Risk Profile: Information Management/Technology – System/technology failure

Risk Profile: Information Management/Technology – System/technology failure (PDF version)

Failure of critical biomedical technology, information systems, networks, hardware and communication technology can lead to unscheduled downtime, service interruptions, communication breakdown, missing important clinical information, productivity loss, excessive workloads, etc. Technology failure can significantly compromise patient care and lead to patient safety issues. This document contains information entered by your peers in the Risk Register application to help you manage this risk.

Ranking/ratings[1]

  • Likelihood – average score 3.75
  • Impact – average score 3.75

The Risk Register allows for risks to be assessed on a five-point likelihood and impact scale, with five being the highest.

Key controls/mitigation strategies

  • Operation/technical
    • Regular monitoring and updates to systems, software patches and security notifications
    • Business impact identification and analysis of critical processes and applications
    • Virtual server management, firewall, anti-virus, anti-spyware, intrusion detection system
    • Regular preventative maintenance of all systems and equipment
    • Third-party hosted services (e.g. Tier 1 data centre)
  • Business continuity and recovery
    • Comprehensive business continuity or disaster recovery plans in place for all systems
    • System downtime processes and protocols (for all programs and services) with temporary solutions and after-hours protocols
    • Redundancy in power grid and backup generator, ensure critical systems are connected to emergency power system
    • Redundancy in critical communication components, network and network switching technology
    • Regular backup of data, files, equipment and systems (e.g. offsite/offline tape and electronic backup solutions)
    • Data/system recovery drills and tests
    • Harmonization of all relevant policies and procedures with respect to downtime protocols and contingency planning
  • Vendor management
    • Strong vendor management program and contracts with emphasis on optimal operations and timely support to avoid failures
    • Reliable hosted services
  • Communication/education/training
    • Effective communication strategy to ensure business continuity and downtime protocols are well understood by appropriate personnel
    • Inclusion of all staff, volunteers, students and physicians in education and training
    • Regular training on acceptable and safe technology usage
    • Education for all staff on recognizing harmful emails with malicious links and attachments
  • Strategic
    • Capital planning to replace aging systems and invest in new technology
    • Disaster recovery site equipped with critical applications and services
    • External strategic partnerships (e.g. Ministry of Health, associations, community groups) on issues such as disaster recovery and common information systems/technology issues

Monitoring/indicators

  • Unplanned system downtime
  • Obsolete systems and equipment still in use
  • Staff complaints
  • Internal and external system security audit results
  • Automated network monitoring, system alerts of technology issues
  • Recalls and warnings
  • Data/system recovery test results
  • Industry news, security reports, patch notifications, system updates
Note: Technology failure can occur as a result of intentional or unintentional breach of systems and networks. For more information, please refer to the Risk Profile, Information Management/Technology – Breach/loss of onformation.

[1] As of January 1, 2017

Note: information presented in this document has been taken from the shared repository of risks captured by HIROC subscribers participating in the Integrated Risk Management program.

© 2017 HIROC. For quality assurance purposes.