Lately I have been thinking about risk in the context of information security and the healthcare industry. I have written an article that you can find here about using risk management to help healthcare organizations manage their information security, privacy and compliance programs more effectively and efficiently. For the most part using risk to manage information security is new territory for the healthcare industry. Yet it has been common practice in the financial services sector for more than ten years. Why it that the case?
In the late 90’s financial services companies in New York, London and Tokyo went through a dramatic change in the way they managed their information security programs. Risk management took over as (and remains today) the dominant paradigm for running an information security program and enabling business in the financial services sector.
Why did that happen? Well, the financial services world is about transactions. By the late 90’s the infrastructure of the internet had evolved to the point where financial transactions were realistic and could done reliably on a scalable basis. The requirements for enabling electronic transactions were (are) as follows:
• Non-reputable communications between two parties, each of whom can verify the time, value and content integrity of the message.
• Counterparty authenticity
• High availability
All of these requirements are information security issues. So information security became a competitive differentiator. A major element of winning in the financial service market was managing information security in the most effective and efficient manner. Risk management is the way to do that.
The financial services sector was a natural place for adoption. First, financial institutions are risk-intermediation businesses; as the most sophisticated of them came to realize, the ability to describe, price, and manage risk should be among their core competencies. Second, this sector is rich in data, and thus the raw fuel for risk analysis already exists. Third, and perhaps most important, they are typically highly leveraged and are monitored by regulators who, concerned about the potential impact of failures, pushed for improved risk management. So risk management was and is at the core of the business and the extension of processes and methods to information security was evolutionary rather than revolutionary.
I don’t think the same severe pressures on information security that exist in the financial services industry are present in healthcare. However, by making poor decisions around information security, privacy and compliance organizations can destroy patient trust, increase costs, damage brand and create major liability. I think healthcare IT leaders need to borrow the financial services information security playbook and aggressively adopt risk management.