Ghasi e-Prescribing Gateway Service — Service Risk Register
Status: populated
Owner: TBD
Last updated: 2026-04-18
Companion: Service Template · 03 platform-services · 02 DDD
Risk Register
| ID | Risk | Likelihood | Impact | Owner | Mitigation | Status |
|---|---|---|---|---|---|---|
| RISK-EPRX-001 | Dual-entrypoint confusion: first-party services call wrong URL, bypassing audit/policy | Medium | High | Engineering | Clear consumer guides; ADR-0043 B1 documented; CI contract tests enforce endpoint | Open |
| RISK-EPRX-002 | Persona enforcement bypass: crafted JWT grants wrong write persona | Low | Critical | Security | Persona claim validated server-side on every request; automated persona enforcement tests; penetration test | Open |
| RISK-EPRX-003 | RLS regression exposes cross-tenant prescription data | Low | Critical | Engineering + Security | CI tenant-isolation gate; migration review checklist; quarterly security audit | Open |
| RISK-EPRX-004 | IG profile drift: national IG package updated without re-pinning; valid prescriptions start failing | Medium | High | Engineering | Pin IG packages per tenant; CI golden fixture gate; versioned IG registry | Open |
| RISK-EPRX-005 | Subscription DLQ grows unbounded; pharmacy misses prescriptions | Medium | High | SRE | DLQ depth alert; on-call runbook; SLA with pharmacy team on endpoint availability | Open |
| RISK-EPRX-006 | Zod validator allows a non-conformant MR through; clinical error downstream | Low | High | Engineering | Phase 2: HAPI FHIR validator replaces Zod; golden fixture regression suite | Open |
| RISK-EPRX-007 | Incomplete HIPAA audit trail (missing MR/MD mutation events) | Low | Critical | Engineering | Audit event coverage test in CI; security reviewer sign-off on audit completeness | Open |
| RISK-EPRX-008 | ETag concurrency storm when many clients update same MR simultaneously | Low | Medium | Engineering | 412 with current resource body; client backoff; operations dashboard for conflict rate | Open |
| RISK-EPRX-009 | Phase 3 third-party onboarding without adequate contract tests | Medium | Medium | Product | Contract test harness required for each third-party client; partner qualification gate | Open |
| RISK-EPRX-010 | Multi-region deployment without data-placement ADR allows cross-border PHI transfer | Low | High | Legal + Architecture | Phase 4 gated; region boundary enforcement in Kubernetes network policy | Open |