Risk Management
Security risk assessment and treatment for HealthTalk.
Risk Management Framework
Based on ISO 27005 and ISO 14971 (medical device risk management).
Risk Assessment Process
1. Context Establishment
- Define scope and boundaries
- Identify stakeholders
- Establish risk criteria
- Define risk acceptance levels
2. Risk Identification
Sources of risk:
- Threat analysis
- Vulnerability assessment
- Asset inventory review
- Incident history
- Regulatory requirements
3. Risk Analysis
Risk calculation:
Risk = Likelihood × Impact
Likelihood Scale:
- Level 5: Almost certain (90% or higher)
- Level 4: Likely (50-90%)
- Level 3: Possible (10-50%)
- Level 2: Unlikely (1-10%)
- Level 1: Rare (below 1%)
Impact Scale:
- Level 5: Critical - Service unavailable, data breach
- Level 4: Major - Significant disruption
- Level 3: Moderate - Limited disruption
- Level 2: Minor - Minimal impact
- Level 1: Negligible - No real impact
4. Risk Evaluation
Risk Matrix:
- High Likelihood + High Impact = Critical
- High Likelihood + Medium Impact = High
- High Likelihood + Low Impact = Medium
- Medium Likelihood + High Impact = High
- Medium Likelihood + Medium Impact = Medium
- Medium Likelihood + Low Impact = Low
- Low Likelihood + High Impact = Medium
- Low Likelihood + Medium Impact = Low
- Low Likelihood + Low Impact = Low
5. Risk Treatment
Treatment options:
- Mitigate - Implement controls
- Transfer - Insurance, contracts
- Avoid - Eliminate the risk source
- Accept - Documented acceptance
Risk Register
All identified risks are tracked in the risk register with:
- Risk description
- Current controls
- Residual risk level
- Treatment plan
- Owner and timeline
Review Cycle
- Full risk assessment: Annual
- Risk register review: Quarterly
- Triggered reviews: After incidents