By Tim Swope, CISO, Catholic Health Services of Long Island
In order to deliver value to our customers, patients, employees, communities and shareholders, we as healthcare organizations must understand and manage the risks faced across our entire organization. Risks are inherent in our business activities and can relate to strategic threats, operational issues, compliance with laws, and reporting obligations. As part of an overall IT risk management process, Information Security, Governance and Risk (ISGR) departments are responsible for various activities that are important to regulatory compliance, information security, data protection and risk management. This group commonly has the authority and responsibility to investigate and assess compliance in all activities relevant to the Security Governance Program and to report on compliance status to IS Management.
The “Framework” that encompasses a Risk Management Program has the primary functions to:
- Determine categorization of IT risks
- Define the common framework used to identify and manage potential events that may affect information within the IT infrastructure
- Define accountability for IT risk management
- Determine the governance and oversight of IT risk management activities
However, we need to be more proactive in the identification, remediation and management of potential risks. My wife, who speaks Cantonese, mentioned that “risk” is translated into two words in English: Danger and Opportunity. By employing a “Proactive” risk-based approach to IT security, we have the ability to identify the “Dangers” to our organization and the “Opportunity” to remediate them before they are exploited. Some examples are: Ransomware, Privileged Access, and Incident Response preparedness.
Internal and external risks affecting our ability to achieve our security and operational objectives are identified at various points in the business cycle. During strategic and business planning and review processes, business unit management assesses the market and competitive environment to identify risks and opportunities facing their business. The various risk management functions within or assigned to that business unit provide expertise, support and input into the process. Each of the risk management functions is represented on applicable management committees to enable effective risk identification and business partnership.
In addition, throughout the year, risk assessments, scans and surveys are performed by the ISGR team to identify internal and external events that might affect the achievement of the Company’s objectives. A key part of the annual risk assessment process is vendor risk assessments. Vendor risk assessments are conducted to determine overall risk, and are performed for every vendor that accesses, hosts/maintains or shares corporate information deemed sensitive and/or confidential, such as PHI/PII/PCI. To underscore the importance of these assessments, it is estimated that in 2019 business associates (vendors) were involved in over a quarter of the major health data breaches. After all, we can outsource our systems and services, but we can’t outsource our risk!
Finally, risk management functions review the output from internal monitoring and assurance activities to identify gaps and emerging risk areas. Risks are analyzed, considering likelihood and impact of a given outcome to determine how they should be managed.
If we can take away one lesson from the need for a risk management program, it is the following:
Risk Management is the number one process for identifying potential risks and creating a plan to eradicate or manage them!
We don’t accept Risk, we continually Manage it!