Research Paper - ERM

profileSinners0043
ResidencyResearchPaper.docx

Running Head: ENTERPRISE RISK MANAGEMENT 1

ENTERPRISE RISK MANAGEMENT 9

How Enterprise Risk Management Supports HIPAA Compliance

Student

University

Enterprise Risk Management and HIPAA Compliance

Today, an effective enterprise risk management (ERM) program helps provide a crosscutting method that entails identification, control, and mitigation of risks faced by an organization (Dorsey, 2017). The primary care field has been presented with legal requirements, especially when it comes to the safety of patients’ data. HIPAA is one of the conditions where the data handlers must ensure it is safeguarded from exposure to third parties when stored or when being transferred. In the event of a breach, an organization can be fined heavily, which, must be avoided. For the best outcomes to realized, the ERM efforts need to expand beyond the individual risk, to achieve an integrated ERM that will view all the risks holistically (Hampton, 2009). This creates an environment where all the chances are focused on to reduce their effects on organizational operations. When it’s done, an organization will likely promote compliance with the HIPAA requirement that calls for safe and secure handling of patient data. An integrated ERM supports HIPAA compliance because it allows for a holistic approach against enterprise-level risks.

An integrated ERM means that the focus on risks is collective as opposed to a situation where only the individual risks focused on at the functional or the departmental level. This model also means that there are mutual goals that need to be achieved, which makes the model effective when it comes to realizing mitigation of risks in a manner that meets the regulations put in place such as the HIPAA. An integrated ERM has several attributes and aspects that will ensure that an organization is leveraging the strategies and achieving full compliance with the HIPAA, which is a standard for all organizations in the primary care field.

A vital element of an integrated ERM is a risk assessment that is about identifying all the vulnerabilities in the set IT systems. This is followed by an evaluation of the potential impact that can be caused by the said risks. HIPAA regulation is clearly about safeguarding patient information and ensuring that the confidential data can never exposed to unauthorized third parties (Janssen, Wimmer & Deljoo, 2015). The risks faced by an organization's IT systems must be assessed before the necessary measures can be taken. This is the first step that should be taken so that the specific risks can be identified. This is one of the steps for promoting HIPAA compliance. When the risks have identified, the measures put in place will address them, lowering their potential impact on the organization’s data. Notably, the assessment process should be meticulous to ensure that all the significant risks are identified and communicated to the relevant parties such as the IT teams and the managerial staff.

To ensure continued HIPAA compliance, the risk assessment processes should be a routine where they will be carried out after a stipulated period. This is because risks are evolving as per the rapid evolution of hacking tools (Janssen et al., 2015). Hackers and other cybercriminals are continually targeting primary care providers, which introduce new risks every day. As such, the risk assessment process must be a routine to enable the realization of the desired results and outcomes.

Besides, the risk assessment process should be a routine to ensure that the involved teams and parties can monitor and continually evaluate the tools that have been put in place. There have been situations where the parties involved did not examine put in place an effective plan for making follow-ups and evaluations. This leads to a job where the system is not maintained correctly, leading to obsolete applications and outdated hardware components. Such outcomes should be avoided if the desired results are to be realized.

Further, the risk assessment process can focus on the requirements and regulations outlined in HIPAA compliance. For instance, it has described the physical and technical safeguards that should be met by the primary care providers. One of the technical safeguards entails ensuring that data has been encrypted before storage or transmission (Janssen et al., 2015). When doing the risk assessment, the team can determine whether there is a possibility of work teams sending or transferring data without encrypting it first. It is one example that indicates how the risk assessment process can be carried out in a manner that looks into the requirements outlined in the HIPAA Law.

Gap analysis is a critical element of an integrated ERM that also helps with promoting HIPAA compliance. It refers to the evaluation of the ERM program against the industries and regulation standards. This is an additional practice that a team can carry out after putting in place an ERP program. Its components and elements will be measured against specific standards that already exist, especially when it comes to regulations (Janssen et al., 2015). First, a gap analysis carried out against HIPAA requirements can be done. Typically, this is about looking into the specific needs and establishing whether the ERM program has met them. For instance, if the HIPAA requirement calls for integrity control and device security, the team can evaluate whether the program meets such requirements. In essence, a gap analysis is an essential element of an integrated ERM and can promote HIPAA compliance. It should be carried out after a program has been put in place in a bid to ascertain there are no weaknesses that could amount to a failure to meet HIPAA violations.

An additional element of an integrated ERM is risk mitigation that is about lowering the potential impacts of the identified risks concerning safeguarding data from incidents. First, it is worth noting that HIPAA law is mainly about achieving mitigation of risks that data faces when stored or being transmitted. The law requires the data handlers to effect measures that ensure the information is not exposed to third parties. In light of this, risk mitigation will be about measures that reduce the risks in line with HIPAA compliance as well as doing even more (Janssen et al., 2015). For instance, the encryption of data that is required under HIPAA can be done using more sophisticated technologies through the deployment of the latest encryption key. This is an effort for achieving even a better outcome when it comes to avoiding exposure of data in the event of an unforeseen security incident.

Besides, an integrated ERM ensures that risk mitigation efforts are in line with the requirements of the existing laws. There have been numerous cases where some organizations have employed methodologies that have been rendered ineffective. For instance, some institutions have failed to encrypt data before transmission, arguing that it was only transmitted within their private networks. This was found to assume that such data is not under threat of exposure, which is untrue. Today, there are hackers able to intercept data being transmitted even in private networks. As such, all data being transferred should be encrypted first as required under the law. This indicates the risk mitigation process should adhere to the requirements of the set law. The risk mitigation strategies must conform to the conditions before any new or more measures, and procedures can be put in place.

Today, integrated ERM has assurance and support of the relevant parties, such as the top management. Studies have shown that an ERM’s success is dependent upon the help of senior management with the required resources and motivation (Shostack, 2014). A lack of an integrated ERM means that risks are mitigated at the departmental or functional level, meaning that the top management teams are not directly involved. This creates organizations with independent goals and objectives, which leads to a situation that lacks uniformity in risk mitigation. Such challenges are addressed through an integrated ERM that seeks assurance and support of the top management. This enables the allocation of sufficient resources for addressing the risks and vulnerabilities. This is an essential effort towards the mitigation of risks in line with the requirements of the HIPAA law.

Monitoring the current IT system is a critical element of an integrated ERM. It was earlier noted that some processes are routine to enable identification of new risks before they can escalate. An IT system faces a host of risks, including hardware malfunction and infiltration. Though there are tools put in place against such outcomes, it is worth noting that monitoring the system is critical. A team of experts and professionals should be set up and assigned the responsibility where any performance issues and risks will be identified before they can escalate (Toohey, 2014). A sophisticated IT system requires active monitoring where every aspect of the order will be evaluated and performance against the expected outcomes measured. This helps meet the requirements of the HIPAA law, which calls for audit controls whose aim is to identify new risks and address them.

Further, an integrated ERM allows for internal mechanisms for ensuring that private parties such as users do not pose risks to the IT system. In IT, the user domain presents the weakest link, and internal controls are required to mitigate the risks. Some institutions have already invested in efforts such as training workers and putting in place user policies (Shostack, 2014). These are vital efforts whose aim is to realize safe and secure use of the system by the workers among other users. An integrated ERM treat users as sources of risks in a bid to minimize all the risks faced by a system. Some workers are not knowledgeable about the safe use of networks and may be targeted by cybercriminals through phishing attacks. They might end up clicking on links or downloading files that contain infected content. As such, even users can be a source of threats.

Efforts to control the behaviors of the user aligns with the requirements of HIPAA. Under the law, a primary care organization is supposed to have policies for use and access to the workstations and electronic media. The users should only be allowed to access the resources they need with no privileges (Shostack, 2014). This should also apply when it comes to physical access to electronic media. Physical and access controls are vital in meeting HIPAA requirements, where the risks associated with the private parties are sufficiently minimized. In essence, this indicates that an integrated ERM enables an organization to deal with threats related to the use of the system, which complies with the HIPAA requirements.

As it was earlier noted, the users pose significant risks, and the organization must ensure that no vulnerabilities are being created. It is worth noting that under HIPAA, an organization should prevent not only access to patient data by the external parties but also the private parties who may be unauthorized. In response, it is deemed a good practice if there are proper access controls such as access control policies that will block access to data by any unauthorized internal parties. In so doing, the requirements under HIPAA willfully complied with.

To promote compliance with HIPAA, which applies to all the organizations in the primary care and associated fields, an integrated ERM approach must be taken. The reasons for this are as follows. First, the path leads to a holistic approach to risks being faced by an organization. This is a better approach when compared to the traditional model that was mainly about looking into risks from a functional or a departmental level. This approach ensures that all risks, especially in the IT sector, have been identified and addressed. The requirements of the HIPAA law are met in the process.

Besides, it was earlier shown that the integrated ERM model enables the team to adopt risk mitigation strategies that align with the requirements of a particular standard such as the HIPAA. This can be done by first selecting policies that are required from the standard before any new or more procedures can be put in place. This is an important attribute that will enable an organization to adhere to the requirements, hence promoting the overall performance of the IT system.

Moreover, the integrated ERM model allows for a practical gap analysis that is about comparing the program to the requirements contained in the HIPAA requirements. This means that an organization can determine whether the application meets the desired performance outcomes and whether the required strategies have been put in place (Smallwood, 2014). If all the requirements have not been met, the organization can modify or adjust its program to meet the needs. This can quickly be done when using an ERM program because assurance and support are guaranteed through the direct involvement of the top management.

In summary, an effective ERM program can be used to leverage HIPAA compliance, especially in this age where information security is becoming a significant hurdle for most organizations. The requirements outlined in the HIPAA are direct, and an organization can realize them when putting in place an integrated HIPAA program. An integrated ERM means that all teams can work together in the realization of a secure IT system with minimal vulnerabilities and risks, especially when it comes to the user domain. Going forward, business organizations in the primary care field should focus on implementing an integrated ERM that will help them attain full compliance with HIPAA.

References

Dorsey, R. (2017). Data Analytics. New York, NY: CreateSpace Independent Publishing Platform.

Hampton, J. (2009). Fundamentals of Enterprise Risk Management. New York, NY: AMACOM.

Janssen, M., Wimmer, M. A., & Deljoo, A. (2015). Policy Practice and Digital Science. New York, NY: Springer.

Shostack, A. (2014). Threat Modeling: Designing for Security. New York, NY: Wiley.

Smallwood, R. F. (2014). Information Governance. New York, NY: Wiley & Sons.

Toohey, T. J. (2014). Understanding Privacy and Data Protection. New York, NY: Thomson Reuters.