At the risk of being called ‘master of the obvious’, privacy, security and compliance risk management has become critically important to healthcare organizations and most of their vendors. These organizations that create, receive, maintain or transmit Protected Health Information (PHI)[i] are known under the Health Insurance Portability and Accountability Act (HIPAA)[ii] as Covered Entities[iii] and Business Associates[iv], respectively.
Liability and numerous other risks (e.g., financial, strategic, operational, clinical, legal, regulatory) have increased dramatically for all organizations in the healthcare ecosystem. Recent items of interest that underscore the issues include:
- In April 2014, the FBI released an alert warning healthcare providers of a high level of risk to data security as adoption of electronic health records accelerates, in a Private Industry Notification (PIN) entitled “Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain”. The PIN warns: “Because the healthcare industry is not as resilient to cyber intrusions [as] the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely”.[v]
- In May 2014, Rand Health prepared a research report for the Office of the National Coordinator for Health Information Technology entitled “Promoting Patient Safety Through Effective Health Information Technology (HIT) Risk Management”. Among other findings about lackluster risk management surrounding HIT, the research report asserts: “With few exceptions, awareness of the safety risks introduced by health IT is limited. The traditional departmental “silos” between risk management, IT, and quality and safety management may impede the ability of organizations to recognize and respond to health IT safety risks.”[vi]
- In a June 2014 speech, SEC Commissioner Luis A. Aguilar spoke on “Cyber Risks and the Boardroom” at a New York Stock Exchange Conference in New York. He observed among other things: “Clearly, boards must take seriously their responsibility to ensure that management has implemented effective risk management protocols.”[vii]
There is much for CEOs to consider, as the ante and the standards for reasonable diligence continue to rise.
In an upcoming white paper, we will introduce the Clearwater Risk Management Capability Maturity Model™ and self-assessment tool for immediate adoption to assist organizations in building an efficient and effective risk management program best suited to their unique needs. If you would like to review a Draft version, please contact me at: firstname.lastname@example.org
[i] See 45 CFR §160.103 Definitions – http://www.ecfr.gov/cgi-bin/text-idx?SID=3ea90d18e76a4da7c8d48b25b696a693&node=45:184.108.40.206.220.127.116.11&rgn=div8
[iii] See 45 CFR §160.103 Definitions – http://www.ecfr.gov/cgi-bin/text-idx?SID=3ea90d18e76a4da7c8d48b25b696a693&node=45:18.104.22.168.22.214.171.124&rgn=div8
[iv] See 45 CFR §160.103 Definitions – http://www.ecfr.gov/cgi-bin/text-idx?SID=3ea90d18e76a4da7c8d48b25b696a693&node=45:126.96.36.199.188.8.131.52&rgn=div8
[v] FBI Cyber Division – (U) Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain http://clearwaterc.wpengine.com/wp-content/uploads/2014/07/FBI-PIN-Health-Systems-Cyber-Intrusions.pdf
[vi] Promoting Patient Safety Through Effective Health Information Technology Risk Management – http://clearwaterc.wpengine.com/wp-content/uploads/2014/07/Promoting-Patient-Safety-Through-Effective-Health-Information-Technology-Risk-Management_rr654_final_report_5-27-14.pdf
[vii] Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus http://www.sec.gov/News/Speech/Detail/Speech/1370542057946#.U8G3lpRdV8B
HIPAA Privacy, Security and Compliance Risk Management Resources Available to You
Clearwater Compliance offers best-in-class HIPAA-HITECH Privacy, Security and Breach Notification software and services. Our years of direct front-line, real-world experience with deep privacy and security skill-sets will help you assess and implement the required people, process and technology controls cost-effectively.
Please avail yourself of any of these free resources which you may access now by clicking on the links below:
- Risk Analysis Buyer’s Guide
- Clearwater Compliance White Paper: Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
- Clearwater Recorded Webinar event entitled How to Conduct a Bona Fide HIPAA Security Risk Analysis
- Clearwater HIPAA Security Risk Analysis™ software DataSheet
- Clearwater HIPAA Security Risk Analysis™ software Free Trial for qualified organizations
- AboutHIPAA.com Risk Analysis Resources
Register for one of Clearwater’s complimentary webinars on risk analysis and risk management basics and get to grips with these issues and more.