This risk assessment identified twenty threats to information security for the use of mobile video calls between EMCCs and the public. None of these have a severe risk level (i.e., a combination of high consequence and likelihood). We have suggested ways to decrease or eliminate the risks, by proper implementation, organization, and staff training. Potential delays and poor sound quality were the greatest technical risks of mobile video calls. These threats are likely to decrease as technology improves.
Based on this risk assessment, we believe it is possible to implement videoconferencing from the public as a service in EMCCs with acceptable risks. However, some critical success factors of information systems in the organization will only be discovered during the implementation process [22]. A change in work environment may impose unacceptable loads on human cognitive abilities and potentially lead to errors, especially in a transition phase when new routines are being adopted [23]. When introducing a new service in the high stress environment of EMCCs, the process should therefore be closely monitored for unwanted incidents, even if unacceptable risks have not been identified at earlier stages. Risk assessment should be repeated at regular intervals to ensure that changes in environment, organization, or system do not introduce new unacceptable threats and that known threats do not increase in likelihood or consequence resulting in unacceptable risk levels for the system.
Risk assessment is a method for identification and evaluation of possible factors that may affect different aspects of change processes and their outcome, such as impact on services, organization, customers and users. Even the most thorough risk assessment process can miss out on some unforeseen consequences. ISO/IEC 27005:2008 outlines procedures for risk assessment, but several of the steps can be addressed by using different approaches. We used qualitative assessments by a multi-professional team. The composition of the team is important to cover different threats, but is no guarantee that all possible threats are found. Qualitative studies rarely give hard facts, but they can provide information and insight, and guide further research [24, 25]. Our approach was prospective and addressed a future system at a high level, and has similarities with the Structured What-If Technique (SWIFT), which is a systematic team-oriented technique for hazard identification suitable for considering systems where human and organizational factors predominate [26, 27]. Other methods for risk identification such as Hazard and Operability study (HAZOP), Failure Modes and Effects Analysis (FMEA), and Fault Tree Analysis (FTA) focus on process flow or hardware, and may be better suited for assessment of equipment details [26]. When risk assessments are carried out before new systems are implemented, sometimes even before they are constructed, it is not possible to do accurate measurements. Risk assessment as a scientific method therefore needs to be carried out in a systematic and critical fashion so that each issue can be discussed and debated openly. There is always a risk of bias in such discussions, resulting in overly positive or overly negative analysis. Our risk assessment was based on previous research in the field [7, 9, 14, 28], and a part of systematic development of knowledge.
The result of risk assessments provides information for risk treatment (Figure 1), which involves decisions on how to reduce risk in an organization. The threats identified in this risk assessment should be used as input to formal requirements when planning and implementing video calls for EMCCs. The benefit of doing risk assessment before system implementation is that information security can be incorporated from the beginning.
For all health care service there are several risks involved - for the patients, for health care workers, for the organization, and for the service itself. Our risk assessment has only focused on the purpose of a communication system, namely information exchange and storage. Risks related to different types of patient conditions should be identified through clinical studies.
A threat may have different outcomes, from common incidents with no practical implications, to (very rarely) a chain of events with disastrous results. Poor sound quality, for instance, may be acceptable in many situations, but can in other cases cause misunderstandings that lead to worse patient treatment and possible patient death. For a new service there are no measurements of unwanted events, therefore assessments of associated consequence and likelihood become approximations. We found this led to a worst-case type of thinking that may have overestimated the risk level of some threats. Further studies are therefore needed to map type of errors and problems that may arise when videoconferencing is used during real emergencies.