Is Integrated Risk Management the Best Approach for Healthcare Cybersecurity?

From the Change Healthcare attack to the increased enforcement of penalties for HIPAA breaches, the last year has sent a clear message to healthcare leaders: a refreshed approach to risk management is needed. 

But what exactly should that approach look like? And do emerging models like integrated risk management (IRM) deliver on their promise? 

This article answers those questions, providing a complete overview of IRM and explaining how it differs from existing models. 

An Introduction to Integrated Risk Management 

What is Integrated Risk Management? 

Integrated risk management (IRM) is a comprehensive approach to risk management that unifies all areas of risk under a single function. Rather than treating regulatory concerns, third-party threats, and other forms of risk as separate problems, IRM creates a single view of organization-wide risk.

How Does IRM Work? 

Integrated risk management is a relatively new concept, having only emerged in the last decade. As a result, there is no consensus about exactly how IRM should be implemented. 

However, there are a few key factors that all effective IRM programs share: 

  • Centralized Data: IRM requires data from all risk assessments to be available within the same system, creating a unified risk register. This enables leaders to quickly view and compare different vulnerabilities, assess the relative urgency of each threat, and make informed decisions about remediation, mitigation, and risk tolerance.  
  • Cross-Department Collaboration: IRM requires individual risk managers and personnel within areas like operations, finance, and cybersecurity to collaborate proactively. The goal is to foster a risk-aware culture where there is clear ownership and accountability for specific risks, as well as an understanding that “risk is bigger than my department.” 
  • Comprehensive Risk Policies: IRM will ultimately produce new policies and procedures that reflect an organization-wide view of risk. For example, while many organizations have contingency plans for cyberattacks, an integrated approach may redraft these policies to reflect a wider view of risk and how it relates to other business areas and overarching strategic objectives. 

In combination, these factors produce a significantly more “unified” and effective risk management process. 

Integrated Risk Management: Is it the Best Approach for Healthcare? 

5 Reasons Healthcare Organizations Need IRM 

Few industries operate with stakes as high as healthcare. A single cybersecurity incident can lead to delayed care, regulatory fines, and even increased patient mortality – making effective risk management almost uniquely important. 

However, healthcare organizations also face a series of factors that make risk management more challenging: 

1. Complex Vendor Networks 

The average healthcare organization has over 1,300 vendors within its IT network, creating an extremely large attack surface for cybercriminals. This has made third-party risk a major concern for leaders in recent years, but it is not purely a cybersecurity or compliance issue – it impacts all areas of the organization.

A single vendor attack can create ripples across all other parts of the business, impacting your patient care, financial performance, and reputation. It is, therefore, important to “zoom out” on the risk and consider it from a truly organization-wide perspective. 

2. Fragmented Risk Data 

Another feature of complicated healthcare IT systems is the relative lack of interoperability – which creates persistent data silos throughout the organization. Some studies suggest that just 60% of data is actually used to inform business choices, which means that risk management decisions are often made without a full view of their impact. 

3. Limited Budget and Resources 

The average healthcare risk management program is chronically underfunded. Just 6% of IT budgets are spent on cybersecurity, while nearly half of all organizations struggle to hire cybersecurity talent. As a result, remediation efforts are limited – making effective risk prioritization essential to ensure the biggest threats are properly dealt with.

4. Care Delivery Disruptions 

Cybersecurity vulnerabilities within healthcare IT systems can disrupt care delivery and ultimately pose a risk to life. 50% of organizations have experienced increased medical procedure complications due to cyber incidents, with 23% of organizations that were attacked reporting higher mortality rates as a result. 

The industry therefore has a far lower “risk tolerance” threshold than others, and organizations must be hypervigilant against all forms of risk across the entire attack surface. 

5. Lack of Clarity About Liability 

Many healthcare organizations are unaware of their liability for data breaches, cyberattacks, and other potential threats. As a result, they often struggle to accurately assess and measure risk – meaning vulnerabilities may be either overlooked or simply underestimated. 

Each of these factors is a challenge in itself, but they are heavily exacerbated by traditional risk management programs. Operating multiple risk teams and often 10+ risk initiatives simultaneously, frequently without any unifying system or official ownership, leaves leaders in the dark about organization-wide risk – which is exactly why more organizations are pursuing IRM.

4 Ways IRM Benefits Healthcare Organizations 

With a unified risk register, increased cross-departmental collaboration, and more comprehensive risk management policies, integrated risk management produces four key benefits: 

1. Increased Risk Visibility 

A unified risk register creates a true “executive view” of risk, helping to more accurately assess trade-offs and prioritize remediation efforts that will produce the greatest net benefit to the organization. Healthcare organizations routinely struggle with “blind spots” in their cybersecurity and risk policies, but IRM helps you see around the corner and stay ahead of emerging threats. 

2. Improved Operational Efficiency 

Healthcare risk assessments and remediation efforts are notoriously cumbersome, with a majority of security teams experiencing “assessment fatigue.” An integrated approach helps to reduce this burden by streamlining risk workflows and accelerating the implementation of new risk projects at scale – without difficult data and communication silos. 

3. Clearer Accountability 

An integrated approach to risk helps foster a risk-aware culture – and that solves the “pass the buck” issue many healthcare organizations struggle with. While IRM may appear to make risk management a purely “executive” function, it actually helps to ensure more individuals feel responsible for risk – and therefore unlocks greater collaboration around assessments, prioritization, and remediation. 

4. Enhanced Communication 

From documenting assessments to tracking internal communications, IRM platforms allow risk teams to more accurately, quickly, and confidently track their efforts. This makes integrated risk a clear benefit to all parties – but is it the best approach for healthcare? 

Integrated Risk Management vs. GRC: Which is Better? 

Some readers will notice that IRM shares certain characteristics with Governance, Risk, and Compliance (GRC) – an older model that offers similar benefits. As the name implies, GRC offers an overarching framework for managing governance policies, IT risk management programs, and compliance procedures.

Many healthcare organizations have some experience with GRC – and that experience may put them off the prospect of IRM. But there are a few important differences between the two: 

1. Scope

While GRC typically operates at the behest of centralized governance and compliance teams, IRM spreads risk awareness and activities throughout the organization. As a result, the IRM approach is more holistic and takes into account the full range of threats your organization faces.  

This is particularly important in healthcare because the sheer scope and range of risks an organization faces are so great – and any weakness can lead to significant costs. 

2. Risk Posture 

The GRC model takes a reactive approach to risk management, while IRM proactively addresses threats. This is essential for healthcare organizations, as the threat landscape is constantly evolving, and organizations cannot wait until after an attack to identify the problem. 

3. Implementation 

Many leaders find GRC needlessly complex, making the implementation process long and expensive. In contrast, IRM is an evolving model that can be developed over time and (with the right software and support) produces more immediate results. 

Ultimately, this makes IRM a more comprehensive approach for healthcare organizations – and one that your organization could start adopting today. 

Enable Integrated Risk Management with Intraprise Health 

Intraprise Health offers a comprehensive set of software and services to support the adoption of integrated risk management: 

Curious how we could help your organization centralize and enhance risk management? 


About the Author

Scott Mattila
CSO, Intraprise Health
Scott Mattila is the Chief Security Officer at Intraprise Health. He has held leadership positions at some of the country's most prestigious institutions, and is currently an adjunct professor and serves on the Dean's advisory board at Duquesne University's Rangos School of Health Science.