Every day, healthcare providers make decisions that directly impact people’s health and safety. A single error on their part could cause irreversible damage to a patient’s life, and lead to expensive lawsuits, billions of dollars in damages, and a permanently tarnished reputation.
As if that wasn’t challenging enough, healthcare providers also have to cope with the risks of health information security breaches, privacy violations, regulatory non-compliance and internal fraud.
Mitigating these risks effectively requires a robust and efficient risk management framework. But implementing such a framework can be extremely difficult, considering the complexity of organizational hierarchies, as well as the ever-increasing number of risks and regulations.
Can risks be managed in a way that protects patients and stakeholders without draining costs? Can threats be identified and mitigated before they occur? Can risk management systems be sustainable and flexible enough to adapt to future risks?
Answering these questions is critical to the success of a risk management program. But before that, it is important to understand the major risks and challenges associated with healthcare operations.
Key Risks in the Healthcare Industry
Patient Safety Risks
Patients’ lives and health are put at risk when diseases are misdiagnosed, wrong treatments are prescribed, or accidents occur in the operating room. All it takes is a moment of laxity, ignorance or distraction to cause immense harm to patients and their families. Lawsuits are inevitable, and reputational damage is long-lasting.
Fraudulent Claims Risks
Fraudulent claims - be it in the form of billing for services not rendered, administering unnecessary tests and treatments, or unbundling lab services - can exhaust health benefits, and drain the economy. Every year, the US loses between $70 billion and $234 billion to fraud.1
Data entry errors, while unavoidable, can often be costly, and sometimes fatal. For instance, wrongly documented medicine dosages, or allergies to a particular drug could adversely affect a patient’s health. Billing or calculation errors could result in overpayments or underpayments which would invite questioning from RAC auditors, and cause a loss of credibility.
Over the last few years, path-breaking developments in technology have taken healthcare to the next level. However, the increasing use of technology has also introduced new levels of complexity and threats such as:
- Security Breaches: Hacking and other kinds of security breaches can cause confidential information to fall into the wrong hands. This, in turn, could expose millions of patients to hazards such as illegal altering of information, public exposure of confidential data, stolen identities and blackmail.
- Malicious Attacks: The increasing sophistication of viruses, worms and other malicious attacks poses a significant threat to the security, confidentiality and integrity of valuable health information. If perimeter defenses such as firewalls are not strong enough, the information may be lost, and the attack may not be traceable.
- Internal IT Fraud: Healthcare organizations take great pains to safeguard themselves against external security threats. But some of the most dangerous threats lie within the organization. Insiders have broad access to sensitive data, and know which system it lies in, where the system is, and how it works. This makes it easier for them to steal valuable information, and illegally use it for financial gain.
- System Failures: As so many healthcare services depend on IT systems, a localized failure could be dangerous. For instance, if ER data systems are suddenly disconnected from the central network, a doctor will be unable to view a patient’s record in time to make critical decisions about treatment.
- Business Continuity: Unlike banks, schools, and other institutions, hospitals need to stay up and running during disasters such as earthquakes, hurricanes, volcanoes, wars or a terrorist attack. Yet their infrastructure and facilities may be damaged during the disaster. Moreover, many members of the staff may flee. The situation may worsen as the load of patients in the hospital increases.
Healthcare is one of the most heavily regulated industries with mandates spanning HIPAA/HITECH, PSQIA and the Affordable Care Act, as well as cross-industry regulations such as SOX, PCI DSS and FCPA. Each of these mandates and regulations comes with hundreds of requirements for systems, functions and processes. Regulatory scrutiny is intense, and non-compliance penalties are heavy – not just in terms of monetary fines, but also brand impact.
Ethics and Integrity Risks
The allure of easy money prompts incidents of internal corruption such as accepting kickbacks for patient referral, stealing confidential information or wrongfully altering patient records for financial gain. Not only are these acts illegal, but they are also harmful to patient security and well-being.
Environmental and Health Risks
If medical waste is not disposed of properly, or proper hygiene and sanitation standards are not followed, the result could have a devastating effect on the environment and the public. In a worst-case scenario, an infection could spread beyond the facility and lead to a full-blown pandemic. To the healthcare provider, this could spell immense financial loss, and even the shutdown of operations.
Risks of Leveraging Social Media
Healthcare organizations are engaging with social media for numerous reasons, including marketing, communicating with patients, interacting with other physicians, and collecting information about new developments in the industry. But, using social media can expose organizations to potential regulatory, legal and reputational risks ranging from privacy violations, to data abuse and theft.
Important Risk Management Standards
ISO 31000: This standard establishes principles for making risk management effective, and integrating it into the organization’s overall governance, strategy, reporting practices, policies, values and culture. By adhering to the standard, healthcare providers should be able to manage any form of risk in a systematic, transparent and credible manner.
JCAHO Patient Safety and Medical/Health Care Error Reduction Standards: These standards are targeted at improving patient safety and reducing adverse patient outcomes through an integrated and coordinated approach that specifically involves participation from leadership. The standards encourage recognition of risks to patient safety, initiation of actions to reduce these risks, reporting at each stage, organizational learning, and effecting behavioural changes to improve patient safety.
ISO 9001: Although this standard focuses on quality management systems, it enables healthcare providers to manage risks effectively by establishing a culture of patient safety, proactively monitoring the effectiveness of organizational processes, strengthening records management, and quickly detecting and correcting errors and problems.
ISO 27799: The purpose of ISO 27799:2008 is to provide guidelines and a set of detailed controls for managing health information security in accordance with the ISO/IEC 27002 standard. With the help of ISO 27799:2008, healthcare organizations and other holders of personal health information will be able to protect the confidentiality, integrity and security of health information, and minimize the risk of information security breaches.
MetricStream Solution for Healthcare Risk Management
To effectively manage risks, healthcare providers need to implement a robust risk management framework that is based on industry standards and best practices, and is efficient, transparent and proactive. Such a framework will transform risk management into a competitive advantage by providing the tools and information to protect stakeholders and customers, save costs, enhance organizational reputation, and drive value.
MetricStream Healthcare Risk Management Solution is designed to meet these requirements through a host of powerful and flexible functionalities. Built on a single GRC platform, the solution extends across the enterprise, integrating and streamlining end-to-end risk management processes, automating critical workflows, and providing real-time transparency into risk intelligence.
The key capabilities of MetricStream Healthcare Risk Management Solution include:
Establishing a Risk Management Policy: The MetricStream solution enables healthcare executives to effectively set the tone at the top by facilitating a systematic and collaborative process for creating, reviewing and approving risk management policies. The flexibility of the underlying data model allows risks to be clearly linked with the corresponding policies and organizational objectives. A centralized repository enables all policies to be stored, organized and accessed in a simple, convenient and efficient manner. The solution also provides powerful capabilities for facilitating training and awareness of policies and procedures, and simplifying training delivery and tracking.
Ensuring Accountability: The MetricStream solution enables healthcare organizations to assign risk management responsibilities and roles based on skill sets and experience. The system alerts the responsible personnel whenever policies are updated, threshold levels are breached, or remedial action is required. It also helps define criteria for performance measurement. In addition, the solution facilitates the efficient allocation and management of resources with detailed reports of resource utilization, including total resources requested, budgeted effort, and assigned resources.
Embedding Risk management in the Organization: The MetricStream solution closely maps each risk to the corresponding policies and procedures, standards, compliance regulations, processes, controls, assessments, issues and action plans. The solution can also be mapped to complex organizational hierarchies, and easily adapt to changes in organizational roles and responsibilities. Thus healthcare organizations are able to make risk management an integral part of their business processes and strategic development.
Building a Risk Management Strategy: The MetricStream solution provides a centralized framework to define risk management objectives, scope, criteria, responsibilities, methodologies and other parameters. It also captures regulatory alerts and events from sources such as the OIG and CMS, and combines them with embedded best practices and industry guidelines, as well as internal policies, to help organizations develop a robust and sound risk management strategy.
Identifying Risks: The MetricStream solution provides an integrated framework to identify the complete range of risks faced by the organization, including fraud, IT risks, patient safety risks, documentation risks and regulatory risks. Each risk is documented in a centralized library along with relevant and up-to-date information on its source, areas of impact, causes and potential consequences. Thereby, healthcare risk managers are able to gain a comprehensive, bird’s-eye view of all enterprise-wide risks.
Analyzing Risks: Based on configurable methodologies and algorithms, the MetricStream solution helps risk managers assess and analyze risks to determine their causes, positive and negative impact, and the likelihood that such an impact will occur. This is further enhanced by the solution’s ability to assess risks based on various quantitative and qualitative factors and scenarios.
Controlling Risks: Once the key risks are identified and prioritized, the MetricStream solution leverages a flexible framework such as COSO to help managers define and implement a set of controls. The solution also measures residual risk to determine if it should be accepted or mitigated further. Continuous control assessments are supported based on predefined criteria and checklists with a mechanism for scoring, tabulating and reporting results. All assessments are stored in a central repository with easy access and search capabilities. This enables healthcare managers to ensure that organizational operations remain at all times within acceptable risk limits.
Monitoring and Reporting Risks: Powerful role-based dashboards, charts and heat maps in the solution provide healthcare providers with real-time information on risk management across the enterprise, including risk-control assessments, near-misses, remediation statuses, successes, failures and trends. Thereby, managers are able to constantly stay in touch with the progress on risk management programs, learn lessons, detect changes, and identify emerging risks.
Flexible reporting capabilities enable standard, ad hoc or scheduled reports to be created to view risk metrics by a variety of parameters such as process, business unit and status. This helps the organization to continually update both internal and external stakeholders, and helps them understand why certain decisions were made. Each of the reports and dashboards can be drilled down to access the data at finer levels of detail. Automated alerts for events such as exceptions and failures eliminate surprises and make the process predictable.
Managing and Remedying Issues: Issues identified during risk or control assessments are seamlessly routed to the MetricStream Issue Management module which triggers a systematic mechanism of issue investigation and remediation. Healthcare providers are able to track the status of issues as they automatically move from one stage to the next. Automatic alerts keep the process on track, and ensure that the appropriate personnel address the issue in time.
Why MetricStream Solution?
Increased Collaboration: MetricStream GRC Platform establishes a single, integrated framework that enables healthcare providers to streamline end-to-end risk management processes across the enterprise. The platform transcends functional and operational silos, facilitating seamless collaboration across processes, departments and locations. Thus redundancies and duplicate activities are eliminated.
Flexible Data Model: The MetricStream solution is built on a flexible data model which embeds the risk management program into the organizational processes. It maps risks to processes, controls, departments/units and policies, thereby enabling healthcare providers to establish a systematic approach to risk management.
Simplified Information Management: The MetricStream solution integrates all risk management data in a single reusable library of risks, controls, assessments, issues and remediation plans with quick and easy search capabilities.
Increased Accountability: The solution enables risk and control assessments at a process level or any other individual entity level. At the same time, it rolls the information back upstream to be viewed at the enterprise level. This provides a complete view of the risk profile of the organization, and ensures increased accountability.
Real-time Risk Intelligence: Powerful dashboards and charts enhance transparency into organizational risks by providing real-time information on how risks are being managed across the enterprise. Healthcare managers are thus able to make well-informed and confident strategic decisions.
Increased Cost-efficiency: The MetricStream solution automates critical risk management workflows, thus eliminating the need for cumbersome spreadsheets or manual processes, and freeing up resources for value-added risk management activities.
- Flexibility to meet specific requirements and adapt to changing business processes
- Fast implementation with configurable forms, information flows, notifications, alerts and escalation paths
- Secure Web-based access with appropriate views and tabs for initiating actions, responding to events, managing to-do lists and assigned tasks, viewing reports and dashboards
- Built-in reporting for analytics and business intelligence with a tool to create custom reports that can be emailed or exported into formats like MS Excel and Adobe PDF
- Executive role-based dashboards providing graphical views of information that can be drilled down
- Easy integration with external systems to retrieve, store and deliver data
- Support for electronic signatures and accurate time-stamped audit trails for regulatory compliance