Provider Directory Service — Risk Register
Status: populated; Owner: TBD; Last updated: 2026-04-17

| ID | Risk | Likelihood | Impact | Owner | Mitigation | Residual |
|---|---|---|---|---|---|---|
| R1 | Expired credential allowed to keep ordering privileges | Low | Critical | Credentialing | Nightly scanner + privilege cascade + audit | Very low |
| R2 | Duplicate practitioner from race on identifier insert | Medium | Medium | PD lead | DB unique constraint; idempotency key | Low |
| R3 | Search drifts out of sync with Postgres (OpenSearch lag) | Medium | Medium | Platform | Event-driven incremental index + weekly full rebuild | Low |
| R4 | Cross-script (ps ↔ en) search misses candidate | High | Low | PD lead | ICU transliteration analyser; multi-field query | Medium |
| R5 | Credential PII leak via FHIR Practitioner search | Low | High | Security | Minimum-necessary projection; credential numbers excluded | Low |
| R6 | Endpoint healthcheck causes partner rate-limit | Low | Low | Platform | Probe every 5 min; back-off on 429 | Low |
| R7 | Terminology service change breaks specialty validation | Medium | Medium | Interop | Version-pin specialties; soft-fail + re-validate | Low |
| R8 | National registry bridge introduces PII residency issue | Medium | High | Compliance | Deployment-scoped; data in-region only | Medium |
| R9 | Duplicate merge misapplies survivorship on credentials | Low | High | PD lead | Deterministic survivorship rules; audit; manual approval | Low |
| R10 | FHIR projection lag causes partner integration failures | Medium | Medium | Interop | SLO; DLQ replay; health-based pause | Low |
| R11 | Privilege cascade on revoke causes clinical workflow disruption | Medium | High | Clinical ops | Gradual migration; communication template; undo window | Medium |
| R12 | OpenSearch cluster failure → search slow | Low | Medium | SRE | DB fallback; alarm | Low |

Review
Weekly during M0–M1; monthly steady-state.