Ok, I agree, talking about Risk Management is boring. There are way more exciting topics to discuss, but with the recent cyber-attacks, threats of more to come, hijacking of data, and so on, we really can’t avoid it. In this age of bits and bytes the need to manage and monitor the flow of data has become a normal daily practice. Every time we click the send button on an email, hire a new employee, or invite an outside vendor into our realm, we expand our need to evaluate and plan for the worst. Having a well thought-out Risk Management (RM) plan is critical to protect and sustain any business, and in health care, it’s a must.
When discussing RM, let’s start by answering two basic questions: what is a risk and who is susceptible?
There are various ways to define a risk. In essence, it is a potential occurrence that causes a disruption in normal operation or prevents the completion of a task. Since we’re looking at RM from a data security perspective, particularly as it relates to healthcare and other sensitive data, our focus will be on the disruption of service, including loss of data.
The truth is, everyone is at risk. No matter how advanced a business’s security practices are, there are various levels of risk throughout multiple aspects of any organization. Here there is no room for being naive, arrogant, or complacent. Simply know that there are areas of vulnerability and do your best to identify them.
RM plans can be very in-depth, perhaps a little too complex sometimes. Keeping it simple, here are the fundamental components:
- Identify all risks
- Determine the level of impact for each risk – often a rating scale is defined
- Understand who is impacted
- Develop methods to mitigate the risk, or at least minimize the impact
- Create a plan of action to react
The findings of an initial RM analysis may be overwhelming, but don’t be too alarmed. This is common for most organizations that haven’t maintained an RM strategy. As part of the identification and evaluation process you will discover that by enforcing adherence to policies and adjusting procedures, the number of risks can be reduced. As I mentioned earlier, you can’t eliminate them all. For the risks that remain, it is important to minimize the impact and develop a plan of reaction.
I’ve seen a variety of approaches for the identification and impact analysis components. The key here is to have the right personnel involved. IT is an integral part of this team and will have the most knowledge in terms of data security and protection practices; however, they can’t do it alone. To be comprehensive, each primary department head should be involved.
Although I’m not going to break down the entire RM process (I think I just heard applause), I do want to discuss the ability to recover. I have to say, this is an area where there is often a “disconnect” between IT and senior management. Let’s use a ransomware attack as an example. Your data becomes encrypted and, unless you pay a fee, you are unable to decrypt it, making it inaccessible. How much data can be lost? This is where senior management must make a determination on the tolerance of data loss and system downtime as it relates to the organization. What can the company handle, and what would cripple the operation? The danger here is when the ‘perception’ of the IT department does not line up with the ‘assumption’ of senior management.
Having a well-documented Risk Management plan is only one piece of the puzzle. Annual reassessment, review of new potential risks, and the continuous education of those impacted turn documentation into a practical tool to protect your business.
If you have any questions, or would like our help reviewing your current plan, please give us a call.