Health Network Inc. Risk Management Plan
Health Network Inc. is a health information technology systems support company. Its primary duty is providing IT and communications support to health facilities and healthcare providers. It also acts as a bridge between patients and healthcare providers, allowing patients to choose their most preferred and convenient healthcare provider. The company’s main office is in Minneapolis, Minnesota, with branches in Portland, Oregon, and Arlington, Virginia.
The company runs three main products. HNetExchange is the messaging arm that handles communication between customers and clients and is the primary source of the company’s revenue. HNetPay provides secure payment and billing services between customers and their healthcare providers. Finally, HNetConnect provides online directory services where healthcare providers upload their credentials, location, and contact information that patients can use to choose their preferred healthcare provider.
Risk Management
Risks are sudden, uncertain occurrences that could have a substantial effect on the running of an organization. Risk management involves the identification, analysis, prioritization, and response activities laid out to forecast and prepare for a risk event. For an effective risk management plan, the manager should view every possible threat the organization faces that could paralyze operations. Once all aspects have been identified, measures to minimize the risks should be suggested. Also, the management should forecast ways an attack on the weak points can affect the company and prepare accordingly. For a health care information management company, the analysis of the risks involved should be guided by existing laws and regulations.
Scope and Boundaries
Health Network Inc. handles personally identifiable data, health data, and communication information for its clients, who consist of healthcare facilities, healthcare professionals, and patients seeking healthcare services. The information in their possession is managed by third-party data hosting vendors. The scope of the risks involved in running their business, therefore, includes malicious exposure of client, doctor, and health center information. It also consists of the loss of valuable data collected from different clients over time. Health Network Inc. also has technological assets, including computers and cell phones, in possession of its employees that could be used to obtain personal information illegally. There is also a high risk involved in the use of HTTPS hosting for communication, payments, and other transactions involving sensitive data.
Compliance Laws and Regulations
The nature of the business of Health Network Inc. imposes laws and regulations regarding the protection of privacy, health information, and credit transaction information provided by all its clients. The amount of information in these categories that the company deals with poses a risk of lawsuits if it is maliciously accessed. The Health Insurance Portability and Accountability Act (HIPAA) governs the protection of personal health information and related data availed to health professionals. Health Network Inc. should be compliant with the HIPAA regulations in the protection of health-related data in its possession. The Fair and Accurate Credit Transactions Act (FACTA) protects people against fraudulent use of their financial information. The company should also be compliant with the FACTA regulations, as it has a platform through which financial transactions are carried out between healthcare providers and their patients.
Individual Roles in Risk Management
All employees working at Health Network Inc. have the responsibility of carrying out risk management procedures while on duty. The procedures include ensuring that the data protection measures are up-to-date, information obtained from their clients is given under verifiable consent, and that the data provided is strictly used for the purposes stated in the consent information. Individuals should report any uncharacteristic observations that could signal a risk. Employees should also be responsible for the company assets in their possession, and the data stored in them. To manage the risk of exposure, the employees should refrain from accessing unauthorized sites using company technological assets, as this might expose the company assets to compounded risk due to the use of local area network systems.
Departmental Roles in Risk Management
From the input of its employees, each department should have a working reference point for all possible sources of risk. The recommendations suggested should be put in place to ensure adequate management of risk factors as they present. All departments should have suitable protective measures guarding the access, transfer, and storage of information regarding the company clientele. Prioritized access measures should be enforced regarding the clearance levels at which employees should have access to client information data. Each department should also have a way to monitor the third-party data storage providers relevant to their data to ensure malicious access does not occur.
RISK ASSESSMENT
Risk Assessment is the cornerstone approach to protecting a business from the adverse effects of an occurring risk. It is the process of identifying threats or danger factors that have the potential to cause harm, which enables the analysis and evaluation of risks associated with the threat. Risk assessment involves analyzing potential or future events that may negatively impact individuals, assets, and/or the business environment. Risk assessment, therefore, includes making judgments on the tolerability of the risk, based on risk analysis, while considering influencing factors. It determines possible mishaps, their likelihood and consequences, and the tolerance for such events. The results of this process may be expressed in a Quantitative or Qualitative fashion. Risk Assessment is an inherent part of a broader strategy to introduce control measures to eliminate any potential risk-related consequences.
Scope and Boundaries
The Risk Assessment Plan should address the measure of certainty that a risk-posing event will occur. For Health Network Inc., the frequency of occurrence of the risk, unless action is taken to change circumstances, should be considered. Information technology-related risks occur less frequently if the process is corrected and presenting issues identified with minimal audit activity. The estimated impact of an occurring risk on the activities of the business should be quantified. Health Network Inc.’s risk assessment plan should include the effects of presenting risks on the clients, stakeholders, business partners, and the business itself. All potentially at-risk parties should be put into consideration when conducting a risk assessment, to ensure that every possible risk is planned for during the mitigation stage.
Risk Assessment Approaches
- WHAT-IF ANALYSIS is used to identify threats and hazards. It involves asking a what-if question about what could go wrong and what could happen if things do go wrong. The analysis is a brainstorming activity carried out by people who know the areas, operations, and processes that may be exposed to hazardous events and conditions.
- CHECKLIST approach creates a list of known risks and hazards to identify the threats and dangers. The value of this type of analysis depends upon a quality checklist and the experience of the user.
- A combination of the Checklist and the What-If Analysis helps to identify the threats and hazards. Checklists are used to ensure that all the relevant what-if questions have been asked and discussed, and to encourage a creative approach to risk assessment.
- Hazard and Operability Study (HAZOP) approach may be used to identify potential threats and hazards using a thorough analysis. However, it is costly, time-consuming, and requires strong leadership. It also assumes the availability of a very knowledgeable interdisciplinary team, one with detailed knowledge about the areas, operations, and processes that may be exposed to hazardous events and conditions.
- Failure Mode and Effect Analysis (FMEA) approach is relevant in identifying potential failures and the effects the failures would have. This method begins by selecting a system for analysis and then looks at each element within the system. It then attempts to predict what would happen to the system as a whole when each element fails. This method is often used to predict hardware failures and is best suited for this purpose.
- Fault Tree Analysis (FTA) is used to identify all the things that could potentially cause a hazardous event. It starts with a particular type of dangerous event and then tries to identify possible causes.
Individual Roles in Risk Assessment
Each employee involved requires a clear understanding of the legal context, concepts, and processes of assessing risk, and the roles played by the main factors involved in the process. Workers must participate in the risk assessment since they know the problems and details of what happens when they perform their tasks or activities. Their participation in risk assessment is essential in bringing practical knowledge or competencies needed to develop workable preventive measures. While on duty, every employee is in a unique position to identify possible threats and potential risks attached to their specific responsibilities. Employee participation is not only a right but a fundamental measure to make the company’s risk management effective and efficient.
Departmental Roles in Risk Assessment
Health Network Inc. is made up of three major departments. The measures taken at the departmental level, using the input of individual employees, feed into the company’s risk assessment system. The role of each department is to regularly identify potential risks using compliance laws and regulations, client complaints, and weakness assessments in the systems. Taking evaluations of protective measures against cyber attacks, malicious access to company data, and identification of computer glitches provides the departments with the relevant information they require for risk assessments. Regular reports outlining the challenges each team faces give the management insight into areas of opportunity and growth, including potential risks for the team and organization. Department heads should support the requests of their teams, which, if unattended, can lead to significant risk exposure for the entire organization.
Risk Mitigation
Risk mitigation is a strategy to prepare for and lessen the effects of threats faced by a data center. Rather than just planning to avoid risk, mitigation deals with the aftermath of a disaster and the steps that can be taken before the event occurs to reduce adverse and potentially long-term effects. It can also be explained as a process of developing options and actions to enhance opportunities and reduce threats to organizational objectives. Comparable to risk reduction, risk mitigation takes steps to minimize the adverse effects of threats on business continuity (BC). Threats that might put the company at risk include cyber-attacks, weather events, and other causes of physical or virtual damage to the data center.
Presenting Threats
Health Network Inc. operates three production data centers that provide high availability across the company’s products. The data center hosts about 1000 production servers, and Health Network maintains 650 corporate laptops and company-issued mobile devices for its employees. Thus, upon review of the current risk management plan, the following threats were identified:
- Loss of company data due to the hardware being removed from production systems
- Loss of company information on lost or stolen company-owned assets, such as mobile devices and laptops
- Loss of customers due to production outages caused by various events such as natural disasters, change management, unstable software, and so on.
- Internet threats due to the accessibility of company products.
- Insider threats
- Changes in the regulatory landscape that may impact operations.
Proposed Mitigation Measures
Ideally, a data center should be prepared for all risks and threats and avoid them entirely. However, having a risk mitigation plan can help a data center prepare for the worst, acknowledging that some degree of damage will occur, and having systems in place to confront the loss. Some of the proposed mitigation measures are:
- Identify the risk by identifying potential events and event sequences where risk is presented. Risks can be in the form of existing vulnerabilities in the data center or known threats.
- Perform a risk assessment by finding the quantitative risk of each event, weighing its potential impact and the likelihood of it occurring.
- Once the risk assessment has been completed, rank the potential risks from the most severe to the least. Areas with the lowest level of acceptable risk should be the priority.
- Track Risks. If a risk can be followed, keep track of it and the threat it poses; for instance, track severe weather results if your organization is in a known natural disaster area, or monitor the frequency of cyber attacks in the organization.
- Implement and Monitor Progress: Once your mitigation plan is in place, continue to monitor how it is working and perform tests to ensure the plan is up to date. If risk priorities change, make sure your plan evolves as well.
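The assessment, ranking, and re-evaluation steps above can be kept as a small risk register. The following is an added example, not part of the original plan: it scores the six threats listed under Presenting Threats as likelihood times impact, ranks them from most to least severe, and flags those above the owning area's acceptable level. The 1-to-5 scales, the scores, the tolerance values, and all function names are constructed assumptions for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 (rare) to 5 (almost certain); assumed scale
    impact: int      # 1 (negligible) to 5 (severe); assumed scale
    tolerance: int   # highest score the owning area accepts; constructed

    def __post_init__(self):
        # Reject scores outside the agreed scale so a typo cannot skew the ranking.
        for field in ("likelihood", "impact"):
            if not 1 <= getattr(self, field) <= 5:
                raise ValueError(f"{self.name}: {field} must be between 1 and 5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


# Threat names follow the plan's list; every number below is constructed.
REGISTER = [
    Risk("hardware removed from production", 2, 4, 6),
    Risk("lost or stolen devices", 4, 4, 6),
    Risk("production outages", 3, 5, 8),
    Risk("internet threats", 4, 5, 6),
    Risk("insider threats", 2, 5, 6),
    Risk("regulatory change", 2, 3, 9),
]


def rank(register):
    """Most severe first; on equal scores the area with the lowest tolerance leads."""
    return sorted(register, key=lambda r: (-r.score, r.tolerance))


def needs_treatment(register):
    """Risks whose score exceeds what the owning area accepts, in ranked order."""
    return [r for r in rank(register) if r.score > r.tolerance]


def reassess(register, name, **changes):
    """Return a new register with one risk re-scored after monitoring."""
    if not any(r.name == name for r in register):
        raise KeyError(name)
    return [replace(r, **changes) if r.name == name else r for r in register]


if __name__ == "__main__":
    for r in rank(REGISTER):
        flag = "TREAT" if r.score > r.tolerance else "accept"
        print(f"{r.score:>2}  {flag:<6}  {r.name}")
```

Re-running `rank` after `reassess` is what keeps the plan current when tracking shows that a likelihood or impact has changed.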
BUSINESS IMPACT ANALYSIS
Business Impact Analysis (BIA) is a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of a disaster, accident, or emergency. A BIA is an essential component of an organization’s business continuance plan, which includes an exploratory component to reveal any vulnerabilities and a planning component to develop strategies for minimizing risks. The result, which is a business impact analysis report, describes the potential risks specific to the organization studied, in this case Health Network Inc. The BIA will determine the most crucial business functions and systems, the staff and technology resources needed for operations to run optimally, and the time frame within which the services need to be recovered for the organization to restore operations as close as possible to a normal working state.
Business Functions
The central role of the BIA is to identify the costs linked to failures, replacement of equipment, and loss of profits, staff, and data. The report quantifies the importance of business components and suggests appropriate fund allocation for measures to protect them. The possibility of failures is likely to be assessed in terms of their impacts in areas such as finances, marketing, business reputation, legal compliance, and quality assurance. Where possible, the effect is expressed monetarily for purposes of comparison. The BIA should assess a disaster’s impact over time and help to establish recovery strategies, priorities, and requirements for resources and time.
Critical Company Resources
Critical company resources that should be considered during BIA for Health Network Inc. include the software, hardware, internet resources, websites, client data, and the various transaction systems used by the company. The identification and recovery prioritization of these components will play a significant role in ensuring full analysis, mitigation, and recovery of the business from a disaster. Adequate backup and fall-back mechanisms for all these critical resources should be established early and enforced regularly. Secondary software, website protocols, and all payment and other internet resources should be developed and stored for activation in case of a failure of the existing protocols.
Maximum Allowable Outage
Maximum Allowable Outage is the maximum amount of time a system can be unavailable before its loss compromises the organization’s objectives or survival. A similar and more standard term for this is the Maximum Tolerable Period of Disruption (MTPOD). Maximum Allowable Outage is also known as Maximum Acceptable Outage (MAO), and this is the time frame during which recovery must become effective before an outage compromises the ability of an organization to achieve its business objectives and/or survival. Generally, MAO can be explained as the maximum period that an organization can tolerate the disruption of a critical business function before the achievement of objectives is adversely affected. The Health Network should be able to adopt MAO following the determination that the existing risk management plan for the company is outdated and a new risk management plan had to be developed. Because of the importance of risk management, the company committed to creating a new layout.
Impact of Maximum Allowable Time/Maximum Tolerable Downtime
Once an organization determines its Maximum Allowable Time, then the recovery options can be determined. For instance, a 10-day MTD indicates that a cold site may be a reasonable option, but one that’s a few hours suggests that a redundant site or hot site is a potential option.
- A redundant site is an exact production duplicate of a system that can seamlessly operate all necessary IT operations without loss of services to the end-user of the system. The redundant site receives data backups in real-time so that in the event of a disaster, the users of the system have no loss of data. It is a building configured exactly like the primary site and is the most expensive recovery option because it effectively more than doubles the cost of IT operations. To be fully redundant, a site must have real-time data backups to the redundant system, and the end-user should not notice any difference in IT services or operations in the event of a disruptive event.
- A hot site is a location that an organization may relocate to following a significant disruption or disaster. It is a data center with a raised floor, power, utilities, computer peripherals, and a fully configured computer. The hot site has all the necessary hardware and critical application data mirrored in real-time. The hot site will have the capability to allow the organization to resume critical operations within a brief period of time, sometimes less than an hour.
- It is essential to note the difference between a hot and redundant site. Hot Sites can quickly recover critical IT functionality; it may even be measured in minutes instead of hours. However, a Redundant Site will appear as generally operating to the end user no matter what the state of operations is for the IT program.
Business Continuity Plan
Business continuity plans are plans put in place to ensure that the critical parts of business remain functional and generate revenue as the disaster recovery measures are taking effect. BCPs also have a preventive arm, where incoming threats are handled and mitigated before they hit, while the business remains ongoing. The results of risk can be detrimental and far-reaching for a company, mainly when the risks directly affect the clients. A sound BCP can make a business resist failure in the face of a disaster by increasing its chances of withstanding the sudden changes brought about by the threat. A company’s resilience and recovery efficiency are, therefore, dependent on how foolproof their BCP is, and how much the members of each department can adapt to its implementation.
Critical Business Functions Recovery Process
Perhaps the most vital part of a BCP is an efficient recovery process for the aspects of the business that are considered crucial for its survival. In the case of Health Network Inc., the main elements critical to the company are its websites, the client information, the systems involved in linking their clients to each other, and those enabling the payment transactions. For this reason, part of the recovery process would be re-launching the vital software, replacing damaged hardware, using the backup data to gain access to client information, and ensuring the critical employees are kept on duty to keep their responsibilities running. All data protection protocols should be reinstalled and reinforced to ensure they do not malfunction while the business recovery process is still ongoing.
Activating Remote Continuity of Critical Functions
For cases where the disaster involves damage to or inaccessibility of offices, the critical functions should go through a preset activation protocol to enable the essential employees to run their duties remotely. This aspect of recovery ensures that all vital services of the business remain active even as the physical offices undergo rehabilitation. Activating remote continuity means that the business functions will be run outside of the usual local area network domains. For such cases, the BCP should include a protocol that allows employees to have remote access to the company data. Setting up a secure network for remote access should be an integral part of the company’s risk management plan.
Disaster Recovery Plan
The DRP includes the implementation of processes put in place to ensure that the business fully recovers from a disaster and resumes normal operations. DRP execution is a costly venture, mainly when it results in the loss of business, client loyalty, essential data, or valuable resources. The recovery plan should, therefore, consider all possible scenarios of the different kinds of disasters and make a priority plan for the systematic resumption to full operation. Part of the DRP should include a reliable source of funding for its implementation. The sources could consist of insurance policies, disaster management kitty, or investor funding. The choice should be dependent on the ease of accessibility of the financing when needed. Vital processes for the company’s recovery should be given priority, finalizing with the crucial but non-urgent issues.
Data Backup and Storage
Health Network Inc.’s primary business involves data management. The company’s DRP should, therefore, prioritize the recovery and reinstitution of data and data management software. For adequate recovery, there should be sufficient backup. An efficient data backup and storage system should be in place, which ensures all data history is accessible in case of a disaster that wipes out the immediately available data. The magnitude of space required to sufficiently back up all data generated by Health Network Inc. may be the reason for outsourcing the services to third-party companies. While this is an understandable move, the risk involved is high, and there is always a chance that the third-party companies are hit by the same disaster. The company should, therefore, have its own data management, backup, and storage mechanisms in place.
Computer Incident Response Team Plan
CIR Process
The CIR process follows an incident response lifecycle that should be identifiable by every department’s employees. The lifecycle begins with detection, where the threat is identified, and containment, where the spread of the danger is prevented by initiating containment response protocols. Investigation is next, which entails following the markers of the risk to identify its source and to what extent it would have affected business, followed by remediation, which includes putting measures in place to ensure the danger does not recur. Recovery follows, where the threatened systems are cleaned and put back up and running. Finally, preparation uses the information gathered from the previous threat to improve the system and prepare for any other potential risks.
Protective Measures
Health Network Inc.’s CIR protective measures should include data protection mechanisms that prevent malicious or unauthorized access to data. It should also include the protection of all technological resources against malware attacks. This could be in the form of installing firewalls and antimalware software. The LAN and internet protocols used by the company should be highly secured from access by outsiders. Identity login protocols ensure that only the employees of the company have access to the LAN and databases.
Conclusion
Risk management plans are an integral and highly important part of a company. Risks occur suddenly and can cause insurmountable damage. For Health Network Inc., the amount of personally identifiable data and health data in its possession makes it a high-risk venture, with high costs should malicious access or other risks happen. Having an RMP ensures that the company has measures in place to mitigate all foreseeable sources of threats. It also ensures that data is not lost in case of an unforeseeable event. Recovery processes are put in place to ensure that the company can bounce back and resume operations following a disaster. A sound and up-to-date RMP is, therefore, an asset to Health Network Inc., and should be implemented for the success and longevity of the company.