Risk management plays an important role in providing information security and is one of the requirements set out in ISO / IEC 27001  security standard for certification. In addition, parties involved in the processing of personal data are legally obliged to carry out risk assessments and periodically review these evaluations.
Healthcare computer systems and electronic health records (EHRs) may contain highly critical information, including personal and sensitive information that is subject to the laws and regulations governing the protection and processing of personal data. At the same time, there is a great need for EHRs to be readily accessible to healthcare providers. Privacy concerns must be adequately controlled in order to minimize the risk of misuse and accidental disclosure.
When preparing a risk assessment, it is important to use a systematic method of risk assessment, that is to say, a method that ensures that the same risk assessor takes the same conclusions.
The following subparagraphs describe a methodology that is standardized and compliant with ISO / IEC 27005: 2008  guidelines for information security risk management. This methodology helps the evaluator to take into account all aspects of the risk assessment requirements of the ISO / IEC 27001 safety standard.
The risk assessment is done in a methodology according to ISO / IEC 27001.
1.1.1. Definition of Scope and Criterion
The first step in risk assessment is to create a context that includes the definition of basic risk criteria, the definition of scope and boundaries, and the establishment of an appropriate organization that operates information security risk management. The scope may be the whole or part of a business. In the case of EHRs, the scope of application should cover the entire operation, but it is more manageable if it is to ensure that nothing is left out. The basic risk criteria must include the minimum level of risk, ie the acceptable risk level.
1.1.2. Identifying Devices and Value
The next step is to identify information assets. The information tool is any information about the value and functioning of the organization. Information assets, such as other company assets, should be protected to ensure that the operations of the company meet the expectations and ensure that the operations are interrupted. All information elements of the operation must be recorded in the implementation of information security. These devices may be immaterial or tangible. Material assets are such as housing, computer equipment and furniture. Intangible assets include business relationships, reputation, procedures, services, knowledge and human resources. The asset value of the operation must be inspected and, in accordance with ISO / IEC 27001, confidentiality, integrity and availability must be evaluated.
Important for all devices, and ISO / IEC 27001 requires you to identify the owner of all devices. According to the standard, the owner designates a person or entity that has approved the administration's responsibility to control the production, development, maintenance, use, and security of the assets. The term owner does not mean that the person actually owns the asset.
The following is a list of identified information tools that relate to an EHR: EHR reputation, EHR data, contracts with hosting providers, physical and logical components of the system, healthcare professionals, public users, and EHR use.
1.1.3. Identification and Evaluation of Hazards
For all devices, all possible hazards and their sources should be identified. The fibers may be of different origin or nature and may occur within or outside the body. Some threats may affect multiple devices, and the resulting effect may differ depending on the device. For each threat, the likelihood of occurrence and impact should be estimated and the vulnerability of a device vulnerable.
The following example is a few tools identified by a threat:
· Reputation EHR
· Unsaved disclosure of information to unauthorized recipients
· Harmful advertising in the media
· Loss of availability
· Physical and
· Network overrun
· Technical problem of network components
· Malicious software (eg viruses)
· Illegal use of software
· Network access for unauthorized users
1.1.4. Risk Assessment and Risk Management
Estimated risks and risks can be estimated from the estimated risk, which is a so-called core security risk. The basic safety risk poses a risk before the risk mitigation checks are carried out. At this point it is important to assess the risk and compare it with the risk criteria defined by the context. The decision on the risk criterion and the context can be revised and detailed, as at this point they have more knowledge of identified risks. It is necessary to determine whether the risks are acceptable or need to be addressed.
Once the risks have been assessed, it is necessary to identify and evaluate which risk management options can be used for those risks that are different from the risk criteria. The possible steps to reduce risks by carrying out the appropriate audits accepting risks that clearly meet the risks and policies of adopting risks to other parties such as insurers.
For those risks where the choice of treatment option reduces the risk, appropriate and justified controls should be selected as mitigating controls. Selection must take into account the risk taking criteria and legal, regulatory and contractual requirements. In general, audits provide one or more of the following security types: correction, elimination, prevention, crash, deterrence, detection, recovery, monitoring, and awareness. Then, the execution state of each control is determined and the recorded state is verified.
The following example demonstrates an example of selected risks for the selected controls:
· EHR reputation
· Inadvertent information to unauthorized recipients
· A.5.1.1 Information Security Policy Documented
· A.6.1.5 Confidentiality agreements
· A.8.2.2 Information security awareness, education and training
· Physical and logical components of the system
· Malicious software (eg viruses)
· A.10.4 .1 Controls against malicious code
· A.10.6.1 Network Security Management
· Illegal Use of Software
· A.8.1.1 Roles and Responsibilities
· A.8.2.3 Discipline Procedure  1.2. Results
After finishing risk management, it is important to approve annual risk management and to introduce and operate the information security management system.
The outcome of the risk management process is the result of a Statement of Suitability (SOA) that appears as confirmation of the information security of the operation. This is important for managers, clients, and regulatory bodies, such as the data protection authority, who are requesting information about the security issues of the organization or company in question. The SOA report includes:
1. The reasons for the control goals and controls selected in the risk management process and the reasons for their selection.
2. Control objectives and controls are currently being implemented.
3. Exclusion and exclusion of control objectives and controls contained in Annex A to ISO / IEC 27001.
Source by sbobet