Risk Management Plan for Health Network Inc.
Introduction
Health Network Inc. is a company that appears to be facing risk-related issues, having acknowledged the long period of time since the last review of its Risk Management Plan (RMP). The organization mainly serves its customers through three products: HNetExchange, HNetPay and HNetConnect. These services generally help customers obtain information by querying the company's databases (Hayat 2012), and they provide easy access and timely responses in health-related situations. HNetExchange helps customers find clinics and exchange medical messages over the Internet. HNetPay is a web portal that customers use to process and display bills and payments. HNetConnect is a directory that helps customers locate clinics offering good services, including the doctors and physicians of interest to them. The RMP is meant to protect staff members, guests and patients from unintentional and intentional security breaches, and to protect the financial assets and other intangible assets of the company.
RMP Scope
The RMP applies to the information systems and network infrastructure of the organization, and it seeks to mitigate the risks that also affect financial data. The risks considered are those that mainly affect everyone who accesses the systems, gains access to the system, or trusts the system for the storage of data. The plan also enables risk mitigation and collaboration among the risk management staff in the Minnesota and Minneapolis departments and in other locations such as Arlington, Oregon, Virginia and Portland. The detailed operations covered by the risk plan include transfer of data to the required destination, security of servers, secure transfer of data via HNetExchange, HNetPay portal protection and availability, full data exchange, PHI data usage and storage, maintenance of information confidentiality, and secured connections to third-party systems.
Regulations
Though regulations and laws form the basis of the risk management plan, they also act as a potential risk if they are not strictly followed while conducting organizational operations. Some of the laws and regulations that apply to Health Network Inc. include the Payment Card Industry Data Security Standard (PCI DSS) and acts such as the Healthcare Information Portability and Accountability Act [HIPAA]. The HIPAA standards were developed to protect citizens from attacks on their personal information and data (Farhadi, Haddad, & Shahriar 2018). PCI standards, on the other hand, were specifically developed to reduce losses due to card fraud (Chuvakin 5). The federal government also enacted the Gramm-Leach-Bliley Act [GLBA], which requires all financial institutions, or any institution dealing with customers' financial information, to clarify the manner in which it shares customers' private data. There is also the Computer Fraud and Abuse Act [CFAA], which was passed to ensure that computers are not accessed without authorization (Goldman 14).
Roles and Responsibilities
| Job Title | Roles and Responsibilities |
|---|---|
| IRM (IT Resource Manager) | Ensures a proper and up-to-date risk management plan is in place and that proper practices and policies are followed. Assigns job responsibilities and follows up on accountabilities. Assesses risk management operations in the three departments. |
| Risk Coordinator (Manager) | Manages and coordinates risk assessment activities and can stand in for the IRM. |
| Health Network Inc. Senior Manager | Offers information about the risks faced by the company and helps initiate the plan. |
| Business SME | Helps in assessing the contexts, impacts, timing, consequences and priorities of risks. |
| The RMP team | Helps in managing components of risks as directed by the IRM (members will be assigned as risk owners). Documents incidents. Reports the supporting information to the coordinator or risk manager. |
| Risk Owner | Helps in managing components of risks as directed by the IRM. Documents incidents. Reports the supporting information to the coordinator or risk manager. |
| Stakeholders | Involved in the planning processes and offer unique perspectives on risk operations; identify and support the definition of the contexts, impacts, timing, consequences and priorities of risks. |
| Data Custodian (3rd party) | Implements controls as per the specifications of the risk owners and evaluates the cost-effectiveness of the risk management processes. Provides the technical, physical and procedural protection of information and data. Also helps by offering monitoring and procedural techniques for detecting, reporting and investigating risk incidents. |
Risk Mitigation Plan
| Threat | Outcome | Proposed Revised Plan |
|---|---|---|
| Loss of data due to the removal of hardware from production systems | Handling of operational errors | Approved budget for replacement of hardware |
| Loss of company data due to loss of company assets | Compromise and loss of critical information | Data backup in all the systems |
| Loss of customers due to production outages caused by various events, such as natural disasters, unstable software and change management | Stalling of processes | Regular review of the continuity and recovery plan and equipping all the data centers in the three locations |
| Internet threats due to company products being accessible on the Internet | Network system halt due to loss of vital information | Updating of all security software, such as firewalls and antivirus |
| Changes in the regulatory landscape that may impact operations | Delays in organizational system processes | Constant regulatory review and updates based on current government changes |
| Insider threats | Overall system risk | Regular communication of the policies and procedures |
References
Chuvakin, Anton. "Managing a PCI DSS Project to Achieve Compliance." PCI Compliance, 2012, pp. 231-251.
Farhadi, Maryam, et al. "Static Analysis of HIPPA Security Requirements in Electronic Health Record Applications." 2018 IEEE 42nd Annual Computer Software and Applications Conference (COMPSAC), 2018.
Goldman, Lee. "Interpreting the Computer Fraud and Abuse Act." Pittsburgh Journal of Technology Law and Policy, vol. 13, 2012.
Hayat, Usman. "Impact Investing: Making Money the Charitable Way." Financial Times, 2012. Retrieved 14 August 2014.