Enterprise Risk Management in Healthcare

Posted by John Dimaggio on Oct 5, 2016 3:58:24 PM


Cyber-risk in the healthcare industry is not just an issue for IT departments; it is a major problem for healthcare executives and stakeholders. The technical security defenses employed by an IT department cannot fully protect an infrastructure, because cyber criminals are adept at circumventing those defenses or finding alternate points of entry. Cyber-crime threatens a provider’s legal, financial, reputational and operational position, making it a corporate challenge that requires executive and board-level oversight.

Technical defenses such as malware detection, data encryption and firewalls can be thwarted by savvy hackers, and they don’t completely close the cyber-exposure gap. In fact, some common cyber-crime entry points are ones that technical defenses simply can’t prevent, such as social engineering ploys against untrained or unaware users, ineffectively enforced policies and procedures, and unsafe employee browsing habits. Since IT departments cannot fully safeguard an organization’s assets, healthcare leaders should recognize this threat as an enterprise-level risk.

As with any enterprise-level risk, cyber-risk should be a prominent component of an organization’s Enterprise Risk Management (ERM) plan, perhaps even more so given that the healthcare industry is widely known for weaker cybersecurity defenses and is thus considered an attractive target by cyber criminals. A good ERM plan will identify, strategize and proactively address cyber-risks that can potentially threaten the organization. The framework for the plan should include the following steps:

  • Assess cyber-risk elements from all possible sources and entry points to determine the probability and magnitude of impact to the organization.
  • Determine which cyber-risks to accept, avoid, mitigate or insure against.
  • Develop and enforce policies and procedures to avoid/mitigate corporate exposure.
  • Formulate cyber-risk response strategies.
  • Monitor new and emerging cyber-threats.
  • Integrate cyber-risk prevention strategies into all corporate decision-making.

Failure to recognize cyber-risk has cost healthcare providers millions of dollars, generated negative publicity and created reputational damage. The Ponemon Institute partnered with IBM to produce the 2016 Cost of Data Breach Study, which concluded that the average cost of unauthorized data access is between USD $149 and USD $167 per record, with the total cost of a data breach ranging from USD $3.7 million to USD $4.29 million. Healthcare providers are under attack from all directions, and IT technical defenses can no longer be the only battle strategy. True cyber-protection requires strategic business discipline, executive and board-level engagement, and an effective Enterprise Risk Management plan to evaluate, prioritize and manage risk exposure.


BlueOrange Compliance has been providing privacy and security assessments, remediation, training and guidance since the inception of HITECH. Our team is comprised of former healthcare IT executives and top security, privacy and technology analysts. Our national client base consists of hospitals, physician provider practices, nursing facilities, LTC pharmacies, senior living organizations, homecare, hospice and business associates. If you want to learn how BlueOrange Compliance can help you turn HIPAA complexity into HIPAA compliance, visit us at blueorangecompliance.com.