
Why is Healthcare so Bad at IT Risk Management? (Part 2 of 2)

What will it take to make IT Risk Management a team sport in healthcare?
Created: 13 Feb 2014
By David Finn



Unfortunately, it usually takes a disaster of one kind or another.  A really bad go-live.  A breach on a server that the IT department didn’t know existed.  Someone’s direct Internet connection.

It is time to really understand the risks - - across the board, the entire organization.  That means a good, bona fide risk assessment by all stakeholders - - and that means everyone who collects, uses, stores, moves the data.  Not just Information Technology.

If I still haven’t made it clear, let me just say it: IT Risk Management is not an IT issue.  Nor is it an IT problem to be solved.

The “system” is software, hardware, network, processes and people now.  The system is your business.  Try seeing patients or billing or ordering or reporting results with your EMR down.

When I was a CIO, it didn’t impact my department’s functions if the EMR was down - - except for the annoying calls from physicians and executives with operational functions, of course.  They always seemed very upset.

But IT didn’t need the EMR - - we needed the network and email and the ticketing system and the phones . . . and stuff like that.  So why would they make managing the risk around the EMR my problem alone?

I still shudder today when I see an EMR with no active failover system.  Everyone says they will do it after the go-live.  Actually, they usually do it after the go-dead.  And then everyone is wondering why didn’t we do that “redundant thing”.

It’s just money – from the IT side, at least.  From the healthcare side it might, unfortunately, be a life.  It’s probably not a technology decision if the risk really is a patient’s treatment or outcome.

IT needs to explain the risks in a business and/or clinical way and then the business needs to decide what level of risk is acceptable.

And, yes, the organization needs to be prepared to pay for the level of risk that they are willing to accept.  It’s not very compelling to tell the organization that the medication cabinets could get infected if we don’t upgrade the operating system to accept new anti-virus software.  It’s quite different when you explain that if the medication cabinets are infected they fail shut and nurses will have to use manual overrides on them, which will add 3 minutes to each med order, or two hours to every nurse’s shift, which means you’ll have to add X number of nurses to each shift.

Risk management isn’t about technology; it is about patient safety and quality care and keeping the business running.  Don’t blame IT for not getting the risk management right; blame them for not explaining the risks in the proper context.  And then make them do it.