
An Approach Paper on Cyber Risk Management in Healthcare Part 2: What is a Risk?

Risk management is a systematic approach to identifying, analysing, and responding to risks, maximizing the probability and consequences of positive events

DQINDIA Online

Last week, in the article An Approach Paper on Cyber Risk Management in Healthcare: Part 1, we touched upon why cybersecurity has become a source of major concern in the healthcare industry. This week, in Part 2 of this four-part series on cyber risk management in healthcare, let us take a look at the kinds of risk involved in the healthcare industry.


Risk is an uncertain event or condition that, if it materializes, can have a positive or a negative effect on project success. Risk includes both threats and opportunities. Risk management is a systematic approach to identifying, analysing, and responding to risks, maximizing the probability and consequences of positive events, minimizing the probability and consequences of adverse events.

With every risk there is an opportunity; if managed well, it can be used to the advantage of the project customer. Awareness of a potential problem is good: put it on the table, discuss it, plan for it, and manage it. There are many factors which make healthcare unique. The healthcare industry deals with human life; it operates 24X7X365. It is fast-paced, rooted in tradition, knowledge-oriented and skill-based, and utilizes highly educated and sophisticated professionals.

Information technology processes are also unique. They involve innovation. Many healthcare practitioners avoid innovation. Innovation introduces change, and change produces uncertainty. IT creates dependencies on:

- systems availability (for data retrieval), uptime, speed of data processing, and data integrity;

- other professionals to sustain the environment.

Besides the above, there are issues like:

- verifying virus protection;

- providing vendor-approved patch management;

- hardware management (e.g., for servers and workstations);

- disaster recovery (e.g., backups, hard drive ghosting);

- data security; and

- enforcing policies and procedures.


As per our experience with other similar networks, the security assessment may reveal the following common vulnerabilities across the networked devices:

- password management,

- login monitoring,

- auditing,

- backups,

- operating system maintenance and virus protection,

- common language issues,

- standardization issues,

- application integration issues,

- confidentiality and security issues, and

- many other new rules and regulations that add complexity to the healthcare environment.

Complexity brings added risk and uncertainty.

The CIO should address the roles, responsibilities, and activities that need to be carried out when managing these risks. We have tried to describe ways of becoming aware of the risks associated with the medical IT network.

We will also look at some steps towards a formal Risk Management practice.

How should a hospital keep track of the hundreds of risks prevalent in the regulatory and enforcement environment?

What Network Risk Assessment tools should they use?

How should they be organized?

Risk management in a hospital is complex, as it involves identifying, assessing and averting risks in virtually every area of the IT Network of the hospital.

Because tracking hundreds of risks by lining them up in alphabetical or chronological order is not efficient, we should first analyse the risks to determine if they could be grouped in broader categories.

We should also examine the time periods covered by risks to determine if the risks presented short-term or longer-term vulnerabilities.

Some other steps that may be followed:

Threat Identification

Vulnerability Identification

Control Analysis

Likelihood Determination; among human threats are:

- the effect of computer viruses,

- intentional removal of information,

- communication media misuse (such as email threats and sending rude emails), and

- disconnection of network cables.

Impact Analysis

Risk Determination

Control Recommendations

This article has been written by Mr Sameer Mathur, SM Consulting.
