It’s pretty easy to make a case for why you need to develop and implement a balanced information risk management program that reduces the likelihood and impact of the compromise of sensitive information. Yet most organizations struggle to implement such programs and to respond appropriately to an environment that is rife with risk. So, what’s the hold-up? Well, there are at least four major culprits to blame for current struggles.

4 Reasons We Aren’t Responding Well to Risk

1. Lack of Alignment

Frequently, there is not strong alignment between an organization’s business strategy and its information risk management strategy. A recent Rand Health report showed that, with few exceptions, “awareness of safety risks introduced by health IT is limited,” and that “traditional departmental silos between risk management, IT and quality and safety management may impede the ability of organizations to recognize and respond to health IT safety risks.”

2. Widespread Misunderstanding

Risk Management is not a well-understood or appreciated business process. As such, it is generally practiced in a very ad hoc and inconsistent manner. This results in many organizations simply not keeping up with today’s rapidly evolving world.

3. Delayed Response

Historically, health care organizations were not as focused on risks involving health care data, because the primary security strategy was keeping it safe behind locked doors and drawers. But as we’ve fully entered the era of electronic health data, many organizations have been slow to realize the increasing danger that looms from cyber attacks and other external and internal threats, even as federal entities such as the FBI have alerted the industry that the risk to data security is high and growing as the adoption of electronic health records accelerates.

4. Lack of Leadership

Boards, governance bodies and executives are not as engaged, as supportive and, ultimately, as responsible as they should be. SEC Commissioner Luis A. Aguilar recently said that boards “must take seriously their responsibility to ensure that management has implemented effective risk management protocols.” He went on to note that “there can be no doubt that cyber risk also must be considered as part of a board’s overall risk oversight.” We’ve yet to see boards fully embrace this role, but as high-profile breaches involving retailers like Target and Home Depot draw a bigger and brighter spotlight, we expect more engagement and increased expectations for information risk management practices.

We live in a dynamic, constantly changing “threat landscape” where protecting sensitive data requires a well-honed risk management process. Do you know what’s holding your organization back? It could be any, or all, of the above factors. What’s important is that you quickly identify your specific internal roadblocks and work toward increased organizational understanding that information risk management is a business imperative.

This post is an excerpt from the Clearwater Information Risk Management Capability Advancement Model™ Whitepaper. This free resource offers a way for organizations to evaluate information risk management capabilities consistently, communicate capability levels in meaningful terms, and make informed decisions about information risk management investments.


Michelle Caswell

Senior Director, Legal & Compliance at Clearwater Compliance
Michelle Caswell has over 14 years of legal and healthcare experience and worked as a HIPAA Investigator for the U.S. Department of Health and Human Services, Office for Civil Rights, where she ensured covered entities were in compliance with HIPAA, conducted complaint investigations and educated entities on HIPAA compliance. Michelle brings that experience to Clearwater Compliance as Senior Director, Legal and Compliance.