Through a case scenario approach, this article seeks to demonstrate the inadequacies of current Risk Assessment Methodologies used today. In particular, Risk Assessment Methodologies used in a Healthcare setting fail to adequatly weigh the value of ethical and public health. Therefore different approaches, relying on different paradigms, could be used. Two possible candidates are proposed, Prospect Theory and Nash’s Equilibrium.

1. Introduction

Healthcare professionals and organisations need information. Evidence based medicine; healthcare system administration and medical research all rely on data produced throughout the system. Information systems are increasingly present in all aspects of clinical practice, in administrative functions and in many other areas. The emerging importance of the Electronic Health Record (EHR) as well as the increase in the use of information technology (IT) in healthcare activities is progressively providing access to large quantities of data concerning patients, healthcare delivery and research [1] [2] [3]. Because of this reliance on information and because information needs various technologies to carry it, information security has become an issue. Healthcare organizations, to perform optimally, with regularity, over time, need to identify the predictable [4], they need to manage risks associated to its need for information. This is what we call Healthcare Informational Risk Management (HIRM).

There are many additional factors that justify the need for HIRM. The limited availability of financial and human resources, motivates organizations to be very careful about how it allocates them. Because Information Technology (IT) can be expensive to acquire and maintain and require specialized resources, HIRM can be used as part of the solution to keep their costs under control. The nature of Healthcare imposes complex requirements for availability, integrity and confidentiality. All of these reasons and others require Healthcare organisations to implement a Risk Management program. For others, contractual requirements are a catalyst. Managing risks is paramount to accurate financial reporting and optimal decision-making [5]. For these and other motivation, there has been significant interest in the Québec Healthcare system to find a HIRM solution, expressed through Request for Proposals (RFP) published in the last year. As well, many regional jurisdictions in Canada, the Federal Government and Canada Health Infoway have shown interest in HIRM. In this article, we look at HIRM through an example in our specific local context, we therefore present an overview of the Québec Healthcare system.

2. Methodology

This discussion paper presents a research hypothesis that has emerged from on-going research being performed as a requirement for the obtention of a Doctorate degree in Clinical Sciences at the Faculty of Medecine of the University of Sherbrooke. The article uses a case scenario approach to illustrate a research problem that has evolved into a hypothesis.

3. Case scenario

3.1 Brief overview of the Québec Healthcare system

Since 1971, the Québec Health and Social Services Agency, known as the MSSS (Ministered de la Santé et de Services Socaux), has been the sole provider of Healthcare in the Province of Québec, where approximately 25% of the population of Canada reside. In 2005 it employed 269 600 individuals in 1786 worksites, representing 6.7% of the active population of Québec [6]. At the local level, 95 Health and Social Services Centers (CSSS) and associated Local Services Network (RLS) offer health and social services to a given population. In December 2004, the Act respecting local health and social services network development agencies (Bill 25) created CSSS by merging local community health centres (CLSCs), residential and long-term care centres (CHSLDs) and general and specialized hospital centres (CHSGSs). The objectives of health and social services centres are the following:

• To promote health and well-being
• To bring together the services offered to the public
• To offer more accessible, better coordinated and seamless services
• To make it easier for people to move through the health and social services network
• To ensure better patient management, particularly of the most vulnerable users

All CSSS and RLS are connected to a province-wide private network implements a top down infrastructure with a national datacenter (TCN) linking several regional datacenters (TCR), known as the RTSS [26]. Typical Information management services, like email or word processing, are provided at the local level. In some cases, databases are supported by database management systems shared (s-DBMS) among multiple establishments within a TCR. Internet access is provided at the TCN level.

3.2. Our scenario

To illustrate the problem we find in HIRM, we present a simple scenario. A resident of the Province of Québec, in the city of Montréal, accesses the RLS through a nearby community health center (CLSC) for the flu. He is very worried because he watches the news and fears that he may have Bird flu (H5N1). Arriving at the reception, his identity is verified as he presents his Québec Medicare card. At this point the resident is considered a patient (P) and goes to an isolated waiting room while his Health Record (HR) is retrieved and until the appropriate Healthcare Professional (HP) becomes available. In the CLSC, the patient’s HR is in part on a paper support (covering pre-1998 visits by the patient) and electronic format (eHR). Due to the RTSS, part of the eHR is retrieved from a local database and another portion from the s-DBMS located in the Montreal TCR. Once P has met with the HP, in this case a General Practitioner MD, blood tests are ordered, the eHR is amended to include the new information and P leaves with a recommendation for rest and hydration. The HR suspects P has a common cold and may suffer from an anixiety related disorder. Once the laboratory results are returned, a few hours later, the patient is informed via phone by the CLSC that he has a simple cold. We will expand on this scenario through the remainder of this article to illustrate our hypothesis.

4. What is Risk?

The word risk finds it’s origins in the middle-age Italian word risco, meaning sharp rock. In the 17th century, as the early insurance companies where involved in maritime shipping, risk evolved from the sharp rocks that where a source of danger for ships [11]. Since the introduction of probabilities by Pascal and the early work of Rousseau on uncertainty [11], the idea has developed that risk is something that can be studied, it is not magical nor an Act of God. The Uncertainty of the future, a condition of affairs is designated by Knight [12] in the 1920’s with the term « risk ». Later authors [13] suggest that the terms risk and uncertainty have become interchangeable, and one can often be found in the description of the other. For Browning [15], risk stems from uncertainty surrounding potential future states and the consequences of those states should they occur. In epidemiology [16], it is most often used to express the probability that a particular outcome will occur following a particular exposure. Risk is composed of the following three component parts [17]:

• Threat
• Vulnerability
• Impact

4.1 Formal Risk Assessment Methodologies

In an organisational setting, risk is managed in a mixture of formal and informal processes. Formal risk management processes are what we refer to as Risk Management, defined as the coordinated activities used by an organisation to direct and control risk. It generally includes risk assessment, risk treatment, risk acceptance and risk communication activities [7][8][9] to balance the costs of risk mitigation measures to maximize organisational benefits by protecting assets that support their mission [10].
Formal Risk Assessment Methodologies (FRAMs) determine risk as the “product” of the likelihood of a security incident affecting a particular asset and the impact cost in a qualitative paradigm. In FRAMs the likelihood (probabilities) of a threat and the severity of the impacts must be determined by individuals in the organisations. This makes them subject to how individuals perceive risk and its components. According to Savage [20], the very assignment of numerical probabilities, even if subjective, implies that it represents choice under risk. These probabilities are expressions of what is ultimately belief and seem more like uncertainty. Matters where, according to John Maynard Keynes [21], there is no scientific basis on which to form any calculable probability whatever. In the field, we have observed that the subjective nature of uncertainty may introduce internal validity problems with FRAMs. We have observed noticable differences with individual determination in vivo. We believe that this subjectivity is a potential source of error in risk assessment since there is little evidence of internal validity controls, similar to what is used in research methodologies (e.g. triangulation), in FARMs.

4.2. Validity issues in FRAMs

In an empirical analisys of risk assessment methodologies used in Québec organisations, we found little evidence of internal validy controls or that internal validity controls had been validated by the creators of these methodologies. Using validity criterias used in Clinical Research presented in Whittemore [27], illustrated on the table below, we believe that there is evidence that some criterias are not addressed.

Table 1: Primary and Secondary Criteria of Validity in Qualitative research [27]

In particular we believe that criterias of Authenticity, Integrity, Vividness, Thoroughness, Congruence and Sensitivity appear problematic in relation to FRAMs we have examined. These should warrant empirical investigation to verify. We therefore believe that it is therefore necessary to look at decions about risk are made to try to understand how this source of error can be better understood.

4.3. Decisions about risk

Models of individual preferences about risk have their historical roots in the school of social philosophy known as Utilitarianism [22], proposed in the late 18th century. In Utilitarianism, the goal of all actions is to maximize general utility, with utility defined as any quantitative index of happiness satisfying certain basic properties. Utilitarian theory, neoclassical economic theory and game theory are the basic principals of rational choice theory or RCT [23]. The fundamental core of RCT is that social interaction is basically an economic transaction that is guided in its course by the actor’s rational choices among alternative outcomes. Decisions are taken only after its benefits and costs have been weighed, considering prices, probabilities and indivual preferences. The unit of analysis is the individual decision made by an individual decision maker. RCT defines rational actions of rational individuals as occurring under several constraints:

• Scarcity of resources
• Opportunity costs
• Institutional norms
• Information

In an organisational setting, with the classic top-down management structure, the sum of these individual decisions, with different weights in respect to the position of the decision taker, are what make it function. These individuals in a social, while using RCT to maximise utility, are affected by the above mentionned constraints and by other influence of a psychological and cultural nature as well as by external pressures. Risk Assessment Methodologies mentionned previously all implement processes to account for the consideration of the abovementionned constraints of RCT in risk assessment. In short, Rational Choice Theory is the theoritical model behind these methodologies. While we believe this is more due to historial and cultural reasons rather than on epistemological positionning, it appears to be supported by empirical evidence.

5. Application of RCT to our risk scenario

In this section of our article, we present an example of HIRM using Rational Choice Theory. This expands on the scenario presented earlier. In the scenaro we presented before there are several stakeholders. The most obvious ones are the Patient (P) and CLSC Staff. As well, TCR staff that manage the s-DBMS and MSSS staff that manage the Quebec Healthcare system are also stakeholders in our scenario.

To illustrate the Expected utility (EU) for each of the stakeholder category in relation to the relative value of the information assets, se we have build the table presented below. For this purpose we have made an informed guess at the relative value using data from a previous study [24] in a scenario where the informaiton asset was divulged or destroyed (high impact). We present only the most relevant results in table 1 for convinience.

Table 2: Relative value of information assets by stakeholder category.

Let’s limit our scope to the eHR information asset. What is, in our scenario, the risk associated with the eHR. Risk, as we cited from Smith [17], consist of Threat, Vulnerability and Impact. If we consider the threat as the divulgation or destruction of the eHR and the Vulnerability as being use of the RTSS network to gain internet access to the eHR we can propose the following table.

Table 3: Impact of the divulgation of the eHR and Risk by stakeholder category

In such a scenario, the risk is function of the impact. Comparing the impact of the realisation with the non-divulgation state we are in before we added the Threat, we would estimate the risk from each stakeholder’s point of view as has indicated in the last column of the previous table. If, as we cited previuosly, the objective of Risk Management is to balance the operational and economic costs of risk mitigation measures to maximize benefits by protecting the eHR, then from the point of view of each stakeholder the justification is for low risk mitigation expenditures, with the exception of the Patient. In the case MSSS, because the aggregate the combined risk of the 7 million residents of Québec, the combined risk cand be perceived as more significant. Using RCT to maximise utility, we would expect the MSSS and the patient to give more value to protecting the eHR, while it would have less value for other stakeholders. In the field and in previous empirical research [24], we have noticed that TCR staff, when given a choice, allocated more ressources to operating performance than to Risk Management activities. At the MSSS level, the suggested high aggegated risk may supported by reality, as significant effort is devoted to ensure that the link between the TCN and the InterNet is secure.The Patients, while concerned, have little say in HIRM.

5.1. Application of a Formal Risk Assement Methodology to our risk scenario

We performed a Formal Risk Assessment, in our scenario making basic assumptions based on our knowledge of the Québec Healthcare system from a previus study [24]. This was done using IVRI™. This methodology was choosen necause it was created by the author of this article and because it is available at no cost on the Internet (www.leger.ca) so this risk assessment scenario may be duplicated. It was published in french [8] in 2003 and uses a Spreadsheet to assist the Risk Assessment, which produces the graphic presented below.

The IVRI Risk Index (IRi) was 1570 with a baseline (IB) at 727.

Figure 1 Estimated Risk by Threat category with IVRI™

By comparing the results obtained using the FRAM with the resultus of the application of RCT to our scenario, we believe that there is the appearance of congruance. A possible explanation for this is that FRAMs, such as IVRI, implements a form of RCT. This needs to be confirmed through empirical investigation. Our hypothesis is that FRAMs available today in Québec implement a form of Rational Choice Theory.

5.2. Where is the problem?

The problem that we see, having done research in the field of Healthcare Informatics, has to do with Ethics. In Healthcare, a long Ethical tradition, first expressed through the Hypocratical oath and reenforced by experice of the Nuremburg Code, has evolved to be suppported by law, Charters of rights and Codes of Deontology. The rights to privacy and confidentiality are intimately connected with the right to respect for one’s dignity, integrity and autonomy are constitutionally enshrined in the Canadian Charter of Rights and Freedoms and Quebec’s Charter of Human Rights and Freedoms [25]. They are the principal drivers of the requirement for adequate treatment of risk in healthcare organisations [26]. In assessing risk in an HIRM setting it is necessary to value Ethical considerations as well as the EUprovided by RCT. In our previous scenario, Ethical considerations, such as loss of privacy if a single patient’s information is divulged, has a relatively low Risk for the MSSS, but has a high potential of Risk for the patient, as we illustrated in Table 3.

In a review of litterature, we have identified that there are several components to risk in a Healthceare setting [27][28][29][30][31][32][33][34]:

• A requirement for formal Policies, Documentation and training;
• Privacy;
• Confidentiality;
• Integrity;
• Availability;
• Safeguards;
• Openness.

In the context we have presented, most of these components could be applicable. Either because of the leal obligations that affect the eHR, described in [35] or the ethical requirements [29], in an ideal scenario of Risk Assessment, all of these could have an influence on Risk. Of all of the components of Risk, many may not be easily assigned a value. How much value can be given to the quality of the informed consent? Perhaps a value can be put on Pivacy by refering to Jurisprudence, but it is likely to be always too low for the indivual victime and always too high for the responsible party. If we look at informed consent, we find that it may be difficult to determine, in HIRM activities, the quality of that consent. In many of these ethical issues our intuition suggests that there is no linearity between Threat and Impact but rather the Risk likely increases by increments, like a stairway with uneven steps. Because it is difficult to assign a value to these components of risk, any FRAM that use financial or replacement costs in the calculation of the Impact as a principal component of risk will necessarely undervalue all of the intangible components, components with little monetary value or difficult to perceive as an EU expressed in menetary terms. We believe there is a link between this problem and the validity issues mentionned earlier. We therefore make the hypothesis that FRAMs are, at best, of an undetermined acuracy.

6. Why not look at different approaches?

Throught a litterature review we have performed for an ongoing research project, we have identified areas of litterature that where not covered in the tradition fields of Healthcare or Information technology. This has led us to look at different theories that can be used to understand Risk Management. Looking to the field of econometric and epidemiology, we have seen evidence that there are risk assessment models that have been developped in other fields which could be applied to HIRM. We have not found any evidence that this possibility has been evaluted in the IT security litterature or in the Healthcare litterature. In our revue of litterature on risk, we have found that there are different theories that have been developped. We have also seen evidence that Game Theory is used in the field of insurance for risk calculation. So we are proposing the hypothesis that perhaps a different approach could be used to estimate HIRM. Looking in litterature, we suggest two possible condidates to replace RCT as the basis for risk assessment in FRAMs.

6.1. Possible candidate 1: Prospect Theory

According to Edwards [36], Prospect theory was formulated first by Kahneman and Tversky in 1979 as an alternative method of explaining choices made by individuals under conditions of risk, as a substitute for theory. Kahneman and Tversky realized the fact that the EU theory model did not fully describe the manner in which individuals make decisions in risky situations and that therefore, there were instances in which a decisionmaker’s choice could not be predicted. Kahneman and Tversky [37] demonstrate that subjects’ choices of lotteries exhibit a wide range of anomalies that violate EU theory and show that predictable and dramatic shifts in preference can be generated by changing the ways in which options are framed. Prospect theory can be viewed [36] as a parsimonious summary of most of the important risky choice anomalies. A HIRM approach based on Prospect Theory in wich Risk takes into account framing could be used, at least it could be possible. Futher study is required to explore this, but it shows a possibility to view risk in a different light than it is possible to do with EU.

6.2. Possible candidate 2: Nash’s Equilibrium

John Forbes Nash suggested that EU may not be the best way to describe how individuals make risky decisions. ‘Adam Smith needs revision’, as is quoted in the movie A beautifull mind. Nash [38] formally defined an equilibrium of a noncooperative game to be a profile of strategies, one for each player in the game, such that each player’s strategy maximizes his EU payoff against the given strategies of the other players. If the behavior of all the players in such a game can be predicted, then the prediction must be a Nash equilibrium, or else it would violate this assumption of intelligent rational individual behavior. Should the predicted behavior not satisfy the conditions for Nash equilibrium, then there must be at least one individual whose expected welfare could be improved by educating him to more effectively pursue his own best interests, without any other change [38]. It would appear that a Nash’s Equilibrium could better account for non monetary impacts of risk in Healtcare Information Systems, such as ethical violations because it approaches the problem as one of strategy rather than as one of probabilities. Rather than viewing risk as a function of threats, probability of realisation and impact, it views risk as a variance from a dominant strategy in a non-cooperative game between an organisation, an environnement and a third player (e.g. hackers). Approaches based on Nash’s Equilibrium have been used in Econometrics to create mathematical models of economies and in other fields to develop models to assess insurance risk. We believe that empirical research should be done to explore this possibility in HIRM. Such an approach could integrate the various monetary, non-monetary and ethical concerns of Healthcare organisations.

7. Conclusion

We are suggesting that different approaches to the HIRM problem should be considered. We believe that using a case scenario approach as we did in this article, we are able to demonstrate the likelyhood that the current approach is limited. It is our pretention that Nash’s Equilibrium could better account for non monetary impacts of risk in Healtcare Information Systems, such as divulgation of private information, loss of live or other Ethical violations. While we believe that empirical research should be done to explore this possibility, it is currently impossible to persue this hypothesis due, principally, to lack of funding. This paper intends to demonstrate, by a review of litterature, examples from different fields and discussion, that this idea has merit. Should this be proved, it could eventually significantly affect how IT Risk Management is done. Unfortunatly at this time there is no reserch funding available to persue this idea.

References

[1] Anderson JG. Security of the distributed electronic patient record: a case-based approach to identifying policy issues, International Journal of Medical Informatics, 2002, pages 111–118
[2] Safran, C., Goldberg, H., Electronic patient records and the impact of the Internet, International Journal of Medical Informatics, 2000, pages 77–83
[3] Sujansky, W., Heterogeneous Database Integration in Biomedicine, Journal of Biomedical Informatics, 2001, pages 285–298
[4] Watkins, M.D., Bazerman, M.H., Predictable Surprises: The Disasters You Should Have Seen Coming, Harvard Business review Online, 2003
[5] Stoneburner, G., Goguen, A., Feringa, A., NIST Special Publication 800-30 Risk Management Guide for Information Technology Systems, Recommendations of the National Institute of Standards and Technology, July 2002
[6] Ministère de la Santé et de la Sécurité Sociale du Québec: www.msss.gouv.qc.ca
[7] Hancock, Bill, COMMON SENSE GUIDE FOR SENIOR MANAGERS, Top Ten Recommended Information Security Practices, 1st Edition, July 2002
[8] Léger, Marc-André, Méthodologie IVRI de gestion du risque en matière de sécurité de l’information, Éditions Fortier Communications, Montréal, Septembre 2003
[9] Schumacher, H. J., Ghosh, S., A fundamental framework for network security, Journal of Network and Computer Applications, 1997, pages 305–322
[10] Myerson, Judith, Risk Management, INTERNATIONAL JOURNAL OF NETWORK MANAGEMENT, 1999, pages 305-308
[11] Beucher, S., Reghezza, M., (2004) Les risques (CAPES Agrégation), Bréal
[12] Knight, Frank H. (1921) Risk, Uncertainty, and Profit, Boston, MA: Hart, Schaffner & Marx; Houghton Mifflin Company, 1921. [Online] available from http://www.econlib.org/library/Knight/knRUP1.html ; accessed 11 December 2005
[13] Beck, Ulrich (1986) Risk Society: Towards a New Modernity, Sage Publications
[14] US Army (1998) US Army tarining manual FM100-14
[15] Browning, T. R. (1999) Sources of Schedule Risk in Complex System Development, Lean Aerospace Initiative at Massachusetts Institute of Technology, John Wiley & Sons
[16] Last JM, (2001) A dictionary of epidemiology. 4th edition. New York: Oxford University Press
[17] Smith, E., Eloff, J.H.P. (1999) Security in health-care information systems—current trends, International Journal of Medical Informatics, vol. 54, pp.39–54
[18] Jøsang, A., Bradley_, D., Knapsko, S. J. (2004) Belief-Based Risk Analysis, Australasian Information Security Workshop 2004 (AISW 2004), Dunedin, New Zealand. Conferences in Research and Practice in Information Technology, Vol. 32
[19] Cusson, R. (2002), Étude comparative des méthodologies d’analyse de risque, Conseil du Trésor du Québec
[20] Savage, L. (1954). The Foundations of Statistics. Dover, New York.
[21] Keynes, J.M. (1937) The General Theory of Empoyment, QJE
[22] Lo, A. W. (1999) The Three P’s of Total Risk Management, Financial Analysts Journal, January/February 1999, pp.13-26
[23] Levi, M. and als. (1990), The Limits of Rationality, University of Chicago Press, Chicago, Illinois in Zey, M. (1998) Rational Choice Theory and Organizational Theory: A Critique, Sage Publishing, February 1998
[24] Léger, Marc-André, Un processus d’analyse des vulnérabilités technologiques comme mesure de protection contre les cyber-attaques, Rapport d’activité de synthèse, Maîtrise en Informatique de Gestion, UQAM, Juin 2003, 110 pages
[25] CIHR (Canadian Institutesof Health Research), Secondary use of personal information in health research: Case studies, Canadian Institute of Health Research, November 2002
[26] MSSS, Ministère de la Santé du Québec, Le réseau RTSS C’est, site internet du MSSS, http://www.msss.gouv.qc.ca/rtss/, 2003
[27] Whittemore, R., Validity in qualitative research, Qualitative Health Research, vol 11, no 4, july 2001, pages 522-537.
[28] Belmont Report, Ethical Principles and Guidelines for the Protection of Human Subjects of Research, The National Commission for the Protection of Human Subjects of Biomedical andBehavioral Research, April 18, 1979
[29] WORLD MEDICAL ASSOCIATION, DECLARATION OF HELSINKI, Ethical Principles for Medical Research Involving Human Subjects, Helsinki, Finland, June 1964
[30] Nuremberg code, Directives for Human Experimentation, 1947
[31] Harkness, J., Lederer, S.E., Wikler, D., Laying ethical foundations for clinical research, Bulletin of the World Health Organization, 2001
[32] CSA (Canadian Standards Association), Model Code for the Protection of Personal Information (Q830-96) , 2003, http://www.csa.ca/standards/privacy/code/Default.asp?language=english
[33] CIHR (Canadian Institutes of Health Research), Guidelines for Protecting Privacy and Confidentiality in the Design, Conduct and Evaluation of Health Research: BEST PRACTICES, CONSULTATION DRAFT, April 2004
[34] Buckovich, Suzy A. et als, Driving Toward Guiding Principles: A Goal for Privacy, Confidentiality, and Security of Health Information, Journal of the American Medical Informatics Association Volume 6 Number 2 Mar / Apr 1999, Pages 122-133
[35] Boudreau, Christian et la CAI, Étude sur l’inforoute de la santé au Québec : Enjeux techniques, éthiques et légaux, document de réflexion, octobre 2001
[36] Edwards, K., Prospect Theory: A Literature Review, International Review of Financial Analysis, Vol. 5, No. 1, 1996, pages 19-38
[37] Laibson D., Zeckhauser, R. (1998) Amos Tversky and the Ascent of Behavioral Economics, Journal of Risk and Uncertainty, pp 7–47
[38] Myerson, Roger B. (1996) NASH EQUILIBRIUM AND THE HISTORY OF ECONOMIC THEORY, Journal of Economic Literature 36:1067-1082 (1999), revised, March 1999, accessed online on March 8th, 2006, http://home.uchicago.edu/~rmyerson/

The author wishes to thank Professors Andrew Grant and Johane Patenaude of the Faculty of medicine of the University of Sherbrooke and the CIHR Health Informatics PhD/Postdoc Strategic Training Program (Canadian Institutes of Health Research and the BC Michael Smith Foundation for Health Research) for funding and support.