3 lessons on risk: What higher ed can teach health IT
We can learn a lot about risk from academia. University environments embody the whole data privacy world in microcosm. Colleges and universities handle a broad range of personal information — from students, staff, alumni, donors, and other community members — with their functions in financial services, food services and housing, student stores, and medical services.
On average, educational institutions report 1.3 million records compromised per year, based on statistics from Privacy Rights Clearinghouse. (For an overview of data breaches in higher education, see the infographic from Open Site.)
Nobody understands the privacy and security risks in the academic world better than Grace Crickette, chief risk officer for the University of California, a sprawling system that includes ten campuses and five medical centers. She shared her insights, which can be translated into 3 lessons on risk:
1. Take a “holistic” approach to risk management
“In 1996, our regents adopted a comprehensive framework (called COSO) for Enterprise Risk Management (ERM),” Ms. Crickette says. “This framework requires that we examine our complete portfolio of risks, and consider how those risks interrelate. Our management then develops a risk mitigation approach that addresses the risks in a manner consistent with our mission, our long-term strategy, and our overall risk appetite.”
Ms. Crickette emphasizes the concept of risk appetite. “Knowing our risk tolerance allows us to balance the costs of mitigation against the potential impact on our organizational mission and goals.” All educational institutions, she says — and I would add all organizations — should know their risk appetite, so they can make mindful choices about their risk mitigation program and its costs.
Henry Ford Health System in Detroit, Mich., embraced this holistic approach and transformed its misaligned privacy and security efforts into a “collective mindset” that makes patient privacy and data security “a part of our standard of care.” That is how Meredith Phillips, chief privacy and information security officer at Henry Ford, described it at the recent PHI Protection Workshop in Boston. See my last article for more on Henry Ford.
2. Know your risk picture
Organizations should identify the kinds of privacy-related events that could impact their ability to achieve their mission, Ms. Crickette says. Ongoing, thorough risk analyses should identify “critical vulnerabilities,” and prioritize them based on their potential impact on affected individuals, the organization, and its reputation and financial health.
The HIPAA Security Rule requires covered entities and their business associates to conduct such risk analyses, and a risk analysis is also a core requirement for eligibility in the Meaningful Use incentive program. In fact, Leon Rodriguez, director of the Department of Health and Human Services Office for Civil Rights, said earlier this year, “We will have a robust [audit] program focused on high-risk areas and one thing they can absolutely count on is the risk analysis.”
The University of California uses the PHI Value Estimator (PHIve) model, published in the report The Financial Impact of Breached Protected Health Information by the ANSI Identity Theft Prevention and Identity Management Standards Panel (IDSP), “to assess the impact of potential breaches of health information on our medical facilities,” Ms. Crickette says. This estimator is a five-step method for assessing security threats and evaluating the “at risk” value of an organization’s PHI.
3. Understand the Positives and Negatives of Risk
Ms. Crickette cites a recent paper published by the National Association of Colleges and University Business Officers (NACUBO) and PricewaterhouseCoopers that points out the upsides of risk. It presents a business risk continuum, in which perceptions of risk correlate to certain business operations:
- Risk as a hazard centers on crisis management and compliance.
- Risk as uncertainty focuses on protecting business continuity.
- Risk as opportunity is more strategic, focusing on “improved returns through value-based management.” Henry Ford Health System is a good example of this.
“It is important to manage both for the downside and for the upside to enhance the possibility that good things will occur,” the paper notes. “A balanced view of risk is best, one that tries to minimize hazards, influence and control uncertainties, and manage opportunities.”
Conclusion
Data breaches are a fact of life. Managing risk — both good and bad — is critical to helping organizations achieve their privacy and security objectives. As U.C. and Henry Ford both demonstrate, organizations must also adopt a holistic approach to risk management for positive, lasting change. Doing that starts with knowing your risks, prioritizing them, and taking steps to mitigate them in a way that puts “the mission of the institution foremost,” as Ms. Crickette puts it. In doing so, she says, “you will naturally make the choices that protect that mission for the long term.”
Rick Kam, CIPP, is president and co-founder of ID Experts. Rick is also chairing the “PHI Project,” a research effort to measure financial risk and implications of data breach in healthcare, led by the American National Standards Institute (ANSI), via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), in partnership with the Shared Assessments Program and the Internet Security Alliance (ISA).