This entry is part 1 of 9 in the series CEO-to-CEO

CEO-to-CEO – Top 5 Questions CEOs Should Ask About Information Risk Management

In the current climate, it is an absolute necessity that CEOs become actively involved in business risk management in general and in information risk management specifically. This mandate crosses all industry sectors, and the requirement in healthcare is especially pressing right now.

In this brief post, I invite CEOs to start an important dialog in their businesses by asking these top five starter and related questions:

  1. Are you and your top team formally engaged in the process?   Is there a chartered risk management committee? Do you meet on a regular basis?  Have you articulated your risk appetite? Is there a chartered ‘working committee’ producing specific, tangible recommendations and information for you and your committee to action?  Have you helped your organization understand the direct connection between high quality care, access to care and timeliness of care with the confidentiality, integrity and availability of Protected Health Information (PHI)?
  2. Is your information risk management program business-driven? Have you set key business maxims or imperatives? Have information risk management maxims been derived from these business maxims? Is your information risk management program directly tied to your enterprise risk management program? Are your Privacy / Security / Compliance teams working closely with your Enterprise Risk Management (ERM) team? Are you following industry standards such as those based on the NIST or ISO risk management frameworks?
  3. Are you really doing bona fide risk analysis and risk management work? Do your standard vocabulary and process include information assets, threat sources, threat actions, vulnerabilities, controls, likelihood and impact? Do you have an operative, usable risk register that facilitates improved decision-making? Have you had this work reviewed by outside experts?
  4. Are you proactively refining your information risk management program into a mature business process? Are you actively developing skills, knowledge and experience in the risk management discipline? Are you as an executive team, and your company as a whole, aware of the benefits and value of risk management? Are you using standards, tools and software to institutionalize the program? Are the outcomes becoming more consistent, repeatable, reliable and predictable?
  5. Are you producing the required outcomes of a good risk management program? Bottom line: is all sensitive information being reasonably and appropriately safeguarded? Do you maintain an active “risk register”? Are you evaluating proper risk response alternatives? Are you making higher quality, more informed decisions? Are you prepared for an audit by an enforcement agency?

HIPAA Risk Analysis and Management Resources Available to You

Clearwater Compliance offers best-in-class HIPAA-HITECH Privacy, Security and Breach Notification software and services. Our years of direct front-line, real-world experience with deep privacy and security skill-sets will help you assess and implement the required people, process and technology controls cost-effectively.

Please avail yourself of any of these free resources which you may access now by clicking on the links below:


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.