The information systems under your control may be exposed to unauthorised access, fraud, other abuse or misuse or even major disaster.

Senior management is often unaware ofhow poorly protected their information systems really are. Experience of examining the security issues in a number of health care establishments (HCE) across Europe strongly suggests that much is needed to be done to improve the security of health care systems to a level which management itself would find acceptable.

The objective of SEISMED (a Secure Environment for Information Systems in MEDicine) was to develop a consistent, harmonised framework for the security of medical data throughout Europe. The specific technical proposals of SEISMED are supported by a high level security policy which describes the underlying principles.

Part of the overall SEISMED process was the development of a relatively fast and simple method for understanding the risks faced by IT systems in a health care environment and the measures which could be taken to counter those risks. The relevant risks were identified from the results of risk analysis exercises carried out as part of the SEISMED project at a number of health care establishments across Europe. The risk analysis method proposed in this guideline has evolved from that work and is described in detail in the accompanying guideline “Guidelines on IT Security Risk Analysis for IT and Security Personnel”. A separate guideline is available for system users.

Whilst the resultant method will be applied by technical staff acting as security reviewers, the user community will have a significant role to play in providing the basic information necessary to a proper understanding and quantification of the risks. The involvement of users and the technical staff to carry out the review implies the commitment of resources. This can only be achieved with the full support of management whose role will be to make resources available and provide the support and authority to allow the review to proceed effectively.

These guidelines explain the basic theory of risk analysis in terms of the consequences of failures in security combined with the likelihood of events which could bring about such failures. No one can afford to be complacent about the risks faced by their IT systems and the consequences for the organisation as a whole. Nor should they react blindly to possible problems of which they have an imperfect understanding. Risk analysis provides that proper understanding and improves the quality of decisions on what constitutes appropriate security. A specific approach to risk analysis is described and the management role in ensuring its success is emphasised. The results will be a profile of risks across a range of issues and a package of countermeasures to meet those risks. Where there are insufficient resources to apply all those measures, at least in the first instance, management’s task, in combination with Health Professionals and other users, will be to decide which risks should be met and to what extent, and which risks should be accepted.

It is important to understand the nature of risk in automated information systems. It requires particular training and expertise and attention needs to be given to the selection of those appointed to carry out a risk analysis exercise. Because of the specialised resources required and the elapsed time it may take to develop the required results, some alternative lines of action may be pursued as an interim measure.