Picture this. You’re blindfolded. Walking on a frayed tightrope above a choppy ocean. The water is filled with hungry sharks, mouths open with rows of sharp teeth just waiting for you to lose your footing. The wind is blowing sideways as rain pelts you and lightening strikes all around. Oh, and you are carrying a large boulder as you wobble ahead.

Is your organization walking the tightrope, or living in fear?

While there are some within the healthcare space that are walking along the tightrope oblivious to the danger that awaits, most are gripped with fear. Medical ID theft, cyber attacks and missteps by employees (both intentional and unintentional) place their sensitive data in constant jeopardy. Neither is a healthy response.

Your organization is wrestling with new and emerging threats, enhanced obligations to protect sensitive information, intensifying scrutiny and increased enforcement from federal and state agencies. In the 360 degree, risk-filled reality of today’s environment, how is your organization responding?

Mankind has been managing risk for centuries. Still, few people really understand risk, and as a result, risk management.

Historically, risk has been regarded solely as a negative concept (i.e., something bad may happen) that organizations typically tried to ignore, avoid or transfer to others. Increasingly, information risk is recognized as a fact of life that must be “owned” and dealt with based on informed decision-making.

If we understand this risk and how it is caused and influenced, we can change its composition so that we are more likely to achieve our organization’s objectives – maybe even faster, better, cheaper and with improved outcomes. Understanding risk and taking action to change its composition is called “risk response.” Good risk response and overall risk management can occur only when organizations recognize that risk management is an important business process that requires our ongoing attention.

Risk is implicit in all decisions we make – how we make those decisions will affect how successful we are in achieving our objectives.

While all industries have, or are, undergoing enormous change due to market, technology, regulatory and other variables, nowhere are these changes more significant and sweeping than in healthcare. That’s precisely why information risk management should be at the top of your priority list.

While we have long been concerned with the confidentiality, integrity and availability of information, we have entered an unprecedented era of cyber security where attacks are becoming more frequent and more sophisticated with every passing day. The simple truth is that as information risks are growing faster than our ability to manage them.

For many, if not most organizations, information risk management is little more than ‘arts and crafts’ executed at a very basic level. Far too few organizations take a science and engineering-based approach to comprehensively manage their risks. That is a recipe for missed opportunities and adverse events.

The bottom line is this. If information privacy and security risks are not properly identified and managed, there can be significant ramifications, affecting your company’s brand, bottom line, and ultimately, shareholder value. And even more importantly, consumer trust can be lost.

 So what is a thoughtful, holistic approach?

At the end of the day, there is no “right answer” for organizations in terms of what appropriate risk response looks like. What’s important is for you to assess how mature your current risk management processes are and make a conscious, informed decision about whether that is good enough. And if you find yourself lacking, set a plan to get where you need to be, and fast!



Information Risk Management Capability Advancement Model™ (IRMCAM™)This post is an excerpt from the Clearwater Information Risk Management Capability Advancement ModelTM Whitepaper. This free resource offers a way for organizations to evaluate information risk management capabilities consistently, communicate capability levels in meaningful terms, and help make informed decisions about information risk management investments.


Click here to access your copy and learn more about maturing your own information risk management process.