Risk management and assessment in healthcare organisations

Risk management is an essential process for any organisation, including healthcare organisations. The European Union Agency for Cybersecurity (‘ENISA’) defines risk management as “the process of identifying, quantifying, and managing the risks that an organisation faces” (ENISA, n.d.). This process is (or should be) a continuous cycle, so that the organisation can act on potential and active risks and prioritise which of them to act on first.

See ENISA’s webpage on Risk Management and related topics for more information: https://www.enisa.europa.eu/topics/threat-risk-management/risk-management.

Risk management in healthcare

According to NEJM Catalyst (NEJM Catalyst, 2018), risk management in healthcare has undergone two significant changes in the last few years, namely a shift in focus and a shift in approach:

  • Healthcare organisations shifted from a patient- and staff-centred focus to an organisation-wide focus.

Previously, risks were identified mainly in the context of patient safety, the occupational health of workers, and the liability issues that may arise from both. Healthcare organisations have now widened their risk assessments to cover organisation-wide challenges: risks to IT systems, medical devices and applications, data protection, privacy, and more.

  • Healthcare organisations shifted from a reactive approach to a proactive approach.

Historically, organisations responded to risks only after the fact, on the basis of prior (security) incidents. Now, organisations evaluate potential risks and act on them before they manifest in practice.

To read more about risk management in healthcare, see: https://catalyst.nejm.org/what-is-risk-management-in-healthcare/.

As a result of these transformations, healthcare organisations increasingly invest in Enterprise Risk Management (‘ERM’), which takes into consideration all processes within the healthcare organisation and the interrelations between them. According to a recent survey, ERM maturity is still a core priority for healthcare organisations (HIMSS Analytics, 2018).

You can find more information on the survey outcomes through this link: https://www.himss.eu/himss-analytics-annual-european-ehealth-survey-2018.

While risk management is predominantly the responsibility of management-level staff, the outcomes and decisions that follow an assessment affect the entire organisation. Organisational culture can have a significant impact on the success of new cybersecurity measures (Vanlanduyt, 2016). It is therefore important to involve more of the organisation than ‘just’ IT in the risk management chain when conducting a risk assessment: clinical staff, biomedical engineering, procurement and data protection roles all own parts of the risk picture.

Standards and certification

Standards such as ISO/IEC 27001 can support organisations in addressing risk management and their security strategy. ISO/IEC 27001 is probably the best-known standard specifying requirements for an Information Security Management System (‘ISMS’). In the words of ISO (2019): “An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process”. However, standards do not always contain detailed guidelines (SecureHospitals.eu, 2019), so reaching compliance can be complicated. Certification may nonetheless be worth pursuing, as it can add value to any healthcare organisation. One caveat: a certificate attests that the management system and its risk treatment process exist and are followed, not that the organisation’s systems are free of vulnerabilities; the technical controls still have to be verified separately.

As part of the certification process, a risk assessment must be conducted and supported by the appropriate reports and documentation. ISO/IEC 27001 also requires the assessment to be repeated at planned intervals and when significant changes occur, so the documentation should be maintained as a living record rather than produced once for the audit. Helpful guidelines for writing ISO 27001-compliant risk assessment procedures are available from Chloe Biscoe (2018) at this site: https://www.itgovernance.co.uk/blog/how-to-write-an-iso-27001-compliant-risk-assessment-procedure.

Risk management methods and tools

ENISA provides an Inventory of Risk Management / Risk Assessment Methods and Tools. These are designed to support risk managers, and those in similar roles, in evaluating current risks or conducting risk assessments. You can find the inventory here: https://www.enisa.europa.eu/topics/threat-risk-management/risk-management/current-risk/risk-management-inventory.

Tips for further reading and learning

In addition to the texts cited above, the following references provide further support on risk management and assessment processes:

Calyptix. (2018, June 11). Top 5 Cyber Security Frameworks in Healthcare. Retrieved 14 August 2019, from Calyptix Security website: https://www.calyptix.com/hipaa/top-5-cyber-security-frameworks-in-healthcare/

ENISA. (n.d.). Risk Management [Topic]. Retrieved 14 August 2019, from https://www.enisa.europa.eu/topics/threat-risk-management/risk-management

HIMSS Analytics. (2018). Annual European eHealth Survey 2018. Health-IT predictions for Europe. Retrieved from https://www.himss.eu/himss-analytics-annual-european-ehealth-survey-2018

ISO. (2019). ISO/IEC 27001 Information security management. Retrieved 22 February 2019, from ISO website: http://www.iso.org/cms/render/live/en/sites/isoorg/home/standards/popular-standards/isoiec-27001-information-securit.html

Maqueda, Ó. (2016, September 22). Cybersecurity in the healthcare supply chain. Retrieved 14 August 2019, from HIMSS Europe website: https://www.himss.eu/himss-blog/cybersecurity-healthcare-supply-chain

NEJM Catalyst. (2018, April 25). What is Risk Management in Healthcare? Retrieved 14 August 2019, from NEJM Catalyst website: https://catalyst.nejm.org/what-is-risk-management-in-healthcare/

SecureHospitals.eu. (2019). Trainer interviews report. Retrieved from https://project.securehospitals.eu/

Sun, T. (2019). Cybersecurity Risk Management. Retrieved 14 August 2019, from edX website: https://www.edx.org/course/cybersecurity-risk-management-2

Vanlanduyt, J. (2016). Patient Safety & Risk Management. HealthManagement, 16(3). Retrieved from https://healthmanagement.org/c/healthmanagement/issuearticle/patient-safety-risk-management