
Running head: Risk Assessment of IT systems in healthcare

Risk Assessment of IT systems in healthcare



Table of Contents

Introduction ..... 3
Major risks related to IT system components ..... 3
Consequences of technical failure ..... 4
Inherent risk assessment ..... 4
Ways to minimise the risks ..... 5
Residual risk assessment ..... 5
Risk assessment matrix ..... 6
Conclusion ..... 7
Reference ..... 8
Appendix ..... 9

Introduction

Aspen Medical, based in Canberra, Australia, provides health services internationally, with
an emphasis on helping rural and remote communities and responding to crises and emergencies.
In 2008, Aspen began providing services in remote areas of Australia by setting up RAHC to
offer primary health care to the Indigenous communities living in the Northern Territory. The
organisation has also developed the Western Australia Resources Aero-Medical Evacuation
service for several oil and gas companies operating on the North West Shelf. Aspen Medical
received the gold medal at the IMPA awards held in Poland for its contribution to healthcare in
2016 (Aspen Medical, 2019).

An information system (IS) is the formal, sociotechnical system that an organisation uses to
gather, process, store and distribute data. An information technology (IT) system is a system
made up of people and computers that processes or interprets data. An information system
therefore comprises the ICT (information and communication technology) that a company uses
together with the way people use that technology to carry out the organisation's business
processes.

Major risks related to IT system components

IT systems have undoubtedly improved the effectiveness and efficiency of the daily
activities of both individuals and businesses. Nevertheless, they have also exposed the
organisations that depend on them to highly complex and sophisticated risks, whether external or
internal in origin. It has been observed that the more dependent an organisation is on IT, the
more IT risks it is exposed to. Various studies suggest that IT risks usually arise from the
operational or technical failure of IT components. In the case of hardware, using faulty or
defective products can harm not only the other hardware and software components but also other
systems that are interconnected on the same network. For instance, although manufacturers'
warranties cover products that prove defective after purchase, an electrical short circuit in the
hardware can threaten other hardware and software systems, along with the information and data
stored in them (Jiang et al., 2019).

Consequences of technical failure

Hardware failures are among the most damaging problems that a business can face. The
inability to access the IT system because of a hardware failure can lead to a large loss of money,
time and effort. Patient record data is critical information for any healthcare organisation and is
stored in the organisation's data system. In the event of a sudden technical failure, that data
becomes inaccessible and may be lost. Worse situations arise if the data is not backed up and is
therefore lost permanently. This is a severe violation of patient trust, loyalty and confidence
(Das et al., 2017).

Inherent risk assessment

The IT systems auditor has to examine the inherent risk in an organisation. Multiple
factors can influence the level of inherent risk in an enterprise. The process of inherent risk
assessment is subjective, as the auditor must evaluate the susceptibility of the business to each
risk. IT system auditors have to consider several factors while assessing inherent risk, including
financial misstatements and inventory becoming outdated due to rapid technological
advancement. Also, the absence of an audit history makes it much harder for the auditor to
check the company's previous audit results for any misstatement of finances, which increases the
level of inherent risk in the company (Shameli-Sendi, Aghababaei-Barzegar & Cheriet, 2016).

Figure 1: Inherent Risk Assessment Rating Scale
(Source: Rothrock, Kaplan & Van Der Oord, 2018)

Ways to minimise the risks

Hardware failures arising from an irregular electrical power supply are very common.
However, this issue can be addressed by using a generator or backup battery, even if only
temporarily. Overheating can also cause technical failure in the hardware of IT systems.
Electronic components produce a considerable amount of heat, which must be carried away from
the system to prevent damage to the hardware. The solution is to keep the room temperature low
and improve air circulation throughout the room (Rothrock, Kaplan & Van Der Oord, 2018).
Loss of data, by far the most devastating impact of hardware failure, can be minimised by
establishing and keeping to a regular schedule for maintaining both the file-management and
physical-management aspects of the system. Regular checks will identify, and often rectify,
potential problems before they affect the system (Wang, Zhang & Xu, 2017).

Residual risk assessment

Residual risk is the risk that remains even after every effort has been made to identify and
eliminate risks. It is the responsibility of IT system auditors to mitigate the residual risks that
can threaten the company's system. To address them, a Risk Management Information System is
used to monitor and minimise known residual risks. However, reducing unknown residual risks
remains a major challenge for auditors (Steinbart et al., 2018). Nonetheless, while performing
residual risk management, auditors must identify and pinpoint the essential GRC (governance,
risk and compliance) elements. They should determine the strengths and weaknesses of the
company's control framework and at the same time acknowledge the risks that already exist.

Figure 2: Risk Assessment steps
(Source: Learner)

Risk assessment matrix

Probability of occurrence | Catastrophic | Serious    | Moderate | Minor
--------------------------|--------------|------------|----------|------
Very likely               | Medium       | Low        | High     | High
Likely                    | High         | Medium     | High     | High
Unlikely                  | Negligible   | Negligible | Medium   | Low
Remote                    | Low          | Medium     | High     | High

Conclusion

Thus, it is evident that even though the advent of technology and IT systems has been a
blessing, they are not immune to technical failures that can have a tremendous impact on a
business, its management and its reputation. Organisations must carry out routine risk
assessments of their IT systems to ensure that their sensitive data is not jeopardised.

Reference

Aspen Medical. (2019). Home. [online] Available at: https://www.aspenmedical.com/
[Accessed 16 Sep. 2019].

Das, S., Mukhopadhyay, A., Saha, D., & Sadhukhan, S. (2017). A Markov-based model for
information security risk assessment in healthcare MANETs. Information Systems
Frontiers, 1-19.

Rothrock, R. A., Kaplan, J., & Van Der Oord, F. (2018). The board's role in managing
cybersecurity risks. MIT Sloan Management Review, 59(2), 12-15.

Shameli-Sendi, A., Aghababaei-Barzegar, R., & Cheriet, M. (2016). Taxonomy of information
security risk assessment (ISRA). Computers & Security, 57, 14-30.

Steinbart, P. J., Raschke, R. L., Gal, G., & Dilla, W. N. (2018). The influence of a good
relationship between the internal audit and information security functions on information
security outcomes. Accounting, Organizations and Society, 71, 15-29.

Sun, X., Chakrabarty, K., Huang, R., Chen, Y., Zhao, B., Cao, H., ... & Jiang, L. (2019, June).
System-level hardware failure prediction using deep learning. In Proceedings of the 56th
Annual Design Automation Conference 2019 (p. 20). ACM.

Wang, G., Zhang, L., & Xu, W. (2017, June). What can we learn from four years of data center
hardware failures? In 2017 47th Annual IEEE/IFIP International Conference on
Dependable Systems and Networks (DSN) (pp. 25-36). IEEE.

Appendix

Figure 1

Figure 2
