| No. | Vulnerability | Threat | Risk of compromise of | Risk Summary |
|---|---|---|---|---|
| 1 | Health information exchange not secured | Data compromise by intrusion, data breach | Sensitive and critical data | As health information exchanges (HIEs) make patient information electronically available across the hospital system, privacy and data security concerns have become paramount. The risks are compounded by the numerous systems and organizations involved. |
| 2 | Failure at data warehouse | Denial of service attack on data centre | Availability of data and applications | Data-based business intelligence is quickly moving to the forefront for most healthcare organizations. The greater the emphasis on better managing outcomes and overall population health, the more important data (clinical or otherwise) becomes. |
| 3 | Disaster recovery and business continuity not in place | Severe effect on operations of the hospital, impact on business | Productivity, revenue, patient safety | Productivity, revenue, and even patient safety could be severely affected if systems and data are not available and operational at all times. While business continuity related to disaster recovery is not a new concern for healthcare organizations, it ranked high because of its strategic and business impact. |
| 4 | Unidentified security vulnerabilities in biomedical devices | Systems can be hacked or planted with malware | Patient safety, privacy of data | Unidentified security vulnerabilities in biomedical devices can affect patient safety as well as the privacy of data on devices and networked systems. |
| 5 | Electronic Health Record (EHR) application not secured | Access rights misused, data breach or man-in-the-middle attack | Data privacy, intellectual property | Many healthcare organizations are susceptible to risks related to the implementation of electronic health record (EHR), financial, and other business systems. |
| 6 | No information security policy implemented | Technical, physical, and administrative safeguards vulnerable | Security of health information | HIPAA remains an area of significant risk for healthcare organizations. Maintaining the security of protected health information is challenging. Absence of supporting documentation demonstrating adherence to policies can be a huge risk. |
| 7 | IT assets and software licenses not tracked | Use of outdated software introduces vulnerabilities; software stops operating after license expiry | Security of health information, availability of data and applications | Many organizations have issues with tracking not only their physical IT assets but their software licenses as well. Lack of control in these areas can lead to financial losses for the organization. |
| 8 | Access through personal devices not restricted (BYOD) | Data loss, malware infection | Confidentiality and integrity of hospital data (financial, IP, staff info) | Electronic protected health information (ePHI) and similarly sensitive data can be disclosed to unauthorized personnel either by malicious intent or inadvertent mistake. |
| 9 | Identity management and RBAC not implemented | Unauthorised access to data or applications | Security of hospital data, patient information, applications | Unauthorized access to data or applications is a significant organizational risk, making system access a highly ranked area of concern. Healthcare organizations often struggle to maintain consistent core controls (for example, passwords, timeouts, and lockouts) around system access. |
| 10 | Not compliant with the Payment Card Industry Data Security Standard (PCI DSS) | | Customers' credit card data | |
| 11 | Malfunctioning of the application | Electronic Health Record (EHR) application failure | | An enterprise system tends to come with standard IT configurations, leaving a huge margin for error. If your hospital has deployed an electronic health record (EHR) system, you probably have a contingency plan in the event of a system outage. After all, computing systems go down, and when an EHR system is not working, it affects nearly every aspect of a hospital's operations, from patient care to admissions to finance to supply chain. |
| 12 | Defects in the systems | Systems failure in hospitals | | |
| 13 | Intentional human error | Unscheduled system downtime | | Unscheduled downtime is unplanned downtime due to system or environmental (e.g., power) failures. Downtime may affect a single application or be system-wide. |
| 14 | Levels of security not applied | Indiscriminate malicious attack (mock cyberattacks) | Medical devices, patient safety | |
| 15 | | | Patients' details, their reputation and privacy | |
| 16 | Disgruntled member, frustrated person | Personal revenge | Business loss, reputation at stake | … sophisticated in terms of knowledge about systems or well funded |
| 17 | Occurrence of natural calamities, disasters | Widespread disasters result in power blackout | Availability of the entire infrastructure | |
| 18 | Operational discontinuity | Business impact, availability impact | | |
| 19 | Lack of awareness | | | |