

In this chapter, you will learn to

  • Understand the basics of risk-based decision making

  • Look at leading information risk management frameworks for their use in healthcare

  • Comprehend the concept of risk tolerance and methods of handling residual risk

  • Address categories of information asset controls

  • Know the importance of communicating risk management activities and findings

  • Learn how to support third-party relationships and minimize their risk to the healthcare organization

The concept of risk in healthcare organizations has several definitions depending on where you work. From a clinical perspective, risk is the measurement of the quality and safety of the healthcare provided. Risks that expose patients to harm are identified, and actions are taken to prevent or control them. Because here we are concerned with information protection, risk is defined as the potential harm caused by a purposeful or accidental event that negatively impacts the confidentiality, integrity, or availability of the information. Information risk can also result in patient harm. As you read this chapter, note that the term risk will refer to information risk unless otherwise specifically mentioned. We cover the organized, systematic approach to managing risk and decision making in information protection. There are several frameworks for doing this important work. Once you understand what your risks are, you can begin to decide what you want to do about them. We cover several approaches to managing risk. For example, organizations must decide whether to mitigate, accept, or transfer risk. There are a few other approaches to managing risk that we will introduce. In the end, your role is to measure the risk and communicate the alternatives to leadership with regard to how information protection integrates with business strategy, clinical practices, and third-party relationships.

Using Risk Management to Make Decisions

Making decisions about managing information requires a systematic and organized approach. Otherwise, emotions or personal preferences can influence actions and actually increase the chances of an event happening or increase the extent of the impact. No matter what format you ultimately choose to make decisions about risk, you must use some methodology. Before we introduce some of the leading risk frameworks, we need to define the following terms:

  • Threat: A specific source of information loss or damage relevant to your organization

  • Vulnerability: A weakness that may expose the organization unnecessarily to the threat

  • Probability: The likelihood that a threat can happen (increased based on vulnerability)

  • Impact: The extent of damages expected from a threat event happening

  • Mitigation and controls: Actions or processes put in place to either prevent (control) or lessen (mitigate) the impact of exploited threats

When structuring a decision that measures risk around these variables, you can use a risk management framework, discussed next, to weight cost against benefit or risk versus reward. In all cases, you can ensure that you are implementing controls that are relevant and cost-effective to ...
