Medical liability, and the way an organization reduces its risk from unseen threats, have changed dramatically since the start of the COVID-19 pandemic. We have seen new treatment centers, vaccines, and mass staffing problems across the United States.
Risk management strategy “has traditionally focused on the important role of patient safety and the reduction of medical errors that jeopardize an organization’s ability to achieve its mission and protect against financial liability”, according to NEJM Catalyst. Unfortunately, these traditional risk mitigation techniques are not enough to combat cyberattacks on medical infrastructure.
In a sea of new mandates and best practices of care, sensitive patient information is left exposed to cyberattacks. The 2020 Critical Insight (CI) Healthcare Data Breach report found that recent changes in healthcare include employee turnover, a shift to remote work for non-essential employees, and new risks from third- and fourth-party vendors. For the second half of 2020, the CI Security report concluded that more than 21.3 million records were breached.
What Is Risk Management?
Risk management strategies include enterprise risk management, which accounts for threats at each step of operations. This process helps identify risk from nth-party suppliers that are able to gain access to sensitive information, the kind of exposure behind the data breaches described in the CI report.
An aspect to consider in risk management is that risk is never truly isolated. According to a report from the U.S. Department of Health and Human Services’ Office for Civil Rights, there was a 25% year-over-year increase in healthcare data breaches in 2020. Hackers target all areas of healthcare, attacking research labs, hospital systems, and every variety of healthcare organization. There will always be new forms of risk to address, but with a system in place for security and compliance, a significant amount of potential risk can be caught and mitigated.
Types of Risks in Healthcare
The digital world is an ecosystem of interconnected levels of information that can make business operations easier to navigate but can also introduce unforeseen risk into every aspect of operations.
One of the areas targeted by hackers is the healthcare supply chain, which is a particularly complex and interconnected ecosystem. According to Gartner, “more than three-quarters of healthcare supply chains reorganized their structure in the past three years.” Vulnerabilities in this integral part of the industry can have a severe negative impact on a company’s operations and its ability to protect sensitive information.
A simple, effective way to mitigate supply chain risk is to better understand the role suppliers play in the operations of the company.
Healthcare organizations can be difficult to manage. One strategy to relieve operational stress is to use third-party vendors. Third-party vendors offer many benefits and services in the workplace, such as workflow automation, billing or insurance reimbursement services, telehealth agreements, contract employment services, and supply chain management, but the potential safety and risk compliance concerns should be evaluated.
Third-party vendors create a new, often unforeseen threat that is not always accounted for by risk management strategy. Each third-party vendor runs its own business operations and delegates subcontracts to its own third-party vendors; this creates fourth-party vendor risk for the primary organization.
Security and compliance strategies may reveal irregularities within the primary organization, but this protection does not necessarily extend to fourth-party vendors. The relationship between an organization and its fourth-party vendors is therefore an open gap for data breaches: the organization’s risk management process does not necessarily trickle down to fourth-party vendor risks.
Organizations that use third-party vendors need added support from risk management procedures and tools to protect their sensitive information from fourth-party breaches. For an organization to be secure from potential online risk, a system of security and compliance should be integrated throughout the supply chain.
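As an added illustration (not part of the original article), the following Python sketch models the third- and fourth-party relationship described above: it walks a constructed vendor graph and lists every vendor, at any depth, that can reach sensitive patient data but is not covered by the organization's own security and compliance assessment. The vendor names, the data model and the assessment flags are hypothetical.

```python
"""Transitive (nth-party) vendor risk: walk the organization's vendor graph and
report every vendor that handles sensitive patient data but has not been assessed.
Sample data below is constructed; the vendor names are hypothetical."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Vendor:
    name: str
    handles_phi: bool                 # can access sensitive patient information
    assessed: bool                    # covered by the organization's security/compliance review
    subcontractors: list = field(default_factory=list)   # the vendor's own vendors


# Constructed supply chain: two assessed third parties both rely on the same
# unassessed hosting provider, which in turn subcontracts a backup service that
# points back to it (a cycle, which real vendor graphs do contain).
VENDORS = {
    "BillingCo":    Vendor("BillingCo", True, True, ["CloudHostX", "PrintMailer"]),
    "TeleHealthY":  Vendor("TeleHealthY", True, True, ["CloudHostX"]),
    "StaffingQ":    Vendor("StaffingQ", False, False, []),
    "CloudHostX":   Vendor("CloudHostX", True, False, ["BackupVaultZ"]),
    "PrintMailer":  Vendor("PrintMailer", True, False, []),
    "BackupVaultZ": Vendor("BackupVaultZ", True, False, ["CloudHostX"]),
}
DIRECT = ["BillingCo", "TeleHealthY", "StaffingQ"]   # third parties under direct contract


def find_unassessed_access(vendors, direct):
    """Breadth-first walk over subcontracting links.

    Returns {vendor_name: tier} for every vendor, at any depth, that handles PHI
    but is not assessed. Tier 3 = third party, 4 = fourth party, and so on; the
    shallowest tier wins when a vendor is reachable by more than one path. The
    tier map doubles as the visited set, so cycles terminate.
    """
    tier = {name: 3 for name in direct}
    queue = deque(direct)
    while queue:
        current = queue.popleft()
        for sub in vendors[current].subcontractors:
            if sub not in tier:
                tier[sub] = tier[current] + 1
                queue.append(sub)
    return {n: t for n, t in tier.items()
            if vendors[n].handles_phi and not vendors[n].assessed}


if __name__ == "__main__":
    for name, t in sorted(find_unassessed_access(VENDORS, DIRECT).items(), key=lambda kv: kv[1]):
        print(f"tier {t}: {name} handles PHI but has no security/compliance assessment")
```

Every direct vendor here passes its own assessment, yet three deeper vendors with access to patient data are never reviewed; that is the gap the article describes.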
Changes in Healthcare
During the height of the COVID-19 pandemic, focus was placed on immediate patient treatment, mass access to COVID-19 testing, COVID-19 prevention, and implementation of vaccination programs. This focus on immediate patient treatment and mass health care access left open gaps for cyberattacks to breach sensitive patient information.
Further, new care facilities were created to accommodate the growing need during the pandemic. Using non-traditional locations for patient treatment and testing opens up new risks of cyberattack on top of the traditional risks. Notable gaps in risk management, specifically in security and risk compliance, create new opportunities for cyber-attackers.
COVID-19 brought new changes to healthcare, notably the risk third-party vendors add to cybersecurity. Temporary changes seen during COVID-19 are becoming common workplace policy, such as the shift to remote work, non-traditional healthcare sites, and employee turnover. All of these changes since COVID-19 have elevated the need for increased cybersecurity.
Cybersecurity policy should be a multi-faceted approach for protecting sensitive information, with safety features like encrypted data, multi-step authentication, and risk-based controlled access. For compliance, a validation process to satisfy organization and industry frameworks should be implemented. When security and compliance are working, this process can expose new emerging risks before they become data breaches.
The Need for New Risk Management Strategies in Healthcare
Risk management strategy seeks out potential risks to the organization. If a risk is not isolated, then a potential threat is not isolated; therefore, a system for security and compliance is needed in order to seek out potential risk and mitigate the potential threat.
Third-party vendors allow organizations to focus on patient care rather than operations, but they bring added risk to the organization. Fourth-party vendors are a typically unseen source of data breach risk, and they are not always caught by a system of security and compliance.
In an industry focused on saving lives, a strategy to seek out and address potential risk is vital; health care risk management protects a vulnerable system.