**5.2 Example findings library**

**Figure 8** shows an open-source library example from Schmeelk [26] that applies a consistent risk language. The library needs to be expanded with input from industry working groups, in the same way that MITRE's CWE and NIST's BF are maintained.

**Figure 8** [26] shows the elements that are important for language specification and risk clarification. They are the following: a short descriptive vulnerability name, an expanded vulnerability description, techniques to remediate or mitigate the vulnerability, estimated likelihood factors, estimated impact factors, related organizational policies/standards, related NIST controls, related HIPAA regulatory requirements, other related legal requirements such as non-disclosure agreements, and estimated breach cost factors for insurance and for the required patient identity-theft protection costs and notifications.
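To make the library fields concrete, the following is an added example (not code from the chapter or from Schmeelk [26]) that encodes one prototype entry as a record with exactly the fields listed above, validates that no field is missing, derives a Low/Medium/High rating from the likelihood and impact factors, estimates a breach cost from the cost factors, and cross-indexes entries by NIST control. The 1 to 3 rating scale, the rating thresholds, the breach-cost model and the sample entry (including its policy ID and cost figures) are constructed assumptions; the NIST SP 800-53 control IDs and HIPAA citation are real identifiers chosen for illustration.

```python
"""Prototype findings-library entry: added example, not the chapter's own code."""

# The ten library fields named in the chapter's description of Figure 8.
REQUIRED_FIELDS = (
    "short_name", "description", "remediation",
    "likelihood_factors", "impact_factors",
    "policies", "nist_controls", "hipaa_requirements",
    "other_legal", "breach_cost_factors",
)

# Constructed ordinal scale for each likelihood/impact factor (assumption).
SCALE = {"low": 1, "medium": 2, "high": 3}

# Constructed sample entry; IDs and figures are illustrative only.
SAMPLE_ENTRY = {
    "short_name": "Unpatched EHR web server",
    "description": "Patient-facing EHR portal runs a web server that is "
                   "missing vendor security patches.",
    "remediation": "Apply vendor patches under the change-control process "
                   "and verify with a follow-up scan.",
    "likelihood_factors": {"exposure": "high", "exploit_availability": "medium"},
    "impact_factors": {"phi_records_reachable": "high", "service_disruption": "medium"},
    "policies": ["Patch management policy (constructed ID: PM-01)"],
    "nist_controls": ["SI-2", "RA-5"],   # SP 800-53: Flaw Remediation, Vulnerability Monitoring
    "hipaa_requirements": ["45 CFR 164.308(a)(1)(ii)(A)"],  # Security Rule risk analysis
    "other_legal": ["Vendor non-disclosure agreement"],
    "breach_cost_factors": {            # constructed cost model (assumption)
        "fixed_response_cost": 50000.0,
        "notification_per_record": 2.5,
        "identity_protection_per_record": 10.0,
    },
}


def validate(entry: dict) -> list:
    """Return the required library fields that are missing or empty in entry."""
    return [f for f in REQUIRED_FIELDS if not entry.get(f)]


def _mean_score(factors: dict) -> float:
    """Average the ordinal ratings of a factor set; reject unknown ratings."""
    if not factors:
        raise ValueError("at least one factor is required")
    unknown = [v for v in factors.values() if v not in SCALE]
    if unknown:
        raise ValueError(f"unknown rating(s): {unknown}")
    return sum(SCALE[v] for v in factors.values()) / len(factors)


def risk_rating(entry: dict) -> str:
    """Combine likelihood and impact (product of mean scores, range 1..9)
    into a Low/Medium/High rating; thresholds are constructed."""
    score = _mean_score(entry["likelihood_factors"]) * _mean_score(entry["impact_factors"])
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def estimated_breach_cost(entry: dict, affected_records: int) -> float:
    """Fixed response cost plus per-record notification and identity-protection
    costs, scaled by the number of affected patient records (constructed model)."""
    f = entry["breach_cost_factors"]
    per_record = (f.get("notification_per_record", 0.0)
                  + f.get("identity_protection_per_record", 0.0))
    return f.get("fixed_response_cost", 0.0) + per_record * affected_records


def index_by_control(library: list) -> dict:
    """Map each cited NIST control ID to the short names of findings citing it,
    so a control owner can list every finding that affects their control."""
    idx = {}
    for entry in library:
        for control in entry["nist_controls"]:
            idx.setdefault(control, []).append(entry["short_name"])
    return idx


if __name__ == "__main__":
    print("missing fields:", validate(SAMPLE_ENTRY))
    print("rating:", risk_rating(SAMPLE_ENTRY))
    print("cost for 1,000 records:", estimated_breach_cost(SAMPLE_ENTRY, 1000))
    print("by control:", index_by_control([SAMPLE_ENTRY]))
```

The validation step is the part that matters for a shared library: an entry that lacks, for example, the HIPAA or NIST mapping cannot be tied back to a regulatory obligation, so rejecting incomplete entries at ingestion keeps the library consistent across the working groups that contribute to it.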

The categories listed in the prototype can be expanded or reduced. Historically, vulnerability standardization libraries [20–22] have been maintained by major organizations (e.g. MITRE) and/or government entities (e.g. NIST). Based on healthcare operational needs, we developed the following descriptions of the prototype categories.

*Risk in Healthcare Information Technology: Creating a Standardized Risk Assessment Framework DOI: http://dx.doi.org/10.5772/intechopen.96456*


#### **Figure 8.**

*Risk assessment library prototype.*
