Jason Tahaney, Director of Information Security, Hunterdon Healthcare
Gerry Blass, President & CEO, ComplyAssistant
ComplyAssistant contributed an article on how risk registers help healthcare organizations consolidate and manage risk, avoid duplication of work and support a long-term, transparent risk management strategy to Compliance Today, which was published in November 2019. The following blog post covers some of the key points.
A typical healthcare system might perform up to 22 different types of security risk assessments (SRAs) each year. In decentralized health systems, the information gathered during those assessments is most likely siloed and not necessarily actionable.
Because of these challenges, healthcare organizations may spin their wheels and waste time, energy and money trying to make sense of the results of their annual security risk assessments. Imagine if one department discovered and mitigated a data security risk, but another department with the same or a similar risk was not aware of it, and so created its own risk management project. There is no need to reinvent the wheel every time.
Manage risk across silos using a risk register
When performing SRAs, healthcare organizations typically end up with a variety of disparate risk reports from different areas of the organization, including meaningful use, PCI, finance, SOC, third-party vendors, facilities, cloud, and both acute and non-acute care sites. If different teams perform the SRAs, there are likely inconsistencies in how the assessment data is gathered and reported. How can organizations move past this to a single, enterprise-wide view of risk?
A risk register, with the support of your risk management or governance committee, can help organizations:
- Visualize common risk across departments;
- Plan and prioritize risk mitigation; and
- Be more transparent with senior leadership.
Risk registers are best managed with GRC software that can help organize risk based on level and manage projects based on priority.
Advantages of a risk register
With a centralized repository of risk assessments for the enterprise, you can:
- Avoid duplication of information and reduce multiple audits that gather the same information.
- Create a single source of truth for easier, more transparent tracking of risk.
- Estimate a more comprehensive and accurate risk tolerance level.
- Provide a more complete picture of risk across the organization to the information risk management committee or governance committee.
- Proactively gather data in future assessments that can be used in multiple ways.
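To make the consolidation concrete, here is an added example (not code from the original post, from ComplyAssistant, or from any GRC product) of what merging several departmental SRA exports into one register looks like. The sample findings, the normalized risk keys, the department names and the likelihood-times-impact scoring are all constructed assumptions for illustration; a real register would carry the rating scale your governance committee has agreed on.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample rows, not real assessment data: what several departmental
# security risk assessments (SRAs) might each export on their own.
# Fields: source assessment, department, normalized risk key, likelihood (1-5),
# impact (1-5), finding text as written by that team.
SAMPLE_FINDINGS = [
    ("HIPAA SRA", "Acute care", "unencrypted-endpoints", 4, 5, "Clinical laptops lack full-disk encryption"),
    ("PCI assessment", "Finance", "unencrypted-endpoints", 3, 5, "Billing workstations not encrypted"),
    ("Vendor review", "IT", "vendor-no-baa", 2, 4, "Backup vendor has no signed BAA"),
    ("HIPAA SRA", "Non-acute care", "unencrypted-endpoints", 5, 4, "Clinic laptops unencrypted"),
    ("SOC audit", "IT", "shared-admin-accounts", 3, 2, "Shared admin credentials on file servers"),
]


@dataclass
class RegisterEntry:
    """One row of the consolidated register: a single risk, however many teams reported it."""
    risk_key: str
    departments: List[str] = field(default_factory=list)
    sources: List[str] = field(default_factory=list)
    likelihood: int = 0
    impact: int = 0
    findings: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        # Assumed likelihood x impact scoring; the post does not prescribe a formula.
        return self.likelihood * self.impact


def consolidate(findings) -> Dict[str, RegisterEntry]:
    """Merge per-department findings into one register keyed on the normalized risk."""
    register: Dict[str, RegisterEntry] = {}
    for source, dept, key, likelihood, impact, text in findings:
        entry = register.setdefault(key, RegisterEntry(risk_key=key))
        if dept not in entry.departments:
            entry.departments.append(dept)
        if source not in entry.sources:
            entry.sources.append(source)
        # Keep the worst-case rating seen anywhere in the enterprise.
        entry.likelihood = max(entry.likelihood, likelihood)
        entry.impact = max(entry.impact, impact)
        entry.findings.append(f"{source}/{dept}: {text}")
    return register


def prioritized(register: Dict[str, RegisterEntry]) -> List[RegisterEntry]:
    """Highest score first; ties broken by how many departments share the risk."""
    return sorted(register.values(), key=lambda e: (e.score, len(e.departments)), reverse=True)


def shared_risks(register: Dict[str, RegisterEntry]) -> List[RegisterEntry]:
    """Risks reported by more than one department: candidates for one enterprise project
    instead of several duplicated ones."""
    return [e for e in register.values() if len(e.departments) > 1]


if __name__ == "__main__":
    reg = consolidate(SAMPLE_FINDINGS)
    for e in prioritized(reg):
        print(f"{e.score:>3}  {e.risk_key:<24} departments={e.departments} sources={e.sources}")
    print("Shared across departments:", [e.risk_key for e in shared_risks(reg)])
```

The point of the merge key is the normalization step: three teams described the same endpoint encryption gap in three different ways, and only after mapping them to one key does the register show it as a single enterprise risk with the highest rating any team assigned, rather than three separate projects.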
Challenges with a risk register
Consider these potential challenges and questions as you evaluate using a risk register for your enterprise:
- How is your organization structured? Is it too large or fragmented to manage a single register?
- Does your corporate culture allow for centralized ownership across service lines, or do you need to consider a federated model?
- Do you have resources that can be dedicated to consolidating your risk reports into a single register?
- Do you have an existing governance model and enforcement? Are the right stakeholders – including human resources, finance, nursing, IT, compliance, privacy, legal, and ancillary practices or alternate site facilities – committed to enterprise governance? Do you have an executive sponsor?
Though healthcare organizations must perform SRAs to comply with HIPAA, you don’t need to start from scratch each year. Instead, use a consolidated risk register as the starting point, and update and reprioritize based on new vulnerability findings each year. The register then becomes the backbone of the strategic direction for the enterprise and guides decision-making and budgeting.
For more on using risk registers, read the full article in Compliance Today.