June 30, 2022

Risk Assessment of Electronic Health Records: Risk management plays an important role in the implementation of information security, and is one of the requirements that the ISO/IEC 27001[1] security standard sets for certification. Moreover, parties involved in the handling of personal information are legally required to prepare risk assessments and to review such assessments on a regular basis.

Health care computer systems and Electronic Health Records (EHRs) can contain highly critical information, including personal and sensitive information that falls under the act and regulations on the protection and processing of personal data. At the same time there is a great demand for having EHRs easily accessible to health care providers. Privacy concerns need to be addressed with adequate controls to minimize the risk of misuse and accidental disclosure.

When preparing a risk assessment, it is important to use a systematic method, i.e. one that makes the assessment reproducible: another person performing the same risk assessment on the same inputs should reach the same conclusions.

The following subsections describe a methodology that is standardized and in accordance with the ISO/IEC 27005:2008[2] guidelines for information security risk management. This methodology helps the assessor to take into account all aspects of the risk assessment requirements of the ISO/IEC 27001 security standard.

1.1. Methodology
Risk assessment is performed in a methodological way, according to the ISO/IEC 27001 standard.

1.1.1. Define the Scope and Criteria
The first step when performing a risk assessment is context establishment, which involves setting the basic risk criteria, defining the scope and boundaries, and establishing the organization that will operate the information security risk management. The scope can be the whole business or a part of it. In the case of the EHRs the scope should cover the whole operation, but it can be handled in more manageable parts provided it is ensured that nothing is left out. The basic risk criteria should state the risk acceptance level, i.e. the level of risk the organization is willing to accept without further treatment; risks evaluated above that level must be treated.

1.1.2. Identify Assets and Their Value
The next step is to identify the information assets within the scope. An information asset is any information of value to an organization and its operation. Information assets, like other assets of a company, must be protected to ensure that the company's operation meets expectations and that there is no discontinuity in operations. All the information assets of the operation must be registered when information security is implemented. These assets can be either tangible or intangible. Tangible assets include housing, computer equipment and furniture. Intangible assets include business connections, reputation, procedures, services, knowledge and human resources. The value of each asset to the operation has to be assessed and, as required by ISO/IEC 27001, the value must be assessed in terms of confidentiality, integrity and availability as well.

ISO/IEC 27001 requires that an owner be identified for each asset. According to the standard, the term owner identifies an individual or entity that has approved management responsibility for controlling the production, development, maintenance, use and security of the asset. The term owner does not mean that the person actually has any property rights to the asset.

The following list is an example of a few identified information assets for an EHR: the reputation of the EHR, the EHR data, contracts with hosting service providers, the physical and logical components of the system, health care professionals, public users, and the procedures for EHR usage.

1.1.3. Identify and Evaluate Threats
For each asset all possible threats and their sources should be identified. Threats may be of different origin or nature and may arise from within or from outside the organization. Some threats may affect more than one asset, and the resulting impact may differ from asset to asset. For each threat the probability of occurrence and the impact need to be estimated, and the vulnerability of the asset to the threat has to be evaluated as well.

The following is an example of threats identified for a couple of assets (the asset is listed first, its threats beneath it):

· Reputation of EHR
  · Careless communication of information to unauthorized recipient
  · Adverse publicity in media
  · Loss of availability to authorized users
· Physical and logical components of the system
  · Traffic overloading
  · Technical failure of network components
  · Malicious software (e.g. viruses)
  · Illegal use of software
  · Network access by unauthorized users

1.1.4. Risk Evaluation and Risk Treatment
From the evaluated assets and threats it is possible to calculate the estimated risk, which is here called the base security risk. The base security risk represents the risk before any mitigating controls have been taken into account. At this point it is important to evaluate each risk and compare it with the risk criteria decided upon when establishing the context. The risk criteria and the context may be revisited and given more detail, since at this point there is more knowledge about the identified risks. It should then be determined whether each risk is acceptable or requires treatment.

Once the risks have been evaluated, the risk treatment options should be identified and evaluated for those risks that exceed the risk acceptance criteria. The possible options are: reducing the risk by implementing appropriate controls; accepting the risk, provided it clearly satisfies the policy and criteria for accepting risks; avoiding the risk by not carrying out the activity that gives rise to it; and transferring the risk to other parties such as insurers.

For risks where the selected treatment option is risk reduction, appropriate and justified controls should be selected as mitigating controls. The selection should take account of the risk acceptance criteria as well as legal, regulatory and contractual requirements. In general, controls may provide one or more of the following types of protection: correction, elimination, prevention, impact minimization, deterrence, detection, recovery, monitoring and awareness. The implementation status of each control is then determined and a justification for the status recorded; a control that has been selected but not yet implemented should not be credited when estimating the residual risk.

The following is an example of selected controls for a couple of the risks previously identified (asset, then threat, then the selected controls; the control references use the Annex A numbering of ISO/IEC 27001:2005):

· Reputation of EHR
  · Careless communication of information to unauthorized recipient
    · A.5.1.1 Information security policy documented
    · A.6.1.5 Confidentiality agreements
    · A.8.2.2 Information security awareness, education, and training
· Physical and logical components of the system
  · Malicious software (e.g. viruses)
    · A.10.4.1 Controls against malicious code
    · A.10.6.1 Network security management
  · Illegal use of software
    · A.8.1.1 Roles and responsibilities
    · A.8.2.3 Disciplinary process
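To make the evaluation and treatment steps above concrete, the following Python script is an added example (not part of the original article and not an ISO deliverable) of a small risk register built from the assets, threats and Annex A controls listed in this section. It computes the base security risk, credits only controls whose status is implemented to obtain a residual risk, compares each risk with the acceptance level from context establishment, and collects the selected controls with their justification as input to the Statement of Applicability. The 1-to-5 scales, the product formula, the effect attributed to each control, the asset owners and the acceptance level of 25 are all assumptions chosen for the illustration; ISO/IEC 27005 does not prescribe them.

```python
"""Toy ISO/IEC 27005-style risk register for an EHR (added illustration).

Assumed scoring, not from the article: asset value, threat likelihood and
vulnerability are each scored 1 (low) to 5 (high); risk = value * likelihood
* vulnerability, so scores run from 1 to 125.
"""
from dataclasses import dataclass, field
from enum import Enum


class Treatment(Enum):
    REDUCE = "reduce"      # implement (more) controls
    ACCEPT = "accept"      # within the acceptance criteria
    AVOID = "avoid"        # stop the activity that creates the risk
    TRANSFER = "transfer"  # e.g. insurance or contract with a provider


@dataclass(frozen=True)
class Control:
    ref: str                    # Annex A reference, e.g. "A.10.4.1"
    name: str
    implemented: bool           # recorded implementation status
    likelihood_cut: int = 0     # assumed points taken off likelihood
    vulnerability_cut: int = 0  # assumed points taken off vulnerability


@dataclass
class Risk:
    asset: str
    owner: str          # ISO 27001 requires an owner per asset (constructed names)
    asset_value: int    # 1..5, combined confidentiality/integrity/availability value
    threat: str
    likelihood: int     # 1..5
    vulnerability: int  # 1..5
    controls: list = field(default_factory=list)


def _check_scale(*values: int) -> None:
    for v in values:
        if not 1 <= v <= 5:
            raise ValueError(f"score {v} is outside the 1..5 scale")


def base_risk(r: Risk) -> int:
    """Base security risk: before any mitigating control is credited."""
    _check_scale(r.asset_value, r.likelihood, r.vulnerability)
    return r.asset_value * r.likelihood * r.vulnerability


def residual_risk(r: Risk) -> int:
    """Risk after crediting only implemented controls; planned ones earn nothing.
    Scores are floored at 1 because a control lowers, but never removes, a factor."""
    _check_scale(r.asset_value, r.likelihood, r.vulnerability)
    live = [c for c in r.controls if c.implemented]
    likelihood = max(1, r.likelihood - sum(c.likelihood_cut for c in live))
    vulnerability = max(1, r.vulnerability - sum(c.vulnerability_cut for c in live))
    return r.asset_value * likelihood * vulnerability


def evaluate(register: list, acceptance_level: int) -> list:
    """Compare each risk with the acceptance level set during context establishment.
    Returns (asset, threat, base, residual, treatment); treatment is None when the
    residual still exceeds the level and all selected controls are already in place,
    i.e. management must choose between further reduction, avoidance or transfer."""
    out = []
    for r in register:
        base, residual = base_risk(r), residual_risk(r)
        if residual <= acceptance_level:
            treatment = Treatment.ACCEPT
        elif any(not c.implemented for c in r.controls):
            treatment = Treatment.REDUCE
        else:
            treatment = None
        out.append((r.asset, r.threat, base, residual, treatment))
    return out


def statement_of_applicability(register: list) -> dict:
    """Selected controls, their status and the risks that justify them (SOA input)."""
    soa = {}
    for r in register:
        for c in r.controls:
            entry = soa.setdefault(c.ref, {"name": c.name, "implemented": c.implemented, "justification": []})
            entry["justification"].append(f"{r.asset}: {r.threat}")
    return dict(sorted(soa.items()))


# Constructed sample register mirroring the article's example assets, threats and controls.
POLICY = Control("A.5.1.1", "Information security policy documented", True, vulnerability_cut=1)
NDA = Control("A.6.1.5", "Confidentiality agreements", True, likelihood_cut=1)
AWARENESS = Control("A.8.2.2", "Information security awareness, education, and training", False, likelihood_cut=1)
ANTIMALWARE = Control("A.10.4.1", "Controls against malicious code", True, vulnerability_cut=2)
NETSEC = Control("A.10.6.1", "Network security management", True, likelihood_cut=1)
ROLES = Control("A.8.1.1", "Roles and responsibilities", True, likelihood_cut=1)
DISCIPLINE = Control("A.8.2.3", "Disciplinary process", True, likelihood_cut=1)
COMPONENTS = "Physical and logical components of the system"

EHR_REGISTER = [
    Risk("Reputation of EHR", "Head of Clinical Informatics", 5,
         "Careless communication of information to unauthorized recipient", 3, 4, [POLICY, NDA, AWARENESS]),
    Risk(COMPONENTS, "IT Operations Manager", 4, "Malicious software (e.g. viruses)", 4, 4, [ANTIMALWARE, NETSEC]),
    Risk(COMPONENTS, "IT Operations Manager", 4, "Illegal use of software", 3, 2, [ROLES, DISCIPLINE]),
    Risk(COMPONENTS, "IT Operations Manager", 4, "Technical failure of network components", 2, 2),
]
ACCEPTANCE_LEVEL = 25  # assumed criterion: residual scores of 25 or below are accepted

if __name__ == "__main__":
    for asset, threat, base, residual, treatment in evaluate(EHR_REGISTER, ACCEPTANCE_LEVEL):
        print(f"{base:>3} -> {residual:>3}  {treatment.value if treatment else 'decide'}  {asset}: {threat}")
    for ref, entry in statement_of_applicability(EHR_REGISTER).items():
        status = "implemented" if entry["implemented"] else "planned"
        print(f"{ref} {entry['name']} [{status}] <- {'; '.join(entry['justification'])}")
```

Run as a script it lists each risk with its base and residual score and the resulting treatment decision, then the SOA-style control list. Note that the reputation risk still scores 30 after the two implemented controls, so it remains flagged for reduction until A.8.2.2 is actually implemented; the planned control is recorded but not credited, which is the distinction between a control being selected and its implementation status that the SOA has to make visible.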

1.2. Results
After completing the risk treatment it is important to obtain management approval of the proposed residual risks and to obtain authorization to implement and operate the Information Security Management System.

The result of the risk management process appears in a Statement of Applicability (SOA) report that is presented as a confirmation of the state of information security in the operation. This is important for managers, clients and regulatory bodies, e.g. the Data Protection Authority, which request information on the security matters of the organisation or company in question. The SOA report shall include the following:

1. The control objectives and controls selected in the risk treatment process and the reasons for their selection.
2. The control objectives and controls currently implemented.
3. The exclusion of any control objectives and controls in Annex A of the ISO/IEC 27001 standard and the justification for their exclusion.