Nov 21, 2014
From Checklist to Culture: How to Protect Sensitive Data with Comprehensive Information Risk Management Practices
Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US, CEO and founder, Clearwater Compliance.
HIPAA-HITECH regulations have never been more strictly enforced, yet reported breaches continue to pile up in record numbers and data has never felt so unsafe. So, what gives? For one, it’s no secret to those who are paying attention that healthcare is the next cyber security battleground. We have entered an unprecedented era where cyber attacks are becoming more frequent and more sophisticated with every passing day. Medical ID theft is on the rise, and it seems hackers have healthcare squarely in their sights.
Of course, cyber threats are only part of the equation. Healthcare organizations are even more vulnerable to insider breaches caused by the actions of their own employees, whether intentional or unintentional.
The simple truth is that information risks are growing faster than most organizations can adequately respond to them. And while most organizations are completing their compliance checklists, few have embraced a comprehensive approach to information risk management. A shift in terminology, philosophy and approach is needed. And fast.
In response to a changing healthcare landscape; a stark increase in the threats posed to maintaining the confidentiality, integrity, and availability of healthcare information; and a shift in focus by the Office for Civil Rights (OCR) and other regulatory bodies from compliance to risk management, healthcare organizations need to fortify their capabilities around safeguarding sensitive data across their entire enterprise.
This includes ensuring you are aware of all information assets used to create, receive, maintain or transmit sensitive data across your organization; the vulnerabilities of those assets; the various threat agents that could exploit those vulnerabilities; and the controls you currently have in place to safeguard those information assets against such exploitation.
This shift requires that you establish a “culture of risk management” and maintain a balanced privacy, security and compliance business risk management program that includes reasonable and appropriate policies, procedures, people programs and safeguards/controls.
But what does a thoughtful and holistic framework for information risk management look like?
At the end of the day, there is no “right answer” to this question. What’s important is that you assess how mature your current risk management processes are and make a conscious, informed decision about whether that is good enough. And if you find yourself lacking, set a plan to get where you need to be.
For starters, make sure you address the following five key areas:
1. Governance, Awareness of Benefits and Value
Including processes and controls that ensure that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-upon enterprise objectives.
2. People, Skills, Knowledge and Culture
Including board and senior-level engagement, creating a risk-aware workforce and establishing risk management discipline across the organization.
3. Process, Documentation, Discipline and Repeatability
Including predictable, measurable, controlled and standards-based processes, protocols and procedures.
4. Use of Standards, Technology Tools and Scalability
Including automation of risk management workflows and key activities, and controls monitoring.
5. Engagement, Delivery and Operations
Including embedding risk issues in decision making and using a consistent framework for continuously improving risk management programs and processes.
If information privacy and security risks are not properly identified and managed, there can be significant ramifications, affecting your company’s brand, bottom line, and ultimately, shareholder value. And even more importantly, consumer trust can be lost. It’s not about compliance. Or a checklist. It’s about information risk management. The sooner we embrace this body of work as an industry, the sooner we’ll enhance our collective, and individual, ability to protect patient information.