted that the healthcare center does not have backup for its data. This means that in case of a disaster or accidental data deletion all patients medical records would be lost. The risk assessment is valid as long as the organisation continues to use the system. periodic audit of the system is required to ensure that potential risks are resolved.

References

National Institute of Standards and Technology (2012). Information security. U.S. department of commerce.