Since the dawn of enterprise computing in the mid-1960s, managing the risk inherent in information technology (IT) has been part of owning computers. By 1974 a framework for IT risk management was beginning to emerge (Control Objectives for Information and Related Technologies, first informally as CoBiT and then formally released as COBIT in 1996). The tenets of this and related frameworks have served users well for decades, both operationally and as a way to measure risk. In recent years, however, enterprise computing environments, especially in healthcare, have grown so complex that some previously sound risk management practices have become strained and less reliable.
IT risk management
What is it about an IT environment that makes risk management so hard? Some of the most significant sources of risk include:
• Industry complexity. Healthcare, for example, is home to one of the most complex computing environments: the electronic medical record and the clinical systems integrated with it. Cloud computing has created new opportunities to improve patient outcomes, but it has also added complexity in unforeseen ways.
• Cybercrime. Alongside the rise in complexity, malicious misuse of computing platforms has grown from a nuisance into organized crime. Organizations and patients alike have been held hostage or otherwise victimized by cybercrime perpetrators, often at high monetary cost and in staff hours that are difficult to measure.
• System instability. Complexity and system instability are directly related. Instability can be dampened over time through hardware and software expenditures, but given the pace of change implied by Moore’s Law (the roughly biennial doubling of transistor counts on a chip), any such expenditure resolves instability only for a finite period before the environment has changed again.
• End-user empowerment. End-user empowerment, the ability of end users to perform their own information processing through query tools, PC programs, and low-code systems, has long been part of IT strategic frameworks. With this empowerment, however, comes a bevy of misuse issues, only a fraction of which are intentional.
• Semantic and ontological issues. Organizations struggle with wide variations in what a piece of information is called and what it means to different end users (semantics), and in how it is categorized and related to other concepts (ontology). This inconsistency creates risk in decision-making as groups struggle to find common ground to work from.
• Computing errors. Among other things, computers are meant to help avoid computational errors, with the caveat that they are only as accurate as they are programmed to be. When an algorithm is highly complex, with many changing variables and weights, the consequences of a miscalculation can be severe, especially in healthcare, where computers are used to calculate titratable medication infusions, radiation doses, and chemotherapy doses.
IT risk management in healthcare
With IT risks having the potential for dire consequences, especially in the healthcare industry, it is important to define and acknowledge the problem. While cyberattacks make the news regularly and regulators react with new requirements, cybercrime is just one area of risk related to healthcare IT. A good IT risk management plan for a healthcare organization should prioritize all of the areas of risk it faces. On a similar note, an effective plan recognizes that organizations change, especially when it comes to people. Whatever the structure, buy-in from senior leadership is necessary to establish buy-in across the board.
The fundamentals of today’s risk management processes are as sound as they have been through the decades. An organization’s risk measurement and assurance can be made even stronger through outsourced internal audit, or with dedicated leadership like a chief information security officer. However, while the fundamentals might be sound, the methodologies need to continue to evolve.
IT risk management has historically been measured by the standard internal audit methods: analyzing small samples of process results and interviewing IT leadership. Given the size of today’s data sets and the magnitude of the risks involved, sampling leaves too much unexamined to be relied on going forward. Instead, measurement and assurance should be done by analyzing the entire population of available data whenever possible. The necessary data is readily available, but its volume can be overwhelming. Organizations looking to implement effective risk management plans would be wise to use the processing capacity and techniques already available to them, such as machine learning, to monitor IT risk continuously, minute by minute. Doing so can catch risks as they begin to develop, instead of after they have occurred.
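The contrast drawn above, a small audit sample versus analysis of the whole population of records on a minute-by-minute basis, can be shown concretely. The following is an added example, not code from the article or from Crowe. It assumes a simple audit-trail line format ("minute user action patient_id"), a constructed hour of electronic medical record chart views in which one user scrapes 40 charts a minute for five minutes, and illustrative thresholds (ten minutes of baseline, a floor of five distinct charts per minute, three standard deviations above the user's own baseline). The same detector is then run over a traditional every-20th-record sample of the same log.

```python
"""Full-population, minute-by-minute monitoring of an EHR access audit trail.

Added example, not code from the article or from Crowe. The log format
("<minute> <user> <action> <patient_id>"), the user names and the thresholds
are assumptions for illustration; the log lines are constructed, not real.
"""
import random
import statistics
from collections import defaultdict

MIN_HISTORY = 10   # minutes of per-user baseline required before alerting (assumed)
MIN_ABSOLUTE = 5   # never alert below this many distinct charts in a minute (assumed)
SIGMAS = 3.0       # alert above mean + SIGMAS * stdev of the user's own baseline


def build_sample_log():
    """Constructed audit log for one hour of traffic, one line per chart view."""
    rng = random.Random(7)
    lines = []
    for minute in range(60):
        ts = f"2024-03-01T08:{minute:02d}"
        # Normal clinical traffic: each user views one to three charts a minute.
        for user in ("nurse_a", "nurse_b", "dr_c", "clerk_x"):
            for _ in range(rng.randint(1, 3)):
                lines.append(f"{ts} {user} VIEW P{rng.randint(1000, 1999)}")
        # Constructed anomaly: clerk_x reads 40 distinct charts a minute for 5 minutes.
        if 40 <= minute < 45:
            for i in range(40):
                lines.append(f"{ts} clerk_x VIEW P{5000 + 40 * (minute - 40) + i}")
    return lines


def parse(lines):
    """Return {minute: {user: set(patient_ids)}} over every record, not a sample."""
    views = defaultdict(lambda: defaultdict(set))
    for line in lines:
        minute, user, _action, patient = line.split()
        views[minute][user].add(patient)
    return views


def detect(lines):
    """Compare each user's distinct-chart count per minute with their trailing baseline.

    Returns a list of (minute, user, count) alerts. Alerted minutes are kept out
    of the baseline so that a sustained burst cannot normalize itself.
    """
    views = parse(lines)
    history = defaultdict(list)
    alerts = []
    for minute in sorted(views):            # zero-padded timestamps sort chronologically
        for user, patients in views[minute].items():
            count = len(patients)
            past = history[user]
            if len(past) >= MIN_HISTORY:
                threshold = max(MIN_ABSOLUTE,
                                statistics.mean(past) + SIGMAS * statistics.pstdev(past))
                if count > threshold:
                    alerts.append((minute, user, count))
                    continue                # do not let the anomaly poison the baseline
            past.append(count)
    return alerts


def systematic_sample(lines, every=20):
    """Traditional audit-style sample: every 20th record (assumed sampling rate)."""
    return lines[::every]


if __name__ == "__main__":
    log = build_sample_log()
    print("full population:", detect(log))
    print("every-20th sample:", detect(systematic_sample(log)))
```

Run on the full population, the detector raises one alert per burst minute for clerk_x and nothing for the other users; run on the every-20th-record sample, it raises nothing, because the sample contains at most two of the 40 burst records in any minute and too few records per user to build a baseline at all. Excluding alerted minutes from the baseline is a deliberate choice: if the burst were allowed into the history, the mean and standard deviation would rise minute by minute and a long-running scrape would eventually look normal.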
Looking ahead
Given how much brighter an organization’s future is with properly managed IT risk, and given the stakes of getting it right and the potential for significant productivity gains and cost savings, senior and board leadership at healthcare organizations should keep IT risk top of mind in every strategic decision.
Learn more
Dan Yunker
Principal, Internal Audit Leader, Crowe
+1 312 899 1514
dan.yunker@crowe.com
John Norenberg
Healthcare Consulting, Crowe
+1 630 574 1634
john.norenberg@crowe.com