A risk management approach to the security of hospital information systems.

Risk management in today's technologically advanced health care system demands proactive rather than reactive strategies. Risk management is defined as a planned program for liability control and involves the identification, analysis and evaluation of legal risks followed by strategies to reduce or eliminate these risks. The concept of risk management is most often associated with quality assurance and direct patient care activities. For current purposes, the risk management concept is borrowed from arena of patient care and applied to the security measures surrounding hospital information systems. In this context, risk management/liability control is viewed as proactive activities designed to protect both the hospital information system and the confidentiality of patient information.