Virtual Care Service — Service Risk Register
Status: populated Owner: TBD Last updated: 2026-04-18 Companion: Service Template
1. Risk Register
| ID | Risk | Probability | Impact | Owner | Mitigation | Status |
|---|---|---|---|---|---|---|
| RISK-VC-01 | Intermittent 3G/2G connectivity in Afghanistan causes frequent session failures | High | High | Platform team | Bandwidth fallback chain (video→audio→async text); grace reconnect (60s); async visit as primary alternative; UI connectivity indicator | Open |
| RISK-VC-02 | Jitsi Meet self-hosted infrastructure unavailable (single point) | Medium | Critical | SRE | Multi-availability-zone Jitsi JVB deployment; fallback video backend configured (Mediasoup) for critical tenants; async visit always available | Open |
| RISK-VC-03 | Recording consent bypass (recording enabled without patient consent) | Low | Critical | Security team | Recording consent enforced server-side in CreateVirtualSessionUseCase; integration test covers consent gate; audit event on recording enabled | Open |
| RISK-VC-04 | Join token stolen or replayed | Low | High | Security team | Short expiry (15 min); HMAC-HS256 per-tenant secret in KMS; single-use design (token invalidated after join); HTTPS only | Open |
| RISK-VC-05 | FHIR Encounter not created post-session (delayed care record) | Medium | High | Platform team | Retry job reconciles within 5 min; alert if unreconciled after 30 min; session encounterId: null surfaced in UI for clinician awareness | Open |
| RISK-VC-06 | AI-generated summary pushed to chart without clinician review | Low | Critical | Clinical governance | HITL gate mandatory (AcceptAiSummaryUseCase); no auto-push path exists; accepted via explicit accepted: true; AI provenance fields in chart | Open |
| RISK-VC-07 | Jitsi branded build update breaks session functionality | Medium | High | Frontend team | Branded build version pinned in tenant config; change tested in staging before rollout; Jitsi version recorded in ops config | Open |
| RISK-VC-08 | Audio/video traffic routed outside Afghanistan sovereignty | Medium | High | SRE / MoPH | Jitsi TURN server co-located in Afghanistan; media traffic routing confirmed; WebRTC ICE candidates restricted to local TURN | Open |
| RISK-VC-09 | Concurrent session mutations causing optimistic lock storm | Low | Medium | Backend team | 409 handling with exponential backoff in client; optimistic lock designed for low-contention writes; monitoring of lock conflict rate | Open |