Population Health Service — Service Risk Register

Status: populated Owner: TBD Last updated: 2026-04-18 Companion: Service Template

1. Risk Register

ID	Risk	Probability	Impact	Owner	Mitigation	Status
RISK-PH-01	DHIS2 API version breaking change from MoPH upgrade	Medium	High	Platform team	Adapter version-pinned; smoke test on DHIS2 deploy events; staging environment mirrors MoPH DHIS2 version	Open
RISK-PH-02	De-identification k-threshold suppresses too many research records (small populations)	High	Medium	Data governance	Document suppression behavior clearly; provide analyst guidance on cohort design; allow aggregate-only fallback export	Open
RISK-PH-03	PHI leak via diagnostic logs or error messages	Low	Critical	Security team	Log redaction enforced in telemetry layer; PHI audit in CI pipeline; structured log review in readiness gate	Open
RISK-PH-04	MoPH indicator definitions change without notice	Medium	High	MoPH integration	Indicator mapping stored in configurable YAML per tenant; versioned; change notification SLA agreed with MoPH	Open
RISK-PH-05	Cohort refresh jobs overwhelm PostgreSQL during peak analytics load	Medium	Medium	SRE	Job concurrency limits; read replica routing for analytics queries; resource limits per job	Open
RISK-PH-06	Researcher misuses secondary-use export for re-identification	Low	Critical	Data governance	IRB reference required; de-identification enforced server-side; audit trail; presigned URL expires in 24h	Open
RISK-PH-07	Offline facility aggregate reports diverge from server projection after long sync gap	Medium	Medium	Platform team	Sync conflict policy documented in SYNC_CONTRACT; dataFreshness metadata visible in all responses	Open
RISK-PH-08	NATS stream full (14-day retention) causes event loss for slow consumers	Low	Medium	SRE	Monitor consumer lag; alert before stream full; extend retention for long-term events (90-day policy for compliance events)	Open
RISK-PH-09	Differential privacy epsilon budget exhaustion across many sequential exports	Low	Medium	Data governance	ε budget tracked per cohort per period; refuse new exports when budget consumed; reset quarterly	Open