
Risk Assessment and Analysis

Last reviewed: May 26, 2015

Risk Analysis and the Security Survey

The following risk analysis and security survey report will be centered on the hospital as an organization. Vulnerabilities can be classified as crime opportunities, opportunities for breaking rules and regulations, opportunities for profiting and also for loss. By definition, vulnerability can be a gap or a weakness inside a security program that might be exploited by opponents to acquire unlawful access. Vulnerabilities include procedural, human, structural, electronic as well as other elements that offer opportunities to damage assets (Vellani and Owles, 2007).

A vulnerability assessment can be classified as a systematic method utilized to evaluate an organization's security position, assess the efficiency of current security infrastructure, and recognize security limitations. The basic approach of a Vulnerability Assessment (VA) first measures what precise assets require protection. Subsequently, the VA recognizes the protection measures already being used to protect those assets, as well as what limitations exist in their protection. Lastly, the VA evaluates the security program's efficiency against valid protection metrics and offers suggestions for improvements to those in charge of security. In essence, a VA helps an organization's security managers figure out whether they need added security systems, tool upgrades, procedure and policy revisions, opportunities for training, or additional manpower. The VA recognizes security limitations that might be misused by an adversary to gain access to the organization's assets (Vellani and Owles, 2007).

An asset's vulnerability is established by its weaknesses in operational procedures and processes, weaknesses in physical security apparatus, as well as technical limitations that can be misused by opponents. Vulnerability assessments are utilized to recognize these limitations through a security survey. A security survey is therefore a fact-finding procedure whereby the evaluation team collects information that mirrors the how, what, where, who, when, and why of an existing security program. The goal of the security survey is to gauge the facility's vulnerabilities by determining what opportunities are present to misuse security procedures and policies, the equipment being used for physical security, and security personnel (Vellani and Owles, 2007).

Vulnerability and Threat Identification

Introduction of Organization

The following risk analysis and security survey is undertaken for Brandon Regional Hospital and Brandon Hospital Annex. Brandon Regional Hospital (BRA) is a fully equipped and staffed medical facility. The BRA has specialty services including the Heart & Vascular Center, the Women's Center, the Reflux Center, the Pediatric Center, the Behavioral Health Center, the Spine Center, the Orthopedic Center, and the Emergency Center. Brandon Hospital Annex conducts Human Resources and Employee Health and Education. The organization is located at Oakfield Drive in Brandon, Florida. The risk analysis and survey information was provided by Ms. Chris Taramassco, the Chief Operating Officer of the organization. The security survey was undertaken on a visit to the facilities; data gathered provided firsthand information as to how the security of the organization is arranged. In general, there are a number of risks that the Brandon Regional Hospital and Brandon Hospital Annex are vulnerable to, as partially revealed in the security survey and analysis report. However, the report will offer the top three threats to the organization. These can be described in the following section.

Brandon Hospital Risk Management

The risk management program instituted by Brandon Hospital aims to offer an integrated and harmonized approach to risk management that acts in accordance with relevant standards. It also helps the facility to enhance the safety level for patients by decreasing the incidents that create harm to visitors, patients, and personnel, as well as to the repute of the hospital and associated centers. Through the program, the hospital aims to safeguard itself from the negative outcomes of inadvertent losses associated with professional and general liability (Risk Management Plan, 2012). Under the privacy laws at the state and federal level, the information of all patients involved is expected to be confidential and protected at all costs. Any information that is released to external sources or unauthorized individuals ought to be released only as sanctioned by the laws.

It is imperative to note that all facilities and organizations face a certain level of risk that is linked to different threats. These threats might come about as a result of accidents, natural events, and even premeditated acts, resulting in havoc and harm. Irrespective of the nature of the threat, the owners of the organization have a duty and obligation to minimize or manage the risks from these threats to the greatest extent possible (Renfroe and Smith, 2010).

The basic process of a vulnerability assessment involves the following: [1] a determination of what assets are in need of protection by the facility's security program; [2] identification of the protection measures already in place to secure those assets; and [3] realization of what gaps in protection exist. In accordance with the information given from the security survey, the following are the threats and vulnerabilities that Brandon Regional Hospital and Brandon Hospital Annex face.

i. Natural Disaster -- Hurricanes

Natural disasters are threats to just about all facilities and organizations within a region that is prone to such circumstances. The main natural disaster that Brandon Hospital is susceptible to is hurricanes. When hurricanes take place, they can bring about immense damage to facilities from the impact of not just the water but also the wind forces. As a result, this can bring about failures of the utilities in place, injuries to individuals, as well as other occurrences that differ in severity from negligible to catastrophic, contingent on the strength and intensity of the hurricane (Lin et al., 2012). As mentioned by Ms. Chris Taramassco during the security survey, the health care facility is only 45 miles inland from Tampa Bay and the Gulf of Mexico. In addition, Ms. Taramassco goes on to mention that in the year 2013, the organization was faced with a natural disaster when a tropical storm hit the Tampa Bay area. Even though this event did not lead to loss of lives, it implies that the organization is vulnerable. Being not so far away from the coastal area that is prone to strong hurricanes, it can be said that weather is one of the major risks and threats that the organization faces; expected frequency is on the order of twice in ten years. The lack of destruction of the organization implies that the level of exposure of Brandon Hospital is not as severe compared to the other organizations which are located closer to Tampa Bay and the beach.

ii. Terrorism

Terrorism is another threat that Brandon Hospital faces. In the present day world, the heightened potential of terrorist attacks positions distinctive encumbrances on health care facilities and health care personnel. Hospitals and hospital personnel are nowadays obligated to be equipped to respond instantaneously to such events. Terrorism can be defined as the methodical employment of terror particularly as a way of intimidation and oppression. The eventual objective of terrorists might not be the maximum number of deaths, but to engender fear and cause disorder (Chung and Shannon, 2005).

In previous periods, terrorists might have depended predominantly on mechanical artillery to attain their objectives, but with the dawn of contemporary technology, they currently have a bigger selection of modalities to realize their purposes. There is growing acknowledgment that biological, chemical, and nuclear weapons can be formed, implemented, and dispersed to an unsuspecting population without considerable difficulty. These kinds of discharges might be unconcealed and theatrical, or clandestine and fear-inducing (Chung and Shannon, 2005). The main reasons why hospitals are susceptible to these kinds of attacks are that they harbor numerous individuals, and can therefore be an area that produces mass casualties, and that they are a source of infectious agents. Biological weapons are created from either naturally arising infectious agents such as microbes or viruses or non-replicating venoms that are formed by living creatures comprising plant life, animals, and microorganisms. These microorganisms, infections, or venoms can be adjusted or weaponized to increase their poisonousness or virulence, and in so doing get the most out of incapacitation after exposure (Chung and Shannon, 2005).

Another aspect of terrorism is that of mass casualty -- this can come in the form of the annihilation of large public buildings. Brandon Regional Hospital and Brandon Hospital Annex is a large public building that sits over 74,600 feet. These are buildings and facilities that are largely susceptible to the threat of terrorism. As mentioned by the Chief Operations Officer of the hospital during the security survey, the facility or the hospital in general is designated as a public disaster area.

iii. Theft (Physical Loss and Data Loss)

Another major threat that Brandon Hospital faces is theft from the organization. The potential for theft includes not only physical assets (ranging from drugs to equipment), but also theft of data. Referring to the information provided in the security survey, the organization faces considerable risk in terms of theft. For example, it is mentioned that cash/monetary proceeds from sales are secured in the cafeteria back office. The night manager counts the funds and makes a nightly deposit at Bank of America, located south of Brandon Regional Hospital. This shows a great deal of susceptibility to theft because the manager deposits money devoid of any security while headed to the bank. There is also the probability of the theft of equipment and apparatus found within the hospital. For instance, there might be the loss of syringes, pharmaceuticals, bandages, foodstuff from the cafeteria, and the like. Obviously, the most immediate area where theft is possible is the pharmacy or drug area. These are all items from areas within the hospital that have not been mentioned to have secure systems and procedures to ensure their safekeeping. Therefore it can be easily assumed that these instances can take place more frequently (Renfroe and Smith, 2010).

In addition, in the present day, healthcare organizations hold and manage a great deal of sensitive information. Ranging from Electronic Health Records (EHR) and patient pecuniary data to Personal Health Information (PHI), healthcare establishments hold considerable private information. They are accountable for safeguarding these important data assets from inadvertent loss or deliberate data breaches. A negative perception from patients, families, and other individuals as a result of a data breach can have long-lasting significance, reducing patient confidence and damaging an establishment's standing (Code Green Networks, 2009). Brandon Hospital operates its data virtually and all the information of visitors, vendors, and non-employees is placed into a database that is stored by the company. In the same manner, the information and data of the patients are stored by the company in a data bank. In the information provided in the security survey, it has not been mentioned whether this data is secured by the hospital. This implies that it might potentially be easy for hackers to hack into the information system of the hospital and steal confidential patient information stored by the company. In the same manner, the consumer database could also be lost due to theft of data; it could also be lost in the event of a sudden power outage if the company does not have data back-up plans in place.

Evacuation Plan

The evacuation plan established by Brandon Hospital is intended for employment in tandem with appropriate plans relating to emergencies, such as fire, explosive threat, and/or chemical threat. These plans are also used for the rare in-house or peripheral catastrophe that impacts the hospital's patients, visitors, personnel, volunteers and medical staff (The Evacuation Plan, 2014). The key factor that determines the evacuation strategy to be employed by the hospital is the kind of disaster. Three command centers are set up so as to facilitate the necessary evacuation of the hospital. The two threats mentioned above, hurricanes and terrorist threats, would necessitate a complete, and likely immediate evacuation of the hospital. The evacuation plan established by the facility appears to encompass the majority of aspects that ought to be taken into consideration. However, two of the three command centers for emergencies are inside the buildings that would need to be evacuated. This would in fact cause disorientation if there was a need for complete evacuation (The Evacuation Plan, 2014).

Annual Loss Expectancy

Considering the data gathered, it is imperative to consider the probability of the risk taking place, the assets that are impacted, and the costs that come about with every risk. Assets will have dissimilar risks related with them, and it is necessary to associate appropriate risks with each of the assets inventoried in an association or organization. For instance, there are a number of risks that affect all of the assets of a corporation, such as the risk of a colossal fire terminating a building and its contents. In other circumstances, collections of assets will be impacted by explicit risks (Shimonski, 2002). Once it has been ascertained which assets might be impacted by risks, then the probability of such risks taking place can be determined. Despite the fact that there might be several threats that could impact a business or organization, not all of them are probable. For instance, in this case, a hurricane is quite probable because of the actual physical location of the hospital in a hurricane-prone area. However, this might not be the case for another organization that is located elsewhere. As a result, it is imperative to undertake a genuine and realistic evaluation of the risks (Shimonski, 2002).

Historical data and information can offer details regarding the likelihood of a risk turning out to be an actuality within a certain period of time. For this reason, appropriate research ought to be undertaken to ascertain the likelihood of such risks in the expense being considered. By calculating and ascertaining the likelihood of a risk taking place within a year, the Annualized Rate of Occurrence (ARO) can then be determined (Shimonski, 2002). In accordance with Tan (2002), the Annualized Rate of Occurrence (ARO) can be properly defined as the projected and assessed frequency that a certain threat will take place within a year; the ARO is represented on a yearly basis. This implies that a threat or risk that takes place once in every ten years has an ARO of 0.1. On the other hand, a threat or risk that takes place ten times in every year has an ARO of ten.

After calculating the ARO for every risk mentioned, this figure can thereafter be compared to the financial loss that is linked to an asset. This is the monetary value that signifies how much money would be deemed as a loss if the risk did actually take place. This can be calculated by taking into consideration the cost of repairing or replacing such assets. For instance, if a particular piece of software malfunctioned on a network, it would be necessary to acquire or procure new software, and allocate funds and personnel to have the new software installed. Additionally, the corporation would also have to recompense for lost or hampered work time, such as personnel who cannot undertake their duties and tasks because they are unable to gain access to the network. This indicates that the financial loss would encompass the cost of new apparatus, the hourly remuneration of the individual(s) replacing the apparatus, and the cost of personnel unable to accomplish their work (down-time expenses). When the monetary value of the loss is considered, these factors comprise the total expense incurred due to the risk. This is referred to as the Single Loss Expectancy (SLE) (Shimonski, 2002). Annualized Loss Expectancy (ALE) is determined by multiplying the Single Loss Expectancy (SLE) and the Annualized Rate of Occurrence (ARO) (Tan, 2002).

The Annualized Loss Expectancy (ALE) of the risks mentioned above that Brandon Hospital faces will be calculated as shown below.

| Asset | Risk | Asset value | Exposure Factor | Single Loss Expectancy (SLE) | Annualized Frequency | Annualized Loss Expectancy (ALE) |
|---|---|---|---|---|---|---|
| Building | Hurricane | $1,000,000 | 24% | $240,000 | 0.2 | $48,000 |
| Domain Controller | Power failure and outage | $16,000 | 24% | $3,840 | 0.2 | $768 |
| Customer Database | Loss of Consumer Data due to data loss | $160,000 | 38% | $60,800 | 0.65 | $39,520 |
| Assets from the cafeteria | Physical theft | $82,000 | 75% | $61,500 | 0.65 | $39,975 |
| Company and Client Assets | Terrorism Attack | $2,000,000 | 10% | $200,000 | 0.10 | $20,000 |

According to Moreilli (2014), the last hurricane to take place in the Florida and Tampa area, including the Bay of Mexico, was in 2013 and 2014. Therefore in this analysis, it is assumed that the annualized frequency of hurricanes that can hit Brandon Hospital is twice in ten years; this results in an annualized rate of hurricane occurrence of 0.2. However, with the last hurricane not affecting the organization, the exposure factor is less than 25%. Another assumption made is that a terrorist/bomb attack would adversely impact the assets of the hospital, ranging from the building to include even the parking lot. The expected asset value is assumed to be roughly $2 million. Assumptions for theft assume a large exposure value. For theft, there is also a higher potential for occurrence, given that security seems insufficient, as provided from the security survey.
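The table and assumptions above can be checked and stress-tested in code. The following is an added example, not part of the original paper: it recomputes SLE and ALE for each row, ranks the risks, and goes beyond the text by showing how the hurricane ALE moves with the frequency assumption and how a control's net yearly benefit is derived. The function names, the 1-to-3-events-per-decade range, and the cafeteria control figures are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal as D


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: D   # AV in dollars
    exposure: D      # EF: fraction of AV lost in one event
    aro: D           # ARO: expected events per year
    stated_sle: D    # SLE as printed in the paper's table
    stated_ale: D    # ALE as printed in the paper's table

    @property
    def sle(self) -> D:
        return self.asset_value * self.exposure

    @property
    def ale(self) -> D:
        return self.sle * self.aro


# Rows transcribed from the paper's table (currency and percent signs removed).
TABLE = [
    Risk("Building", "Hurricane", D("1000000"), D("0.24"), D("0.2"), D("240000"), D("48000")),
    Risk("Domain Controller", "Power failure and outage", D("16000"), D("0.24"), D("0.2"), D("3840"), D("768")),
    Risk("Customer Database", "Loss of Consumer Data due to data loss", D("160000"), D("0.38"), D("0.65"), D("60800"), D("39520")),
    Risk("Assets from the cafeteria", "Physical theft", D("82000"), D("0.75"), D("0.65"), D("61500"), D("39975")),
    Risk("Company and Client Assets", "Terrorism Attack", D("2000000"), D("0.10"), D("0.10"), D("200000"), D("20000")),
]


def aro_from_history(events: int, years: int) -> D:
    """ARO from an observed or assumed frequency, e.g. twice in ten years -> 0.2."""
    return D(events) / D(years)


def audit(rows):
    """List every printed SLE/ALE that disagrees with AV x EF (x ARO)."""
    issues = []
    for r in rows:
        if r.sle != r.stated_sle:
            issues.append((r.asset, "SLE", r.stated_sle, r.sle))
        if r.ale != r.stated_ale:
            issues.append((r.asset, "ALE", r.stated_ale, r.ale))
    return issues


def ranked(rows):
    """Risks ordered by ALE, largest expected yearly loss first."""
    return sorted(rows, key=lambda r: r.ale, reverse=True)


def total_ale(rows) -> D:
    return sum((r.ale for r in rows), D("0"))


def ale_range(risk, aro_low, aro_high):
    """ALE bounds when the frequency estimate is uncertain."""
    return risk.sle * aro_low, risk.sle * aro_high


def safeguard_value(risk, new_exposure, new_aro, annual_cost):
    """Net yearly benefit of a control: ALE before - ALE after - cost per year."""
    ale_after = risk.asset_value * new_exposure * new_aro
    return risk.ale - ale_after - annual_cost


if __name__ == "__main__":
    print("table discrepancies:", audit(TABLE))
    for r in ranked(TABLE):
        print(f"{r.asset:28} ALE ${r.ale:,.0f}")
    print(f"total ALE: ${total_ale(TABLE):,.0f}")
    low, high = ale_range(TABLE[0], aro_from_history(1, 10), aro_from_history(3, 10))
    print(f"hurricane ALE at 1 to 3 events per decade: ${low:,.0f} to ${high:,.0f}")
    # Constructed control: cuts cafeteria theft exposure to 30% for $10,000 a year.
    net = safeguard_value(TABLE[3], D("0.30"), D("0.65"), D("10000"))
    print(f"net yearly benefit of the constructed cafeteria control: ${net:,.0f}")
```

A positive `safeguard_value` means the control costs less per year than the loss it is expected to prevent; the ranking shows where such controls are worth evaluating first.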

Recommended Actions

Execution and application of the recommended security methods, as well as structural upgrades, ought to have a constructive influence on the impact of loss; they should also have a positive effect on the ratings for vulnerability for the threats mentioned. The last phase in this risk analysis process is to re-assess ratings for threats from the perspective of recommended upgrades (Renfroe and Smith, 2010). There are a number of recommendations made for Brandon Regional Hospital and Brandon Hospital Annex to cope with the threats and vulnerabilities that it faces as an organization.

i. Hurricane Preparedness

Hospitals such as Brandon Regional Hospital play a vital role in the event of a disaster or health emergency. They are fundamental to ensuring the health and safety of individuals within its vicinity, as well as for the community at large. The hospital needs to ensure that its facilities are prepared for the event of a hurricane; it should also be able to increase its capacity to react and respond to any such natural disaster.

As mentioned by Ms. Chris Taramassco (COO of the hospital) during the security survey, the health care facility is only 45 miles inland from Tampa Bay and the Gulf of Mexico. In addition, she mentioned that in 2013, the organization was faced with a natural disaster when a tropical storm hit the Tampa Bay area. Even though this did not lead to loss of lives it clearly implies that the organization is vulnerable. The recommendation for the health care facility is, first, to invest in barriers that can partially protect the facilities from the effects of the hurricane. These are equipment and materials that the COO indicated that the organization does not have. In addition, it is important for the hospital to invest in electrical and other backup power sources to maintain full operations even after any hurricane hits (Franco et al., 2006). Hospitals become a place of refuge during natural disasters; therefore, they have to provide not only the usual and necessary standard of care for the sick patients in the hospital, but also provide for incoming patients injured during an event such as a hurricane. The organization requires power for lights, operating rooms, and all patient mechanical/electrical machinery such as dialysis machines and mechanical ventilators (Franco et al., 2006).

Another recommendation for Brandon Hospital is to have a Hospital Incident Command System (HICS). This is an organizational structure fashioned to undertake and execute response measures that are appropriate within a hospital's emergency operations plan. The entire hospital strategy includes: account of procedures and actions; an organizational chart with detailed responsibilities; an outline for incident command system situations; and includes job action slips. The HICS will enable all of the departments and areas of the hospital to be fully equipped and prepared to take action when emergency threats take place (Moynihan, 2009).

ii. Terrorism Recommendation

The United States Federal Emergency Management Agency (FEMA) supports an approach that considers all hazards in emergency preparation; this should be an incorporated plan that includes the safety approaches to terrorist actions and accidental and/or natural public health disasters. This method augments pecuniary and organizational efficacy (Chung and Shannon, 2005). FEMA recommends that hospitals prepare concurrently for terrorist occasions, in addition to more probable public health disasters such as tornadoes, cyclones, harmful material occurrences, and infectious epidemics such as severe acute respiratory syndrome (SARS) and/or the Ebola virus. The principles behind this concept are that, while precise emergencies might be different, the general situations faced in large scale public health disasters are quite similar. First, it is imperative for Brandon Hospital to have a basic plan/strategy that outlines the hospital's emergency response coordination and guidelines. This should include clear-cut plans for communication when a catastrophe materializes; it should include formation of an emergency operation center. The hospital also has to have in place specific plans that consider those threats which carry the highest risk. As well, there should be detailed strategies for bioterrorism, chemical, and nuclear attacks (Chung and Shannon, 2005).

There are a number of recommendations that focus specifically on preparation for bombings. One aspect is to consider an external explosive threat. Brandon hospital should ensure that it has installed security window films, including window retrofits, and also wire meshes on some windows. While such window security cannot halt or deter an explosive attack, they can decrease the impact of injuries and losses caused by dangerous flying glass. While window updates may not lower the level of vulnerability, the rating of impact of loss in the event of an explosive threat would improve (Renfroe and Smith, 2010). Another recommendation is to consider the possibility of an explosive inside the facility. Bearing this potential threat in mind, one recommendation for Brandon Hospital is to ensure that all packages or materials entering the hospital be screened or x-rayed. This suggestion has obvious and inherent difficulties. This is because a hospital has an immense number of daily deliveries, from food items for the cafeteria and patient kitchens, to medicines, and bandages and other items that are a part of patient care. Implementation of a routine inspection of all deliveries might diminish susceptibility to an attack. As well, the loading dock area, where packages are routinely delivered, could be centralized, and then be enhanced for greater safety. Lessening of either the effect of loss ranking or the susceptibility rating has a constructive outcome on the decrease of general risk (Renfroe and Smith, 2010).

iii. Recommended Actions for Theft (Physical Loss and Data Loss)

In accordance with Ernst & Young (2011), data loss prevention can be defined as the process of discovering and precluding loss of confidential data from an establishment's precincts for unsanctioned and unlicensed use. Data might be materially or logically taken out from the organization either deliberately or by mistake. To start with, Brandon Hospital has to ensure security controls in terms of the personnel that have access to the sensitive data and information. In accordance with the security survey given by the Chief Operating Officer of Brandon Hospital, there is no distinction between the data managers and the managers who secure the cafeteria. It is imperative for the hospital to institute data security personnel who are solely accountable for ensuring that the data possessed by the organization is secure and cannot be breached.

Cite This Paper
PaperDue. (2015). Risk Assessment and Analysis. PaperDue. https://www.paperdue.com/essay/risk-assessment-and-analysis-2150939
