The resources required to carry out a detailed risk analysis can be very significant, both in terms of skilled manpower and elapsed time. Competing demands for these resources in health care often make it difficult to justify such an investment. Experience of conducting a number of detailed risk analysis studies in various health care establishments (HCEs) in different European countries as part of the SEISMED project has been used to develop a specific approach to risk analysis which is simple to use and produces speedy results. Recommendations on security measures appropriate to the assessed level of risk are included.
The objective of SEISMED (a Secure Environment for Information Systems in MEDicine) was to develop a consistent, harmonised framework for the security of medical data throughout Europe. The specific technical proposals of SEISMED are supported by a high level security policy which describes the underlying principles.
The method of risk analysis has been designed to be applied by technical staff acting as security reviewers. However, the user community will have a significant role to play in providing the basic information necessary for a proper understanding and quantification of the risks. The involvement of users and of the technical staff who carry out the review implies the commitment of resources. This can only be achieved with the support of management, whose role will be to make resources available and to provide the support and authority that allow the review to proceed effectively. Reviewers should ensure that sufficient time is devoted to securing management commitment to the project and obtaining authority to carry it out. Accompanying guidelines are provided for management and for end users.
These guidelines explain the basic theory of risk analysis in terms of the consequences of failures in security combined with the likelihood of events which could bring about such failures. No one can afford to be complacent about the risks faced by their IT systems and the consequences for the organisation as a whole. Nor should they react blindly to possible problems of which they have an imperfect understanding. Risk analysis provides that proper understanding and improves the quality of decisions on what constitutes appropriate security. A specific approach to risk analysis is described and the management role in ensuring its success is emphasised. The results will be a profile of risks across a range of issues and a package of countermeasures to meet those risks. Where there are insufficient resources to apply all those measures, at least in the first instance, reviewers will need to consult with management and users on which risks should be met and to what extent, and which risks should be accepted.
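The consequence-times-likelihood reasoning described above, carried through as a small worked example. This is an added illustration, not part of the SEISMED guidelines: the ordinal scales, thresholds, sample issues, countermeasures and costs are all constructed here, and the budget-limited allocation is one simple way of showing which risks end up as candidates for acceptance when resources are insufficient.

```python
from dataclasses import dataclass

# Ordinal rating scales (constructed for this illustration; the guidelines
# define their own). Risk is modelled as consequence combined with likelihood.
CONSEQUENCE = {"negligible": 1, "minor": 2, "serious": 3, "severe": 4}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4}


@dataclass
class Issue:
    name: str          # security issue identified during the review
    consequence: str   # rating of the impact if security fails
    likelihood: str    # rating of how likely the triggering event is
    measure: str       # recommended countermeasure (constructed)
    cost: int          # relative cost of the measure in resource units


def risk_score(issue: Issue) -> int:
    """Combine consequence and likelihood into a single ordinal score."""
    return CONSEQUENCE[issue.consequence] * LIKELIHOOD[issue.likelihood]


def risk_level(score: int) -> str:
    """Map a score onto a coarse level (thresholds are assumptions)."""
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def risk_profile(issues: list[Issue]) -> dict[str, str]:
    """Profile of risks across the range of issues reviewed."""
    return {i.name: risk_level(risk_score(i)) for i in issues}


def countermeasure_package(issues: list[Issue], budget: int):
    """Fund measures in descending risk order until the budget is used up.
    Returns (applied, deferred); deferred risks are the ones management and
    users must decide whether to accept or fund later."""
    applied, deferred, remaining = [], [], budget
    for issue in sorted(issues, key=lambda i: (-risk_score(i), i.name)):
        if issue.cost <= remaining:
            applied.append(issue)
            remaining -= issue.cost
        else:
            deferred.append(issue)
    return applied, deferred


# Constructed sample issues for a hypothetical hospital ward system.
SAMPLE_ISSUES = [
    Issue("patient records read at shared ward terminal", "severe", "likely",
          "individual logins and automatic screen lock", 3),
    Issue("lab results altered in transit", "serious", "possible",
          "message integrity checks on lab interface", 4),
    Issue("backup tapes lost in transport", "serious", "unlikely",
          "encrypted backups and sealed transport", 2),
    Issue("printouts sent to wrong printer", "minor", "unlikely",
          "named printer queues per ward", 1),
]
```

With a budget of 6 units the highest risk is funded first, but the medium-rated lab interface measure is deferred because its cost exceeds what remains, even though two cheaper, lower-scored measures still fit; that deferred item is exactly the kind of risk the guidelines say must be put to management for an explicit acceptance decision.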