Health Network (HN) Risk Management Plan: Assessment and Strategies
VerifiedAdded on 2022/11/16
|10
|3397
|251
Report
AI Summary
The Health Network (HN) risk management plan addresses potential threats like data breaches, focusing on secure messaging, billing, and information services. The plan identifies risks, assesses their impact, and develops mitigation strategies. It covers compliance with regulations such as HIPAA, FDASIA, and the Cures Act, essential for handling sensitive health and financial data. The scope includes HN's IT infrastructure across its locations, including Minneapolis, Portland, and Arlington. The plan employs both qualitative and quantitative approaches, outlining mitigation measures for risks like data loss due to hardware issues, stolen assets, and production outages. It emphasizes data security through secure access, cloud-based systems, encryption, and geo-fencing. The plan also details roles and responsibilities for risk management, ensuring business continuity and customer satisfaction.
RISK MANAGEMENT PLAN FOR THE HEALTH NETWORK 1
Risk Management Plan for the Health Network
Risk Management Plan for the Health Network
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
RISK MANAGEMENT PLAN FOR THE HEALTH NETWORK 2
Risk Management Plan for the Health Network
Introduction
The Health Network (HN) is a medical services provider, offering services for secure
messaging from medical facilities to patients, a safe payment plan for medical billing, and an
information services portal to help patients access various medical services at a suitable location
and cost. The company is therefore at risk of data breaches, given the advanced methods and
technologies that hackers and other malicious users have, and the sensitivity of the information it
handles, including sensitive doctor/ care-giver to client messaging and billing information that takes
in client details as well as those of medical facilities. The purpose of this risk management plan is to
be able to identify possible problems (threats) before they are experienced so that activities aimed at
handling the identified risks are planned well before hand and be invoked as required across the
organization and its IT resources so as to mitigate and managed adverse effects that can potentially
affect the organization. Risk management is a process that is continuous, forward-looking and is
important in the business and technical management processes at HN. The purpose of this risk
management plan is also to address issues that can endanger the possibility of HN achieving its
business and performance objectives as well as continued service delivery to its clients, while
maintaining its revenues and business standing in the industry. A risk management plan is important
to any organization, including HN because it enables the company be aware of possible risks; being
aware sets into motion steps aimed at mitigating and possibly preventing the identified risks from
being experienced. His is important for ensuring the company’s operations remain efficient and
consistent (Marine Agency Insurance, 2019). It also ensures that the company’s customers remain
happy and satisfied and ensures a healthy business and financial performance, for instance, due to
reduced interruptions of services. This risk management plan is for the management of the Health
network (HN) and it discusses the scope and method used for creating the plan, a detailed risk
assessment, the regulations and compliance laws that HN must adhere to to effectively manage IT
and information risks, a plan for mitigating the risks identified and assessed, as well as a definition
of the relevant roles and responsibilities of the various departments and individuals responsible for
managing risk at HN. The risk assessment is undertaken in a systematic manner, following the set
steps for the identification and assessment of risks
Scope and Methodology
The scope of this risk management plan entails the identification, characterization,
assessment, and development of mitigation measures for risks related to the HN Information and
Communications technology infrastructure for all its operations (secure messaging, billing, and
information services) across all the company’s physical and enterprise operations and locations that
Risk Management Plan for the Health Network
Introduction
The Health Network (HN) is a medical services provider, offering services for secure
messaging from medical facilities to patients, a safe payment plan for medical billing, and an
information services portal to help patients access various medical services at a suitable location
and cost. The company is therefore at risk of data breaches, given the advanced methods and
technologies that hackers and other malicious users have, and the sensitivity of the information it
handles, including sensitive doctor/ care-giver to client messaging and billing information that takes
in client details as well as those of medical facilities. The purpose of this risk management plan is to
be able to identify possible problems (threats) before they are experienced so that activities aimed at
handling the identified risks are planned well before hand and be invoked as required across the
organization and its IT resources so as to mitigate and managed adverse effects that can potentially
affect the organization. Risk management is a process that is continuous, forward-looking and is
important in the business and technical management processes at HN. The purpose of this risk
management plan is also to address issues that can endanger the possibility of HN achieving its
business and performance objectives as well as continued service delivery to its clients, while
maintaining its revenues and business standing in the industry. A risk management plan is important
to any organization, including HN because it enables the company be aware of possible risks; being
aware sets into motion steps aimed at mitigating and possibly preventing the identified risks from
being experienced. His is important for ensuring the company’s operations remain efficient and
consistent (Marine Agency Insurance, 2019). It also ensures that the company’s customers remain
happy and satisfied and ensures a healthy business and financial performance, for instance, due to
reduced interruptions of services. This risk management plan is for the management of the Health
network (HN) and it discusses the scope and method used for creating the plan, a detailed risk
assessment, the regulations and compliance laws that HN must adhere to to effectively manage IT
and information risks, a plan for mitigating the risks identified and assessed, as well as a definition
of the relevant roles and responsibilities of the various departments and individuals responsible for
managing risk at HN. The risk assessment is undertaken in a systematic manner, following the set
steps for the identification and assessment of risks
Scope and Methodology
The scope of this risk management plan entails the identification, characterization,
assessment, and development of mitigation measures for risks related to the HN Information and
Communications technology infrastructure for all its operations (secure messaging, billing, and
information services) across all the company’s physical and enterprise operations and locations that
RISK MANAGEMENT PLAN FOR THE HEALTH NETWORK 3
include Minneapolis, Portland, and Arlington. It includes a risk assessment for all its servers,
network infrastructure, operational procedures, IT assets including all devices, network access
points, and servers, and staff risks (internal risks are some of the most sinister and potentially
damaging). The method used for undertaking the risk management plan follows the following
systematic approach;
Identification of the hazards, threats, and risks
Determination of what specific assets or systems may be damaged as well as the entities/
parties that may be harmed
an evaluation of the identified risks (risk assessment) and determining what precautions and
measures to be undertaken
Recording these (documentation)
A review of the risk assessment and the development of a comprehensive risk management
plan for HN
The risk management plan incorporates both qualitative and quantitative approaches to
managing risks
Compliance Laws and Regulations
Being a company handling numerous personal as well as corporate information pertaining to
individuals health, financial, and personal information, HN must comply with existing regulations
concerning personal data, IT enterprises, and financial information laws and regulations.
HN must be complaint with the Data protection 2019 laws and regulations of the USA. There is
actually no singly principle data protection law in the US, but a collection of several laws at both
State and Federal level aimed at protecting personal data of US residents. The company also has to
comply with the various state laws for Minnesota, Oregon, and Virginia given its operations in these
states. FDASIA (the Food and Drug Administration Safety Innovation Act) of 2012 that is targeted
at the Health IT framework to enable the management of of health information across various
multiple electronic devices and systems including wireless medial devices, communications
infrastructure, hospital information systems, and EHR (electronic health records). These laws are
mandated to the Federal Communications Commission (the FCC), the Office of the National
Coordinator for Health IT (the ONC), and the Federal Drug Administration (the FDA).
The HN must also comply with the 21st Cetury Cures Act (the Cures Act) that is aimed at
improving the exchange and flow of electronic health information. The ONC is in charge of
actualizing those pieces of Title IV, conveyance, identified with propelling interoperability,
restricting data blocking, and improving the ease of use, openness, and protection and security of
health IT. ONC attempts to guarantee that all people, their families and their social insurance
include Minneapolis, Portland, and Arlington. It includes a risk assessment for all its servers,
network infrastructure, operational procedures, IT assets including all devices, network access
points, and servers, and staff risks (internal risks are some of the most sinister and potentially
damaging). The method used for undertaking the risk management plan follows the following
systematic approach;
Identification of the hazards, threats, and risks
Determination of what specific assets or systems may be damaged as well as the entities/
parties that may be harmed
an evaluation of the identified risks (risk assessment) and determining what precautions and
measures to be undertaken
Recording these (documentation)
A review of the risk assessment and the development of a comprehensive risk management
plan for HN
The risk management plan incorporates both qualitative and quantitative approaches to
managing risks
Compliance Laws and Regulations
Being a company handling numerous personal as well as corporate information pertaining to
individuals health, financial, and personal information, HN must comply with existing regulations
concerning personal data, IT enterprises, and financial information laws and regulations.
HN must be complaint with the Data protection 2019 laws and regulations of the USA. There is
actually no singly principle data protection law in the US, but a collection of several laws at both
State and Federal level aimed at protecting personal data of US residents. The company also has to
comply with the various state laws for Minnesota, Oregon, and Virginia given its operations in these
states. FDASIA (the Food and Drug Administration Safety Innovation Act) of 2012 that is targeted
at the Health IT framework to enable the management of of health information across various
multiple electronic devices and systems including wireless medial devices, communications
infrastructure, hospital information systems, and EHR (electronic health records). These laws are
mandated to the Federal Communications Commission (the FCC), the Office of the National
Coordinator for Health IT (the ONC), and the Federal Drug Administration (the FDA).
The HN must also comply with the 21st Cetury Cures Act (the Cures Act) that is aimed at
improving the exchange and flow of electronic health information. The ONC is in charge of
actualizing those pieces of Title IV, conveyance, identified with propelling interoperability,
restricting data blocking, and improving the ease of use, openness, and protection and security of
health IT. ONC attempts to guarantee that all people, their families and their social insurance
You're viewing a preview
Unlock full access by subscribing today!
RISK MANAGEMENT PLAN FOR THE HEALTH NETWORK 4
suppliers have proper access to electronic wellbeing data to help improve the general soundness of
the country's populace. Notwithstanding supporting therapeutic research, propelling interoperability,
explaining HIPAA protection principles, and supporting substance misuse and emotional wellness
benefits, the Cures Act characterizes interoperability as the capacity trade and utilize electronic
health data without extraordinary exertion with respect to the client and as not establishing data
blocking (Health IT Legislation, 2019).
Given the company handles large volumes of health related data, HN must comply with the
MACRA (The Medicare Access and CHIP Reauthorization) of 2015; it defines a Quality payment
Plan which ir relevant to HN because it manages a payment system for its clients including the
APMs (Advanced Alternative Payment Models) and or the MIPS (The Merit-based Incentive
Payment Systems).
HN must also comply with the HITECH (Health Information Technology for Economic and
Clinical Health) Act of 2009 that is concerned with improved safety, efficiency, and promotion of
Health IT, including EHR and a secure and private health information exchange system.
HN must also comply with the HIPAA (the Health Insurance Portability and Accountability)
Act of of 1996. The secures medical coverage inclusion for specialists and their families when they
change or lose their positions, requires the foundation of national norms for electronic social
insurance exchanges, and requires foundation of national identifiers for suppliers, health care
coverage plans, and managers. The HHS Office for Civil Rights manages the HIPAA Privacy and
Security Rules. The HIPAA Privacy Rule portrays what data is ensured and how secured data can be
utilized and revealed. The HIPAA Security Rule depicts who is secured by the HIPAA security
assurances and what shields must be set up to guarantee proper insurance of electronic ensured
wellbeing data (Health IT Legislation, 2019).
There must also be compliance with the Computer Fraud and Abuse Act – 1986 that seeks to
protect computer data against fraud
The HN must also comply with the Final Rule on Privacy of Consumer Financial
Information of the 16 Federal Regulations Code, Part 313.
Risk Mitigation Plan
The risk mitigation plan is developed below, based on the identified and characterized risks
for HN
Risk Mitigation Plan
Company data loss due to This can be mitigated in several ways as discussed below;
suppliers have proper access to electronic wellbeing data to help improve the general soundness of
the country's populace. Notwithstanding supporting therapeutic research, propelling interoperability,
explaining HIPAA protection principles, and supporting substance misuse and emotional wellness
benefits, the Cures Act characterizes interoperability as the capacity trade and utilize electronic
health data without extraordinary exertion with respect to the client and as not establishing data
blocking (Health IT Legislation, 2019).
Given the company handles large volumes of health related data, HN must comply with the
MACRA (The Medicare Access and CHIP Reauthorization) of 2015; it defines a Quality payment
Plan which ir relevant to HN because it manages a payment system for its clients including the
APMs (Advanced Alternative Payment Models) and or the MIPS (The Merit-based Incentive
Payment Systems).
HN must also comply with the HITECH (Health Information Technology for Economic and
Clinical Health) Act of 2009 that is concerned with improved safety, efficiency, and promotion of
Health IT, including EHR and a secure and private health information exchange system.
HN must also comply with the HIPAA (the Health Insurance Portability and Accountability)
Act of of 1996. The secures medical coverage inclusion for specialists and their families when they
change or lose their positions, requires the foundation of national norms for electronic social
insurance exchanges, and requires foundation of national identifiers for suppliers, health care
coverage plans, and managers. The HHS Office for Civil Rights manages the HIPAA Privacy and
Security Rules. The HIPAA Privacy Rule portrays what data is ensured and how secured data can be
utilized and revealed. The HIPAA Security Rule depicts who is secured by the HIPAA security
assurances and what shields must be set up to guarantee proper insurance of electronic ensured
wellbeing data (Health IT Legislation, 2019).
There must also be compliance with the Computer Fraud and Abuse Act – 1986 that seeks to
protect computer data against fraud
The HN must also comply with the Final Rule on Privacy of Consumer Financial
Information of the 16 Federal Regulations Code, Part 313.
Risk Mitigation Plan
The risk mitigation plan is developed below, based on the identified and characterized risks
for HN
Risk Mitigation Plan
Company data loss due to This can be mitigated in several ways as discussed below;
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
RISK MANAGEMENT PLAN FOR THE HEALTH NETWORK 5
hardware being removed
from the production systems
The company should have secure access to all its hardware,
including the data centers where only authorized personnel have
access to the server rooms and the data centers.
The company should have a cloud based system so that it has a
hybrid cloud where all the data is copied and a copy kept in a public
cloud service providers’ infrastructure in addition to having its own
data center.
HN should have a policy on who can access what information and
data at the server rooms and where all physical data is contained and
what they can do with the hardware resources; for instance, only a
few people should be mandated to move any hardware, change
hardware, or perform maintenance and upgrading actions on
hardware devices, including power backup systems (Hillson, 2017)
Implementing a RAID (random array of inexpensive disks) on the
servers, such as RAID- 5 to ensure there is no data loss in the event
of accidental or intended damage to some hard disks
HN should also implement virtualization and have virtual machines
in physical machines to reduce the number of physical hardware and
act as security in case there is damage to some physical hardware;
the VMs should be mirrored
The hardware devices should have two-way authentication
requirements in the event that any person has to access data; access
to the hardware rooms such as the data center and server rooms must
be restricted using biometric access systems
Loss of company
information due to stolen or
lost company owned assets,
including laptops and
mobile devices
The company should have a policy restricting the use of mobile
devices and laptops by staff. These should have two-way
authentication before they can be used to access company resources.
The mobile devices, hardware, and other access points should not
have physical data stored on them; this implies having all the
company data and information stored in the company’s servers, in a
hybrid cloud architecture . This way, the users can only use the
devices to access the information, but have no information physical
stored in their various laptop, mobile, and other hardware devices.
hardware being removed
from the production systems
The company should have secure access to all its hardware,
including the data centers where only authorized personnel have
access to the server rooms and the data centers.
The company should have a cloud based system so that it has a
hybrid cloud where all the data is copied and a copy kept in a public
cloud service providers’ infrastructure in addition to having its own
data center.
HN should have a policy on who can access what information and
data at the server rooms and where all physical data is contained and
what they can do with the hardware resources; for instance, only a
few people should be mandated to move any hardware, change
hardware, or perform maintenance and upgrading actions on
hardware devices, including power backup systems (Hillson, 2017)
Implementing a RAID (random array of inexpensive disks) on the
servers, such as RAID- 5 to ensure there is no data loss in the event
of accidental or intended damage to some hard disks
HN should also implement virtualization and have virtual machines
in physical machines to reduce the number of physical hardware and
act as security in case there is damage to some physical hardware;
the VMs should be mirrored
The hardware devices should have two-way authentication
requirements in the event that any person has to access data; access
to the hardware rooms such as the data center and server rooms must
be restricted using biometric access systems
Loss of company
information due to stolen or
lost company owned assets,
including laptops and
mobile devices
The company should have a policy restricting the use of mobile
devices and laptops by staff. These should have two-way
authentication before they can be used to access company resources.
The mobile devices, hardware, and other access points should not
have physical data stored on them; this implies having all the
company data and information stored in the company’s servers, in a
hybrid cloud architecture . This way, the users can only use the
devices to access the information, but have no information physical
stored in their various laptop, mobile, and other hardware devices.
RISK MANAGEMENT PLAN FOR THE HEALTH NETWORK 6
The devices should be encrypted with any information stored on
them being encrypted and requiring a decrypting passw0rd for
anyone to access and use them; this will ensure that even in the event
of theft, the data contained in them, including remote access
credentials are n usable expect by an authorized user (Pather,
Remenyi and Remenyi, 2011)
The devices should also be geo-fences such that when they go out of
certain geographic boundaries, they are automatically rendered
inaccessible to mitigate theft and access from a remote location
The devices should also be configured with ‘fail-safe’ features such
that any repeated attempted access without having the right
credentials or having the devices reported stolen results in the data
and information contained within them destroyed (bricked) such that
they cannot be accessed by third parties. This also requires
configuration of the devices to be locked remotely should there be
any suspicious activity on them or be reported as lost
The mobile devices and laptops should be configured with privileged
access s that different classes of users are only able to access specific
relevant information. This minimizes greatly the risk that
information will be stolen or reduces the kind of information that can
be accessed should the devices get lost or be stolen.
Customers loss due to
production outages caused
by a variety of factors and
events including natural
disasters, unstable software,
and change management
This is mitigated through having a cloud based architecture for the
company’s resources. This means the data and processes are stored
in a hybrid cloud consisting of HN’s physical private cloud and a
public cloud services provider. This ensures business process
continuity in the event that there is a breakdown in the company’s
physical communication systems, networks, and data centers.
The company should also have its data centers located in different
geographical locations and have the data mirrored in all the different
data centers so as to guard against damages to one of the data centers
such as through natural disasters or fires that can damage the
physical hardware and result in data loss.
HN should have a second data transmission medium and protocol;
The devices should be encrypted with any information stored on
them being encrypted and requiring a decrypting passw0rd for
anyone to access and use them; this will ensure that even in the event
of theft, the data contained in them, including remote access
credentials are n usable expect by an authorized user (Pather,
Remenyi and Remenyi, 2011)
The devices should also be geo-fences such that when they go out of
certain geographic boundaries, they are automatically rendered
inaccessible to mitigate theft and access from a remote location
The devices should also be configured with ‘fail-safe’ features such
that any repeated attempted access without having the right
credentials or having the devices reported stolen results in the data
and information contained within them destroyed (bricked) such that
they cannot be accessed by third parties. This also requires
configuration of the devices to be locked remotely should there be
any suspicious activity on them or be reported as lost
The mobile devices and laptops should be configured with privileged
access s that different classes of users are only able to access specific
relevant information. This minimizes greatly the risk that
information will be stolen or reduces the kind of information that can
be accessed should the devices get lost or be stolen.
Customers loss due to
production outages caused
by a variety of factors and
events including natural
disasters, unstable software,
and change management
This is mitigated through having a cloud based architecture for the
company’s resources. This means the data and processes are stored
in a hybrid cloud consisting of HN’s physical private cloud and a
public cloud services provider. This ensures business process
continuity in the event that there is a breakdown in the company’s
physical communication systems, networks, and data centers.
The company should also have its data centers located in different
geographical locations and have the data mirrored in all the different
data centers so as to guard against damages to one of the data centers
such as through natural disasters or fires that can damage the
physical hardware and result in data loss.
HN should have a second data transmission medium and protocol;
You're viewing a preview
Unlock full access by subscribing today!
RISK MANAGEMENT PLAN FOR THE HEALTH NETWORK 7
for example, the different locations can be linked through fiber optic
cables and a second radio based VSAT system be put in place in the
event there is damage to the fiber optic cables to ensure continuity
Internet threats caused by
company product and
infrastructure being
accessible through the
Internet
The company should have all its data encrypted when being
transported through its networks and over the Internet. This also
includes having a virtual private network (VPN) that is encrypted,
especially for mobile devices used by employees outside the
physical locations of HN. The network resources should be isolated
so that only a certain class of authorized users have access to some
network resources. The company should also incorporate a cloud
based network infrastructure to ensure continuity in the event the
physical network has problems.
Basic network protection measures should be out in place, including
having psychical and software based fire wall systems installed in
the servers and server rooms. This is to ensure there is effective
monitoring of network traffic and filtering of information to help
detect attacks and take remedial measures.
Wireless Access Points (WAPs) should be secured sufficiently, with
the access pots (routers) being secured through encryption and have
router passwords effectively managed since this is a common weak
access point that can be exploited.
Have a well defined policy for accessing and clicking on links
embedded in e-mails, working with Spam e-mail filtering and
isolation of various assets to ensure that such attacks from malicious
code embedded in e-mails are mitigated or guarded against.
The company should implement various anti- malware software
applications including anti viruses, anti malware, and have these
updated regularly to remain up do date.
Routers, network devices, and devices must have their firmware and
operating system patches up to date and patched regularly to guard
against new kinds of threats (Rass and Schauer, 2017)
Insider Threats The company should have detailed policies on who can access what
information with privileged rights for all company resources. Access
for example, the different locations can be linked through fiber optic
cables and a second radio based VSAT system be put in place in the
event there is damage to the fiber optic cables to ensure continuity
Internet threats caused by
company product and
infrastructure being
accessible through the
Internet
The company should have all its data encrypted when being
transported through its networks and over the Internet. This also
includes having a virtual private network (VPN) that is encrypted,
especially for mobile devices used by employees outside the
physical locations of HN. The network resources should be isolated
so that only a certain class of authorized users have access to some
network resources. The company should also incorporate a cloud
based network infrastructure to ensure continuity in the event the
physical network has problems.
Basic network protection measures should be out in place, including
having psychical and software based fire wall systems installed in
the servers and server rooms. This is to ensure there is effective
monitoring of network traffic and filtering of information to help
detect attacks and take remedial measures.
Wireless Access Points (WAPs) should be secured sufficiently, with
the access pots (routers) being secured through encryption and have
router passwords effectively managed since this is a common weak
access point that can be exploited.
Have a well defined policy for accessing and clicking on links
embedded in e-mails, working with Spam e-mail filtering and
isolation of various assets to ensure that such attacks from malicious
code embedded in e-mails are mitigated or guarded against.
The company should implement various anti- malware software
applications including anti viruses, anti malware, and have these
updated regularly to remain up do date.
Routers, network devices, and devices must have their firmware and
operating system patches up to date and patched regularly to guard
against new kinds of threats (Rass and Schauer, 2017)
Insider Threats The company should have detailed policies on who can access what
information with privileged rights for all company resources. Access
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
RISK MANAGEMENT PLAN FOR THE HEALTH NETWORK 8
to such resources must require secure authentication with passwords
changed regularly and sensitive resources requiring two step
authentication.
The resources should be set such that users cannot download, copy
or transfer some company resources, such as client databases or
information onto external storage devices. For some sensitive
computers and access points, external access points such as USB
ports should be disabled and set up such that any attempt at
downloading or transferring information raises an alarm and stops
the exercise until authorization is given.
Users should be educated on ways in which they can be tricked by
hackers; they should never open any e-mail links or open suspicious
mail, and never give up any personal information through e-mail or
social media sites that can be used for Phishing to access their access
credentials for organization resources.
Use artificial intelligence methods to evaluate and forestall risky
staff behavior and take appropriate measures before they happen
Provide a safe and secure reporting channel where employees can
report suspicious activity by their colleagues
Record and review user logs to check for suspicious activity and be
able to follow up in case of breaches
Changes in the regulatory
landscape that can impact
operations
Have a detailed ICT policy and have the IT managers regulatory
review any existing policies and respond accordingly when there are
regulatory policy changes
Have Senior ICT staff to be members of various associations that
will ensure relevant updates are given for policy changes
Conduct audits using professionals and consultants to ensure the
organization is compliant with all laws and regulations
Threats caused by acts of
omission and commission
Have a detailed ICT policy and review it regularly while providing
training and ensuring the policy is followed
Roles and Responsibilities
to such resources must require secure authentication with passwords
changed regularly and sensitive resources requiring two step
authentication.
The resources should be set such that users cannot download, copy
or transfer some company resources, such as client databases or
information onto external storage devices. For some sensitive
computers and access points, external access points such as USB
ports should be disabled and set up such that any attempt at
downloading or transferring information raises an alarm and stops
the exercise until authorization is given.
Users should be educated on ways in which they can be tricked by
hackers; they should never open any e-mail links or open suspicious
mail, and never give up any personal information through e-mail or
social media sites that can be used for Phishing to access their access
credentials for organization resources.
Use artificial intelligence methods to evaluate and forestall risky
staff behavior and take appropriate measures before they happen
Provide a safe and secure reporting channel where employees can
report suspicious activity by their colleagues
Record and review user logs to check for suspicious activity and be
able to follow up in case of breaches
Changes in the regulatory
landscape that can impact
operations
Have a detailed ICT policy and have the IT managers regulatory
review any existing policies and respond accordingly when there are
regulatory policy changes
Have Senior ICT staff to be members of various associations that
will ensure relevant updates are given for policy changes
Conduct audits using professionals and consultants to ensure the
organization is compliant with all laws and regulations
Threats caused by acts of
omission and commission
Have a detailed ICT policy and review it regularly while providing
training and ensuring the policy is followed
Roles and Responsibilities
RISK MANAGEMENT PLAN FOR THE HEALTH NETWORK 9
The IT manager for the organization is responsible for setting the tone for the risk management
strategy; working with other division IT managers, they develop and review the risk management
strategy. Section heads are responsible for managing the risk management strategy and IT staff such
as assistant managers, and security staff 9for IT) responsible for continuous monitoring and
reporting of any threats, as well as staking the first line of action. The top IT management, together
with senior executives form a risk management team for the company in terms of IT security
(Hack2Secure, 2017).
The IT manager for the organization is responsible for setting the tone for the risk management
strategy; working with other division IT managers, they develop and review the risk management
strategy. Section heads are responsible for managing the risk management strategy and IT staff such
as assistant managers, and security staff 9for IT) responsible for continuous monitoring and
reporting of any threats, as well as staking the first line of action. The top IT management, together
with senior executives form a risk management team for the company in terms of IT security
(Hack2Secure, 2017).
You're viewing a preview
Unlock full access by subscribing today!
RISK MANAGEMENT PLAN FOR THE HEALTH NETWORK 10
References
Hack2Secure. (2017). An Introduction To Information Security Roles and Responsibilities 2017-
09-22 Hack2Secure 1. Available at: https://www.hack2secure.com/blogs/an-introduction-to-
information-security-roles-and-responsibilities [Accessed 14 Jul. 2019]
Health IT Legislation (2019). Health IT Legislation | HealthIT.gov. [online] Healthit.gov. Available
at: https://www.healthit.gov/topic/laws-regulation-and-policy/health-it-legislation [Accessed
14 Jul. 2019].
Hillson, D. (2017). Managing Risk in Projects. Milton: Taylor & Francis.
Marine Agency Insurance (2019). 9 Reasons Companies Are in Need of a Risk Management Plan.
[online] Marine Agency. Available at: https://marineagency.com/reasons-why-every-
company-should-implement-a-risk-management-plan/ [Accessed 14 Jul. 2019].
Pather, S., Remenyi, B. and Remenyi, D. (2011). Managing risks of ICT projects. Kidmore End:
Academic Publishing.
Rass, S. and Schauer, S. (2017). Game theory for security and risk management. 1st ed. Hoboken,
NJ: Wiley.
References
Hack2Secure. (2017). An Introduction To Information Security Roles and Responsibilities 2017-
09-22 Hack2Secure 1. Available at: https://www.hack2secure.com/blogs/an-introduction-to-
information-security-roles-and-responsibilities [Accessed 14 Jul. 2019]
Health IT Legislation (2019). Health IT Legislation | HealthIT.gov. [online] Healthit.gov. Available
at: https://www.healthit.gov/topic/laws-regulation-and-policy/health-it-legislation [Accessed
14 Jul. 2019].
Hillson, D. (2017). Managing Risk in Projects. Milton: Taylor & Francis.
Marine Agency Insurance (2019). 9 Reasons Companies Are in Need of a Risk Management Plan.
[online] Marine Agency. Available at: https://marineagency.com/reasons-why-every-
company-should-implement-a-risk-management-plan/ [Accessed 14 Jul. 2019].
Pather, S., Remenyi, B. and Remenyi, D. (2011). Managing risks of ICT projects. Kidmore End:
Academic Publishing.
Rass, S. and Schauer, S. (2017). Game theory for security and risk management. 1st ed. Hoboken,
NJ: Wiley.
1 out of 10
Related Documents
Your All-in-One AI-Powered Toolkit for Academic Success.
+13062052269
info@desklib.com
Available 24*7 on WhatsApp / Email
![[object Object]](/_next/static/media/star-bottom.7253800d.svg)
Unlock your academic potential
© 2024 | Zucol Services PVT LTD | All rights reserved.