Tag Archives: risk management



The Enterprise Risk Management (ERM) concept in healthcare may be familiar to some individuals and organizations, unfamiliar to others and/or perceived by still others as an overwhelming concept. Essentially, ERM is a strategy to increase the economic and noneconomic value of an organization.

ERM was first implemented in the financial services sector. Since then, more and more organizations across all industries began to imbed the concept of ERM into their culture.

Implementing an ERM strategy involves a systematic method of identifying risks and prioritizing them. This identification and prioritization evaluates how frequently an event is likely to occur and the impact it would have on the entity’s ability to achieve its vision and mission.

All organizations face an array of risks in the normal course of doing business, both internally (administrative, operational and financial) and externally (economic, environmental, regulatory, legislative and taxes).

There are multitudes of ways an organization can address its risk exposure(s): accept the risk, spread the risk, segregate the risk, share the risk, completely eliminate the risk exposure and/or transfer the risk contractually through the purchase of insurance.

Traditionally, ERM categorizes risks into “domains” or “spheres of influence.” The overarching categories of risk that an organization needs to be cognizant of and address are defined as:

Strategic Risks: Do all stakeholders in an organization — from the top of the organization to the bottom — have a clear understanding of the organization’s vision, mission, goals and objectives?

For example, why are you in business in the first place? Where is the organization today? Where is the organization headed? What does the organization aspire to be in the future? How is the organization going to get there?

Hazard Risks: Risks that are traditionally attributed to a physical loss or a reduction in the value of an asset or real property. Hazard risks can be mitigated and managed through various loss-control techniques and/or through risk transfer, e.g., the purchase of insurance.

Examples of managing hazard risk through the purchase of insurance include medical professional liability insurance to protect a physician’s reputation and property insurance to protect an office/building and its contents. A non-insurance approach to mitigating loss-control risk would be to install cameras and a security system to better protect the safety of patients, employees and the physical office.

Operational Risks: The ERM process evaluates the efficiency and effectiveness of an organization’s administrative and operational processes, looking for ways in which inadequate or failed internal processes, people or systems could prevent the organization from achieving its goals.

The advent of EMR (electronic medical record) systems is a prime example of mitigating operational risk. There are many benefits to the effective implementation and utilization of an EMR system: medical records are more secure, are maintained in a consistent format, are easy to access and share with the appropriate parties, and promote improved medical documentation in the treatment of patients.

Human Resources Risks: An organization needs to evaluate its ability to attract, develop and retain key individuals. Do we have the right number of people? Are those people in the right roles to leverage our strengths and mitigate our weaknesses?

The overall emphasis should be on having the appropriate mix of human capital in terms of staff size and the appropriate skill sets for an organization to achieve its vision and mission, e.g., to ensure the utmost in patient safety and care.

Financial Risks: How to succeed and thrive in an ultra-competitive global economy. An organization needs to take measures to leverage all of its resources (financial capital, human capital and competitive advantages) to attain sustainable profitability, and to build balance sheet strength in order to generate positive cash flow during favorable and unfavorable economic cycles.

Examples for mitigating financial risks include: implementing expense management and cost containment programs; changing policies and procedures to improve the collection of accounts receivable; leveraging payment terms and discounts with vendors and suppliers.

Legal/Regulatory/Compliance Risks: With healthcare being a highly regulated industry, organizations must address risks from licensure, accreditation, legislative policy, regulations, case and common law as well as taxes.

Healthcare organizations need to have policies and procedures in place to demonstrate that they are in compliance with current legislation and regulations, e.g., HIPAA and Protected Health Information (PHI) guidelines. They also need to be agile in reallocating human capital and financial resources to address legislative and regulatory changes that are already known but have yet to be fully implemented.

Ultimately, implementing and benefiting from an ERM strategy does not need to be complicated or expensive. Many of the methods to manage and mitigate the various risk domains described here have been available for years. An ERM strategy can be “right-sized” to benefit any size organization.

The direction, implementation and commitment to an ERM strategy must start at the top of the organization and needs to be communicated clearly and frequently to all levels and areas of the organization, e.g., corporate finance, human resources, operations, marketing and sales, legal, etc.

An organization must realize that all of the identified risks cannot be addressed at one time. Reducing the frequency and severity of an organization’s risk exposures over time will result in incremental gains in both economic and noneconomic value.

As an organization successfully manages, mitigates and/or eliminates current risks, other risk factors will develop from internal and external events that were not previously identified or were unknown. ERM is a continual and evolutionary process that helps organizations manage more than their insurance risks.

Mobile Device Security and Patient Data

More and more physicians are using mobile devices, such as phones and tablets, to interact with patient data. Check out the below infographic from Skycure to see how doctors are using mobile devices, and what some of the risks of this usage might be. According to these figures, the number of physicians using mobile devices to manage inpatient data has increased from only 8 percent in 2013 to 70 percent in 2015. Similarly, 80 percent of doctors now use mobile devices in their day-to-day practice, and 28 percent have patient data stored on a mobile device.

Unfortunately, security may not be keeping pace with usage. For example, 14 percent of doctors have patient data on a mobile device with no passcode set up on it. Similarly, many doctors are using services like WhatsApp that may not be secure enough for sharing patient information. With more than 260 major healthcare data breaches occurring in 2015 (9 percent involving mobile devices), it is more important than ever for physicians to be aware of cyber security concerns when using mobile devices to interact with patient data.


What You Need to Know: Hospital Ransomware Attacks

Tom Andre, Vice President of Information Services at the Cooperative of American Physicians, Inc. (CAP) sat down with Healthcare Matters to discuss the recent ransomware attack at Hollywood Presbyterian Medical Center in Los Angeles, California and its implications for hospitals and the healthcare sector. During our discussion, Mr. Andre explained what a ransomware attack is, how hospitals can protect themselves from being victimized, and whether the healthcare sector can expect more attacks in the future.

Cyber security is a vital part of any hospital’s risk management program, and Mr. Andre described several techniques for protecting computer systems, including having proper email filters and anti-virus software. However, Mr. Andre also pointed out the importance of appropriate training for employees, as many attacks come in by email. These so-called phishing attacks may take employees unawares, as the emails are designed to look legitimate, and may appear to come from a colleague or even the company CEO. To learn more about ransomware, cyber security, and how to protect your system, see our full interview below. To watch Parts I-VII, click here.


Protecting Patient Data During Hospital Ransomware Attacks

In any cyber-attack, patient data may be at risk. In the final part of our series, What You Need to Know: Hospital Ransomware Attacks, we ask Tom Andre, VP of Information Services at CAP, Inc., about what hospitals should do to ensure that patient data and medical records are kept safe in the event of an attack.

Mr. Andre explains that hospitals need to have a disaster plan (such as the ability to use paper forms if a computer system is unavailable) and that it is vital to regularly back up hospital data. In fact, if data backups are sufficient, it may be possible for a hospital to avoid paying a ransom and simply restore its systems from the backup. However, there is no firm rule about how frequently systems and data should be backed up, so it is up to the hospital’s discretion. Additionally, having a backup will only restore data and systems. It will not prevent data from being stolen. To learn more, watch Part VII of our series below. To watch the full interview, click here.


Should Hospitals Negotiate with Hackers if Hit with Ransomware?

In Part VI of our series, What You Need to Know: Hospital Ransomware Attacks, we ask guest Tom Andre, VP of Information Services at CAP, Inc., about the implications of negotiating with ransomware attackers. We also discuss whether hospitals and the healthcare system can expect to be targeted more frequently, in light of the successful attack on Hollywood Presbyterian Medical Center.

Mr. Andre brings up several important points. First, ransomware attacks have generally been opportunistic and random, but there is no reason that they cannot be more targeted. Attackers are growing in sophistication and in their ability to penetrate into a computer network, so it is possible that they will use these skills to target particular industries or organizations, including hospitals and other healthcare targets.

Secondly, it is very difficult to catch cyber criminals, as they are often located in other countries and use digital means to hide their operations. Additionally, ransoms are usually paid in electronic currency, such as Bitcoin, which is difficult to trace. Hospitals need to remain vigilant and aware of the types of attacks that are happening, as well as new trends in cyber-crime. To learn more, watch Part VI of our series below. To watch the full interview, click here.


Risk Management Tips for Hospitals to Avoid Ransomware Attacks

In Part V of our interview series, What You Need to Know: Hospital Ransomware Attacks, Healthcare Matters asks Tom Andre, VP of Information Services at CAP, Inc., about what hospitals can do to protect themselves from ransomware and other types of cyber-attacks. Mr. Andre describes the idea of a ‘layered defense,’ which includes things like email filters and anti-virus programs.

Mr. Andre also discusses technologies that can limit the types of programs that can run on a computer system. Called Application Whitelisting, this technology allows an organization to identify the programs that should be running on the computer system and prohibits anything else from running. Mr. Andre notes that Application Whitelisting can be very effective, because “…if somebody clicks on something and it tries to install… malware, it can stop it right in its tracks.” To learn more, watch Part V of our series below. To watch the full interview, click here.


The Surprising Ways a Hospital can be Infected with Ransomware

In Part IV of our interview series, What You Need to Know: Hospital Ransomware Attacks, we ask Tom Andre, VP of Information Services at CAP, Inc., about the various ways that ransomware and other malware get into a computer system in the first place. These include phishing attacks, in which an email is sent with infected links or attachments. Once the recipient clicks on the infected link or attachment, malware can be installed on the computer, which can then go on to infect the entire system.

Mr. Andre also describes how these emails are frequently designed to appear legitimate, often seeming to come from someone in the company. Beyond phishing attacks, many companies have been taken in by attacks in which hackers create a fake email account to impersonate the company’s CEO. The fake account is then used to request things like wire transfers or confidential company information from unsuspecting employees. See below to watch Part IV of our series, or click here for the full interview.


How Common are Ransomware Attacks on Hospitals?

In Part III of our Healthcare Matters interview series, What You Need to Know: Hospital Ransomware Attacks, we ask Tom Andre, VP of Information Services at CAP, Inc., how common a problem ransomware attacks are for hospitals. Though it is difficult to determine exact numbers, as many hospitals and other organizations will not disclose when they are victimized, Mr. Andre discusses how new ransomware programs can rapidly affect computers and systems, putting everyone at risk.

For example, Mr. Andre details how Locky, a recently emerged ransomware program, “…was infecting computers at a rate of 90,000 per day.” Though the ransoms requested are often small (according to Mr. Andre, the average ransom is only about $500), the large numbers of computers being infected can make these schemes highly profitable. To learn more, watch Part III of our series below, or click here for the full interview.


Top Two Risks a Hospital Faces in a Malware Attack

In Part II of our Healthcare Matters series, What You Need to Know: Hospital Ransomware Attacks, we continue our conversation with Tom Andre, VP of Information Services at CAP, Inc., with a discussion of the risks and harms associated with a hospital being unable to access its computer system. Mr. Andre identifies two main risks: a risk to the facility’s reputation and, of course, a financial risk.

Hospitals and other companies and organizations will often try to avoid going public when hit with a ransomware or other malware attack. However, if the damage and disruption are great enough, this may not be possible. In the Hollywood Presbyterian Medical Center (HPMC) case, the hospital was unable to access records for several days, making publicity impossible to avoid. If medical records or patient financial information are compromised, hospitals will need to report this as well.

In addition to a risk to the hospital’s reputation, there is, of course, a financial risk associated with any type of malware attack. The amount of ransom paid out in the HPMC attack was only $17,000, not a very large amount. However, Mr. Andre pointed out that the hospital also lost productivity during the period its systems were down, which had to be made up once the system was fully functional again. See below to watch Part II of the series. To view the full interview, click here.


Explaining the Recent Ransomware Attacks on Hospitals

Cyber-security is of increasing concern to all types of businesses, and healthcare providers are no exception. Following recent ransomware attacks on Hollywood Presbyterian Medical Center and other hospitals around the country, Healthcare Matters sat down with Tom Andre, Vice President for Information Services at the Cooperative of American Physicians (CAP) to discuss what happened and its implications for hospital cyber-security.

In the first part of our interview series, What You Need to Know: Hospital Ransomware Attacks, Mr. Andre describes what a ransomware attack is and how it targets its victims by holding data and systems ‘hostage.’ Mr. Andre explains how hackers use file encryption to do this, only providing a decryption key after the ransom is paid. See below to watch Part I of the series. To view the full interview, click here.