Is anyone actually thinking about risk?

By Chris Davis
01:31 PM

The idea of risk management in information security has always been a bit difficult to pin down. For example, there is too little historical and behavioral data to identify trends or make predictions with confidence. Also, the type and magnitude of potential data breaches always lead to Armageddon-like predictions that are easy to write off as hyperbole. Finally, few people have the scope of experience and depth of knowledge needed to pull all the pieces together. On top of all that, the things that can hurt us the most (such as the dreaded "zero-day" attacks) are, by definition, things we can't know about, can't predict, and, sad to say, may not be able to protect ourselves against.

Information security risk management is hard. As with most things in business, hard problems aren't always solved; instead, businesses often work around them.

When it comes to health IT security risks, these workarounds have amounted to basic checklists that address the requirements of the HIPAA security rule, or to deferring to the opinions of external auditors on whether risks have been sufficiently mitigated.

Neither of those workarounds has anything to do with risk.

The HIPAA security rule was specifically written not to be a checklist, which is why the phrase "reasonable and appropriate" is found throughout. It is intended to make health organizations engage with their IT and business environments to identify smart and cost-effective ways to stop bad things from happening. And when it comes to external auditors, assessing risk just isn't their job.

So who in healthcare IT is actually thinking about risk?

Without an appropriate risk analysis, how can healthcare entities know whether there are gaping holes in their health IT ecosystem? And if no one is actually analyzing or managing risk, is anyone compliant with the law? The industry and its regulators must make an effort to build tools that help analyze health IT risks, just as they have done for drug interactions or invasive treatments, to keep data breaches and their associated recovery costs from spinning out of control.
