

Risk Assessment Plan

Risk is prevalent in healthcare organizations. Thus any healthcare company must have a qualified risk manager who can assess, develop, implement, and monitor a risk management plan through which the company can minimize its exposure to threats. Every company needs to repeat its risk assessment at a fixed interval; this helps the company take measures against new threats that might exploit a vulnerability in the future and cause losses such as loss of servers, loss of customer data, or loss of the company's confidential information. HealthNet Network Inc needs an updated risk assessment so that management can make better decisions for the future and protect the company's assets, money, and customer data.

Currently, HealthNet has three main products, HealthNet Exchange, HealthNet Pay, and HealthNet Connect, and all three access the company servers, customer data, payment portals, and hospital data through the company website. Threats are not limited to outside forces that can compromise the company's systems; they also include natural disasters, system failure, accidental human error, and, most importantly, malicious attack. HealthNet currently has three data centers, one at each location (Minneapolis, Portland, and Arlington), all managed by a third-party vendor. There are more than 1000 data servers and around 650 corporate laptops, in addition to other mobile devices. The production centers are also located at the data centers.

With a new risk assessment plan, HealthNet can identify its most current opportunities, threats, vulnerabilities, and strengths, which helps management make better decisions in the future, such as where and how much money the company needs to invest to protect HealthNet products from possible future risks. For the HealthNet products to keep working properly, it is essential to define the scope of the plan up front to avoid the risk of "scope creep," i.e., the scope of the project growing uncontrollably.
One significant item in scope for HealthNet Inc is ensuring HIPAA compliance for HealthNet Inc data. The other items in scope are defined as follows:

  • HNet Exchange should be able to transfer data securely between hospitals and clinics.

  • Exchange of medical messages between customers should be done safely, and electronic messages should maintain their authenticity.

  • All payments should be made through the HNet Pay portal.

  • HNet Pay should support secure payments, such as using HTTPS links.

  • HNet Connect contains all doctor and patient information, which must not be exposed to everyone, so only authorized persons should be able to look up doctor or patient profiles.

  • All three products are accessible through the internet, so a secure network, good firewalls, updated antivirus and software, an intrusion detection system, and high-quality servers and equipment should be used.

  • Identification, storage, usage, and transmission of health data.

  • Proper security policies are followed by all employees.

 

For the risk assessment, we can use the following equation to measure the impact of a risk:

Risk = Threat * Vulnerability

Risk is high when the vulnerability is high, and risk is low when our vulnerability is low. Threats are always out there; it is the vulnerability that a threat exploits that results in risk. We can use the risk assessment matrix to measure the impact of a risk, weighted as High, Medium, or Low. The following two techniques are used to assess risk for HealthNet Inc.

 

  • Quantitative Risk Assessment: This technique is used to calculate the actual cost of risks and helps to identify the priority of risks and the effectiveness of controls.

  • Qualitative Risk Assessment: This is a subjective method based on the opinions of experts, who give their views about the likelihood and impact of the risks.

After looking at the following table, we can prioritize the risks for HNet Inc (Gibson, 2015).


Attacks                                                               | Probability | Impact | Risk Level
----------------------------------------------------------------------|-------------|--------|------------------
Loss of Protected Health Information leaked from unauthorized access  | 30          | 100    | 0.3*100 = 30%
DOS Attack                                                            | 100         | 100    | 1.0*100 = 100%
Accidental Human (Unintentional)                                      | 100         | 100    | 1.0*100 = 100%
Web Defacing                                                          | 50          | 90     | 0.50*90 = 45%
Natural Disaster                                                      | 50          | 100    | 0.50*100 = 50%
Loss of website due to hardware or system failure                     | 30          | 100    | 0.30*100 = 30%
Attacker or Hacker (Malicious Attack)                                 | 100         | 100    | 1.0*100 = 100%
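As an added example (not part of the original paper), the following Python script carries the quantitative calculation from the table above through in code: it computes Risk = Probability × Impact for each attack, places each score into a High, Medium or Low band, and ranks the attacks so that the riskiest come first. The seven attacks and their probability and impact values are taken from the table; the band cut-offs (High at 70 or above, Medium at 40 or above) are assumptions for this example, since the paper names the bands but does not state where they begin.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Band thresholds are assumptions for this example; the paper names High/Medium/Low
# but does not state where the cut-offs fall.
HIGH_THRESHOLD = 70.0
MEDIUM_THRESHOLD = 40.0


@dataclass(frozen=True)
class Attack:
    name: str
    probability: float  # likelihood of the attack, as a percentage 0-100
    impact: float       # severity if it occurs, as a percentage 0-100


def risk_score(probability: float, impact: float) -> float:
    """Risk = Probability x Impact, with probability converted to a fraction (30 -> 0.30).

    Both inputs must be percentages; anything outside 0-100 is rejected so that a
    typo (e.g. 1000) cannot silently produce a risk score above 100%.
    """
    for label, value in (("probability", probability), ("impact", impact)):
        if not 0.0 <= value <= 100.0:
            raise ValueError(f"{label} must be a percentage between 0 and 100, got {value}")
    return round(probability / 100.0 * impact, 2)


def risk_level(score: float) -> str:
    """Map a numeric risk score onto the High/Medium/Low bands of the risk matrix."""
    if score >= HIGH_THRESHOLD:
        return "High"
    if score >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


def risk_register(attacks: List[Attack]) -> List[Tuple[str, float, str]]:
    """Score every attack and return (name, score, level) ordered by descending risk.

    Ties are broken alphabetically so the ordering is deterministic.
    """
    scored = [(a.name, risk_score(a.probability, a.impact)) for a in attacks]
    scored.sort(key=lambda row: (-row[1], row[0]))
    return [(name, score, risk_level(score)) for name, score in scored]


def top_priorities(attacks: List[Attack], level: str = "High") -> List[str]:
    """Names of the attacks that fall into the given band, in register order."""
    return [name for name, _, lvl in risk_register(attacks) if lvl == level]


# The seven attacks and the probability/impact values from the paper's table.
HEALTHNET_ATTACKS = [
    Attack("Loss of Protected Health Information leaked from unauthorized access", 30, 100),
    Attack("DOS Attack", 100, 100),
    Attack("Accidental Human (Unintentional)", 100, 100),
    Attack("Web Defacing", 50, 90),
    Attack("Natural Disaster", 50, 100),
    Attack("Loss of website due to hardware or system failure", 30, 100),
    Attack("Attacker or Hacker (Malicious Attack)", 100, 100),
]


if __name__ == "__main__":
    # Print the register, riskiest first, in the same three columns as the table.
    for name, score, level in risk_register(HEALTHNET_ATTACKS):
        print(f"{score:6.1f}%  {level:<6}  {name}")
```

Run directly, the script prints the register with the three 100% attacks (accidental human error, the malicious attacker, and denial of service) at the top, which is the prioritization the table implies; changing the two threshold constants is all that is needed if the organization decides its bands should lie elsewhere.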

Using these techniques, the following threats are recognized at HealthCare Net Inc:

  • Production systems produce information for the company and retrieve its data, so they must work correctly. A threat has been noticed: company data is lost when hardware is removed from production systems.

  • Many laptops and mobile devices, which are company assets, are stolen, and with every stolen asset the company loses information.

  • All three company products are accessible through the internet, and there is always an internet threat, such as a hacker or a malicious attack over the internet.

  • Natural disasters such as floods, hurricanes, tornadoes, etc. can cause production outages, which result in losses to the company.

  • Insider threat: someone can make a mistake, and the likelihood of this is very high. The threat of accidental human error is always high.

  • Threat of system failure: this threat will be low if we use good, high-quality products and equipment for servers and system safety. We should never rule out the possibility of system failure, such as a CPU fan burning out, a power supply failing, or a motherboard dying. The threat of all this happening is high if equipment quality is low.

The following risk assessment matrix is used to show the impact of all possible risks in the HealthCare Net company environment (Gibson, 2015).

Risk                                              | Threat                                                  | Vulnerability                                                                                       | Impact of Risk
--------------------------------------------------|---------------------------------------------------------|-----------------------------------------------------------------------------------------------------|---------------
Loss of data because of production system outage | Natural disaster such as floods; hurricanes; earthquakes | Location                                                                                            | High
Loss of data                                      | Insider threat; internet threat; hacker                 | No firewall; access control not properly implemented; no intrusion detection system on server       | High
Network compromised                               | Malware                                                 | Antivirus software outdated or not renewed                                                          | High
Loss of company information                       | Stolen data; stolen assets such as laptops, mobile devices | Access control not implemented                                                                     | High
Loss of confidentiality                           | Hacker                                                  | Public-facing server not protected with firewalls and intrusion detection systems                   | High
Loss of customer                                  | System failure                                          | Low-quality equipment is used                                                                       | High
Loss of money                                     | Internal                                                | Lack of information about policies such as HIPAA                                                    | Low

After prioritizing the risks, a Business Impact Analysis (BIA) is done to check the impact of these risks on HealthNet Inc. The following threats are identified after doing the BIA:

  • System outages

  • Loss of confidential data

  • Loss of company information

  • Loss of company assets

  • Loss of money

Resources are needed to get our systems back online quickly in case a system outage occurs. The following measures should be considered as soon as possible to minimize the vulnerabilities that expose HealthNet to the risks stated above.

  • Cloud storage backup of data in case a system outage occurs

  • A high-quality intrusion detection system and proper access controls should be implemented properly to make sure there is no unauthorized access.

  • New insurance should be purchased for HealthNet to insure all assets

  • Policies should be updated, and proper training should be held by department managers

  • Server protection software should be updated

  • Antivirus software on all systems should be updated and renewed until the time of the next risk assessment

References:

  • Eli the Computer Guy. (2010, Dec 13). Introduction to Risk Assessment [Video]. Retrieved from https://www.youtube.com/watch?v=EWdfovZIg2g

  • NEJM Catalyst. (2018). What Is Risk Management in Healthcare? Retrieved from https://catalyst.nejm.org/what-is-risk-management-in-healthcare/

  • Gibson, D. (2015). Managing Risk in Information Systems (2nd ed.). Burlington, MA: Jones & Bartlett.