SECURE HEALTH ORGANIZATIONS - Meeting the Challenge

eHealth 2005
Track: Privacy, security, ethical and legal aspects of health information systems


By

Marc-André Léger, MScA (MIS), PhD Candidate in Health Informatics,
University of Sherbrooke, Sherbrooke, Québec, www.cred.ca
Correspondence: marcandre@leger.ca  

and

Guy Paterson, CISA, CISM, FHIMSS, CPHIMS, CHS, BSP, PhC, President
IHI - Health Informatics Resource Group Inc,
 Saskatoon, Saskatchewan
e-mail: guy.paterson@sasktel.net

Abstract

Implementing a comprehensive and successful Risk Management culture, related to security and privacy in health organizations, can be a significant endeavour.  Beyond the complexity of the technology, several organizational issues may impede success, such as: resistance to change; lack of understanding of the benefits of security; inability to adequately assess and manage risk; and discordant management signals.

The technical elements of IT Security in healthcare are complex, costly and require constant attention.  They challenge even the most advanced organizations.  We suggest that, even when the technical elements of IT security are known in a healthcare organization, the dominant culture often makes it difficult to successfully implement a security culture or, alternatively, a knowledgeable risk culture.

Introduction

Organizations today want to manage risk.  There are many factors that justify this. The limited availability of financial and human resources motivates organizations to be very careful about how they allocate them.  An adequate level of investment in Risk Management is one of the ways to ensure that resources are used in the most efficient manner.  In some cases laws and regulations require organizations to implement a Risk Management program.  In other cases contractual requirements may be the catalyst.  Whatever the reason, Risk Management has become a subject of much interest to organizations of all sizes in all regions of the world.

In the health care arena, information systems are increasingly present in all aspects of clinical practice, in administrative functions and in many other areas. The emerging importance of the Electronic Health Record (EHR), as well as the increased use of information and communication technology (ICT) in healthcare activities, including administration and research, is progressively providing access to large quantities of data concerning patients, health care delivery and research [1] [2] [3]. Healthcare should therefore benefit significantly from the introduction of formal ICT management activities, notably Risk Management, in healthcare organizations.

In this article we look at Risk Management in the healthcare context and discuss a fundamental element of the implementation of Risk Management in the healthcare organization: culture. Change in an organisational context affects culture. To implement Risk Management, adaptation of the overall values and paradigms to include understanding of Risk Management issues by all the stakeholders in the organisation is a critical success factor.  Before we discuss cultural aspects, we first briefly introduce key concepts of risk in general and in the context of healthcare.  From there we present the arguments and solutions for the establishment of a Risk Culture. We then propose the use of certain ISO standards that can be used to assist organizations.  Finally, we conclude with some recommendations.

Risk in healthcare

Everywhere there is an opportunity for change, there is an opportunity for things to go wrong, and this is what risk is about. Risk should be viewed as a natural occurrence, a force that results from the pressures of the environment [4]. To a certain extent we can say that risk is unavoidable: it is there and we need to deal with it.

Risk = (threat likelihood x impact) / mitigation

Risk is often defined as the combination of the probability of an adverse event (its likelihood of being realized) and its consequence (impact), while taking into account the mitigation measures in place [5].  Since ICT plays a significant role in all aspects of organisations, an organisation that wants to perform optimally, with regularity, over time, needs to identify the predictable [6] and therefore needs to manage its ICT risks. Managing risks in ICT, what we call Information Risk Management (IRM), is paramount to accurate financial reporting and optimal decision-making [7].

The requirements for IRM in healthcare are different from those of ICT used in other areas [8]. IRM processes generally implement sub-processes of risk assessment, risk evaluation, and risk mitigation [9] [10] [11]. The main objective is to balance the operational and economic costs of risk mitigation measures so as to maximize organisational benefits by protecting the ICT that supports the organisation's mission [12]. In healthcare, a complex mixture of organisational, ethical, legal and deontological requirements must be met [13] that is not addressed in most current IRM methodologies [14]. IVRI™ [15], developed by Marc-André Léger, is an example of an IRM methodology that is designed to deal with organisational, ethical and legal issues.
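The formula above and the assessment / evaluation / mitigation sub-processes can be made concrete with a small risk register. The following is an added example written for this page; it is not part of the paper, of IVRI™ or of any cited standard. It assumes (our assumption, not the paper's) that likelihood and impact are ordinal scores from 1 to 5, that "mitigation" is a reduction factor of at least 1.0 (1.0 meaning no control in place), and that an organisation has set a residual-risk acceptance threshold. Reading mitigation as a factor rather than as "0 = nothing in place" is a deliberate choice: a literal reading of the formula would divide by zero for an unmitigated risk, which is exactly the case the assessment most needs to score. The register entries are constructed for illustration.

```python
from dataclasses import dataclass

# Added example, not from the paper: scoring a risk register with
#   Risk = (threat likelihood x impact) / mitigation
# Assumptions (ours): likelihood and impact are ordinal 1..5 scores;
# mitigation is a factor >= 1.0 where 1.0 means no control is in place
# (so an unmitigated risk keeps its inherent score instead of dividing
# by zero); "acceptable" is the organisation's residual-risk criterion.


@dataclass
class Risk:
    name: str
    likelihood: int     # 1 (rare) .. 5 (almost certain)
    impact: int         # 1 (negligible) .. 5 (severe)
    mitigation: float   # >= 1.0; 1.0 = no control in place

    def inherent(self) -> float:
        """Risk assessment step: score before controls are considered."""
        return float(self.likelihood * self.impact)

    def residual(self) -> float:
        """Risk evaluation step: score after the controls in place."""
        return self.inherent() / self.mitigation


def validate(risk: Risk) -> bool:
    """Reject scores outside the ordinal scale or a mitigation below 1.0."""
    return (1 <= risk.likelihood <= 5
            and 1 <= risk.impact <= 5
            and risk.mitigation >= 1.0)


def prioritize(register: list[Risk], acceptable: float = 5.0):
    """Risk treatment step: split the register into risks that exceed the
    acceptance criterion (to be treated, highest first) and risks that can
    be accepted as they stand (also ranked, for periodic review)."""
    bad = [r.name for r in register if not validate(r)]
    if bad:
        raise ValueError(f"invalid scores for: {bad}")
    ranked = sorted(register, key=lambda r: r.residual(), reverse=True)
    to_treat = [r for r in ranked if r.residual() > acceptable]
    accepted = [r for r in ranked if r.residual() <= acceptable]
    return to_treat, accepted


# Constructed sample register (illustrative; not from any real assessment).
SAMPLE_REGISTER = [
    Risk("EHR database reachable from the Internet",          4, 5, 1.0),
    Risk("Clinicians e-mail patient data in clear text",      5, 3, 1.5),
    Risk("Unencrypted laptop with data extracts lost",        3, 5, 5.0),
    Risk("Backup tape misfiled within the records room",      2, 2, 1.0),
]


if __name__ == "__main__":
    to_treat, accepted = prioritize(SAMPLE_REGISTER, acceptable=5.0)
    print("Treat (residual > 5.0):")
    for r in to_treat:
        print(f"  {r.residual():5.1f}  {r.name}")
    print("Accept and review:")
    for r in accepted:
        print(f"  {r.residual():5.1f}  {r.name}")
```

Two things the paragraph alone does not show: a strong control (the laptop encryption, factor 5.0) pushes a severe-impact risk below the threshold, while a low-impact risk with no control at all stays on the review list rather than disappearing. The acceptance threshold is an organisational decision that must be set before the scores are computed, otherwise the ranking has nothing to be prioritized against.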


Developing a risk culture

Organizations that treat risk as an integral part of their business decision processes are the most likely to manage risk appropriately.  Successful organizations have developed sensibilities to risk at every level.  By making risk a shared responsibility of all the members of an organization, they have developed what we call a Risk Culture. In our view this should be an important goal of any organization that wishes to implement IRM. The banking industry and the military are prime examples of highly developed risk cultures and are often cited as examples of how best to approach IRM.

Developing a Risk Culture involves ensuring that all members of the organization understand the existing and potential risks that their organization faces in its day-to-day activities.  Such individuals tend to include Risk Management considerations in what they do.  Risk will then be considered in all aspects of the activities of the organization: in areas where IRM has always been present in some form, such as financial activities, but also in areas such as logistics, procurement and every other unit within the organization. The organisation needs to understand its organisational culture and evaluate what needs to be done to incorporate or modify the relations between the various sub-cultures within the organisation. Management, at the highest levels, must lead the charge in creating a Risk Culture based on individual awareness and personal accountability. Creating such a culture is a challenge, but it can be done [16].

The first step towards this should probably be the nomination, or identification, of a Risk Champion.  The Risk Champion should be a senior and influential individual within the organization who has a clear mandate from the highest levels of the organization.  This individual should have sufficient resources at their disposal, such as time, staff, budget and technology, at a level deemed appropriate given the particular constraints of the organization.  The Risk Champion's job responsibilities should include those required to appropriately manage known risks to the organization, with enough flexibility to respond to risk in all areas of the organization.  The Risk Champion can act as a single point of contact within the organization and between the organization and the outside world.

Communicating

A key to the implementation of a Risk Culture in any organization is communication.  Communicating information about risk to all members of the organization, at all levels, is a critical success factor for the implementation of IRM.  From the inception of an initial IRM project, through its implementation and throughout the continuous improvement process, ensuring that all stakeholders understand how they are affected by IRM is the best way to manage the natural resistance to change that is most often the cause of failure of these types of projects.

While there is no single best way to communicate this information, we have found that there are commonalities in successful IRM implementation:

By communicating to all stakeholders about IRM, the organization can focus the attention on the benefits while building acceptance of the organizational and technological changes required.

Using standards as a driver of change

In the same way that ISO 9000 project teams motivated organizations to carry them through the certification process, the organization-wide deployment of an IRM standard can be used as a catalyst for change.  This, combined with management actions to implement a Risk Culture in the organization, can create the leverage needed to bring about the changes.

Likely the most widely used information security management standard today is ISO 17799 [17] (Code of Practice for Information Security Management). It requires an organization to put in place a formal process to identify, quantify and prioritize risks against criteria and objectives relevant to the organization. This implies that an organization must first define what these criteria and objectives are, expressed in terms of the attributes of risk. Once these objectives have been identified, the organisation can determine the presence of threats, prioritize its risk treatment options, select controls from the approximately 133 proposed in ISO 17799 and mobilize human and financial resources as required.

Another very popular Risk Management standard is BS 7799-2 [18] (Information Security Management Systems, or ISMS), which at the time of writing was being adopted by ISO under the provisional number ISO 24743 (it was published in October 2005 as ISO/IEC 27001). It proposes the implementation of a management system modeled on the Deming Plan-Do-Check-Act (PDCA) cycle, as ISO 9000 does. Like ISO 17799, it requires that the results of risk assessment processes guide the organization and help it determine appropriate actions and priorities.  It requires organizations to put in place management controls to ensure that risks are mitigated to an acceptable level, taking into account:

As in an ISO 9000 project, implementing an ISMS is a significant endeavour that should be limited to mature organizations that can allocate the significant resources it can require. Other international standards that can be strong drivers of change in IRM are the ISO 13335 family (Guidelines for the Management of IT Security) and ISO 21827 (Systems Security Engineering - Capability Maturity Model), which we do not discuss here. Broader IT governance and control frameworks that include IRM, such as COBIT, can be implemented in larger organisations.

Engaging stakeholders at all levels of an organization in a common goal of achieving conformity or compliance with an international standard can create a synergy that brings acceptance of change. Using an external audit as a milestone can rally individuals throughout the organization, led by the Risk Champion, in a way that catalyzes change. Participation in healthcare standardization activities, for example through the Canadian Institute for Health Information (www.cihi.ca), can be another driver of cultural change.

Using external help

Changing organizational culture can be accelerated by the use of external help. By using recognized and accredited IRM specialists who have been involved in Risk Culture implementation and in IRM projects, an organization can avoid many of the common mistakes that are made. An external specialist can also support the Risk Champion by providing the theoretical and practical framework of IRM. It should be mentioned that the external specialist should not be assigned the duties of Risk Champion, as this is very likely to increase organizational resistance. In some cases the external specialist can instead serve as a lightning rod, absorbing the resistance so that relationships within the organization are preserved. External help can also be very useful for providing training in Risk Management and in the adoption of standards.

External help, in the form of IRM consultants, can assist healthcare organisations in acquiring knowledge about the sub-processes of risk assessment, risk evaluation, and risk mitigation. Consultants can help adapt existing methodologies, tools or standards to the organisation's specific requirements, and can guide the organisation through the various dimensions of the IRM maze. This is particularly true for organisations that wish to implement a more encompassing Risk Management Framework (RMF), such as COBIT, which covers IRM within the broader governance and control of IT.

When selecting the external specialist who will work within an organization, managers should be very selective. The specialist must be a senior individual with a combination of education, IRM field experience and healthcare knowledge. An ideal candidate will have graduate training in Health Informatics and strong social and communication skills. Organizations should be wary of the ad hoc certifications that have become very popular; they should look instead to experience, leadership, communication skills and training.

Conclusion

We have presented four directions that healthcare organisations can consider in implementing formal Information Risk Management: developing a Risk Culture, communicating, using standards as a driver of change, and using external help. We suggest that all of the proposed avenues be explored by healthcare organisations that are looking to invest in IT security and Information Risk Management; they can be implemented together to maximize success. As Risk Management has become an important issue for many healthcare organisations, we strongly believe that the four avenues proposed here can be of great help. Of course, further research should be done to investigate implementation issues and propose more far-reaching recommendations.

References


[1] Anderson, J. G., Security of the distributed electronic patient record: a case-based approach to identifying policy issues, International Journal of Medical Informatics, 2002, pages 111-118

[2] Safran, Charles, Goldberg, Howard, Electronic patient records and the impact of the Internet, International Journal of Medical Informatics, 2000, pages 77-83

[3] Sujansky, Walter, Heterogeneous Database Integration in Biomedicine, Journal of Biomedical Informatics, 2001, pages 285-298

[4] Damodaran, A., The basics of risk, http://pages.stern.nyu.edu/~adamodar/, 2001

[5] International Organization for Standardization (ISO), JTC1/SC27, A Comparison of Terminology: ISO Guide 73 (Draft November 2001), PDTR 13335-1 (for terms used in all parts of TR 13335), Draft 17799 (N 3184) compared to IS 17799:2000, and SC 27 SD 6 (2002-03-31), 2002

[6] Watkins, Michael D., Bazerman, Max H., Predictable Surprises: The Disasters You Should Have Seen Coming, Harvard Business Review, 2003

[7] Stoneburner, Gary, Goguen, Alice, Feringa, Alexis, NIST Special Publication 800-30 Risk Management Guide for Information Technology Systems, Recommendations of the National Institute of Standards and Technology, July 2002

[8] Kane, Beverly, Guidelines for the Clinical Use of Electronic Mail with Patients, Journal of the American Medical Informatics Association, Volume 5, Number 1, Jan/Feb 1998, pages 104-111

[9] Hancock, Bill, Common Sense Guide for Senior Managers: Top Ten Recommended Information Security Practices, 1st Edition, July 2002

[10] Léger, Marc-André, Méthodologie IVRI de gestion du risque en matière de sécurité de l’information, Éditions Fortier Communications, Montréal, Septembre 2003

[11] Schumacher, H. J., Ghosh, S., A fundamental framework for network security, Journal of Network and Computer Applications, 1997, pages 305-322

[12] Myerson, Judith, Risk Management, International Journal of Network Management, 1999, pages 305-308

[13] Buckovich, Suzy A. et al., Driving Toward Guiding Principles: A Goal for Privacy, Confidentiality, and Security of Health Information, Journal of the American Medical Informatics Association, Volume 6, Number 2, Mar/Apr 1999, pages 122-133

[14] Thompson, Paul B., Privacy, secrecy and security, Ethics and Information Technology, 2001, pages 13-19

[15] see http://www.tpz.ca/ for information on IVRI™

[16] Ernst & Young, Global Information Security Survey 2004, 2004

[17] ISO/IEC 17799:2005, Information technology - Security techniques - Code of practice for information security management, International Organization for Standardization, 2005

[18] BS 7799-2:2002, Information security management systems - Specification with guidance for use, British Standards Institution, 2002


Marc-André Léger, MScA (MIS), resides in Montréal (Québec). He is a PhD candidate in Clinical Sciences at the Faculty of Medicine of the University of Sherbrooke, supervised by Dr Andrew Grant, MD, MB, ChB, MRCP, FRCPC, DPhil, Professor. He is a participant in the Canadian Institutes of Health Research and Michael Smith Foundation for Health Research Health Informatics PhD Strategic Training Program. His principal research interest is Risk Management in healthcare, most particularly in Electronic Health Records and Clinical Data Warehouses.

In 2003, he developed the IVRI™ Risk Management Framework, which is commercially available from Technology Partners (www.tpz.ca).

email: marcandre@leger.ca
Research group: www.cred.ca
Website: http://www.leger.ca