Introduction
Medical Data Processing Inc. is a medical organization involved in the data processing on behalf of other health institutions in America. It has an employee base of over 50 dedicated professionals spread across five departments, i.e. administration, sales, human resource, data processing and finance department. Each department has a departmental manager and line supervisor. The company has an annual turnover of over $2, 7,000 accrued from the safe storage and dissemination of medical information to health institutions subscribed to it.
Medical Data Processing Inc. faces the risk of data loss and unauthorized access in their information systems because of lack of professional standards and effective security measures. Therefore, this calls for an elaborate risk analysis strategy, which can strengthen organizations information flow and storage.
This paper outlines the steps, which Medical Data Processing Inc. has established to address the issue of medical data loss and unauthorized access. Moreover, the paper describes ways in which the facility arrived at designing a risk plan to address the issue of data loss and unauthorized access. Further, the paper explores the steps the organization is taking to remedy the issue of data loss and unauthorized access to their information processing systems. Lastly, the paper compares the risk management practices of Medical Data Processing Inc., and other facilities providing similar services.
Risk Management
A risk can be defined as the probability of an unscheduled happening leading to dire consequences, unless it is mitigated. For established businesses like Medical Data Processing Inc., a risk means a devastating disaster in waiting; if left unchecked. Because of the sensitive services, it offers to its clientele in the health sector.
Steps Undertaken by Medical Data Processing Inc. to address the Issue of Data Loss and Unauthorized Access
Risk management is an important issue that organizations managements need to address. The risk plan existing at Medical Data Processing Inc., utilizes the right procedures and processes to manage the occurrence of risks. The facility continuously deems to execute various strategies to mitigate the danger that can arise because of data loss and unauthorized access to the organization’s information systems.
One of the steps considered to address the issue is systematic risk assessment. Systematic risk assessment is anticipated to assist Medical Data Processing Inc. to safeguard data against any unforeseen threat to its operations. Information systems manager will head systematic risk assessment. He will be responsible for overseeing; coordination of risk management, and related IS function in the organization. The IS manager will constantly, monitor capture, analyze risks-related information, and apply fitting remedies on behalf of the organization (Knight, 2009).
Another important strategy to be adopted by the facility is planning for risk mitigation. The information collected by the system manager will be used in planning for risk mitigation. This means, the data collected will be analyzed, and forecasts made for possible risk’s mitigation (Knight, 2009).
Conversely, strategy to be adopted by the organization will give the IS manager responsibilities to use his expertise and implement information processing systems that will grant organizational or operational safety. This will involve working closely with other departments to ensure all systems are working to needed standards; where there is a security breach, the IS manager will apply recommended standards and models to devise remedies.
Lastly, the organization will help in creating risk awareness among its employees. This will be through formal training at which risk issues will be discussed. Such measures will help in ensuring that there is a continuous improvement of safety measures in the organization. Continuous risk related training, will also assist all employees get involved in risk management, thus yielding good results for the organization.
Ways of Determining the Path
Determining an efficient strategy to safeguard data threat and unauthorized access is challenging. This is because; a threat can emerge without being expected. However, Medical Data Processing Inc. was determined to thwart the risks before they could happen. One of the strategy taken was involving key stakeholders in information processing unit. They comprised of the IS manager, health information handlers and data entry personnel.
The key aim was to determine the security issues of information stored in the systems. After noting many security risks on data, as pointed out by the stakeholders, the IS manager mapped out a plan on how the threat will be better handled. The agency outlined the framework on which risk planning and management was to be based. This was aimed at minimizing the effect of disaster, if it happens.
Methods Adopted by other Facilities
Various facilities dealing with medical data processing have formulated standards, which assists them in mitigating data loss and unauthorized access. Such standards are based on international data protection and access. One of the standards embraced by other facilities is the new international Standard, AS/NZS 31000. This risk assessment outlines a guideline, which an organization has to embrace in order to mitigate risk’s prevalence on their information systems.
The initial step, undertaken using this standard is identifying the risk. Risk identification involves the process of locating, recognizing and analyzing risks. It encompasses factors such as identifying risk sources. Events associated with it, the causes and the consequences the risks might have on organization information systems. In this method, risk is clearly identified; using forecasting bases such as historical data, informed or expert opinions, theoretical analysis and involving employees.
The second aspect of the standard is risk analysis. Through analyzing the causes or sources of risks, other facilities have ably applied prompt measures to protect data loss and unauthorized access to their Information processing systems, hence improving survival mechanisms and ensuring success.
Additionally, prioritizing of the course of action and providing safety precautions in case other measures do not work has been a tradition of other facilities. Having alternative methods of action is critical for ensuring business recovery in case risks strike. This has been vital for other organizations because it has assisted them in business recovery and planning.
The second strategy adopted by other facilities is organizational policies. In this method, various guidelines have been addressed by individual organizations. One of the guidelines is observing a strict policy on password security. According to Findlay (2006), the policy grants accountability to authorized users of data systems. The systems have been designed in a way that it connects the person who keys in the password and the type of data to be accessed. A policy further forbids sharing of passwords with third parties; this is to minimize the risk.
Additionally, the policy of tracking mechanism has also been part of risk mitigating measure in other organizations (Findlay, 2006). They have installed software’s, which encompasses tracking systems changes to help monitor data breach and other security issues. These tracking systems have minimized data exposure due to loss, accidental erasure or unauthorized access.
Backing of data reliably as part of HIPAA security regulation has also been used by other similar organizations. This ensures retrieval is possible when the hardware or other risk situation occurs (Findlay, 2006). Backing up data is also tested regularly to ascertain appropriate data is stored and that restoring is possible.
The third strategy adopted by other facilities is the UK Association for Project Management’s, ‘Project Risk Analysis and Management (PRAM)’ (Khatta, 2008). This strategy provides a guide for new users on project risk analysis and management. It involves studying and organizing risks on different projects. By embracing this approach, facilities are able to identify measures to prevent and minimize risks. It also Include; implementing plans to respond to risks. In addition, investigation of useful information in order to reduce uncertainties is carried out beside transferring risks and its consequences to a third party (Khatta, 2008).
Comparison of the Risks Strategies of Medical Data Processing Inc. and other Facilities
Medical Data Processing Inc risks management strategy differs slightly with other facilities providing similar services. For instance, Medical Data Processing Inc. will encompass systematic risk strategy in mitigating risks. Other facilities have already embraced the international Standard, AS/NZS 31000 Standard, and organizational policy for data protection and unauthorized access. By AS/NZS 31000 Standards, the facilities are able to identify the risk, analyze and apply safety precautions.
With organizational policy, an organization is able to provide guidelines in using passwords, devise tracking mechanism and safe backing of data. Moreover, Medical Data Processing Inc. procedures involve; a plan for risk mitigation, an IS manager using his skills in implementing information security strategy and creating awareness among employees on issues of data security. Lastly, other organizations have embraced risks management using the Project Risk Analysis and Management. This provides an opportunity for transferring risks to third parties, if it does occur.
Conclusion
Risk management is not just about threats from the external environment. It also ensures internal sources of risks are well looked into. There are international standards that provide guidelines or a blue print; making risk management easy and effective. Medical Data Processing Inc. in line with established international risk management standard such as AS/NZS 31000 will play a critical role in aligning health information systems to prevent loss and unauthorized access.
References
Findlay, D. (2006) Authenticating the Electronic Medical Record. Healthcare Risk Manager. (12), 30.
Khatta, R. S., (2008).Risk Management, New Delhi: Global India Publications.
Knight, W. K., (2009), Future ISO 31000 Standard on risk Management, ISO Focus, Web.