With patient and other hospital-related information increasingly going online, it is time hospital CIOs took cognizance of the importance of securing data in the healthcare industry. The last two articles, An Approach Paper on Cyber Risk Management in Healthcare: Part 1 and An Approach Paper on Cyber Risk Management in Healthcare Part 2: What is a Risk?, covered cybersecurity concerns in healthcare and the risks involved, respectively. In this part of the series, let us take a look at some of the risk management methodologies.
A risk management methodology is a systematic approach to:
- anticipating unknown risks,
- prioritizing known risks, and
- placing resources and attention toward those most likely to threaten the critical success of the processes.
There are, in effect, two types of risks associated with Health Care IT processes: process risks and organizational risks.
These risks need to be managed meticulously in order for the organization to realize the business benefits and value of the process outcome.
Network Situational Awareness brings hope. Time-tested tools and techniques aid in defining, responding, and managing the risks created by the complexities of the IT Network. The systematic thinking inherent in the project management discipline brings order to chaos. The science and art of project management, the mix of hard-skills and soft-skills, setting “SMART” goals, and utilizing standard methods and a common lexicon add value to decision making and problem solving.
Managing risk is the systematic process of identifying, analysing, prioritizing, and responding to risk. Managing risk is not new! We do it every day. Buying insurance is just one example. However, varying scales of situational complexity and potential risk impact deserve variation and flexibility in applying risk management strategies based on scale, probability, and order of magnitude.
Planning and Identification of Risk:
One method for planning and identifying project risks is as follows:
4-step process to manage risks
- identify the risk
- assess the frequency and severity of the risk
- reduce or eliminate the risk
- cost the risk
Know how to apply risk management principles by identifying, assessing and reporting hazards and potential risks in the workplace:
- the activities used for gathering information about risk
- fitness to practise requirements
- personnel accountability for managing risk
- know how to report known risks or hazards in the network
- keep accurate and complete records
- self-assess to reduce the risk of errors caused by inadequate knowledge and skills
- participate in meetings that discuss risk management and patient safety
- respond appropriately to complaints
Qualitative and Quantitative Risk Assessment Techniques
Risk assessment rating and analysis techniques help us better understand the magnitude of the risk and its potential consequences. The degree of severity of the risk’s consequence is the driver to plan a response and be ready for action if the event actually happens.
Qualitative risk analysis is a nonnumeric (subjective) estimate of the chance of a risk happening and an analysis of the best methods for countermeasures. The input to this method comes from subject matter experts (SMEs) and from historical evidence found in documentation and lessons learned from previous engagements.
Quantitative risk analysis usually follows qualitative. The decision to use one method versus the other, or use both methods, depends on the need and the comfort level of the practitioner.
Risk Response Planning (RRP)
The main methods for risk response planning are:
- Risk Avoidance, such as changing the implementation methods, resources, or the project plan.
- Risk Acceptance, for example, having a contingency plan prepared as a back-up system.
- Risk Mitigation, for example, adding countermeasures to the project plan.
- Risk Transfer/Shifting risk, for example, by contracting externally or outsourcing.
Establishing a reporting procedure for cybersecurity events is also critical. All stakeholders should be encouraged to report any suspected breaches.
Wireless network security requires focussed risk assessment
One example in a wireless network security risk assessment might be to imagine, “What is the worst-case scenario that can happen if a doctor hooks up his home wireless router to our network and a hacker uses this rogue access point as an on-ramp to our EHR system?” From there, one aims to prevent data breaches by either implementing a hardware solution or writing a hospital policy forbidding the setup of such rogue access points — or both.
Whatever risk assessment and mitigation method you choose, make sure it’s done for every device used on the hospital wireless network, whether it’s a medical device tracking information on patients or a new iPad a physician is using for email.
Assign each device a risk score that’s related to how much patient data it handles and how frequently, and whether it holds or transmits data, or does both. For the most effective policy, address first the devices that score the highest for risk.
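One way to implement the scoring described above, as an added example that is not part of the original article: the ordinal scales, the multiplication formula and the device names are assumptions. Devices that have not been assessed yet are scored as worst case, so they are reviewed first instead of dropping to the bottom of the list.

```python
from dataclasses import dataclass
from typing import Optional

# Ordinal scales and the scoring formula are assumptions made for this example.
LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}

@dataclass(frozen=True)
class Device:
    name: str
    phi_volume: Optional[str]     # how much patient data it handles
    phi_frequency: Optional[str]  # how often it handles it
    stores: Optional[bool]        # holds patient data at rest
    transmits: Optional[bool]     # sends patient data over the wireless network

def level(value: Optional[str]) -> int:
    """Map an ordinal label to a number; unassessed (None) counts as worst case."""
    if value is None:
        return LEVELS["high"]
    if value not in LEVELS:
        raise ValueError(f"unknown level: {value!r}")
    return LEVELS[value]

def risk_score(d: Device) -> int:
    """volume x frequency x exposure, range 0..18."""
    # Exposure: 1 for holding or transmitting, 2 for both; unknown is treated as True.
    exposure = sum(1 for flag in (d.stores, d.transmits) if flag is None or flag)
    return level(d.phi_volume) * level(d.phi_frequency) * exposure

def prioritize(devices):
    """Highest score first; ties broken by name so the order is stable."""
    return sorted(((risk_score(d), d.name) for d in devices),
                  key=lambda pair: (-pair[0], pair[1]))

# Constructed sample inventory (hypothetical devices).
INVENTORY = [
    Device("infusion-pump-07", "low", "high", False, True),
    Device("physician-ipad-12", "medium", "medium", True, True),
    Device("ehr-workstation-03", "high", "high", True, True),
    Device("guest-kiosk-01", "none", "low", False, False),
    Device("unassessed-monitor-22", None, None, None, None),
]

if __name__ == "__main__":
    for score, name in prioritize(INVENTORY):
        print(f"{score:>2}  {name}")
```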
Beyond that, it pays to partition the hospital wireless network. That way, patients or visitors on laptops, tablets and wireless-enabled MP3 players stay away from network areas where patient data is flowing.
Boost wireless network security by encrypting patient data
Security risk assessment isn’t just a one-time exercise. It’s an ongoing process from which policies arise — and must be enforced — for compliance to occur.
Consider encrypting all protected patient data. On the device level, encryption can be a thorny process, a reality that is leading some facilities to decide that virtual private networks, or VPNs, are the most cost-effective way to encrypt. Moreover, many hospitals use legacy systems and equipment that aren't designed to handle data encryption, so integrating data encryption into a wireless network can prove problematic.
Draft a social media policy
- One issue with smartphones in a health care setting is their built-in cameras. To bolster compliance, limit or prohibit their use in your social media policy. Encrypt all data sent to and from mobile devices.
- Many smartphone apps plug directly into feeds for social media sites, such as Twitter and Facebook.