This entry is part 3 of 9 in the series CEO-to-CEO

At the risk of being called ‘master of the obvious’, privacy, security and compliance risk management has become critically important to healthcare organizations and to most of their vendors.  Organizations that create, receive, maintain or transmit Protected Health Information (PHI)[i] are known under the Health Insurance Portability and Accountability Act (HIPAA)[ii] as Covered Entities[iii] (the healthcare organizations themselves) and Business Associates[iv] (the vendors that handle PHI on their behalf).

Liability and numerous other risks (e.g., financial, strategic, operational, clinical, legal, regulatory) have increased dramatically for all organizations in the healthcare ecosystem.  Recent items of interest that underscore the issues include:

  • In April 2014, the FBI Cyber Division issued a Private Industry Notification (PIN) entitled “Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain”, alerting healthcare providers that the accelerating adoption of electronic health records is raising their data security risk.  The PIN warns:  “Because the healthcare industry is not as resilient to cyber intrusions [as] the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.”[v]
  • In May 2014, Rand Health prepared a research report for the Office of the National Coordinator for Health Information Technology entitled “Promoting Patient Safety Through Effective Health Information Technology (HIT) Risk Management”.   Among other findings about lackluster risk management surrounding HIT, the research report asserts: “With few exceptions, awareness of the safety risks introduced by health IT is limited. The traditional departmental “silos” between risk management, IT, and quality and safety management may impede the ability of organizations to recognize and respond to health IT safety risks.”[vi]
  • In a June 2014 speech, SEC Commissioner Luis A. Aguilar spoke on “Cyber Risks and the Boardroom” at a New York Stock Exchange Conference in New York.  He observed among other things: “Clearly, boards must take seriously their responsibility to ensure that management has implemented effective risk management protocols.”[vii]

That is much for CEOs to consider, as both the stakes and the standard for what counts as reasonable diligence continue to rise.

In an upcoming white paper, we will introduce the Clearwater Risk Management Capability Maturity Model™ and self-assessment tool for immediate adoption to assist organizations in building an efficient and effective risk management program best suited to their unique needs.  If you would like to review a Draft version, please contact me at: bob.chaput@clearwatercompliance.com


[ii] Department of Health and Human Services, Office for Civil Rights – HIPAA Privacy: http://www.hhs.gov/ocr/privacy/

[v] FBI Cyber Division, Private Industry Notification – (U) Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain: http://clearwaterc.wpengine.com/wp-content/uploads/2014/07/FBI-PIN-Health-Systems-Cyber-Intrusions.pdf

[vii] Luis A. Aguilar, SEC Commissioner – Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus (June 2014): http://www.sec.gov/News/Speech/Detail/Speech/1370542057946#.U8G3lpRdV8B

HIPAA Privacy, Security and Compliance Risk Management Resources Available to You

Clearwater Compliance offers best-in-class HIPAA-HITECH Privacy, Security and Breach Notification software and services. Our years of direct front-line, real-world experience with deep privacy and security skill-sets will help you assess and implement the required people, process and technology controls cost-effectively.

Please avail yourself of these free resources:

Register for one of Clearwater’s complimentary webinars on risk analysis and risk management basics to get to grips with these issues and more.


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.