As the adoption rate of electronic health record continues to accelerate, the need to enhance information risk management has become more critical to create, compliant health care environment. Healthcare providers and payers are increasingly turning to automation tools to improve operation and efficiency while ensuring the safety, quality and security of patient care. While automation can lead to improved patient care workflow and reduced costs, it also creates new challenges. The high volume of patient information being created , transmitted, accessed, managed and stored within the healthcare organization has led to a complex IT environment with an expanded user community and new security risks to be addressed. In Kenya however, current practices incorporate risk management as an afterthought. One of the primary reasons is the lack of feasible and efficient risk analysis approach to guide in efficient implementation of funsoft security. This study looked at the various information security risks brought about by the implementation of funsoft which is a health management information system with a view of managing and mitigating the risks in a coherent and systematic manner. The study has used a positivist approach with a research design that employed quantitative descriptive study of funsoft users and focus group discussions with system administrators and records officers. The study population was eighty five with a sample size of forty six calculated using Yamane's formula with a precision of ten percent. The study reviewed current risk management practices used within the HMIS and IT in general and using a case study of three public hospitals in Kisumu county that are at different implementation levels of funsoft, it further explored current potential obstacles encountered in the implementation of systemic risk management strategy. This study finally implemented a strategy for managing risk within funsoft in a systematic and continuous manner which was enriched by material documented in the literature. It was unearthed in the study that all the three health facilities have no focal person to coordinate information security, lack policies and procedures on computer and information security and had never undertaken a risk assessment of the funsof in HMIS platform since its deployment.