23 Sep Describe the missions/functions if the risk assessment includes organizational missions/business functions. Describe the systems if the risk assessment includes organizational information s
Please follow the to-do word document and Risk assessment.
*** Here is the topic I have selected risk assessment report on the Healthcare system for Reports 1 & 2. This is a tier 3 assessment*** Please continue on Report 1 & 2 doc. Please make sure to review the to-do word document and follow all the steps that are required Starting from Overview to Rubric. Please make sure it covers all the Rubric Grading Criteria. I also attached Reports 1 and 2 doc.
Purpose
This assignment is intended to help you learn to do the following:
· Describe the missions/functions if the risk assessment includes organizational missions/business functions.
· Describe the systems if the risk assessment includes organizational information systems.
· Summarize risk assessment results.
· Identify the time frame for which the risk assessment is valid.
· List the associated with adversarial threats.
· List the risks associated with non-adversarial threats.
Overview
Complete Part 2 of the “Body of the Report” section of your report. Follow the guidance in the Risk Assessment Reports Template when writing your report. Revise the other sections of your report to address feedback received from your professor. You may need to revise your Executive Summary to provide additional relevant details. Compile all previous sections of your report into one coherent, carefully-edited Word document.
Use Library to find scholarly sources for information and support; use them where applicable. Use APA citation style for your report. All sources consulted must be appropriately cited. The Purdue OWL APA Formatting and Style Guide (Links to an external site.) is an excellent resource for this.
Action Items
1. Complete Part 2 of the “Body of the Report” section according to the Risk Assessment Reports Template guidelines.
2. Revise the other sections of your report.
3. Compile all previous sections of your report into one Word document.
Grading Criteria
Read the assignment rubric to understand how your work will be assessed.
Rubric
Risk Assessment Report 3
image1.png
image2.png
,
Risk Assessment Reports Template Name: ______________
Risk Assessment Reports
This risk assessment report, adapted from NIST’s Special Publication 800-30, provides the essential elements of information that organizations can use to communicate the results of risk assessments. Risk assessment results provide decision makers with an understanding of the information security risk to organizational operations and assets, individuals, other organizations, or the Nation that derive from the operation and use of organizational information systems and the environments in which those systems operate.
The essential elements of information in a risk assessment can be described in three sections of the risk assessment report (or whatever vehicle is chosen by organizations to convey the results of the assessment): (i) an executive summary; (ii) the main body containing detailed risk assessment results; and (iii) supporting appendices.
Reference NIST 800-30 Guide for Conducting Risk Assessments as you complete this report, paying special attention to Section 2.4 Application of Risk Assessments.
*Your report should focus on either Tier 1, Tier 2 or Tier 3.
Tip: Search for “Tier 1” or “Tier 2” or “Tier 3” throughout the NIST 800-30 document for references to these Tiers.
1. Executive Summary
· List the date of the risk assessment.
· Summarize the purpose of the risk assessment.
· Describe the scope of the risk assessment.
· For Tier 1 and Tier 2 risk assessments, identify: organizational governance structures or processes associated with the assessment (e.g., risk executive [function], budget process, acquisition process, systems engineering process, enterprise architecture, information security architecture, organizational missions/business functions, mission/business processes, information systems supporting the mission/business processes).
· For Tier 3 risk assessments, identify: the information system name and location(s), security categorization, and information system (i.e., authorization) boundary.
· State whether this is an initial or subsequent risk assessment. If a subsequent risk assessment, describe the circumstances that prompted the update and include a reference to the previous Risk Assessment Report.
· Describe the overall level of risk (e.g., Very Low, Low, Moderate, High, or Very High).
· List the number of risks identified for each level of risk (e.g., Very Low, Low, Moderate, High, or Very High).
2. Body of the Report: Part 1
Include the following:
· Describe the purpose of the risk assessment, including questions to be answered by the assessment. For example:
· How the use of a specific information technology would potentially change the risk to organizational missions/business functions if employed in information systems supporting those missions/business functions; or
· How the risk assessment results are to be used in the context of the RMF (e.g., an initial risk assessment to be used in tailoring security control baselines and/or to guide and inform other decisions and serve as a starting point for subsequent risk assessments; subsequent risk assessment to incorporate results of security control assessments and inform authorization decisions; subsequent risk assessment to support the analysis of alternative courses of action for risk responses; subsequent risk assessment based on risk monitoring to identify new threats or vulnerabilities; subsequent risk assessments to incorporate knowledge gained from incidents or attacks).
· Identify assumptions and constraints.
· Describe risk tolerance inputs to the risk assessment (including the range of consequences to be considered).
· Identify and describe the risk model and analytic approach; provide a reference or include as an appendix, identifying risk factors, value scales, and algorithms for combining values.
· Provide a rationale for any risk-related decisions during the risk assessment process.
· Describe the uncertainties within the risk assessment process and how those uncertainties influence decisions.
3. Body of the Report: Part 2
Include the following:
· If the risk assessment includes organizational missions/business functions, describe the missions/functions (e.g., mission/business processes supporting the missions/functions, interconnections and dependencies among related missions/business functions, and information technology that supports the missions/business functions).
· If the risk assessment includes organizational information systems, describe the systems (e.g., missions/business functions the system is supporting, information flows to/from the systems, and dependencies on other systems, shared services, or common infrastructures).
· Summarize risk assessment results (e.g., using tables or graphs), in a form that enables decision makers to quickly understand the risk (e.g., number of threat events for different combinations of likelihood and impact, the relative proportion of threat events at different risk levels).
· Identify the time frame for which the risk assessment is valid (i.e., time frame for which the assessment is intended to support decisions).
· List the risks due to adversarial threats (see Table F-1 in Appendix F).
· List the risks due to non-adversarial threats (see Table F-2 in Appendix F).
,
Risk Assessment Report 2
Purpose of the risk assessment
The purpose of the risk assessment was to identify the potential risks associated with the use of HER systems within the healthcare institution. To understand potential risks a number of questions were asked. For instance, to identify the likelihood of human error when entering patient’s medical data, the practitioners were asked the number of instances when the system captured wrong patients’ medical data. Also, information regarding user authentication was asked to understand the likelihood of unauthorized access to patients’ information. For instance, the risk assessor users of the system whether they user passwords, one or two factor authentication to log in to their systems in order to enter or access patient medical records. To assess the risk of data loss through natural disaster or erroneous deletion, the users of HER were asked if the healthcare center has a database backup for patient medical information collected through HER. In addition, question regarding the security of the networks were asked.
Assumptions and constraints
The risk assessment involved analyzing the EHR system to identify potential risks to the system. However, major constraints involved is that the IT personnel could not allow full access of the system to identify the security measures put in place to avert potential risks. The biggest part of the risk assessment involved interviewing the personnel in charge of the system to understand its functionality. Therefore, it is assumed most of the information given out was about the system was accurate. In addition, a major constraint facing the institution in relation to the management of the EHR relates to the technicality of the clinicians in using the new system. potential risks for data breach can be linked to inappropriate use of the system by the clinicians without their knowledge (Ajami & Arab-Chadegani, 2013). In addition, for the system to work effectively and avoid potential risks, it needs a lot of investment to fully implement the system with its full security features and functionality. However, the institution lacks enough financial resources.
Risk tolerance inputs
Based on the risk assessment of the system, the level of risk tolerance of the system is high. Based on the security measures that the institution has put in place, the system is exposed to a couple of risks including data breach, data loss or data alteration. The system is also at a risk to be compromised such that it does not serve its purpose. Therefore, the institution needs to put in place measures to enhance risk tolerance of the system and to avoid potential risks. For example, potential risk tolerance inputs include two-factor authentication. Two-factor authentication helps prevent data breaches by requiring users to provide two different authentication factors to verify them identify so as to log into the system (Colnago et al., 2018). It helps protect the resources a user can access as well as user’s credentials. It adds an extra security layer to the authentication process thus making it harder for hackers to gain access to user’s device and online accounts because if user’s password account is hacked, that alone is not sufficient to pass the authentication check (National Institute of Standards and Technology, 2012). In addition, the healthcare facility needs to put an extra layer of firewalls in its network. Firewalls play a critical role in preventing hackers from compromising with the network and accessing sensitive resources of an organisation. For example, once attackers have compromised the network of the institution, they can go ahead and access backend system that contains medical records of patients thus compromising their privacy. Lastly, users need to be trained on how to ensure they securely use the EHR systems. In most cases, users leave their accounts logged in or write their passwords in an open place where other people can see. This puts the system at great risk of being accessed by unauthorized users.
Risk Model and Analytic Approach
There are different types of models that guide in risk analysis of a systems to identify potential issues and risks. The risk model and analytic approach used in this case was the Delphi Technique. This a model for risk analysis that is similar to a brainstorming session where experts and professionals in a given field come together to analyze different potential threats and vulnerabilities to a given system or project (Horvath, 2022). Since the risk assessment involved assessing an information technology system, ICT experts and professionals were involved in the risk assessment to identify potential risks to the EHR system. What makes the Delphi analytic model is that it uses professionals and experts to uncover the potential risks and threats within a system. In the risk assessment, ICT professionals within the healthcare institution were included in the system analysis and brainstorming to understand how the EHR works and the potential risks. Failure to utilize experts and professionals in the risk assessment using the Delphi model, it becomes hard to identify the potential risks within the system.
Rationale for decisions
The rationale for the assessment is based on the potential risks identified. The report provides recommendations of what the healthcare institution should do to prevent potential risks. The rationale for implementing a two-factor authentication is based on the risk that unauthorized user may access the EHR systems unauthorized and makes changes on the data or access sensitive medical records. The assessment found that users only use single authentication credentials and thus the rationale for two-factor authentication was based on this aspect. In addition, the recommendation to implement network firewalls is informed by the fact that the healthcare center did not have any network security and thus chances of the network being compromised by hackers is very high.
Uncertainties in the risk assessment
Uncertainty within the risk assessment is that the ICT team did not tell how information is shared across departments through the EHR and also where their servers are hosted, whether on premise or on cloud. The information was very vital to assess the potential risks that their data could be exposed to. In addition, another uncertainty while making decisions for recommendations was whether the institution has enough financial resources to implement a fully secured EHR system. EHR systems are very capital intensive and thus lack of enough resources would compromise implementation of the recommendations.
References
National Institute of Standards and Technology (2012). Information security. U.S. department of commerce.
Horvath, I. (2022). Top 5 risk analysis methods that you should know. https://www.invensislearning.com/blog/risk-analysis-methods/
Ajami, S., & Arab-Chadegani, R. (2013). Barriers to implement electronic health records (EHRs). Materia socio-medica, 25(3), 213.
Colnago, J., Devlin, S., Oates, M., Swoopes, C., Bauer, L., Cranor, L., & Christin, N. (2018, April). “It's not actually that horrible” Exploring Adoption of Two-Factor Authentication at a University. In Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems (pp. 1-11).
,
RISK ASSESSMENT Page 2
Information technology system risk assessment
NAME
University
08/28/2022
Executive summary
This report is a risk assessment of Electronic Health Record (EHR) system. The risk assessment was carried out on 25th August 26, 2022 where potential risks within the system were analyzed. EHR is a critical part of information technology within healthcare that contains sensitive patient’s medical information including medical history, medications, treatment plans, diagnosis, test and laboratory results, immunization dates among other sensitive patient information. The system allows quick access and sharing of information across healthcare practitioners and departments for easy decision making. The purpose of the risk assessment was to identify potential risks that are associated with EHR systems including unauthorized access of patient’s data, erroneous deletion of sensitive patient data as well as system failure among other risks. This was an initial risk assessment to asses how secure are EHR systems. The level of risk was identified as high risk because of the sensitive nature of information contained in the system. Risk identified as high risk was unauthorized access of patient information. Security and privacy violations was classified as high risk because of its likelihood to happen. Data loss as a result of natural disaster or intentional deletion of patient’s medical records was classified as a moderate risk. In addition, EHR systems require users to key in patient medical information in to the database of the system. As a result, human error is a potential risk as users can key in wrong data. Human errors can be classified as high risk because of the likelihood of users keying in wrong data.
Body of the report: part 1
The purpose of the risk assessment was to identify the potential risks associated with the use of EHR systems within the healthcare institution. To understand potential risks a number of questions where asked. For instance, to identify the likelihood of human error when entering patient’s medical data, the practitioners were asked the number of instances when the system captured wrong patients’ medical data. Also, information regarding user authentication was asked to understand the likelihood of unauthorized access to patients’ information. For instance, the risk assessor users of the system whether they user passwords, one or two factor authentication to log in to their systems in order to enter or access patient medical records. To assess the risk of data loss through natural disaster or erroneous deletion, the users of EHR were asked if the healthcare center has a database backup for patient medical information collected through EHR. In addition, question regarding the security of the networks were asked.
Based on the above questions asked during risk assessment for EHR, it was noted that patient information faces significant risk of being exposed to unauthorized persons or being lost. Also, it was noted that there was high likelihood of erroneously recording patient information into the system. Assumptions included the likelihood of a user logging into the account of another user and accessing information they are not required to access. Access implies they can edit, delete or copy and share sensitive patient medical information without authorization. It was also assumed that since the institution did not have a backup, there was high likelihood that data would be lost incase of a natural disaster or erroneous deletion of patient’s medical data from the database.
To address the potential risks associated with EHR, a number of changes out to be implemented. For instance, to avoid unauthorized access of patients’ medical data, it is important for the healthcare center to implement two factor authentication to prevent unauthorized users from accessing sensitive medical information for patients (National Institute of Standards and Technology, 2012). The Project Risk Analysis Model (PRAM) is applicable in risk assessment for EHR system. the model uses Monte Carlo simulation to produce quantitative risk analysis output that provide actionable information to the management. For example, the model generates risk and uncertainty information of a project that aids the management to put in place preventative measures. Although the model is often used in project risk analysis, it can also be modified and applied to analyze EHR system.
Body of the report: part 2
The risk assessment of the system includes organizational functions. It seeks to identify ways in which the organisation can secure patients’ sensitive information. It explores potential areas in which the system can be compromised thus preventing the organisation from achieving its objectives and goals. EHR systems play a critical role with a healthcare organisation. It ensures that improved health outcomes as physicians are able to make fast and informed decisions in relation to patient treatment and medication prescription as it provides comprehensive patient medical data. Therefore, compromising the system means that patient information that informs their treatment decisions will be lost. In addition, one of the main focuses by healthcare center is to ensure patient privacy. Therefore, exposure of patient’s medical records to unauthorized parties is a significant failure on the side of the healthcare system.
EHR systems provides flow of information across physicians and departments that allows physicians to make fast and informed decisions regarding patients’ care. If the information is being shared over the external network, it possesses a great risk as unauthorized persons can hijack and hack sensitive patients’ medical information thus compromising patients’ privacy (National Institute of Standards and Technology, 2012).
To summarize the results of the risk assessment, EHR systems are exposed to a number of threats if the right measures are not put in place. Despite the positive impacts that technology brings in healthcare sector, it is also prone to potential risks that can be catastrophic. Assessment of the system within the healthcare center shows that the management has made little efforts to secure patients’ medical data. For instance, it was noted that a user can easily log in to another user’s account. This presents a potential risk since there would be accountability of data loss in case a user deletes data from the system. in addition, all users have the same access rights meaning they can access any patients’ data within the system despite the fact that they may not necessarily need the data. Furthermore, it was noted that the healthcare center does not have backup for its data. This means that in case of a disaster or accidental data deletion all patients medical records would be lost. The risk assessment is valid as long as the organisation continues to use the system. periodic audit of the system is required to ensure that potential risks are resolved.
References
National Institute of Standards and Technology (2012). Information security. U.S. department of commerce.
