Risk management and assessment in healthcare organisations
Risk management is an essential process for any organisation, including healthcare organisations. The European Union Agency for Cybersecurity (‘ENISA’) defines risk management as “the process of identifying, quantifying, and managing the risks that an organisation faces” (ENISA, n.d.). This process is (or should be) a continuous cycle, enabling organisations to act on potential or active risks and to prioritise which ones to act on first.
See ENISA’s webpage on Risk Management and related topics for more information: https://www.enisa.europa.eu/topics/threat-risk-management/risk-management.
Risk management in healthcare
According to NEJM Catalyst (NEJM Catalyst, 2018), risk management in healthcare has undergone two significant changes in the last few years, namely a shift in focus and a shift in approach:
- Healthcare organisations shifted from a patient- and staff-centred focus to an organisation-wide focus.
Previously, risks were mainly identified in the context of patient safety, occupational health of workers, and liability issues that may arise. Currently healthcare organisations have shifted focus towards including organisation-wide challenges in their risk assessments. This means an evaluation of risks to IT systems, medical devices and applications, data protection, privacy, and many more.
- Healthcare organisations shifted from a reactive approach to a proactive approach.
Historically, organisations responded to risks only after the fact, based on prior (security) incidents. Now, organisations evaluate and act on potential risks before they manifest in practice.
To read more about risk management in healthcare, see: https://catalyst.nejm.org/what-is-risk-management-in-healthcare/.
As a result of these transformations, healthcare organisations increasingly invest in Enterprise Risk Management (‘ERM’). ERM takes into consideration all processes and their interrelations within the healthcare organisation. According to a recent survey, ERM maturity is still a core priority for healthcare organisations (HIMSS Analytics, 2018).
You can find more information on the survey outcomes through this link: https://www.himss.eu/himss-analytics-annual-european-ehealth-survey-2018.
While risk management is predominantly the responsibility of management level staff, the outcomes and decisions that follow the assessment affect the entire organisation. Cultures (within the organisation) can have a significant impact on the success of new cybersecurity measures (Vanlanduyt, 2016). Therefore, it is important to involve more aspects in the risk management chain than ‘just’ IT, when conducting a risk assessment.
Standards and certification
Standards, such as ISO/IEC 27001, can support organisations in addressing risk management and their strategy. ISO 27001 is possibly the most well-known standard of requirements for Information Security Management Systems (‘ISMS’). In the words of ISO (2019): “An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process”. However, standards do not always contain detailed guidelines (SecureHospitals.eu, 2019), meaning that reaching compliance can be complicated. Nevertheless, it may be worth pursuing certification against these standards, as it can be of added value to any healthcare organisation.
As part of the certification process, a risk assessment must be conducted, and it should be supported by the appropriate reports and documentation. Helpful guidelines for writing ISO 27001-compliant risk assessment procedures are available from Chloe Biscoe (2018) at this site: https://www.itgovernance.co.uk/blog/how-to-write-an-iso-27001-compliant-risk-assessment-procedure.
Risk management methods and tools
ENISA provides an Inventory of Risk Management / Risk Assessment Methods and Tools. These are designed to support risk managers or those in similar roles to evaluate current risks or conduct risk assessments. You can find the inventory here: https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory.
Tips for further reading and learning
In addition to the texts referenced above, the following sites offer further support on risk management and assessment processes:
- ENISA (2016). Smart Hospitals. Security and Resilience for Smart Health Service and Infrastructures: https://www.enisa.europa.eu/publications/cyber-security-and-resilience-for-smart-hospitals.
- HIMSS Europe. Resources for Information and Technology experts: https://www.himss.eu/media.
- Calyptix (2018). Top 5 Cyber Security Frameworks in Healthcare: https://www.calyptix.com/hipaa/top-5-cyber-security-frameworks-in-healthcare/.
- Hermeneut (2019). White paper on cybercrime and cyberterrorism – Healthcare: https://www.hermeneut.eu/download/cybercrime-cyberterrorism-healthcare-sector/.
- Maqueda (2016). Cybersecurity in the healthcare supply chain: https://www.himss.eu/himss-blog/cybersecurity-healthcare-supply-chain.
- Sun (2019). Cybersecurity Risk Assessment course on EdX: https://www.edx.org/course/cybersecurity-risk-management-2.
References
Calyptix. (2018, June 11). Top 5 Cyber Security Frameworks in Healthcare. Retrieved 14 August 2019, from Calyptix Security website: https://www.calyptix.com/hipaa/top-5-cyber-security-frameworks-in-healthcare/
ISO. (2019). ISO/IEC 27001 Information security management. Retrieved 22 February 2019, from ISO website: http://www.iso.org/cms/render/live/en/sites/isoorg/home/standards/popular-standards/isoiec-27001-information-securit.html
Maqueda, Ó. (2016, September 22). Cybersecurity in the healthcare supply chain. Retrieved 14 August 2019, from HIMSS Europe website: https://www.himss.eu/himss-blog/cybersecurity-healthcare-supply-chain