Risk management plays an important role in the implementation of information security, and is one of the requirements that the ISO/IEC 27001[1] security standard sets for certification. Moreover, parties involved in the handling of personal information are legally required to prepare risk assessments and to review such assessments on a regular basis.

Health care computer systems and Electronic Health Records (EHRs) can contain highly critical information, including personal and sensitive information that falls under the act and regulations on the protection and processing of personal data. At the same time there is a great demand for having EHRs easily accessible to health care providers. Privacy concerns need to be addressed with adequate controls to minimize the risk of misuse and accidental disclosure.

When preparing a risk assessment, it is important to use a systematic method to assess the risk, i.e. a method that ensures that another person performing the same risk assessment reaches the same conclusions.

The following subparagraphs describe a methodology that is standardized and in accordance with the ISO/IEC 27005:2008[2] guidelines for information security risk management. This methodology helps the assessor to take into account all aspects of the risk assessment requirements of the ISO/IEC 27001 security standard.

1.1. Methodology

Risk assessment is performed in a methodological way, according to the ISO/IEC 27001 standard.

1.1.1. Define the Scope and Criteria

The first step when performing a risk assessment is context establishment, which involves setting the basic risk criteria, defining the scope and boundaries and establishing the appropriate organization operating the information security risk management. The scope can be the whole business or a part of it. In the case of the EHRs the scope should cover the whole operation, but it could be handled in more manageable parts if it is ensured that nothing is left out. The basic risk criteria should state the minimum level of risk, i.e. what the acceptable risk level is.

1.1.2. Identify Assets and Their Value

The next step is to identify the information assets within the scope. An information asset is any information of value to an organization and its operation. Information assets, like other assets of a company, must be protected to ensure that the company's operation meets expectations, and to ensure that there is no discontinuity in operations. All the information assets of the operation must be registered when information security is implemented. These assets can be either intangible or tangible. Tangible assets are, for example, housing, computer equipment and furniture. Intangible assets include business connections, reputation, procedures, services, knowledge and human resources. The asset value to the operation has to be assessed and, according to ISO/IEC 27001, the confidentiality, integrity and availability must be assessed as well.

For each asset it is important, and a requirement of the ISO/IEC 27001 standard, to identify an owner. According to the standard the term owner identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the assets. The term owner does not mean that the person actually has any property rights to the asset.

The following list is an example of a few identified information assets for an EHR: reputation of the EHR, the EHR data, contracts with hosting service providers, physical and logical components of the system, health care professionals, public users and the procedures of EHR usage.

1.1.3. Identify and Evaluate Threats

For each asset all possible threats and their sources should be identified. Threats may be of different origin or nature and may arise within or from outside of the organization. Some threats may affect more than one asset and the resulting impact may differ depending on the asset. For each threat the probability of occurrence and the impact need to be estimated, and the vulnerability of an asset towards a threat has to be evaluated as well.

The following is an example of threats identified for a couple of assets:

· Reputation of EHR
  · Careless communication of information to unauthorized recipient
  · Adverse publicity in media
  · Loss of availability to authorized users
· Physical and logical components of the system
  · Traffic overloading
  · Technical failure of network components
  · Malicious software (e.g. viruses)
  · Illegal use of software
  · Network access by unauthorized users

1.1.4. Risk Evaluation and Risk Treatment

From the evaluated assets and threats it is possible to calculate the estimated risk, which is here called the base security risk. The base security risk represents the risk before any mitigating controls have been implemented. At this point it is important to evaluate the risk and compare it with the risk criteria decided upon when establishing the context. The risk criteria decision and the context may be revisited and given more detail, since at this point there is more knowledge about the identified risks. It should be determined whether the risks are acceptable or require treatment.

Once the risks have been evaluated, it should be identified and evaluated which risk treatment options to use for those risks that fall outside the risk criteria. The possible actions include reducing risks by implementing appropriate controls, accepting risks provided they clearly satisfy the policy and criteria for accepting risks, avoiding risks, and transferring risks to other parties such as insurers.

For risks where the selected treatment option is risk reduction, the appropriate and justified controls should be selected as mitigating controls. The selection should take account of the risk acceptance criteria as well as legal, regulatory and contractual requirements. In general, controls may provide one or more of the following types of protection: correction, elimination, prevention, impact minimization, deterrence, detection, recovery, monitoring and awareness. The implementation status of each control is then determined and a justification for the status recorded.

The following is an example of selected controls for a couple of the risks previously identified as an example:

· Reputation of EHR
  · Careless communication of information to unauthorized recipient
    · A.5.1.1 Information security policy documented
    · A.6.1.5 Confidentiality agreements
    · A.8.2.2 Information security awareness, education, and training
· Physical and logical components of the system
  · Malicious software (e.g. viruses)
    · A.10.4.1 Controls against malicious code
    · A.10.6.1 Network security management
  · Illegal use of software
    · A.8.1.1 Roles and responsibilities
    · A.8.2.3 Disciplinary process

1.2. Results

After completing the risk treatment it is important to obtain management approval of the proposed residual risks and to obtain authorization to implement and operate the Information Security Management System.

The result of the risk management process appears in a Statement of Applicability (SOA) report that is presented as a confirmation of the state of information security in the operation. This is important for managers, clients and regulatory bodies, e.g. the Data Protection Authority, which request information on the security matters of the organisation or company in question. The SOA report shall include the following:

1. The control objectives and controls selected in the risk treatment process and the reasons for their selection.
2. The control objectives and controls currently implemented.
3.
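As an added worked example (not from the paper), a small risk register in Python carries the methodology of sections 1.1.3 to 1.2 through end to end: base security risk from likelihood, impact and vulnerability, comparison against the acceptance criterion, residual risk once control implementation status is recorded, and the rows an SOA report would list. The 1..3 scoring scales, the product formula, the acceptance threshold of 8 and the one-level-per-implemented-control reduction are assumptions for illustration; the assets, threats and Annex A control references are the ones the paper lists.

```python
from dataclasses import dataclass, field
# Assumed scales (not the paper's): likelihood, impact and vulnerability each 1..3; risk = product.
ACCEPTABLE_RISK = 8  # assumed risk acceptance criterion decided during context establishment

@dataclass
class Threat:
    name: str
    likelihood: int
    impact: int
    vulnerability: int
    # control id -> (description, implemented?); ids are ISO/IEC 27001 Annex A references
    controls: dict = field(default_factory=dict)

    def base_risk(self) -> int:  # the paper's base security risk: before any mitigating control
        return self.likelihood * self.impact * self.vulnerability

    def residual_risk(self) -> int:
        # Assumption: each implemented control lowers the vulnerability one level (floor 1)
        done = sum(1 for _, implemented in self.controls.values() if implemented)
        return self.likelihood * self.impact * max(1, self.vulnerability - done)

def treatment(threat: Threat, acceptable: int = ACCEPTABLE_RISK) -> str:
    """Compare base and residual risk with the acceptance criterion and pick an option."""
    if threat.base_risk() <= acceptable:
        return "accept"
    if threat.residual_risk() <= acceptable:
        return "reduce"
    return "reduce, residual still above criteria: further treatment needed"

def statement_of_applicability(register: dict) -> list:
    """SOA rows: (control id, description, implemented, risk the control was selected for)."""
    return sorted((cid, desc, done, f"{asset}: {t.name}")
                  for asset, threats in register.items() for t in threats
                  for cid, (desc, done) in t.controls.items())

# Constructed register using the assets, threats and controls named in the paper.
REGISTER = {
    "Reputation of EHR": [
        Threat("Careless communication of information to unauthorized recipient", 2, 3, 3,
               {"A.5.1.1": ("Information security policy documented", True),
                "A.6.1.5": ("Confidentiality agreements", True),
                "A.8.2.2": ("Information security awareness, education, and training", False)}),
        Threat("Adverse publicity in media", 1, 3, 2),
    ],
    "Physical and logical components of the system": [
        Threat("Malicious software (e.g. viruses)", 3, 3, 2,
               {"A.10.4.1": ("Controls against malicious code", True),
                "A.10.6.1": ("Network security management", True)}),
    ],
}
```

With these assumed scores the malicious-software risk stays above the criterion even with both selected controls implemented, which is exactly the case the paper says must go back to management as a proposed residual risk or receive further treatment.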