
Six ways healthcare providers mismanage compliance and security risk

A few years ago I read an article in Harvard Business Review titled ‘Six Ways Companies Mismanage Risk’ by René M. Stulz.  It largely addressed financial companies and how they were blindsided by the ’07-08 meltdown, but the six bullet points in the article seemed appropriate to almost any business risk management scenario. 

In my recent conversations with healthcare providers regarding HIPAA compliance and security risk analysis, it occurred to me that these six points could be applied to the current healthcare environment with a little contextual modification. Much like financial companies, medical organizations collect, produce, and store confidential and mission-critical information which must be protected. The compromise or misuse of this information can result in significant or even catastrophic loss to the business, so a rigorous risk management program should be in place. The following points are common mistakes to be aware of when considering your exposure to risk.

1.  Relying on historical data.

Risk-management modeling draws from past experience and data. However, healthcare is rapidly and constantly changing. Technologies have changed, and so have the laws and legal requirements. Change and innovation bring new threats and vulnerabilities that are not revealed by past experience or statistics.
Example: Many new aspects of healthcare are uncharted territory, including the use of mobile and portable devices, cloud-based EMR, growing numbers of mergers and acquisitions, the recent exponential increase in security breaches, and increased enforcement of HIPAA regulations, among others.

2.  Focusing on narrow measures.

I have often heard the phrase “Oh, we have that covered,” or some variation of it, when I ask a practice manager or compliance officer about security and compliance. This is usually followed by a supporting statement such as “Our EMR provider handles security” or “Everybody has been trained and we have a big binder of policies and forms.” Granted, there are many organizations that are covering all of the touch points involved in a thorough compliance and risk management program, but many more are wearing blinders and focusing on one or two aspects of a multi-faceted and complicated subject.
Example: Many managers have conducted a ‘checklist’ audit of their operations and consider it sufficient. However, a checklist alone is not up to the task of determining or mitigating risk. A number of healthcare companies have suffered multi-million-dollar losses due to insufficient scope in their compliance effort. A valid security risk analysis that covers a wide range of variables is required by regulation, and many organizations have not recently completed one, if ever.

3.  Overlooking knowable risks.

Managers occasionally just miss something. Sometimes it is a matter of having too much to do and too little time. Other times it is an error of omission caused by not thinking through the possibilities and ‘what if’ scenarios.
Example: A practice buys new laptops. Are there policies and procedures that cover portable devices? Are the laptops going to access or store PHI? Are they encrypted? Are they going to be taken outside of the facility? What is going to be done with the old laptops? These are only some of the questions that need to be asked.

4.  Overlooking concealed risks.

People in positions of responsibility sometimes take shortcuts. Sometimes, if they know it is against policy or regulations, they do not tell anyone. And sometimes they just do not know that their action or inaction could have unforeseen consequences, so they disregard the need to share or document important information. These types of risks can accumulate in an organization over time.
Example: If there are insufficient policies in place, or no likely consequences for violating policies, then staff may do what is expedient as opposed to what is prudent. The risk will tend to expand if left unmonitored. This also applies to sharing PHI with improperly vetted business associates who may have insufficient security controls in place.

5.  Failing to communicate.

Policies and procedures will not reduce risk if they are not clearly communicated to everyone involved.
Example: I have read quite a number of P&P documents that are vague, out of date, inapplicable to the type of facility or system, written in opaque legalese, and/or just insufficient. In addition, few staff members have the desire to read through them, and sometimes the main points are not even included in staff training. Clarity, availability, awareness, and appropriate information sharing are important to effectively managing risk and building a culture of compliance.

6.  Not managing in real time.

Change can occur quickly. Failure to adapt privacy and security measures to new situations may introduce new risk. Another important issue is the need for rapid response in the event of complaints or a security breach.
Example: Staff members come and go. Systems are changed or updated. External threats to security arise constantly. Flexibility and consistent monitoring are important. Regular risk assessments and timely remediation of identified vulnerabilities or adverse events are critical. Compliance and security are constant, ongoing processes.

Keeping these six items in mind may be helpful when considering the implementation of compliance and risk management programs for your organization. Some of the pitfalls associated with these types of oversights can be avoided by using a formalized risk management approach and conducting a thorough security risk assessment based on the regulatory standards and a recognized cybersecurity framework (e.g., NIST). If you don’t have in-house personnel with the knowledge to perform a rigorous assessment, bringing in a third-party expert to assist is a wise investment.
While common sense will generally keep your business out of harm’s way, some additional thought and effort is called for to reduce the chances of suffering a security- or compliance-related loss.

Reference:
René M. Stulz, “Six Ways Companies Mismanage Risk,” Harvard Business Review, vol. 87, no. 3, March 2009.