Risk Acceptance Procedure

Overview

Changes to the Medical Center's computer networks, for example through the addition of a new system or the major upgrade of an existing one, result in shifts in the risks to the network that must be managed and accepted by the Medical Center. The UVa Medical Center's risk acceptance strategy depends on three key processes: conducting risk assessments, performing risk mitigation, and obtaining the informed approval of senior management.

Purpose

This standard defines how risks originating from the procurement process are assessed and approved, so that senior management for the Medical Center network uses a recorded and repeatable strategy to help control risks to the network and its business functions.

Scope

This standard applies to Medical Center System Owners, project managers, vendors, procurement personnel, senior managers, and Health IT security team members.

Description

Risk Assessment

Primarily when new systems are added to the Medical Center’s computer network, or when existing systems are upgraded to such an extent that procurement processes are triggered, the Health IT risk acceptance strategy requires that a risk assessment be completed before the new risk profile is accepted. The risk assessment should evaluate the environment of the system and identify any vulnerabilities in the system and any threats to it, in order to determine a qualitative measure of the risk posed to the organization.

Typically, new systems fall into one of four categories: black box, cloud, medical device, or standard. Each type of system is assessed according to a different set of criteria. Some systems may straddle two or more of these categories, in which case a separate assessment occurs following each of the different sets of criteria, and the overall assessment of risk is a qualitative mean of the assessments resulting from each category.

Risk Mitigation

Risk mitigation is the process of reducing the severity or likelihood of an identified risk. When a risk is identified, it is the obligation of the system and application owners to work with the Health IT security office to develop a risk mitigation plan.

Risk Acceptance and Approval

If a risk cannot be mitigated, the appropriate level of senior management must acknowledge in writing that they understand the risk to the organization. Based on the level of non-mitigation and the severity of potential loss, additional sign off by different levels of senior management may be required.


Specific Risk Assessment Processes

All Black Box Devices – Black box devices are those in which the inputs and outputs are clearly defined but the inner workings are opaque to end users and controlled by an external vendor, e.g., a vending machine. For all black box devices, the following process should be followed.

1. Standard Risk Assessment Questionnaire: The standard black box risk assessment questionnaire is completed by the vendor and sent to the Health IT security office for review.
2. Risk Assessment: The Health IT security office reviews the questionnaire and creates a risk assessment report based upon the information provided in the questionnaire.
3. Senior Leadership Risk Acceptance/Approval: Senior management reviews and accepts, or in some cases may deny, the request for black box deployment. If approved, the risk assessment report is signed by the appropriate member of senior management.

All Cloud Deployments – Cloud deployments are considered any situation where Medical Center data may be housed in a location outside the Medical Center’s physical access controls. For all cloud deployments, the following process should be followed.

1. Standard Risk Assessment Questionnaire: The standard cloud/software as a service risk assessment questionnaire is completed by the vendor and sent to the Health IT security office for review.
2. Risk Assessment: The Health IT security office reviews the questionnaire and creates a risk assessment report based upon the information provided in the questionnaire.
3. Senior Leadership Risk Acceptance/Approval: Senior management reviews and accepts or denies the request for cloud deployment. If approved, the risk assessment report is signed by the appropriate member of senior management.

Regulated Medical Devices – Medical devices are connected to the Secure Clinical Subnet (SCSN) and/or FDA network. All new acquisitions of medical devices are required to follow the procedures laid out in Medical Center Policy No. 0075: Management of medical devices used in patient care.

1. Standard Risk Assessment Questionnaire: The standard medical device questionnaire is completed by the vendor and sent to the Health IT security office for review.
2. Risk Assessment: The Health IT security office reviews the questionnaire and creates a risk assessment report based upon the information provided in the questionnaire.
3. Senior Leadership Risk Acceptance/Approval: Senior management reviews and accepts or denies the request for medical device deployment. If approved, the risk assessment report is signed by the appropriate member of senior management.

Exceptions to risk assessments for regulated medical devices – Medical devices must be reviewed before they are allowed to be plugged into the SCSN or FDA network. For those that do not meet the security standard, an exception request is required.

1. Exception Request: The Security Exception form must be completed per the SCSN standard. This may require the assistance of a PC system specialist or a department affiliate IT staff member.
2. Risk Assessment: The Security Exception Committee completes a risk assessment based on the exception request details.
3. Risk Acceptance: The Security Exception Committee approves, denies, or escalates the Security Exception Request. [See Secure Clinical Subnet (SCSN) Standard]

Standard Systems – Standard IT systems are connected to the Medical Center network but use typical operating systems and interfaces that are managed and administered by the Medical Center. All new acquisitions of standard systems must be installed and configured according to the standard security templates used by the Medical Center. This can only be done fully when the system supports all of the security features implemented on the Medical Center network.

1. Standard security exhibit: The vendors of the standard system must review the Medical Center security exhibit document, which defines all of the security features that the system must support. Any items that the vendor must change or cannot agree to are noted in the security exhibit document and returned to senior management for review.
2. Risk Assessment: The annotated security exhibit is reviewed by appropriate senior management.
3. Risk Acceptance: Senior management approves or denies the security exhibit.

Exceptions to Security Standards – Exceptions to the standard system security exhibit include any corrections that the vendor included in the exhibit to specify security standards that the system cannot support. Examples of an exception to the security standard include nonstandard patching or encryption processes.

1. Ad hoc risk assessment/exception requests: The application deployed does not meet the standard security requirements. Ad hoc risk assessments are created by the Health IT security office to address unique and specific situations. This type of risk assessment is created on a case-by-case basis.
2. Senior leadership risk acceptance/approval: Senior management reviews and accepts or denies the ad hoc risk assessment/exception. If approved, the risk assessment report is signed by the appropriate member of senior management.

Document Supporting Resources