Three essential functions of Information Security Risk Management for Health Sector
Information Security Risk Management orchestrates all the necessary activities to ensure that security risks are identified, analysed, addressed and are consistent with business goals and objectives. These activities include the assessment, appropriate management and monitoring of current and emerging security risks that could cause disturbance, loss or harm to persons, business operations, information (including personal health data), systems or any other assets.
First, the objective of conducting risk assessments should be clearly presented. The scope must be defined (level: organisation, sector(s), department(s), project(s), resource(s) etc.) and provide all the dependencies, internally into the organisation, but also with all the external service providers.
Prior to starting the risk analysis, the organisation must specify the acceptable levels of risk tolerance. These thresholds provide guidance on how risks should be treated. Risks which fall below the threshold are acceptable to the organisation and may not require any actions. Risks which are assessed to be above the threshold will require actions which involve security controls intended to reduce the risk below the specific value.
Next step is the identification of assets and the valuation of them. A value must be assigned to each asset. As a list of assets in a complex health care organisation might prove to be much extended, introduction of (sub) categories can help make the risk assessment process easier. Any legal and/or other requirement related to each of the assets and to the organisation should be reflected in assets valuation. The outcome of this step is the list of assets and their values.
Apart from asset analysis, risk assessment process should also evaluate whether any existing and/or planned safeguards are sufficient enough and if new ones need to be introduced in order to diminish the risk to acceptable levels.
Moving forward, the likelihood of occurrence should be assessed. All the possible threats that can emerge within organisation’ environment must be identified, to recognise the related vulnerabilities that may be exploited by these threats. For all these threats, the threat source and the threat target should be determined, and the likelihood of occurrence should be assessed. Afterwards, the potential impact to the business if the vulnerability is exploited must be determined. Finally, the combination of threat likelihood and the estimation of impact provide the levels of risk.
Once risks have been identified and assessed, all techniques to manage the risk fall into one or more of these four major categories:
- Reduction: The risk is limited by implementing controls that minimize the adverse impact of a threat exploiting a vulnerability. More often than not, risk mitigation is the approach taken by most organisations.
- Sharing: The risk or part of its impact is transferred to another party such as a supplier, through contracts, insurance and other mechanisms to limit the severity of consequences to the organisation or affected stakeholders
- Avoidance: The risk is avoided by changing the business scope, technical characteristics or usage of the information or system determined to be at risk.
- Retention: The risk is accepted as is and operation of the system continues. Risk retention is a viable strategy for small risks where the cost of insuring against the risk would be greater over time than the total losses sustained. All risks that are not avoided or transferred are retained by default.
Ideal use of these risk control strategies may not be possible. Some of them may involve trade-offs that are not acceptable to the organisation or person making the risk management decisions. Once a decision has been made on how to treat the risks, a corrective action plan should be put into place outlining what must be done, by whom and by when. The action plan must be monitored for progress and completion.
Risk mitigation needs to be approved by the appropriate level of management. For instance, a risk concerning the image of the organisation should have top management decision behind it whereas IT management would have the authority to decide on computer virus risks. The risk management plan should propose applicable and effective security controls for managing the risks. A good risk management plan should contain a schedule for control implementation and responsible persons for those actions. Implementation follows all of the planned methods for mitigating the effect of the risks.
Risk Monitoring and Reviewing
In a constantly changing environment it is necessary to monitor risks, the effectiveness of the designed risk treatment plan and the evaluation of the implemented safeguards. Ongoing review is essential to ensure that the plan remains relevant and up to date.
More information about the Information Security Risk Management in Health sector can be found in Deliverable 1.5 that is publicly available here.