HIT Governance: 7 Key Metrics For Your Quarterly Report Card

by Gerry Blass, President and CEO of ComplyAssistant, 10/29/2019


Healthcare organizations use data to support decision-making for nearly every area of operations. But what about your security and compliance strategy? What metrics are the most valuable to determine how your organization should allocate funding for health IT projects related to governance, risk, and compliance?

Top Seven Metrics to Gather for a Quarterly Report Card

With an ocean of data at your fingertips, it’s best to determine the metrics that will best support your strategy, and any budget requests for human, technical, or consultative resources. What you need is a primer to focus on what data to gather and when. The best place to begin? Use a quarterly governance report card.

1. Risk Assessment Results

Document the top five high-risk gaps found in your latest assessment, along with the cost to mitigate. This will help focus budget discussions on the risk areas that require the most attention.

2. Vulnerability Findings

Include the riskiest vulnerabilities found for ePHI at all locations, such as cloud hosting (SOC 2 if available), and physical security.

3. Third-Party Vendor Audit Data

While your business associate (BA) count may be in the hundreds, prioritize the highest risk gaps here as well. Remember to include direct BAs, downstream BAs, and medical device vendors.

4. Workforce Training Results

Document the results of the latest phishing tests and other simulations. Understanding gaps here can focus the governance team on future training efforts and whether additional resources are needed.

5. Policy and Procedure Audit Data

Include information from the latest operational procedure audits. Are you missing documented information? If so, you may need resources to fill this gap.

6. Disaster Recovery/Business Continuity Plans

Report on the existence and status of your strategic response plans, especially if your organization has experienced any major operational or infrastructure changes, such as a merger, acquisition, or implementation of a new EHR.

7. Industry Threat Information and Assessments

Gather, report, and learn from industry trends. For example, with the increase in breaches from third-party vendors, should you focus more attention here?

To manage this data, healthcare organizations are moving toward a structured model, typically built on a governance, risk, and compliance (GRC) software solution. Other tools, including learning management systems, technical tools, and outside resources such as an Information Sharing and Analysis Organization (ISAO), should also be used as sources for the data in your report card.

How to baseline your current state

As the adage goes, “You have to start somewhere.” Set a goal to update the data on your report card periodically (e.g., each quarter) to coincide with your regular governance committee meetings.

If you do not have a current baseline, use your next governance meeting as a deadline to gather your initial data and use it as your baseline moving forward. From there, each quarterly update will reveal new data and potential trends that need attention. Ideally, the more effort you devote to your governance, risk, and compliance strategy, the better your report card scores will be quarter over quarter.

In addition to the data gathered for the report card, document your average risk score and average maturity score. These are both high-level baseline metrics that are measured by a combination of likelihood and impact and can be used as a top-line proxy for discussion at quarterly governance meetings.

For example, in light of recent ransomware attacks and other threats to data centers and networks, your organization should have an operational documented disaster recovery and business continuity plan, which should be tested periodically. The range of testing required will depend on the scope and complexity of your organization, and should include tabletop tests on business continuity procedures should automated systems become unavailable. The likelihood of a potential disaster can still be considered high. But, with a solid disaster recovery/business continuity plan in place, the impact can be mitigated by controls that have been tested and updated based on results and change management.

Governance and budget allocation

Once you have a complete and accurate risk rating, along with documentation of the cost to implement controls—all recorded on your report card—you are prepared for logical discussions with your governance committee on allocating resources to reduce risk.

Decision-making by your governance committee should be based on cost, risk, and impact to your organization’s mission. To prioritize your efforts, consider which of your recommendations will have the biggest impact on preventing a breach. We all know it’s not possible to solve every problem, given the lack of funds or internal political struggles. Start with the items of the highest impact and work your way down the list.
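The two pieces of arithmetic the article leaves implicit are the risk score (likelihood combined with impact, averaged into the baseline metric described under "How to baseline your current state") and the ordering of mitigations by risk and cost for the budget discussion above. The following is an added example, not ComplyAssistant's product logic or code from the article; it assumes 1-to-5 likelihood and impact scales, a multiplicative risk score, and a constructed set of sample findings, and it uses a cost-aware greedy ordering that the article does not prescribe. It generalizes the article's "top five" to any `n` and adds the quarter-over-quarter delta.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Iterable, Optional


@dataclass(frozen=True)
class Finding:
    """One gap from a risk assessment, vendor audit, phishing test, etc."""
    finding_id: str
    area: str               # e.g. "vendor", "training", "dr/bcp" (constructed labels)
    likelihood: int         # assumed 1 (rare) .. 5 (almost certain)
    impact: int             # assumed 1 (negligible) .. 5 (severe)
    mitigation_cost: float  # estimated cost to close the gap, in dollars

    def __post_init__(self) -> None:
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be in 1..5, got {value}")
        if self.mitigation_cost < 0:
            raise ValueError("mitigation_cost cannot be negative")

    @property
    def risk_score(self) -> int:
        # Assumption: risk = likelihood x impact, so the scale runs 1..25.
        return self.likelihood * self.impact


def top_risks(findings: Iterable[Finding], n: int = 5) -> list[Finding]:
    """Highest-risk gaps first; ties broken by cheaper mitigation, then id."""
    ordered = sorted(findings, key=lambda f: (-f.risk_score, f.mitigation_cost, f.finding_id))
    return ordered[:n]


def average_risk_score(findings: Iterable[Finding]) -> float:
    """The baseline 'average risk score' metric; 0.0 when there are no findings."""
    items = list(findings)
    return mean(f.risk_score for f in items) if items else 0.0


def plan_within_budget(findings: Iterable[Finding], budget: float) -> list[Finding]:
    """Greedy selection by risk points closed per dollar (an assumption, not the
    article's rule). Zero-cost fixes are treated as costing $1 so they sort first."""
    chosen: list[Finding] = []
    remaining = budget
    for f in sorted(findings, key=lambda f: (-f.risk_score / max(f.mitigation_cost, 1.0), f.finding_id)):
        if f.mitigation_cost <= remaining:
            chosen.append(f)
            remaining -= f.mitigation_cost
    return chosen


def report_card(current: list[Finding], budget: float, previous_average: Optional[float] = None,
                n: int = 5) -> dict:
    """Assemble the quarter's numbers: top-n gaps with cost, average risk,
    change versus last quarter, the funded plan, and the residual average risk
    if every funded gap is closed (its score taken as 0)."""
    funded = plan_within_budget(current, budget)
    funded_ids = {f.finding_id for f in funded}
    residual = mean(0 if f.finding_id in funded_ids else f.risk_score for f in current) if current else 0.0
    avg = average_risk_score(current)
    return {
        "top_risks": [(f.finding_id, f.area, f.risk_score, f.mitigation_cost) for f in top_risks(current, n)],
        "average_risk": avg,
        "change_vs_previous": None if previous_average is None else avg - previous_average,
        "funded": [f.finding_id for f in funded],
        "residual_average_risk": residual,
    }


# Constructed sample findings for one quarter; ids, areas and figures are invented.
SAMPLE_FINDINGS = [
    Finding("RA-01", "vendor", 4, 5, 40_000.0),
    Finding("RA-02", "training", 5, 3, 8_000.0),
    Finding("RA-03", "dr/bcp", 3, 5, 25_000.0),
    Finding("RA-04", "policy", 2, 2, 2_000.0),
    Finding("RA-05", "cloud", 3, 4, 15_000.0),
    Finding("RA-06", "medical-device", 4, 4, 30_000.0),
]

if __name__ == "__main__":
    # previous_average=15.0 is a constructed last-quarter baseline
    card = report_card(SAMPLE_FINDINGS, budget=50_000.0, previous_average=15.0)
    for key, value in card.items():
        print(f"{key}: {value}")
```

The greedy ordering favours cheap, high-risk fixes, so with the sample data the $40,000 vendor gap (the single highest score) is left unfunded; that is exactly the kind of trade-off the report card should surface for the committee rather than hide, which is why the output lists both the top risks and the funded plan side by side.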

Using a governance report card to bring real data to your governance committee on a regular basis will help educate leadership on gaps and impact, align needs across disciplines, and guide budgetary decision-making for improved strategic governance, risk, and compliance operations.

About Gerry Blass

Gerry Blass is President and CEO of ComplyAssistant, which provides GRC software and managed service solutions to healthcare organizations of all sizes. Designed to help clients organize and manage complex security and compliance processes, ComplyAssistant’s solutions work for a variety of security frameworks and compliance regulations.
