Laying the Foundation for Strong Healthcare Risk Management
Information originally posted on: https://healthitsecurity.com/
Covered entities and business associates must conduct regular risk assessments as part of their larger healthcare risk management
With cybersecurity threats becoming more sophisticated each day, healthcare organizations must implement necessary policies and procedures to keep sensitive data secure. A current and comprehensive healthcare risk management plan is a key component for maintaining data security.
Healthcare risk management involves entities ensuring all of their activities, processes, and policies are working to reduce liability exposure. Conducting risk management activities will help organizations keep patients safe and also ensure financial stability.
Healthcare organizations are becoming more aware of the importance of managing their risk and how risk assessments, or the lack thereof, could potentially impact their business as a whole.
The 2017 HIMSS Analytics HIT Security and Risk Management Study found that 71 percent of healthcare clinical leaders believe that risk assessments are the key driver for decisions on where to invest in IT security.
The HIMSS study also showed that the percentage of healthcare executives who spend 7 percent to 10 percent of their IT budget on cybersecurity increased from 10 percent to 24 percent from 2015 to 2016.
This is a positive change from an earlier 2017 KLAS Research and College of Healthcare Information Management Executives (CHIME) study. That research found that 41 percent of CISOs, CIOs, CTOs, and other security professionals have dedicated less than 3 percent of their IT budgets to security. Eighteen percent of respondents said they have more than 7 percent of their IT budget focused on security.
More organizations seem to be taking note of the importance of investing in cybersecurity, and of how such investments can help entities prevent, detect, and mitigate potential threats.
Making the necessary investment in security is just one small aspect of a thorough approach to healthcare risk management. Organizations will also need C-suite support, a proper risk assessment, and an applicable cybersecurity framework to support ongoing improvements.
A RISK ASSESSMENT AS PART OF THE RISK MANAGEMENT PLAN
Conducting a risk analysis is part of the administrative safeguard requirements under HIPAA regulations. HHS requires that covered entities evaluate the likelihood and impact of potential risks to e-PHI, implement appropriate security measures to address those risk areas, and document the security measures.
“Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI,” HHS states on its website.
The risk analysis should review areas in which there is potential risk to the organization, such as PHI exposure. For example, covered entities should consider where all PHI is created, received, maintained or transmitted.
Additionally, the risk analysis should be updated as new technologies are introduced. New tools (e.g., connected medical devices, cloud storage) could change where e-PHI is stored.
“Risk assessments, whether the synonymous risk analysis or often mistaken controls gap assessment, are integral components of the risk management lifecycle,” HITRUST VP for Standards and Analytics Bryan Cline explained to HealthITSecurity.com. “Risk management cannot be done effectively without either.”