HIPAA-HITECH compliance is really part of the broader business discipline of information risk management (IRM). Many healthcare organizations overestimate the strength of their IRM programs, and some are beginning to use so-called “maturity models” to determine how they actually stack up against key benchmarks.

This article was originally published in HCCA’s “Compliance Today” magazine.

This article explores the essentials of a new methodology called the Information Risk Management Capability Advancement Model (IRMCAM), a maturity model designed to help compliance, privacy, security, and risk management professionals accurately assess how their IRM programs measure up to important benchmarks.

Although the use of maturity models is relatively new in healthcare, they’ve long been a mainstay in the Quality field. For example, the Six Sigma methodology is an ongoing effort to assess and improve an organization’s quality processes. In writing about Six Sigma maturity models, authors Sripad Srinivasan and M.A.N. Murthy have come up with a concise description of what those models are intended to achieve:

Process maturity is an indication of how close that process is to being complete and capable of continual improvement through qualitative measures and feedback. Thus, for a process to be mature, it has to be complete in its usefulness, automated, reliable in its information, and continuously improving.

Maturity models that meet this definition are being used widely around the world, in fields ranging from supply chain management to business intelligence. The consulting firm Accenture even has a “green” maturity model to assess its clients’ environmental and sustainability programs.

The Risk Management Society, headquartered in New York City, has developed a risk maturity model for enterprise risk management, but it applies generically to all industries, not just healthcare. Now, however, we’re starting to see the first maturity models strictly for the healthcare system. HIMSS Analytics (a division of the Healthcare Information Management Systems Society) has introduced two significant maturity models: the Electronic Medical Record Adoption Model (EMRAM), an eight-step process for measuring an organization’s level of EMR adoption against national benchmarks; and the Ambulatory Electronic Medical Record Adoption Model, which is similar but focuses solely on EMR adoption in the ambulatory setting.

Risk exposure growing dramatically

The rapid growth of the eHealth exchange means that the visibility, vulnerability, and value of patients’ protected health information (PHI) will increase significantly in the next few years.

“The eHealth Exchange is soon expected to connect more than 1,600 hospitals… plus 10,000 medical groups,” says Mariann Yeager, Executive Director of Healtheway, the non-profit organization that operationally supports the exchange. “Exchange participants are expected to serve nearly 100 million patients—almost a third of the country’s population,” she adds.

To date, tens of millions of Americans have had their PHI impermissibly disclosed or compromised—and this push for increased connectivity will only make the situation worse. But mature IRM involves much more than safeguarding technology. In their last report to Congress concerning data breaches, Health and Human Services (HHS) officials noted that sophisticated hacking is just a small part of the problem. They reported that theft is still the most common cause of reported data breaches (53%), followed by unauthorized access or disclosure at 18%. The report also found that the majority of compromised PHI was on laptop computers, while 23% was on paper.

Cyber-espionage is a growing threat, as shown by the hacking incident that compromised an estimated 4.5 million patient records at for-profit hospital giant Community Health Systems last year.

Far more data breaches can be traced to costly mistakes made by healthcare organizations’ own employees and business associates: loss or theft of laptops, improperly discarded paper records, unauthorized snooping, and so on. In the past, many healthcare organizations have dealt with data breaches in an ad hoc fashion—perhaps introducing a laptop check-out procedure after one incident, then implementing anti-snooping measures following a separate incident. But, by using a maturity model, healthcare organizations can steadily turn this patchwork of piecemeal solutions into a comprehensive IRM program.

Overestimating your readiness

Some healthcare organizations think that their IRM programs are robust, far-reaching, and mature, but that’s an attitude reminiscent of the French military following World War I. The French built the supposedly impregnable Maginot Line, yet the guns faced east and couldn’t rotate. The German army simply outflanked them and captured the forts from behind. It’s wise to remember that in managing risk, there are many threats, from international cyber-espionage to people who simply want to peek into celebrities’ health records (not to mention an organization’s own employees who unwittingly use insecure Wi-Fi hotspots or leave a laptop in the backseat of a cab).

The best way to assess an IRM program is to use a maturity model that grades an organization’s current performance. IRM professionals typically measure that performance in five major benchmarking categories in risk management.

1. Governance and awareness of benefits and values

This category helps determine whether an organization’s risk management activities align with the enterprise’s opportunities and loss capacity—along with senior leadership’s tolerance of that loss. In short, the risk management strategy needs to closely mirror the organization’s overall business strategy. It’s essential for board members and executives to insist upon and actively participate in this.

2. People, skills, knowledge, and culture

This category assesses whether an organization truly has a risk-aware culture that is alert to the breadth of IRM threats. For example, a hospital or health system may be keenly aware of what’s involved in losing a laptop with unencrypted PHI, yet be blind to the fact that small-scale snooping into patient records poses an equally serious challenge.

3. Process, discipline, and repeatability

This benchmark helps ensure that an organization has formal, well-documented, and consistently followed policies and procedures in risk management. The goal is to have a risk management process that is measurable and consistent.

4. Use of standards, technology tools, and scalability

This measures how well an organization has automated its risk management workflows to make them easier to scale as the enterprise grows. Some organizations create their own surveys and spreadsheets for risk analysis, but these home-grown solutions rarely scale. Technology plays a key role here. An organization matures by using standards-based automation (such as software tools based on National Institute of Standards and Technology guidelines) in order to achieve predictable, repeatable results.

5. Engagement, delivery, and operations

This category determines whether risk issues are embedded in all corporate decision making. There should be one consistently used framework for measuring the IRM program and processes. When individual divisions or departments implement their own risk management plans (which is sometimes a wise course of action), the plans still must integrate into the organization-wide framework.

Getting a report card

After an exhaustive performance review in each category, IRM professionals then produce a report card. As in school, the lowest grade is an “incomplete,” and the equivalent of a straight A is “mature.” Here are the six capability levels:

  • Level 0: Incomplete – This is the “anything goes” ranking. There’s no risk management governance; practices are ad hoc and chaotic.
  • Level 1: Performed – There is far too much variance in risk practices; the organization has achieved a few successes, but has also experienced many failures.
  • Level 2: Managed – The key word here is “some.” The organization has some risk management processes defined, documented, and practiced, and some employees are trained in them. But, there are still many glaring omissions.
  • Level 3: Established – At this level, there’s board-issued guidance; risk management processes are consistent across the entire organization.
  • Level 4: Predictable – This grade indicates that the organization views risk management as a business catalyst; predictive risk scenarios are used.
  • Level 5: Mature – For organizations deemed mature, risk is considered in all decisions. Real-time, continuous monitoring of risk events is standard; processes and tools are constantly enhanced.

Pathway to continuous improvement

Just as a report card focuses a student’s efforts to improve a D in algebra to match the A in English, an IRM maturity model helps healthcare organizations focus risk management resources where they’re needed the most. For example, a health system may shine in four of the five risk management benchmarking categories, yet come up short in the crucial Governance category.

The organization would then need to educate board members and senior executives on the strategic value of a comprehensive IRM program. By working with IRM professionals and using a maturity model, healthcare organizations can get a highly accurate picture of their risk management strengths and weaknesses. The pacesetters in healthcare IRM are those that welcome an honest appraisal and use it as a springboard to steady improvement.


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.