Healthcare Payers: Scalability and Risk Management-Based Prioritization

April 2020

As healthcare payers surge to meet the increasing needs of their members and health system partners, their IT and security teams are gleaning some timely reminders that scalability and adoption of a risk management framework are critically important in times of crisis.

What is Scalability in Healthcare?

Scalability is a “muscle” that all security teams will need to strengthen throughout their enterprise security program because, as the COVID-19 pandemic has shown, we don’t know when or what aspect(s) of the program will be tested, or to what degree. Scalability may not be as important during a one-time event, like a breach or malware attack – an organization can often address a specific issue head on. However, when there is sustained pressure or a fundamental shift that increases scope, it becomes critical that the organization have scalable processes and tools.

Adoption of a risk management framework provides two specific benefits during times of crisis: 1) you will have assessed your program against a broad and comprehensive set of controls, and 2) you and your team will be experienced at applying a disciplined, nimble approach to segmenting and re-prioritizing your greatest areas of risk.

Examples of Adopting Risk Management for Healthcare Payers

Two examples of how both of these capabilities have proven critical during this time of turmoil are third-party risk management (TPRM) and security risk assessments (SRA). With the seemingly overnight transformation to a remote workforce, without the time to carefully plan these transitions, a myriad of issues have surfaced, all of which present their own inherent risks. All organizations have a new digital world they are servicing, supporting and trying to keep secure. Use of new apps, technologies, devices, cloud platforms, remote access methods, authentication solutions and physical locations by users who are extremely distracted, both professionally and personally, presents a cauldron of potential security and compliance issues.

Third-Party Risk Assessments

In an era of distraction, a scalable TPRM program that’s also flexible enough to support a more streamlined assessment process, along with easy-to-consume findings and risk ratings, is crucial before new technologies and service providers are engaged. Ensuring that we are not embedding security vulnerabilities that will increase overall enterprise security risk, and that may or may not be able to be remediated or rolled back, is critical. Intraprise Health’s Vice President of Information Security Services, Brian Parks, has outlined a TPRM program approach, based on his work with customers responding to COVID-19, that can be responsive and scalable during a crisis like the one we are facing now.

Focused Security Risk Assessments

Focused security assessments that are based on a risk-based framework can also be responsive and scalable. For example, once your remote workforce deployments are completed, it’s probably the right time to circle back and perform an assessment of the remote working environments. How can you scale to the number of remote workers throughout your organization while still ensuring that security fundamentals and best practices are, and continue to be, followed? Ian Terry, Information Security Consultant at Intraprise Health, has written an in-depth and practical article on this topic. Read it here.

Stay tuned as we will continue to share more concepts, practical information and useful resources for the payer and provider communities as we all buckle down and band together through this challenging time for everyone.