
November 12, 2012

[HOSPITAL MANAGEMENT SYSTEM RISK MANAGEMENT ]

RISK MANAGEMENT FOR HOSPITAL MANAGEMENT SYSTEM


Contents
RISK MANAGEMENT FOR HOSPITAL MANAGEMENT SYSTEM
INTRODUCTION
Risk management system
    Risk overview
    Risk Assessment
        Characterization of the system
        Identification of the threat
        Identification of system weakness
        Control Analysis
        Determination of risk probability
        Analysis of risk impact
        Determination of the risk
        Recommendation control
        Documentation of the result
    Risk Response Plan
        Value Analysis
        Vulnerability analysis
        Benefit of Control measure
        Alternative Measure
        Risk Response
SDLC for Risk Management
CONCLUSION
REFERENCES


INTRODUCTION
The continuous growth and advancement of technology, and of information technology in particular, is constantly under threat from security concerns arising from the vulnerability of information systems. The health sector is a sensitive industry that has little tolerance for risks and threats of any kind because of the human life it is meant to protect. There is no doubt that there is great reward in using technology to conduct business activities, but because of the potential loss of valuable information and privacy issues, many businesses refrain from using electronic commerce technology.

Risk management system


Risk management practice is the process of identifying risk, analyzing it and responding duly to the risks that face the hospital's information system in the various facets of its daily activities, including life-threatening cases.

Risk overview
Risk is defined as the potential threat that takes advantage of the vulnerability of an asset or system, thereby causing extensive or minor damage to the system or the asset. Risk management is therefore a process of determining the best way to manage a potential risk and protect the system against any possible threat.

Risk Assessment
The first process of risk management for a hospital management system is the risk assessment. Risk assessment is used to determine the extent of the risk a threat can cause for an information technology system throughout the system life cycle. The result of the process helps in identifying the correct approach or control to mitigate risk or reduce risk impact. Threats to the IT system must be thoroughly analyzed to determine the unfavorable effect of each threat. The risk assessment comprises nine stages:

Characterization of the system: the risk of a system can be assessed when the scope of the system is known; the boundaries of the system are highlighted together with the information that makes up the system, such as the software, hardware and so on. Understanding the system environment is key to identifying IT system risk; information about the system hardware, software and system information must be collected for analysis.


Identification of the threat: a weakness or vulnerability can be exploited; the potential threat must be identified and categorized in the risk statement. All potential threats and their likelihood must first be identified in any IT system to prevent them from causing harm to the system.

Identification of system weakness: risk analysis has to include evaluating and assessing the weaknesses of the system. A list of the various weaknesses or vulnerabilities and their impact must be stated in the risk assessment record as well as in the risk security requirement checklist.

Control Analysis: this is to analyze the controls that are already implemented to limit the likelihood of a threat; this should include security controls and technical controls such as a firewall.

Determination of risk probability: the probability of a risk occurring may be determined by considering the following: the source and capability of the threat, the nature of the system vulnerability and the existence of current system controls. The likelihood of the risk is rated as high, medium or low.

Analysis of risk impact: risk impact measurement is a major step in risk management; it determines the resulting impact of a risk. Risk impact can also be rated as high, medium or low.

Determination of the risk: the aim of risk determination is to assess the level of the risk to the system; risk can be determined by using a risk matrix, which also has risk ratings of high, medium or low.

Recommendation control: risk control recommendations are the factors or controls that are identified as measures to eliminate or mitigate the risk as identified. The objective of the risk recommendation is to reduce or eliminate a potential risk. This is usually a result of the risk assessment procedures.

Documentation of the result: when all the procedures are completed, the report generated should be properly documented for management use. This makes management decisions easier. Having identified the different risks and their mitigating activities, documentation is necessary to back them up.


Risk Response Plan


Five stages are identified in the risk management system to help IT managers identify the vulnerabilities or weaknesses of their system and to put in place adequate security measures appropriate to safeguard the system. These stages can be summarized as below:

[Figure: stages of the risk response plan. Labels recoverable from the diagram: Value Analysis (determination of sensitivity of the information; asset estimate); Risk Analysis (asset threat; vulnerability identification); Benefit of Control Measure; Alternative Measure; evaluate and test; choose control measure; implement control measure; use math approach; apply procedure; identify control measure; get change probability.]

Value Analysis

Value analysis has to do with determining the sensitivity of the information that the system is supposed to process, such as data that has to do with surgery, laboratory tests and other diagnoses. The value analysis must be done to provide grounds for the other analyses.
Vulnerability analysis

Vulnerability analysis is carried out to determine the weaknesses in the system's design or implementation and to find out the related threats, if any. Vulnerability analysis is important in order to measure the seriousness of a threat and the likelihood of the threat occurring.

Benefit of Control measure

Potential loss due to a threat or system weakness is assessed by computing the appropriate control measure for the system. There is a cost for any error made in system development, for an unplanned change in the system architecture, or for damage caused by a threat; proper assessment of these threats is important for the system.
Alternative Measure

There are several stages in developing a plan against potential risk. Before developing an alternative plan, there is a need to establish the priority of events for the general implementation of the system. These measures are implemented according to the degree of severity of the threat, as determined by the analysis of the threat; the plan is subject to management approval before it can be implemented.
Risk Response

Risk response is very important as the next step to be taken after risk evaluation or risk estimation. Risk response is meant to prevent risk occurrence, to reduce risk impact or to prepare a contingency plan for any potential risk. Risk response strategies are most important for dealing with the threats posed in project outsourcing, according to Hillson (2002). It is not possible to fully deal with risk or prevent it from occurring, but strategies should be developed to arrest or reduce the impact of risk on a project. Risk response is the strategy that is used in responding to threats or identified risks. The strategy is usually employed to avert potential failure in any project or process in order to achieve the set objectives. The following are the approaches employed for risk response:

Acceptance: the organization can decide to tolerate the risk; this approach is used when the consequences of the risk or threat are not damaging and can be tolerated, or when the cost of preventing the risk is so high that the organization cannot afford it.

Risk Sharing: an organization can share its risk with another organization, such as insurance banks that are designated to help commercial banks respond to unexpected events. The only challenge is that the organization with which the risk is shared must be up to the task and ready to take it up.

Risk Reduction: this has to do with the activities that are aimed at reducing the impact of the risk or reducing the risk itself. These measures are geared to respond to the threat faced in the process or on the project.

Risk Avoidance: risk avoidance means that commercial banks avoid risk by avoiding actions that trigger the risks or threats. However, this strategy is not very productive and does not support organizational growth, because every progressive activity comes with various degrees of risk; hence risk is part of the process.

SDLC for Risk Management


Reducing the impact of the risks identified in an organization is very important in order to make informed decisions aimed at moving the organization forward. To ensure this, effective risk management must be integrated into the system development life cycle. The SDLC has five phases: initiation, development, implementation, maintenance and disposal. Risk analysis is a process that can be performed at any stage of system development.

| Phase | Detail | Risk activities |
|---|---|---|
| Initiation | The system purpose and scope are expressed. | Risks identified are used in the development of the system. |
| Development | The intended system is developed or purchased. | All the risks identified in this stage are used in developing support for the system. |
| Implementation | The security features for the system are designed and configured. | The risk management process supports the assessment of the implemented system against the requirements of the system. |
| Maintenance | The system performs its operation. There can also be ongoing modification to the software as a result of changes in procedures or policy. | There are periodic risk assessment activities to determine the vulnerability of the system in its operational environment. |
| Disposal | This stage may include discarding the system or information, or migrating the information to another system. | Risk analysis is done for the system that is to be disposed of or replaced. |

CONCLUSION
The main objective of this risk analysis is to provide support for the hospital management system, and for any other information system used by organizations and businesses, to protect them from the risks they face every day. It is essential that the various sectors of the economy and industry manage their different degrees of risk according to the nature of their business and interests.


REFERENCES
