Introduction
The recent past has seen a significant increase in information systems security threats, and this has also increased the potential threats to healthcare information systems (Samy, Ismail & Ahmad, 2009). Hospital information such as patient records is being digitalized, which further increases the danger of that information being stolen or compromised. As such, information security has become a priority for managers of health systems across the globe. Despite this priority, health systems remain exposed to a variety of threats; the common ones include unintentional actions, insider misuse and accidental events (healthinformatics, 2017). Apart from their potential to damage health information systems severely, security threats may also compromise integrity and confidentiality (Narayana Samy et al., 2010). It is therefore important for healthcare organizations to carry out risk assessments of their information assets constantly. Many tools are available for such assessments, one of them being the OCTAVE Allegro process. The current report presents a risk evaluation and assessment study of the George Washington University Hospital using the OCTAVE Allegro process, with the main focus on the first four steps.
The OCTAVE Allegro process
The OCTAVE method facilitates the assessment of an entity’s information security needs. OCTAVE Allegro is the latest method on the OCTAVE platform, and its main focus is on information assets. With this approach, an organization identifies its key information assets, which are then assessed for threats. The first four steps are establishing risk measurement criteria, developing an information asset profile, identifying information asset containers and identifying areas of concern.
The George Washington University Hospital
The George Washington University Hospital is one of the most technologically advanced healthcare providers in Washington DC. The hospital has a wide range of the latest medical equipment and has also invested in the latest information technologies. As a result, the hospital has been able to provide advanced and innovative healthcare in an environment that is both warm and friendly. The hospital’s mission is “to provide the highest quality healthcare, advanced technology, and world-class service to our patients in an academic medical center dedicated to education and research” (gwhospital, 2017). Like many other healthcare facilities in the world, the George Washington University Hospital information system is also exposed to the security threats that have increased significantly in the recent past. To ensure that any vulnerability to those threats is discovered and addressed, a risk assessment study using the OCTAVE Allegro method should be conducted. This paper focuses on the first step of the OCTAVE Allegro process, which is establishing risk measurement criteria.
Step 1: Establishing Risk Measurement Criteria
This step involves identifying a qualitative set of measures and then prioritizing the identified measures based on their importance. For George Washington University Hospital, the impact areas considered are reputation, safety and health, productivity, and fines and legal penalties. It is against these impact areas that the impact of risks on the hospital will be evaluated. Specific impact areas are further identified for each of the major impact areas. For reputation, the key areas assessed are reputation from the patients’ perspective, reputation from the staff’s perspective, and occupancy rates. For safety and health, the impact areas assessed are health, life and safety. Under productivity, the focus is on bed turnover rates and staff hours. Investigations, fines and lawsuits are the areas considered under fines and legal penalties. In terms of prioritization, reputation is given the first priority, safety and health the second, productivity the third, and fines and legal penalties the fourth. The impact areas are prioritized based on the costs they might make the hospital incur and their connection to the different services offered at the hospital. Reputation is given the first priority because of the devastating effect a negative reputation can have on the hospital’s operations: a bad reputation not only makes the hospital unattractive to patients, but may also result in increased scrutiny from the authorities. Safety and health is given the second priority since it is one of the reasons the hospital exists; the professionals are meant to ensure the well-being of the patients while at the same time remaining in good health themselves as they dispense their services. The hospital employs highly qualified and hardworking individuals.
As a result, it does not have many productivity challenges, which is why productivity is given the third priority. George Washington University Hospital has always been keen to operate within the set rules and regulations, so it has faced very few issues when it comes to fines and legal penalties. As such, fines and legal penalties are given the fourth priority. The following tables present the risk measurement criteria for each of the identified impact areas.
Worksheet 1: Risk Measurement Criteria - Reputation

| Impact Area | Low | Moderate | High |
|---|---|---|---|
| Reputation from the patients’ perspective | The hospital’s reputation among patients suffers very little negative impact. Very little or no effort is necessary for the reputation to recover. | The hospital’s reputation among patients suffers considerable damage. Patients become suspicious of the hospital and choose to be referred elsewhere. Admission rates start declining by between 1% and 5%. The cost of reputation recovery is not less than $150,000. | Severe damage to the hospital’s reputation among patients. Many patients choose to seek healthcare services elsewhere, and those present start refusing the doctors’ recommendations. The total cost of reputation recovery is over $500,000. |
| Reputation from the staff’s perspective | The hospital’s reputation among the healthcare professionals working within the hospital and other staff members suffers very little negative impact. Very little or no effort is necessary for the reputation to recover. | The hospital’s reputation among the healthcare professionals working within the hospital and other staff members is significantly damaged. Physicians start quitting the organization, with turnover rates increasing by between 1% and 5%. | The hospital’s reputation among the healthcare professionals working within the hospital and other staff members is severely damaged. A sizeable number of professionals are considering leaving the hospital. The number of those seeking to work at the hospital also declines by a considerable margin. |
| Other: Occupancy rates | The rate declines by less than 1.5%. | The rate declines by between 1.5% and 5%. | The occupancy rate declines by more than 5%. |
Worksheet 2: Risk Measurement Criteria - Productivity

| Impact Area | Low | Moderate | High |
|---|---|---|---|
| Bed turnover rates | A decrease in the hospital bed turnover rates of less than 3%. | A decrease in the bed turnover rates of between 3% and 6%. | A decrease in the bed turnover rates of more than 6%. |
| Staff hours | Labor costs increase by less than $120,000 as a result of staff work hours. | Labor costs increase by between $120,000 and $600,000 as a result of staff work hours. | Labor costs increase by more than $600,000 as a result of staff work hours. |
| Other | | | |
Worksheet 3: Risk Measurement Criteria - Safety and Health

| Impact Area | Low | Moderate | High |
|---|---|---|---|
| Health | Very little degradation in the health of staff and clients, with a recovery period not exceeding 2 days. Associated costs less than $120,000. | Considerable but treatable degradation in the health of staff and clients, with a recovery period of between 2 and 7 days. Associated costs between $120,000 and $600,000. | Severe degradation in the health of staff and clients, with a recovery period of more than 7 days. Associated recovery costs more than $600,000. |
| Life | No significant threat to the lives of clients and staff members. No regulatory response. | The lives of clients and staff members are threatened. Recovery is possible after treatment, and the regulatory response is minimal. | Clients’ and staff members’ lives are lost. The regulatory response is significant, with the hospital incurring significant costs. |
| Safety | The safety of staff members and clients comes under scrutiny. No regulatory response. | The safety of clients and staff members is significantly affected. The regulatory response is minimal. | The safety of staff members and clients is violated. The regulatory response is significant and even involves investigations. |
Worksheet 4: Risk Measurement Criteria - Fines and Legal Penalties

| Impact Area | Low | Moderate | High |
|---|---|---|---|
| Investigations | No questions from investigating authorities. | Records or information requested by investigating authorities. | In-depth investigation initiated by the investigating authorities. |
| Fines | Fines levied do not exceed $120,000. | Fines levied are between $120,000 and $400,000. | Fines levied are more than $400,000. |
| Lawsuits | Lawsuits filed against the hospital cost not more than $120,000. | Lawsuits filed against the hospital cost between $120,000 and $750,000. | Lawsuits filed against the hospital cost more than $750,000. |
Worksheet 5: Impact Area Prioritization Worksheet

| Priority | Impact Area |
|---|---|
| 1 | Reputation |
| 2 | Safety and health |
| 3 | Productivity |
| 4 | Fines and legal penalties |
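The worksheets above define numeric thresholds for several criteria and a priority order for the four impact areas. The following Python script is an added example, not part of the original report: it encodes those thresholds and the Worksheet 5 ranking, classifies constructed measurements into Low/Moderate/High, and combines them into a relative risk score using the OCTAVE Allegro convention (impact area rank weight multiplied by the impact value Low=1, Moderate=2, High=3, summed over areas; the rank weight of 4 for the top priority is the usual five-area scheme adapted to four areas). The handling of values that land exactly on a worksheet boundary, and the rule that an area takes the worst level among its criteria, are assumptions made here; the worksheets do not settle either point. The criterion names and the scenario values are constructed for illustration.

```python
"""Relative risk scoring against the report's worksheet thresholds.

Added example; the thresholds are those stated in Worksheets 1-4 and the
priority ranking is that of Worksheet 5. The scoring convention (rank weight
times impact value) follows the OCTAVE Allegro worksheets and is an assumption
adapted to four impact areas rather than the usual five.
"""
from dataclasses import dataclass

LEVEL_VALUE = {"Low": 1, "Moderate": 2, "High": 3}

# Worksheet 5 priority ranking (1 = highest priority).
PRIORITY = {
    "Reputation": 1,
    "Safety and health": 2,
    "Productivity": 3,
    "Fines and legal penalties": 4,
}


@dataclass(frozen=True)
class Criterion:
    """A numeric criterion: values at or above moderate_from are at least
    Moderate, values strictly above high_above are High."""
    area: str
    moderate_from: float
    high_above: float

    def level(self, value: float) -> str:
        # Assumption: a value exactly on a worksheet boundary (e.g. $120,000
        # or $400,000 for fines) is placed in the Moderate band, since the
        # worksheets do not say which side of the line such a value falls on.
        if value > self.high_above:
            return "High"
        if value >= self.moderate_from:
            return "Moderate"
        return "Low"


# Numeric thresholds taken from Worksheets 1-4 (criterion names are constructed).
CRITERIA = {
    "admission decline %":    Criterion("Reputation", 1.0, 5.0),
    "occupancy decline %":    Criterion("Reputation", 1.5, 5.0),
    "bed turnover decline %": Criterion("Productivity", 3.0, 6.0),
    "extra labor cost $":     Criterion("Productivity", 120_000, 600_000),
    "health recovery days":   Criterion("Safety and health", 2, 7),
    "fines $":                Criterion("Fines and legal penalties", 120_000, 400_000),
    "lawsuit cost $":         Criterion("Fines and legal penalties", 120_000, 750_000),
}


def rank_weight(area: str) -> int:
    """Highest priority gets the largest weight: priority 1 of 4 -> weight 4."""
    return len(PRIORITY) + 1 - PRIORITY[area]


def area_levels(measurements: dict) -> dict:
    """Map each impact area to a level. Assumption: the worst level observed
    among an area's criteria governs the whole area; areas with no
    measurement default to Low."""
    levels = {area: "Low" for area in PRIORITY}
    for name, value in measurements.items():
        crit = CRITERIA[name]
        lvl = crit.level(value)
        if LEVEL_VALUE[lvl] > LEVEL_VALUE[levels[crit.area]]:
            levels[crit.area] = lvl
    return levels


def relative_risk_score(levels: dict) -> int:
    """Sum of rank weight x impact value over all impact areas (range 10..30)."""
    return sum(rank_weight(a) * LEVEL_VALUE[l] for a, l in levels.items())


# Constructed scenario (not from the report): an incident that dents occupancy,
# requires some overtime, and draws a regulatory fine.
SCENARIO = {
    "occupancy decline %": 2.0,     # Moderate under Worksheet 1
    "extra labor cost $": 90_000,   # Low under Worksheet 2
    "fines $": 450_000,             # High under Worksheet 4
}

if __name__ == "__main__":
    levels = area_levels(SCENARIO)
    for area in sorted(levels, key=PRIORITY.get):
        print(f"{area:26} {levels[area]:9} weight={rank_weight(area)}")
    print("relative risk score:", relative_risk_score(levels))
```

Because reputation carries weight 4 while fines carry weight 1, a Moderate reputation hit contributes more to the score (8) than a High fine (3); that ordering is exactly what the Worksheet 5 prioritization is meant to express when areas of concern are later compared against each other.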
References
- Gwhospital. (2017). About George Washington University Hospital. Retrieved from https://www.gwhospital.com/about
- Health informatics. (2017). Top 4 Threats to Healthcare Security. Retrieved from http://healthinformatics.uic.edu/resources/articles/top-4-threats-to-healthcare-security/
- Narayana Samy, G., Ahmad, R., & Ismail, Z. (2010). Security threats categories in healthcare information systems. Health Informatics Journal, 16(3), 201-209.
- Samy, G. N., Ahmad, R., & Ismail, Z. (2009). Security threats in healthcare information systems: A preliminary study.