Healthcare organizations use data to support decision-making for nearly every area of operations. But what about your security and compliance strategy? What metrics are the most valuable to determine how your organization should allocate funding for health IT projects related to governance, risk, and compliance?
Top Seven Metrics to Gather For A Quarterly Report Card
With an ocean of data at your fingertips, it’s best to identify the metrics that will most strongly support your strategy, and any budget requests for human, technical, or consultative resources. What you need is a primer on what data to gather and when. The best place to begin? Use a quarterly governance report card.
1. Risk Assessment Results
Document the top five high-risk gaps found in your latest assessment, along with the cost to mitigate. This will help focus budget discussions on the risk areas that require the most attention.
2. Vulnerability Findings
Include the highest-risk vulnerabilities found for ePHI at every location, including cloud hosting (with SOC 2 reports where available) and physical security.
3. Third-Party Vendor Audit Data
While your business associate (BA) count may be in the hundreds, prioritize the highest risk gaps here as well. Remember to include direct BAs, downstream BAs, and medical device vendors.
4. Workforce Training Results
Document the results of the latest phishing tests and other simulations. Understanding gaps here can focus the governance team on future training efforts and whether additional resources are needed.
5. Policy and Procedure Audit Data
Include information from the latest operational procedure audits. Are you missing documented information? If so, you may need resources to fill this gap.
6. Disaster Recovery/Business Continuity Plans
Report on the existence and status of your strategic response plans, especially if your organization has experienced any major operational or infrastructure changes, such as a merger, acquisition, or implementation of a new EHR.
7. Industry Threat Information and Assessments
Gather, report, and learn from industry trends. For example, with the increase in breaches from third-party vendors, should you focus more attention here?
To manage this data, healthcare organizations are moving toward a structured model, typically using a governance, risk, and compliance (GRC) software solution. Other tools, including learning management systems, technical tools, and outside resources such as an Information Sharing and Analysis Organization (ISAO), should also be used as sources for the data in your report card.
How to baseline your current state
As the adage goes, “You have to start somewhere.” Set a goal to update the data on your report card periodically (e.g., each quarter) to coincide with your regular governance committee meetings.
If you do not have a current baseline, use your next governance meeting as a deadline to gather your initial data and use it as your baseline moving forward. From there, each quarterly update will reveal new data and potential trends that need attention. Ideally, the more effort you devote to your governance, risk, and compliance strategy, the better your report card scores will be quarter over quarter.
In addition to the data gathered for the report card, document your average risk score and average maturity score. These are both high-level baseline metrics that are measured by a combination of likelihood and impact and can be used as a top-line proxy for discussion at quarterly governance meetings.
For example, in light of recent ransomware attacks and other threats to data centers and networks, your organization should have a documented, operational disaster recovery and business continuity plan that is tested periodically. The range of testing required will depend on the scope and complexity of your organization, and should include tabletop exercises of the business continuity procedures to follow if automated systems become unavailable. The likelihood of a potential disaster can still be considered high. But with a solid disaster recovery/business continuity plan in place, the impact can be mitigated by controls that have been tested and updated based on exercise results and change management.
Governance and budget allocation
Once you have a complete and accurate risk rating, along with documentation of the cost to implement controls—all documented on your report card—prepare for logical discussions with your governance committee on resource allocation to reduce risk.
Decision-making by your governance committee should be based on cost, risk, and impact to your organization’s mission. To prioritize your efforts, consider which of your recommendations will have the biggest impact on preventing a breach. We all know it’s not possible to solve every problem, given limited funds or internal political constraints. Start with the items of highest impact and work your way down the list.
Using a governance report card to bring real data to your governance committee on a regular basis will help educate leadership on gaps and impact, align needs across disciplines, and guide budgetary decision-making for improved strategic governance, risk, and compliance operations.
About Gerry Blass
Gerry Blass is President and CEO of ComplyAssistant, which provides GRC software and managed service solutions to healthcare organizations of all sizes. Designed to help clients organize and manage complex security and compliance processes, ComplyAssistant’s solutions work for a variety of security frameworks and compliance regulations.