A new approach to risk management in the health-care domain

This paper is devoted to the presentation of a risk-management methodology (RiMaHCoF) that is specifically tailored for the health-care environment. The proposed methodology includes five successive stages in all, namely initiation, domain analysis, risk assessment, risk analysis and domain monitoring. This paper focuses on the risk analysis stage. The RiMaHCoF (" Risk Management in Health Care – using Cognitive Fuzzy techniques ") methodology enhances risk management in the specific domain of health care in the sense that it deems the patient's health-care information, processed and stored in a typical health-care institution, to be of utmost importance to such institution. The methodology further enhances risk management in this domain in that it incorporates cognitive fuzzy-logic techniques − as opposed to quantitative techniques such as annual loss exposure (ALE) calculation − to assess and analyse the information-technology risks. In this way, it is ensured that full cognisance is taken of the intuitive nature of human observation when assessing the possible IT risks to be incurred in a health-care institution. In addition, the methodology takes into account the vagueness of the decision making process with respect to securing patient information. The cognitive fuzzy approach to the assessment and analysis of information technology risks in health care does not only identify the high-risk areas within a typical health-care institution, but also helps to manage risks by facilitating the decision-making process with respect to securing patient information. 3 1. INTRODUCTION Information technology is currently being employed in health-care environments across the globe, resulting in significant improvements in the efficiency and quality of all services rendered in this realm [1-6]. The prospect of storing health-care information in electronic form does, however, raise concerns about the risks that could be incurred. The occurrence of a risk, such as the exposure of highly confidential and sensitive health-care information to outsiders, could compromise not only the patient's privacy, but also quite literally his/her wellbeing. It is, therefore, imperative to be able to identify possible risks in good time and to implement the necessary security controls in order to protect the patient in the health-care institution. Broadly speaking, risk management can be defined as that process which can be used to identify and implement security controls that will, at best, prevent risks from occurring and, at worst, minimise their effect if they were to occur [7-9]. A number of powerful techniques (such as CRAMM) could be employed to facilitate the …