2.3 Risk Management
Risk Management
In response to environmental changes and organizational restructuring, the hospital continuously reviews its mission, vision, and strategic objectives. Potential risks are identified and integrated into daily operations through a structured risk management mechanism, enabling early warning, effective control, and mitigation of risk and crisis impacts.
Risk Control
In order to strengthen risk management and crisis response mechanisms, Zuoying Armed Forces General Hospital has established a Risk Management and Crisis Response Task Force, with the Superintendent serving as convener of the steering group; the task force is responsible for coordinating the implementation of related policies and strategies. A risk management and crisis handling review meeting is held every six months to evaluate the effectiveness of mitigation efforts for identified risks. During the review, each risk is assessed based on its impact level and likelihood of occurrence to determine whether the risk level has been effectively reduced. This mechanism enhances the hospital’s capability to identify and respond to risks, thereby ensuring operational stability and patient safety.
Adhering to the core principles of ‘prevention before the event, monitoring during the event, and resolution after the event’, the hospital conducts biannual reviews of its risk management and crisis response operations. A cyclical process is implemented, encompassing background data collection, risk identification, risk assessment, risk treatment, monitoring and review, as well as information sharing, communication, and consultation, to ensure the appropriateness and effectiveness of the risk management framework. This mechanism enables the hospital to evaluate the performance of its risk control measures, and to timely adjust relevant policy objectives, organizational structures, workflows, and procedures.
Emergency Response
In order to effectively respond to crisis events that may arise from inadequate risk control, the hospital has established a comprehensive crisis emergency response mechanism. In accordance with specific crisis emergency response plans, the relevant procedures can be activated swiftly. This mechanism is built upon six core steps:
- Establish a responsive and efficient alert and reporting system.
- Immediately form a crisis management team to coordinate response actions.
- Coordinate cross-departmental tasks to ensure seamless collaboration.
- Conduct timely and appropriate media communication to protect the institution’s reputation.
- Carry out effective coordination and negotiation to resolve conflicts.
- Implement proper follow-up and review to promote system improvement.
For emergency disaster events (including both medical and non-medical), the hospital classifies incidents into red, yellow, and green levels based on the response time and the crisis impact level. According to the designated level, the hospital promptly assesses healthcare needs and deploys corresponding manpower resources in order to ensure the continuity and stability of healthcare services.
Following the conclusion of any incident, the hospital convenes a review meeting to conduct an in-depth analysis of the cause, response process, outcomes, and the effectiveness of risk control and crisis response measures. Revised documents, including the Crisis Management and Risk Assessment Form, Risk Mitigation Plan, and Emergency Response Measures, are submitted for approval and recordkeeping. These updates are also presented during the semi-annual review meetings to ensure the continuous improvement of the hospital’s crisis management capabilities.
Figure: Classification of Emergency Disaster Events
2.3.2 Climate Risk
To strengthen climate risk management and move toward the net-zero emissions target, the hospital references the Task Force on Climate-related Financial Disclosures (TCFD) framework and incorporates climate change risks into its overall risk management mechanism. The Superintendent serves as convener of the governance body, and the Risk Management and Crisis Response Task Force is responsible for overall coordination and execution, ensuring that climate-related risks are effectively identified and managed.
According to the results of the 2024 risk assessment, climate-related risks such as windstorm damage, epidemic disease transmission, and water supply interruptions or shortages were rated as medium or low risks. The hospital will continue to monitor the potential impact of climate change on healthcare operations and take corresponding measures to enhance its resilience and response capability.
Figure: Climate Risks and Opportunities
2.3.3 Information Security Risk
To strengthen information security management and patient privacy protection, the hospital has obtained ISO 27001 and ISO 27701 information security management system certifications, and ensures the secure and effective operation of medical information processing through comprehensive management of personnel, operational procedures, and information technology. The aim is to prevent security incidents that could affect the confidentiality, integrity, availability, legality, and privacy of medical information, with protection of the public’s personal medical information privacy rights as the foremost premise. In addition, the hospital is committed to integrating service provision across primary care information systems, thereby building a complete picture of the healthcare system.
Information Security Policy Implementation
In accordance with the information and communication security responsibility level classification of the Armed Forces, the hospital is classified as a Level B unit and is required to promote information security management comprehensively across three major aspects: management, technology, and awareness and training.
- Management: The hospital establishes sound information security policies and regulations, ensures that all security measures are enforceable, and reviews and updates them regularly to respond to constantly evolving security threats.
- Technology: The hospital applies advanced information security technologies and protection systems to safeguard hospital data from threats, and continuously strengthens system protection capabilities to ensure the stable operation of information systems.
- Awareness and training: Through regular information security education, training, and awareness campaigns, the hospital ensures that all staff and IT personnel fully understand and comply with relevant security regulations, so that security management is effectively implemented in daily work and potential risks and threats are prevented.
Through the integration and implementation of these three aspects, the hospital is committed to building a comprehensive and continuously strengthened information security management system to protect patient privacy, maintain the confidentiality of medical information, and ensure the stability and reliability of healthcare services.
Figure: Information Security Management Measures
Information Security Incident Response
When an information security incident occurs at the hospital, the response mechanism is promptly activated in accordance with the “Information Department Computer Room Emergency Response Plan”. To improve response effectiveness and prevent potential risks, a Hospital Information System (HIS) outage emergency response drill is held once a month. The drill is conducted jointly by task groups including the Policy Guidance Group, the Planning and Control Group, and the Operations Execution Group, which simulate crisis scenarios and comprehensively review the response procedures and recovery capabilities for system anomalies, ensuring that the entire hospital has the capacity for immediate response and continued operation. This measure not only strengthens the hospital’s ability to handle information security incidents but also improves the overall stability and reliability of healthcare services.
Figure: Information Incident Response Workflow