Today, Information Technology (IT) has become necessary for the provision of efficient healthcare services. As computers become integrated in almost every technology, healthcare is a domain that has benefited significantly from technological innovation. Healthcare workers rely ever more on the timely availability of accurate, quality information in all aspects of patient care, public health and healthcare management. Trustworthiness in stakeholder communication and co-operation throughout the complete lifecycle of health data, starting with informed consent and respecting an individual's rights (including the right to privacy), is fundamental: it is expected by the stakeholders and it is necessary. These reasons and others bring to the forefront a new source of concern for patients, healthcare workers and other stakeholders: Informational Risk. The management of Informational Risks, as a formal organisational process within a healthcare organisation, is what we define as Healthcare Information Risk Management or HIRM. The goals of HIRM are:
- To ensure the privacy of patients and the confidentiality of health care data by the prevention of the unauthorized disclosure of information;
- To ensure the integrity of health care data by the prevention of unauthorized or accidental modification of information;
- To ensure the timely availability of health data for authorized persons by the prevention of unauthorized, accidental or unintended withholding of information or resources.
The word risk finds its origins in the Middle Ages Italian word risco, meaning sharp rock. In the 17th century, as the early insurance companies were involved in maritime shipping, risk evolved from meaning the sharp rocks that were a source of danger for ships to signifying the danger that future expected results may be negatively impacted. Since the introduction of probabilities by Blaise Pascal and the early work of the French philosopher Jean-Jacques Rousseau on uncertainty, the idea has developed that risk is something that can be studied and managed. Risk stems from uncertainty surrounding potential future states and the consequences of those states should they occur. In epidemiology, it is most often used to express the probability that a particular outcome will occur following a particular exposure. Informational Risk is defined as risk that may impact the timely availability of accurate, quality information.
There are many different types, or categories, of risk. Most will be familiar with financial risks, environmental risks, operational risks and insurance risks, to name only a few. As risk is present in all endeavours there is a near infinite list of different types of risks. An organization must identify the activities where risks are the most significant for the organization. This may be motivated by several factors such as its legal obligations, the expectations of its stakeholders or other reasons considered significant by managers in the organization. When an outcome is certain, we do not have risk; we have a certainty.
Risk can be defined in a mathematical fashion by a simple equation:
Risk = threat x likelihood x impact
Risk is directly proportional to the likelihood of the realization of a threat and directly proportional to the impact, while it is inversely proportional to the risk mitigation measures implemented by an organization. There is a limit beyond which additional impact no longer affects risk in a significant fashion: for example, when a building is damaged to the point that it can no longer be used and must be demolished, further damage to it adds little. The relationship between risk and impact should therefore not be understood to be a linear one. In the same fashion, risk mitigation measures will reduce risk only up to a certain limit. There is a point where additional risk mitigation measures may actually begin to increase risk, for example because of the complexity they add to information systems.
While several theories have been developed in the past, particularly in relation to gains and financial investments, there is no single mathematical representation of risk that can apply to all situations. This is why risk can be regarded more as a state of mind than as a quantifiable object.
In any business activity, operation or opportunity, internal or external forces will generate pressures that influence the amount of risk perceived from within. These internal or external forces are seen as threats to the achievement of the expected outcome. If, by looking at the processes, we are able to identify these forces, then it may be possible to get an understanding of risk at a moment in time in an organization. The probability of the realization of a threatening situation, considered together with the risk mitigation processes in place in an organization, forms the basis of risk management. There are various types of risk such as financial risks, insurance risks, health risks, environmental risks and many other categories. Our principal interest is in risks that affect information technology, systems and data, as well as risks that are generated by the integration of information technology in organizations, which we refer to as Informational Risks.
Informational Risk is composed of three component parts: a threat, the likelihood that it materializes, and its impact.
For risk to exist there must be a threat, or several threats, that may materialize and have a negative effect on the expected outcome. The possible negative outcome, the impact, should determine how many resources an organization can reasonably put forward to mitigate the consequences of the realization of the threat, or to put in place tools or processes to reduce the likelihood that the threat materializes. Risk Management is mostly concerned with threats that may have a negative impact; it should be noted, however, that an uncertain outcome need not always be negative. Risk assessment methodologies nonetheless tend to give more significance to events that may negatively impact the desired outcome.
In assessing HIRM, an organisation must consider its requirements. These can be constructed from a variety of sources such as:
- Applicable laws and regulation;
- International treaties and conventions;
- Healthcare authority rules and directives;
- Codes of ethics and of deontology;
- Standards, best practices and guides such as this one;
- Internal organisational policies, procedures;
- Organisational requirements, objectives and goals.
Additional sources can also be used, in accordance with the specific situation of a particular healthcare organisation. Overall, these requirements need to be translated into IT security requirements, generally expressed in relation to Confidentiality, Integrity and Availability. For example, [ISO17799] does not define exact requirements for how to proceed; it requires an organization to put in place a formal process to identify, quantify and prioritize risks against criteria and objectives relevant to the organization. This implies that an organization must first define what these criteria and objectives are, expressed in relation to the seven attributes of risk (confidentiality, integrity, availability, non-repudiation, control of the origin of data, control of the origin of user access, and access controls).
Organisations that have built a capacity to perform risk assessments and achieved a certain level of maturity in risk assessment may want to further detail these requirements. This, however, should not be attempted in initial risk assessments. Detailed requirements in healthcare may include many of the requirements identified in the list below:
- Limiting Collection;
- Management controls;
- Processes to enable Challenging Compliance;
- De-identification of data;
- Secure transmission of data;
- Accountability and Non-repudiation;
- Informed consent;
- Identifying Purposes;
- Access to information by patients (right to withhold, segregate, amend and copy);
- Limiting Use, Disclosure, and Retention;
- Full disclosure (No secret databases shall exist);
- Non-commercial use (No medical record shall be sold, utilized for marketing purposes without the prior informed consent of the individual);
- Documentation and training.
Once these objectives have been identified, the organisation can determine the presence of a threat or of several threats (recognition of threats) that have some probability of materializing. The likelihood that a threat may materialize and the significance of the impact, taken together, should help the organisation prioritize its risk treatment options, as identified in figure 1, and mobilize resources as required, achieving a level of risk within the organisation's capacity to tolerate it.
At the strategic levels of healthcare organisations, HIRM techniques should be used proactively to measure, reduce and maintain risk at an acceptable level for the organisation and its stakeholders. Because of the complex interactions of IT throughout healthcare organisations, HIRM activities should have high-level management support and involve all stakeholders, at a level commensurate with their role. At a high level, HIRM activities, while considering organisational goals, capacities and constraints, include:
- Identification of threats and vulnerabilities;
- Prioritisation of these threats and vulnerabilities;
- Mobilisation of resources to eliminate unacceptable risk or reduce the impact of threats and vulnerabilities to an acceptable level.
HIRM is often viewed as a subset of information system risk management. However, the requirements for HIRM are different from those of IT in a corporate setting. A complex mixture of organisational, ethical, legal and deontological requirements must be met in HIRM, and these all need equal consideration. In a corporate setting risk is often considered in relation to a future expected yield. In HIRM the future expected value should include elements that are difficult to objectively quantify, such as quality of life, population health levels, reduction of waiting times and others. The impact of HIRM can have human, ethical, legal, financial and even criminal considerations. Ethical issues, and in particular privacy issues, are not well addressed in current Risk Management methodologies. These risks tend to be underweighted in corporate settings, resulting in ethical risks and privacy risks receiving less attention. HIRM must take this into account when applying any Risk Assessment or Risk Management methodology.
HIRM should be an on-going activity, capable of continuously evolving and improving with the organisation's needs and society's expectations. Incorporating HIRM processes in a cyclical plan – do – check – act exercise, such as proposed in ISO 27001, will allow organizations to proceed in a careful and paced manner. In our experience this has proven to provide the best results.
Risk treatment, as the name implies, is about the possible options an organization has to deal with risk. Our observations lead us to believe that all organizations have some form of risk treatment process. Many organizations, most notably those that are led by their founders, have implemented informal risk management processes that can best be described as gut feelings. Managers who feel they have a keen understanding of their market, their organization and its environment will often make decisions about risk based on their experience, their abilities and their perception of a particular threat. While this has worked well in the past for many organizations, it is no longer considered acceptable when considering laws, international treaties, ethical issues and the expectations of the general population. Organizations today need to put in place formal risk treatment processes, often referred to as a risk management framework, to fulfil their legal and contractual obligations as well as meet the expectations of their stakeholders.
In theory there are only four ways to deal with risk. Risk can be transferred, avoided, mitigated or accepted.
Figure 2: The treatment of risk (4 boxes)
Risk transfer, as its name states, has to do with the transfer of risk from an organization to an external party. An insurance policy is a form of risk transfer. In recent years, post 9-11, cyber insurance has become more and more available. While this was not a popular option only a few years ago, it may be an excellent way to manage certain types of risk. Although it does nothing to the threat itself or to the organization's assessment of the likelihood of realization of a threat, risk transfer will greatly reduce the organizational impact of the realization of a threat. In cyber insurance, for example, the evaluation of the likelihood of the realisation of a threat will be done by the insurer, who will use it to determine the price of a particular insurance policy.
In relation to a particular threat, an organization that wishes to transfer risk might choose to take out an insurance policy to protect against that specific risk. An insurance policy has the benefit of providing an easily quantifiable cost for the risk mitigation decision. Evaluating the pertinence of the risk mitigation decision is therefore made simpler because a quantifiable cost is attached to it. Risk transfer is a risk treatment option that allows a reduction in risk levels in exchange for organizational resources, most often money.
Risk avoidance is about not undertaking a certain activity because the organization has decided that the risk associated with it, considering its risk mitigation options, is too high. It may be that the associated risk is perceived to be too high while in fact it is not, but the organization and its management feel that the risk is not worth the candle.
Risk mitigation is about the implementation of tools, business processes and organizational change to reduce the level of risk associated with a threat. Risk mitigation activities may take many forms, such as the creation of an organizational risk management policy or the installation of a firewall. Risk mitigation activities in an organization need to be supported by some form of risk assessment process. This allows the organization to measure the effect of a risk mitigation measure on organizational risk and to make the best use and allocation of resources. Risk mitigation is at the heart of what we are discussing in this article. It is here that most organizations will spend the most time and money. Implementing a firewall, for example, in an organization whose computer network is connected to the Internet, is a risk mitigation activity. Reviewing business processes to evaluate the risks associated with them, and identifying and implementing changes in the organization to better control these risks, is risk mitigation.
Risk mitigation, like risk transfer, is a risk treatment option that allows a reduction in risk levels in exchange for organizational resources, most often money. Risk mitigation measures, like any change in an organization, need to be planned and implemented while respecting the organizational culture. A particular difficulty in many risk mitigation implementations has to do with change and resistance to change.
Risk acceptance is like saying: I know there's risk but I'm willing to live with it. This should not be confused with a blind acceptance of risk, nor should it be understood to mean that no assessment, evaluation or management can be done. Risk acceptance should only be the result of due diligence performed in risk management. The organization must have given considerable thought to a threat and determined that the risk is at an acceptable level, considering the constraints of the organization, the likelihood of realization and the impact. Only then may it be a reasonable treatment of risk. If risk is accepted without being clearly understood, risk acceptance may be a very risky proposition.
One of the first things an organization can do when dealing with information risk is to determine its level of organizational maturity. The concept is that organizational change is complex: natural resistance to change and other organizational factors make it necessary for change to happen at a rate that is consistent with the organization's level of maturity.
We suggest using the model proposed by the SSE-CMM standard (ISO/IEC 21827). This model is based on the Capability Maturity Model that is widely known in the information technology field. In this model the level of risk maturity increases with the integration of risk management in the organization. The level of maturity also increases with the level of organizational understanding of the different aspects and elements of risk that affect the organization. While complexity increases with the level of maturity, the organization acquires the ability to deal with it more efficiently. Moving from one level of maturity to a higher one requires an investment in resources, time, money and people. It also requires other elements which are specific to the organisational requirements and constraints.
Figure : Capability Maturity Model
One of the key elements in risk management in organizations has to do with the management of change. Properly assessing where the organization finds itself at any given moment in time with regard to its risk maturity will allow an organization, and particularly its risk managers, to put in place an action plan for the establishment of a risk management framework that respects the organization's ability to change, its requirements and its culture. We have found in our practice that moving too quickly to implement a risk management framework will most likely result in failure.
Organizations that think about risk as an integral part of their business decision processes are the most likely to manage risk appropriately in the short, medium or long term. Successful organizations have developed a sensibility to risk at every level. By making risk a shared responsibility of all the members of an organization, they have developed what is called a risk culture. This should be an important goal of any organization that wishes to implement a formal risk management framework.
Developing a risk culture involves ensuring that all members of the organization have an understanding of the existing and potential risks that their organization faces in its day-to-day activities. These individuals then tend to include risk management thinking as a part of what they do. Risk will then be considered in all aspects of the activities of the organization: not only in areas where risk management has always been present in some form, such as financial activities, but also in areas such as logistics, application development, sales and all other business units within a small or large organization.
The first step towards this should probably be the nomination, or identification, of a risk champion. The risk champion should be a senior and influential individual within the organization who has a clear mandate from the highest levels of the organization. This individual should have at their disposal sufficient resources, such as time, staff, budgets and technology, at a level that is deemed appropriate considering the particular constraints of a given organization. The risk champion's job responsibilities should include those required to appropriately manage known risks to the organization, and provide enough flexibility for the risk champion to respond to risk in all areas of the organization. The risk champion can act as a single point of contact within the organization and between the organization and the outside world.
A key to the implementation of a risk culture in any organization is communication. Communicating information about risk to all members of the organization, at all levels, is a critical success factor for the implementation of a risk management framework. From the inception of the project through its implementation, and throughout the continuous improvement process such as we propose here, ensuring that all stakeholders understand how they are affected by risk management activities is the best way to manage the natural resistance to change that is often the cause of failure of these types of projects.
While there is no single best way to communicate this information, we have found certain approaches that seem to be present in successful projects. Certainly, visible management involvement and ownership of the project at the highest levels in the organization is critical, and this high-level ownership must be publicized throughout the organization. We also find that the creation of a communication plan, which should include direct communications using e-mail or a newsletter, is a good way to go. Throughout the project, and on an ongoing basis after the initial implementation, the organization needs to receive positive reinforcement about the usefulness of the risk management framework and of its risk management activities, in order to maintain the perception throughout the organization that it is necessary to allocate time, money and other resources to these activities.