Continue Report 3 Final

Risk Assessment Report 2

Purpose of the risk assessment

The purpose of the risk assessment was to identify the potential risks associated with the use of HER systems within the healthcare institution. To understand potential risks a number of questions were asked. For instance, to identify the likelihood of human error when entering patient’s medical data, the practitioners were asked the number of instances when the system captured wrong patients’ medical data. Also, information regarding user authentication was asked to understand the likelihood of unauthorized access to patients’ information. For instance, the risk assessor users of the system whether they user passwords, one or two factor authentication to log in to their systems in order to enter or access patient medical records. To assess the risk of data loss through natural disaster or erroneous deletion, the users of HER were asked if the healthcare center has a database backup for patient medical information collected through HER. In addition, question regarding the security of the networks were asked.

Assumptions and constraints

The risk assessment involved analyzing the EHR system to identify potential risks to the system. However, major constraints involved is that the IT personnel could not allow full access of the system to identify the security measures put in place to avert potential risks. The biggest part of the risk assessment involved interviewing the personnel in charge of the system to understand its functionality. Therefore, it is assumed most of the information given out was about the system was accurate. In addition, a major constraint facing the institution in relation to the management of the EHR relates to the technicality of the clinicians in using the new system. potential risks for data breach can be linked to inappropriate use of the system by the clinicians without their knowledge (Ajami & Arab-Chadegani, 2013). In addition, for the system to work effectively and avoid potential risks, it needs a lot of investment to fully implement the system with its full security features and functionality. However, the institution lacks enough financial resources.

Risk tolerance inputs

Based on the risk assessment of the system, the level of risk tolerance of the system is high. Based on the security measures that the institution has put in place, the system is exposed to a couple of risks including data breach, data loss or data alteration. The system is also at a risk to be compromised such that it does not serve its purpose. Therefore, the institution needs to put in place measures to enhance risk tolerance of the system and to avoid potential risks. For example, potential risk tolerance inputs include two-factor authentication. Two-factor authentication helps prevent data breaches by requiring users to provide two different authentication factors to verify them identify so as to log into the system (Colnago et al., 2018). It helps protect the resources a user can access as well as user’s credentials. It adds an extra security layer to the authentication process thus making it harder for hackers to gain access to user’s device and online accounts because if user’s password account is hacked, that alone is not sufficient to pass the authentication check (National Institute of Standards and Technology, 2012). In addition, the healthcare facility needs to put an extra layer of firewalls in its network. Firewalls play a critical role in preventing hackers from compromising with the network and accessing sensitive resources of an organisation. For example, once attackers have compromised the network of the institution, they can go ahead and access backend system that contains medical records of patients thus compromising their privacy. Lastly, users need to be trained on how to ensure they securely use the EHR systems. In most cases, users leave their accounts logged in or write their passwords in an open place where other people can see. This puts the system at great risk of being accessed by unauthorized users.

Risk Model and Analytic Approach

There are different types of models that guide in risk analysis of a systems to identify potential issues and risks. The risk model and analytic approach used in this case was the Delphi Technique. This a model for risk analysis that is similar to a brainstorming session where experts and professionals in a given field come together to analyze different potential threats and vulnerabilities to a given system or project (Horvath, 2022). Since the risk assessment involved assessing an information technology system, ICT experts and professionals were involved in the risk assessment to identify potential risks to the EHR system. What makes the Delphi analytic model is that it uses professionals and experts to uncover the potential risks and threats within a system. In the risk assessment, ICT professionals within the healthcare institution were included in the system analysis and brainstorming to understand how the EHR works and the potential risks. Failure to utilize experts and professionals in the risk assessment using the Delphi model, it becomes hard to identify the potential risks within the system.

Rationale for decisions

The rationale for the assessment is based on the potential risks identified. The report provides recommendations of what the healthcare institution should do to prevent potential risks. The rationale for implementing a two-factor authentication is based on the risk that unauthorized user may access the EHR systems unauthorized and makes changes on the data or access sensitive medical records. The assessment found that users only use single authentication credentials and thus the rationale for two-factor authentication was based on this aspect. In addition, the recommendation to implement network firewalls is informed by the fact that the healthcare center did not have any network security and thus chances of the network being compromised by hackers is very high.

Uncertainties in the risk assessment

Uncertainty within the risk assessment is that the ICT team did not tell how information is shared across departments through the EHR and also where their servers are hosted, whether on premise or on cloud. The information was very vital to assess the potential risks that their data could be exposed to. In addition, another uncertainty while making decisions for recommendations was whether the institution has enough financial resources to implement a fully secured EHR system. EHR systems are very capital intensive and thus lack of enough resources would compromise implementation of the recommendations.

References

National Institute of Standards and Technology (2012). Information security. U.S. department of commerce.

Horvath, I. (2022). Top 5 risk analysis methods that you should know. https://www.invensislearning.com/blog/risk-analysis-methods/

Ajami, S., & Arab-Chadegani, R. (2013). Barriers to implement electronic health records (EHRs).  Materia socio-medica,  25(3), 213.

Colnago, J., Devlin, S., Oates, M., Swoopes, C., Bauer, L., Cranor, L., & Christin, N. (2018, April). “It's not actually that horrible” Exploring Adoption of Two-Factor Authentication at a University. In  Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems (pp. 1-11).