Risk Management in Healthcare
Following security risk assessment, security risk management is the second step of the security management process standard, which is the first administrative safeguard required by the HIPAA security rule. It aims to “implement policies and procedures to prevent, detect, contain, and correct security violations” through the whole process and to “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level” through risk management, particularly in order to optimally protect ePHI that are created, received, stored or transmitted by the health care organization.
While risk assessment is concerned with identifying potential threats, risk management involves taking action. Indeed, risk management should be performed collaboratively by all the departments of the organization, both as a post-incident corrective measure that reduces negative consequences as much as possible and as a way to avoid those consequences, as well as other incidents, in the future. More importantly, it aims to anticipate and prevent increases in the risk posed by potential threats and vulnerabilities through risk intelligence and strategic risk management, using a centralized incident management and/or reporting system that:
- Enhances synergic interactions between the departments of the organization;
- Allows the organization to save money;
- Makes the process more efficient; and
- Allows the organization to keep an eye open for potential danger.
Consequently, this enhances the organization’s ability to provide quality care.
Several strategies can be adopted while managing risk: the risk can be transferred elsewhere, skipped or avoided, reduced in its side effects, or partially or fully accepted. When it comes to security management, the applied strategy depends on the risk assessment.
Like risk assessment, risk management is an ongoing process and both complement each other; their processes should be correctly applied in order to make sure that ePHI’s confidentiality, availability and integrity are preserved.
Risk management plays a crucial role in:
- “Protect[ing] against any reasonably anticipated risks to the security or integrity of the information.”
- “Protect[ing] against reasonably anticipated uses or disclosures of such information that are not permitted or required under the HIPAA Rules.”
- Complying with the HIPAA security rule in preparing the organization for potential audit.
- Enhancing the attestation to the EHR Incentive Programs by submitting relevant records to The Centers for Medicare and Medicaid Services (CMS) about how security management is done and implemented to protect ePHI.
- Identifying, evaluating and preventing all sources of risk that are involved in the health care stockholders and the organization’s financial protection.
- Allowing relevant education of the employees based on the organizational data tracked and analyzed by the security management process.
- Having an up-to-date security database of adverse events that is continuously enriched, so that it becomes a reference and a must for optimizing the functioning of the health care organization.
The risk management process is flexible in that every organization can adapt it to its own and unique use, according to its characteristics, needs, available resources and environment.
Below is an example of steps to follow for a comprehensive process to manage risks:
- Risk management plan creation and implementation
The risk analysis done in the previous step of the security management process gives the organization data about existing vulnerabilities, how and when a threat can use those vulnerabilities and the potential negative consequences for the organization. Consequently, the analysis gives insights for informed decision-making about risk prioritization and mitigation in order to “reduce risks to reasonable and appropriate levels.”
The risk management plan is a skeleton that shapes the risk analysis data in order to make security measures more concrete and guide their prioritization, implementation and evaluation. It provides information about what risks should be addressed, what security measures to implement and how to implement them.
The HIPAA security rule requires taking into account five types of safeguards while creating the action plan:
- Administrative safeguards: Risk management plan, security officer, etc.
- Physical safeguards: Alarm systems, locking offices, etc.
- Technical safeguards: Data encryption, audits, etc.
- Organizational standards: Agreement reviews and updates.
- Policies and procedures: Written documents, trained workers, reviews and updates.
Nowadays, risk management and quality assessment go hand in hand in order to ensure patient safety and quality care. Indeed, matching the two processes allows for better decision making and enhances protective measures to be more accurate and realistic. Moreover, it allows the organization to identify opportunities to improve clinical, operational and business areas and make internal policies and procedures compliant with the existing laws and regulations.
- Security measures implementation
In order to comply with the HIPAA security rule, organizations are required to implement security measures through projects and activities that take into account their financial resources (through cost-benefit analysis) and the involvement of their decision makers and employees. Other important aspects, such as the time frame of the project or activity and the potential benefits if they are part of other projects, should also be taken into account in the implementation, though they are not required by the HIPAA security rule.
Security measures implementation is often determined by the costs it generates. Indeed, organizations tend to choose the cheapest option. However, cost alone, without other factors, is sometimes not enough to justify settling on cheap measures, which might be ineffective, or excluding appropriate but expensive measures. On the other hand, there are some simple and low-cost, yet highly effective, measures that the organization may consider to secure its data:
- The server:
  - Lock it in a room accessible only by authorized personnel.
  - Run anti-virus analyses regularly.
  - Monitor employee access randomly (after notification).
- Data encryption:
  - Prohibit the use of unencrypted data outside the organization.
  - Make sure ePHI is encrypted when it is sent.
- Other IT related measures:
  - Destroy the hard drives of old computers.
  - Employees should not share their passwords or make them too simple.
- Non-IT related:
  - Have a fire extinguisher that works properly.
- Security measures evaluation, sustainability and improvement
The health care organization is constantly subject to changes both internally (for example, in its operations) and externally, and ePHI likewise are subject to the increase/decrease of risks.
Risk management, like risk assessment, is a dynamic and continuous process that should be regularly reviewed, modified if needed and updated according to those changes. Implemented security measures should be assessed and monitored, following the principle that new risk analysis outputs serve as inputs for risk management in order to “maintain risk at a reasonable and appropriate level” and/or adopt new measures for newly detected risks.
The HIPAA security rule requires that the evaluation standard should cover both technical and non-technical aspects but it does not have any requirement about the periodicity of doing so. Indeed, it depends on the specifics of each organization and the events that it faces. However, it is preferable and good practice to review processes when, for example, the organization plans to adopt a new technology. In this case, risk management would be concerned with checking if the existing security measures are enough and, if not, creating and implementing security measures as needed in order to make its use “safe” and to protect ePHI by minimizing the risk related to this new technology.
The musts for an efficient risk management process:
- Having an incident reporting system
- Having a complaint system
- Taking preventive OR corrective measures
- Having accurate, complete and updated documentation
- Educating employees on the matter
- Encouraging inter-departmental collaboration
Risk management is only performed to comply with the HIPAA security rule: FALSE! It also concerns the HIPAA privacy rule.
Risk management is only the responsibility of top management: FALSE! It is the responsibility of every worker using the organization’s systems, directly by reporting as well as indirectly by contributing to the creation of the risk management plan, even though it is top management’s decision.
Employees risk sanctions while reporting: FALSE! It is not the aim. Moreover, in case of lack of reporting, all the analysis done could be biased.
External resources cannot be used to implement security measures: FALSE! The organization is free to use internal and/or external resources. The HIPAA security rule does not have any requirement in this matter.
Risk management is an integrated part of the security management process that allows the healthcare organization to protect its finances, ensure employee and patient safety and provide quality care.
It is the role of health care risk managers to develop, implement, evaluate and sustain risk management plans by taking into account the changing internal and external environment of the organization.
The HIPAA security rule sets out the main lines of the risk management process and gives guidelines in order to make its adoption easier. At the same time, it gives freedom to the organization to adapt it according to its available resources and needs. Moreover, due to the possible complexities related to the performance of security management, the HIPAA security rule encourages health care organizations to take into account the general concepts in order to comply with it.