Healthcare organizations are rapidly adopting ‘digital first’ strategies in response to the coronavirus pandemic.
While the pandemic continues to play an influential role in the fast-paced adoption of new, consumer-driven healthcare technologies, healthcare organizations have grappled for more than a decade with how to modernize systems and services, moving away from paper-based medical records, billing, and accounting services into electronic systems. More technology and more systems mean more healthcare data to effectively manage and safeguard. Along with all the digitization comes a host of new regulations and compliance mandates to assure the confidentiality, integrity, and availability of individuals’ personal and sensitive data.
In this post, I provide:
- Tactical tips to stop accruing more ECRM debt as new technology is deployed; and,
- Strategic tips to fund the establishment, implementation, and maturation of your ECRM program
First, Stop Accruing ECRM Debt
I define ECRM debt as dollars that should have been spent on managing cyber risk while other dollars were rapidly being spent implementing new data solutions, systems, and devices. Said another way, managing risks was at best an afterthought and not proactively considered as part of the deployment of the new technologies. Few, if any, organizations adopted security-by-design principles or built security into these new solutions.
The hard reality is that many, if not most, healthcare organizations have moved forward with new digital deployments without a key component included in the initiative’s budget: sufficient funding for enterprise cyber risk management.
ECRM debt has generally increased over the past decade. Without taking cyber risk management costs into account at the time of project conception and implementation, many healthcare organizations are now playing catch-up. Worse yet, many continue to accrue ECRM debt.
So, how do you close the gap or prevent your organization from following suit? If you’re looking to prevent accruing additional ECRM debt, here are two suggestions:
- Starting today, force security-by-design by adopting the concepts of “authorization to operate” and “authorization to use” before approving deployment of new solutions
To do this, become familiar with NIST Special Publication 800-37, Revision 2, “Risk Management Framework for Information Systems and Organizations”. While NIST guidance typically applies to government organizations subject to the Federal Information Security Management Act (FISMA), it is also terrific guidance for any organization, including healthcare, regardless of federal information systems status.
While NIST Special Publication 800-37, Revision 2 highlights many important concepts, the two I want to focus on here are authorization to operate and authorization to use.
In SP 800-37, NIST suggests that, before a new system can be deployed, there should be an “authorization to operate” or an “authorization to use” issued by senior management (authorizing official, in government speak), contingent on the assessment of security and privacy risks.
NIST defines authorization to operate as “the official management decision given by a senior … officials to authorize operation of an information system and to explicitly accept the risk … based on the implementation of an agreed-upon set of security and privacy controls.”
NIST defines authorization to use as “the official management decision given by an authorizing official to authorize the use of an information system, service, or application based on the information in an existing authorization package generated by another organization, and to explicitly accept the risk … based on the implementation of an agreed-upon set of controls in the system, service, or application.” The authorization to use is a streamlined version of the authorization to operate.
The concepts of authorization to operate or authorization to use force appropriate privacy and security risk analyses to be completed so that risks can be identified and managed before new technology solutions are deployed. I’ll come back to risk analysis and risk management.
If your organization is serious about stopping the accrual of ECRM debt, then now is the time to implement authorization to operate and authorization to use as part of your product or system development lifecycle. Withhold approval of any initiatives, projects, or programs involving healthcare data, systems, or devices, unless formal authorizations are completed.
- Integrate enterprise cyber risk management into the ordinary process of doing business
As part of doing business, most leaders automatically partake in activities to protect the operational resilience of the business, but if your organization hasn’t incorporated enterprise cyber risk management into your normal processes, you may fall short.
So, how do you integrate enterprise cyber risk management into your organizational culture?
One way to do this is to establish a policy that limits the adoption of new health data systems, projects, or programs unless specific and appropriate funding is allocated for cyber risk management in the project’s budget. Said another way, simply withhold approval of any initiatives, projects, or programs involving healthcare data, systems, or devices, unless and until specific and appropriate funding has been designated for cyber risk management.
What might happen if you don’t? Here’s an example:
A mid-sized health system with several hospitals and ambulatory centers, clinics, and other services and operations is looking to implement a new EHR system that’s expected to cost tens of millions of dollars.
When looking at the budget and planning, an outside consultant asked the project manager about how much money was allocated for enterprise cyber risk management.
Unfortunately, after deeper review, the project manager realized there were no funds set aside for cyber risk management.
This is an all-too-common issue for healthcare organizations and it’s one of the key points that can create more ECRM debt. It’s important to always ensure that healthcare data projects and initiatives do not proceed without an ECRM budget.
Your organization should have a clear understanding of what needs to be done from an enterprise cyber risk management point of view; it’s imperative that you understand your unique risks and then budget for and implement reasonable and appropriate controls to protect your information systems and devices.
Second, Use Innovative Ways to Fund a Business-Aligned Sustainable ECRM Program
1. Go after that Meaningful Use money. I know this one may be a long shot! While it may be true that the bulk of Meaningful Use incentive dollars has come and gone, this does not mean that healthcare organizations can ignore the cybersecurity risks they incurred while building out the digital side of their enterprises. Depending on how your organization accounted for its share of the $38 billion invested by the U.S. government, there may be some unused monies available to fund your future program or reduce your ECRM debt.
2. Lower your capital costs. Specifically, consider whether your organization can lower the amount of interest it pays to borrow funds. Think that sounds difficult, if not nearly impossible? It isn’t, because most, if not all, major credit rating agencies now include cyber risk when they assess credit ratings. Implementing a cyber risk management program can go a long way toward improving your current and future credit ratings and, therefore, lowering your cost of capital. These savings may be used to fund your ECRM program.
3. Lower the cost of your executive risk and liability insurance portfolios. Large healthcare systems are already seeing success in doing this by building direct relationships with their executive risk brokers, their underlying carriers, and their executive teams. These organizations are also reviewing the gaps, clashes, and redundancies within their existing policies. Savings here can help establish, implement, and mature your ECRM program.
4. Request a captive insurance grant: Many large integrated delivery networks, healthcare systems and large physician groups have their own captive insurance program, which is a form of self-insurance. If you haven’t already done so, consider requesting a grant from your captive so you can conduct an OCR-Quality Risk Analysis®. It’s also worth noting that if you receive a grant from your captive, it doesn’t affect your operating entity’s profit and loss (P&L) statement or balance sheet negatively. It’s also a great way to jump-start your enterprise cyber risk management program.
ECRM Debt and How to Spend Your Budget
When it comes to effectively spending your ECRM budget with the longest lasting and most positive impact on your organization, you should conduct OCR-Quality Risk Analysis® and develop an OCR-Quality Risk Management plan. Having, by way of a risk register, a rank-ordered list of your unique exposures is the best way to make informed and optimal decisions about how to manage your organization’s unique risks.
To make the most of the budget they have available, leading healthcare organizations are analyzing cyber risk across the enterprise to drive effective risk management decision making. A comprehensive risk analysis for the entire enterprise can inform an organization not only where it has the most highly rated cyber risks but also what its most common control deficiencies are.
Some risk management investments may not be feasible immediately, but there are some things you can do in the interim. You’re not forced into the response of, “I’ve got to do all of them.” Selecting from alternatives based on an informed understanding of effectiveness, feasibility, and cost is a thoughtful approach that anyone reviewing your ECRM program will most certainly assess positively.
Next Steps and How to Make Optimal Decisions About ECRM Spending
Now that you have a better understanding of Funding Your Enterprise Cyber Risk Management Program, here are a few important takeaways.
- Discuss whether your organization has an adequate level of current ECRM funding. Can you address the ECRM debt your organization has built over the last several years? What can you do to prevent this number from increasing?
- Consider adopting authorization to operate and authorization to use procedures throughout your organization.
- Discuss your ability to implement a policy that’s designed to limit new healthcare data, systems, or devices programs, projects, and initiatives funding when those new programs don’t have an ECRM line item included in the budget.
- Examine your organization’s current cost of capital and learn how your credit rating agencies are considering your ECRM program when they set your rating.
- Conduct a gaps/clashes/redundancy review of your liability insurance portfolio with your executive team.
- Consider the possibility of seeking out grants from your organization’s captive insurance program to help implement or mature your ECRM program.
- Conduct enterprise-wide, comprehensive OCR-Quality Risk Analyses® to understand your unique risks. Prioritize the work by starting with your “crown jewel” information assets.
Have questions? Take a deeper dive into how you can improve your organization’s cyber risk management funding practices and reduce debt by checking out Episode 22: Funding Your ECRM Program in Clearwater’s ongoing video series I created about ECRM. You can find a full list of all of the episodes in the series here.