Risk Profile: Information Management/Technology – Breach/loss of information

Intentional or unintentional breach or loss of information can result in significant harm to patients and healthcare organizations. Breach or loss of information may result from inadequate technical controls, inadequate administrative practices, inadequate information security awareness, and cyber-attacks such as hacking, malware or ransomware attacks. This document contains information entered by your peers in the Risk Register application to help you manage this risk.


  • Likelihood – average score 3.32
  • Impact – average score 3.68

The Risk Register allows for risks to be assessed on a five-point likelihood and impact scale, with five being the highest.

Key controls/mitigation strategies

  • Information technology controls
    • User authentication (e.g. multifactor authentication)
    • Unique user IDs, strong passwords
    • Role-based access controls for network, applications and processes within applications
    • Encryption of all external hard drives, USB keys, laptops and phones
    • Intrusion detection and notification solutions
    • Penetration tests
    • Antivirus systems
    • Web and email proxy servers to protect against malware and viruses
    • Timely application of security patches and upgrades
  • Best administrative and management practices
    • Regular audit (manual and system generated)
    • Assessments on new and existing critical information systems (privacy impact assessment, threat risk assessment)
    • Formal privacy and information security policies and procedures (e.g. “lockbox”, breach protocols, mobile devices, social media, research)
    • Training, education and communication for all staff, volunteers, contractors and independent practitioners (e.g. education on phishing attacks)
    • Senior management accountability
  • Vendor management (e.g. contracts, due diligence)
    • Strong privacy and information management/security clauses in contracts
    • Assessment of organization’s privacy and information security protocols
    • Adherence to industry information security standards
    • Breach notification process


  • System audits, password audits, high-profile patient audits
  • Incidents involving:
    • Unplanned system downtime
    • Virus infection incidents
    • Breaches or unauthorized access
    • Complaints of privacy breaches (including complaints to the Office of the Privacy Commissioner of Canada)
    • Lost USB keys, external hard drives, phones, etc. (with or without encryption)
    • Inappropriate use of the internet
  • Multi-disciplinary representation in information security teams
  • Staff training (frequency, attendance)

[1] As of January 1, 2017

Note: information presented in this document has been taken from the shared repository of risks captured by HIROC subscribers participating in the Integrated Risk Management program. 

© 2017 HIROC. For quality assurance purposes.