Five Key Risk Management Steps in any
Healthcare Organization's Information Security Management Program

  1. Identify stakeholders
    First select an information security official (ISO) and establish the information security team or committee (ISC). The ISO must have ready access to and the support of the organization's senior management and must serve as leader of the ISC. The ISC should be charged with, and given the necessary authority for, overseeing the organization's information security management program (ISMP), including its risk analysis and risk management elements. In addition to the ISO, the ISC should include representatives from information technology and clinical engineering. The ISC should also include, at least on an ad hoc basis, representatives from medical/clinical departments, risk management, quality assurance, administration, human resources, staff education and others as appropriate. The ISC should be educated on information security issues, including relevant portions of the HIPAA rules and regulations. The ISC must ensure that all aspects of the security management, risk analysis and risk management efforts are adequately documented.

  2. Identify information risks
    To assess risks effectively, the ISC must first identify and inventory sources of electronic Protected Health Information (ePHI) and other critical information as appropriate. Sources of ePHI typically include information technology systems and medical devices/systems. Additionally, the ISC must take stock of the organization's existing security processes, resources, and safeguards.

  3. Analyze and assess information security risks
    The multidisciplinary ISC must establish guidelines for assessing and rating information security risks. Using these guidelines, the ISC must then analyze and assess the information risks it previously identified.

  4. Establish security risk management plan
    Following its risk assessment, the ISC must develop its risk management plan. That plan should address each identified risk either by consciously accepting the risk or by defining appropriate steps to adequately mitigate it. Where steps are defined and safeguards established to mitigate risks, they should reflect industry best practices. The risk management plan should establish priorities for addressing identified risks, giving the highest priority to both the most serious risks and the most easily resolved risks (i.e., low-hanging fruit). The plan should include a timetable and budget for implementation and should designate the responsible party or parties.

  5. Provide ongoing testing and monitoring
    The ISC must monitor the implementation of the risk management plan and adjust that plan as necessary to ensure its effectiveness. The ISC must establish appropriate testing, auditing, and reporting mechanisms that support an ongoing performance assessment of the organization's security management and risk management efforts. The ISC must use the results of these performance assessments to continually improve those efforts.

© SHCTA