An Enhanced Framework for Assessing Health Information Systems Security Risks
Abstract/Overview
The increasing digitization of health information has enhanced the accessibility, efficiency and quality of healthcare services. However, it has also escalated cyber security threats, including data breaches, unauthorized access to confidential information, manipulation, destruction and distributed denial of service, among others. In addition, organizations are searching for an appropriate security framework for assessing information security risks. Although numerous frameworks are available, selecting the right one is a challenge due to lack of prescriptiveness, lack of standardization, inconsistencies, complexity, compliance, cost and certification requirements. All of these negatively affect the confidentiality, integrity and availability of information. The objective was realized by examining Health Information Systems security risks and the strengths and weaknesses of existing frameworks, and an enhanced framework for assessing Health Information Systems security risks was developed. A descriptive cross-sectional design was adopted, and a questionnaire was administered to 61 respondents in the six public hospitals. Data was analyzed quantitatively using the Statistical Package for Social Sciences (SPSS version 20), and results are presented in tables, charts and graphs.
Results indicated that confidentiality of information was good (use of passwords 96.8%, policies 91.9%, and access privileges 68.8%). Integrity of information was poor (written information security manager's responsibility 39.5%, monitoring of electronic systems 40%, creation of audit logs 54%, reviewing of audit logs 51.5%). Availability of information was good (availability of computer inventory 69.9%, regular updates of inventory 61.3%, updates of patient data on laptops 68.2%, sharing of the data confidentiality and security policy 36%, and backups of audit logs 51%). On assessment of existing security frameworks, HIPAA lacks a complete and valid risk analysis, is not certifiable, safeguards electronic protected health information only, does not regulate emails, does not use encryption, and its commitment to security is verbal. The ISO/IEC 27001 framework is expensive and requires a specific IT budget, special expertise, and more time to apply in public hospitals. The NIPP framework is expensive and uses consequence assessment, which is outside the scope of this study. The study concludes that the three frameworks assessed did not meet the desired standards, leading to the development of an enhanced framework. The study recommends training of persons authorized to access patients' information, availing defined roles for the information security manager, and reviewing data accuracy.