Patient Portal Service — Service Risk Register
Status: populated
Owner: TBD
Last updated: 2026-04-18
Companion: Service Template · 11 risks-and-tradeoffs
1. Risk Register
| Risk ID | Risk | Likelihood | Impact | Owner | Mitigation | Status |
|---|---|---|---|---|---|---|
| RISK-PORTAL-01 | Premature result disclosure — unreleased lab or imaging result displayed to patient due to a release-policy enforcement bug | Low | Critical | Engineering Lead | Server-side policy check mandatory on every upstream call; unit + integration tests for policy enforcement; release-policy regression suite | Open |
| RISK-PORTAL-02 | Proxy scope escalation — proxy user accesses resource types beyond their granted scope | Low | High | Engineering Lead | Server-side scope check per request against ProxyDelegation.scope; dedicated proxy-scope unit tests; audit event on every proxy access | Open |
| RISK-PORTAL-03 | PHI leakage via AI prompts — patient identifiers or clinical data inadvertently included in navigation assistant prompt | Low | High | AI Product Owner | Prompt builder enforces no-PHI rule at code level; reviewed in every PR; tested in unit suite; ai-gateway-service moderation as second layer | Open |
| RISK-PORTAL-04 | Upstream service cascade failure — multiple upstream services down simultaneously leaving portal in partially degraded state that confuses patients | Medium | Medium | Platform SRE | Per-upstream circuit breakers; per-section graceful degradation with clear user banners; health dashboard aggregates upstream status | Open |
| RISK-PORTAL-05 | Account takeover via compromised MFA device | Low | High | Identity / Security | MFA mandatory; session anomaly detection (future); suspicious login → account suspension flow; Keycloak brute-force protection | Open |
| RISK-PORTAL-06 | Export job serving stale or incorrect patient bundle — export worker assembles data across multiple upstream calls; partial failure produces incomplete bundle | Low | High | Engineering Lead | Export job collects all sections before completing; any upstream failure marks job failed with errorDetail; patient retries; no partial downloads served | Open |
| RISK-PORTAL-07 | Expired proxy delegation not enforced — proxy continues to access data after the validTo date because of clock drift or a delayed expiry cron | Low | High | Engineering Lead | validTo evaluated server-side on every request (not cached); daily cron sets status = expired for elapsed delegations; tests cover the boundary conditions | Open |
| RISK-PORTAL-08 | Mobile push notification delivery failure — APNs/FCM unreachable; patients not notified of new results | Medium | Low | Platform SRE | Push is best-effort; portal UI polls for new results on next session open; runbook for push gateway recovery | Open |
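The following is an added example, not the Patient Portal Service's own code, showing the request-time checks the mitigations for RISK-PORTAL-01, RISK-PORTAL-02 and RISK-PORTAL-07 describe: the release-policy check that must run on every upstream result fetch, the per-request proxy scope check against ProxyDelegation.scope, and validTo evaluated from the live clock rather than from the cron-maintained status. The class names, field names (other than scope, validTo and status, which appear in the register), sample identifiers and the audit-event shape are assumptions; the sample delegation and result are constructed for the stand-alone run.

```python
# Added example, not the Patient Portal Service's own code. Class/field names
# beyond scope, validTo and status are assumptions; sample data is constructed.
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional


class AccessDenied(Exception):
    """Raised by enforce_proxy_access when a server-side policy check fails."""


@dataclass(frozen=True)
class ProxyDelegation:
    proxy_user_id: str
    patient_id: str
    scope: frozenset          # resource types the proxy may read (RISK-PORTAL-02)
    valid_from: datetime      # timezone-aware
    valid_to: datetime        # timezone-aware; access ends at this instant (exclusive)
    status: str = "active"    # the daily cron flips this to "expired"; it is only a hint


@dataclass(frozen=True)
class LabResult:
    result_id: str
    patient_id: str
    released_to_patient: bool  # decided upstream by the release policy (RISK-PORTAL-01)


def _require_aware(ts: datetime, name: str) -> None:
    # Naive datetimes are a classic source of off-by-hours errors; refuse them outright.
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{name} must be timezone-aware")


def evaluate_proxy_access(delegation: ProxyDelegation, proxy_user_id: str, patient_id: str,
                          resource_type: str, now: datetime, audit: list) -> Optional[str]:
    """Return None if the request is allowed, otherwise the denial reason.

    Every check is re-evaluated from the stored delegation and the current clock on
    each call; nothing is cached. An audit event is appended for every attempt,
    allowed or denied, as the RISK-PORTAL-02 mitigation requires.
    """
    for ts, name in ((now, "now"), (delegation.valid_from, "valid_from"),
                     (delegation.valid_to, "valid_to")):
        _require_aware(ts, name)
    reason: Optional[str] = None
    if (delegation.proxy_user_id, delegation.patient_id) != (proxy_user_id, patient_id):
        reason = "delegation does not bind this proxy to this patient"
    elif delegation.status != "active":
        reason = f"delegation status is {delegation.status!r}"
    elif not (delegation.valid_from <= now < delegation.valid_to):
        # validTo is authoritative even when the expiry cron has not run yet (RISK-PORTAL-07)
        reason = "outside delegation validity window"
    elif resource_type not in delegation.scope:
        reason = f"resource type {resource_type!r} not in granted scope"
    audit.append({"event": "proxy_access", "proxy_user_id": proxy_user_id,
                  "patient_id": patient_id, "resource_type": resource_type,
                  "at": now.isoformat(), "allowed": reason is None, "reason": reason})
    return reason


def enforce_proxy_access(*args, **kwargs) -> None:
    """Raise AccessDenied instead of returning a reason; handy at the API boundary."""
    reason = evaluate_proxy_access(*args, **kwargs)
    if reason is not None:
        raise AccessDenied(reason)


def evaluate_result_release(result: LabResult, viewer_patient_id: str) -> Optional[str]:
    """Server-side release check that must run on every upstream result fetch."""
    if result.patient_id != viewer_patient_id:
        return "result belongs to a different patient"
    if not result.released_to_patient:
        return "result not yet released by release policy"
    return None


# --- constructed sample data for a stand-alone run ---
EXPIRY = datetime(2026, 5, 1, tzinfo=timezone.utc)
SAMPLE_DELEGATION = ProxyDelegation(
    proxy_user_id="proxy-001", patient_id="patient-123",
    scope=frozenset({"appointments"}),
    valid_from=EXPIRY - timedelta(days=30), valid_to=EXPIRY, status="active")
UNRELEASED_RESULT = LabResult("lab-9", "patient-123", released_to_patient=False)


def run_scenarios() -> dict:
    """Exercise the boundary conditions the register says the tests must cover."""
    audit: list = []
    second = timedelta(seconds=1)
    args = (SAMPLE_DELEGATION, "proxy-001", "patient-123")
    outcomes = {
        "in_scope_before_expiry": evaluate_proxy_access(*args, "appointments", EXPIRY - second, audit),
        "at_expiry_instant": evaluate_proxy_access(*args, "appointments", EXPIRY, audit),
        "out_of_scope": evaluate_proxy_access(*args, "lab_results", EXPIRY - second, audit),
        "status_expired_window_open": evaluate_proxy_access(
            replace(SAMPLE_DELEGATION, status="expired"), "proxy-001", "patient-123",
            "appointments", EXPIRY - second, audit),
        "unreleased_result": evaluate_result_release(UNRELEASED_RESULT, "patient-123"),
        "audit_events": len(audit),  # one per proxy attempt, allowed or denied
    }
    return outcomes


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {'allowed' if outcome is None else outcome}")
```

The exclusive upper bound (`now < valid_to`) is a deliberate choice so that the instant written in validTo is already outside the window; whichever convention the service adopts, the register's boundary-condition test should pin it down explicitly, and the status column must never be consulted instead of validTo.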
2. Open Questions
- Clarify MoPH policy on maximum data retention period for portal_access_events (currently: 7 years assumed).
- Confirm whether SMS OTP is an acceptable MFA fallback for patients without smartphones (Afghanistan context).