Governance Report Card


Striving for A+: Report Cards Aren’t Just for School Anymore.

13 Data Points to Report to Your Governance Committee

Did you dread getting that quarterly report card from your teacher? The kind where you got a C- in gym class, or a “Needs Improvement” in math. Or maybe you were an overachiever and got all A+ scores!

Well, we’re bringing the quarterly report card back, and our aim is to help you get the highest score possible on your security and compliance efforts. With 13 distinct data points, our quarterly governance report card will help you:

  • Understand and track any high-risk areas within your organization
  • Gather data and trends to report at your quarterly Governance Committee
  • Track industry breaches for learnings you can apply
  • Manage change within your organization
  • Prioritize and set budgets for needed resources

Let’s take a look at the 13 data points you should include in your quarterly governance report card.

  1. Current high-risk gaps: Based on the results of your security risk audits or assessments, document your top 5 to 10 high-risk areas, along with the estimated cost to mitigate each one. Having this information ready for your governance committee meeting enables an informed conversation about the risks and sound decisions about budget allocation.
  2. ePHI vulnerability risks: Where have you uncovered areas vulnerable to a breach of electronic protected health information (ePHI)? Review email, portable devices, cloud-based solutions, WiFi networks, servers and workstations for any weaknesses that could expose ePHI. Document every vulnerability found on your report card, and use that list to build an action plan for mitigation.
  3. Physical security risks: Record any risks associated with physical security, such as unauthorized building entry or stolen equipment. Think about the old hardware stored in a basement somewhere; retired drives and devices may still hold ePHI. How secure is your facility itself, and thus the data within it?
  4. Status of medical device security: While the vendors behind them may be managed as business associates (BAs), medical devices themselves need even further scrutiny. Document the timing and findings of your latest assessments of all medical devices. Are the devices inventoried and patched? How secure is the connectivity between those devices and your network? Is staff access properly controlled by role? These are the data points you need to track to make it harder for attackers to reach patient data through a medical device.
  5. Status of BA management: Document your highest-risk BA relationships. What have your BA audits uncovered? Are BAs responding appropriately? The governance committee should be aware of this data and be prepared to make sanctioning decisions if needed. This should cover both direct BAs and their subcontractors (downstream BAs).
  6. Disaster recovery and business continuity: When was your last disaster recovery test, and what were the results? Is your business continuity plan up to date with current procedures? Are employees properly trained to carry the plan out? Using this data, you can assess the need for further testing and for modifications to your plan.
  7. Cybersecurity simulations: How often do you run incident response simulations, such as tabletop exercises? What were the results of the last three or four? We recommend tracking this information over time so that trends become visible.
  8. Workforce training: How well did your staff fare on the latest phishing tests? Are there departments or individuals who regularly fail? That may indicate the need for further training or other forms of enforcement. What about the departments or staff who consistently do well? They can be acknowledged as team advocates to build a culture of compliance at your organization.
  9. Policy and procedure operational audit: Document the date and scope of your last audit and its results. Did recent changes to policies or procedures have any impact? Based on this information, any updates required can be reviewed and approved by the governance committee.
  10. Cloud host audit: Like #9, document the date and results of your last cloud host audit. Were there any red flags? If so, what was the vendor’s response? From there, the governance committee can decide whether a change in strategy is needed.
  11. Latest industry breaches: Learn from what is happening to others. By staying informed of breaches in the news, you can analyze the information to spot emerging trends. It is even more important that your governance committee is aware of these trends so its members know what to look for in their own departments.
  12. Change management: What impact have governance decisions had on your business operations? Having this data available during governance committee meetings educates the team and better informs decisions about additional resources or training.
  13. ISAO information sharing: Similar to #11, participation in an Information Sharing and Analysis Organization (ISAO) is another way to gather and report on the latest threats. Listen to your peers in other organizations. What are they seeing and fighting on a regular basis? Do you need to operationalize new defenses against threats you have not yet encountered?

Ready to start gathering data for your next governance committee meeting? Download our printable Quarterly Governance Report Card.