Tuesday, September 19, 2017 12:00 PM

Ignorance, Bliss, and the Zen of Risk Management

Written by Rob Rhodes, CHCIO, CISSP, HCISPP, Executive Vice President - iatricSystems

We have probably all heard the old saying “Ignorance is Bliss.” Many of us, as we get older, look back fondly on our childhood and remember how true that was. Children often have the luxury of going through life without knowing what it's like to have to work to feed, clothe, and shelter themselves and their family. Adulthood, on the other hand, quickly brings the realization that life comes with a multitude of challenges and lots of stress. The simplicity of life and the bliss that accompanies it is what Thomas Gray was talking about when he coined the phrase. Ahh, to be a child again…

I propose to you, however, that when we're talking about information security and privacy, ignorance is not bliss...good risk management is!

Risk management is one of the most basic things we humans do in life. We are constantly evaluating risk, every minute of every day. Take for example primitive man. Our earliest ancestors asked themselves risk-based questions such as these:

  1. Should I eat that berry? I’m starving, but it may be poisonous.
  2. Should I fight that animal or run?
  3. Should I cross that river or try to find a safer way across?
  4. Should I sleep in that cave, on the ground, or in a tree?

Evaluating risk in our personal lives is the same today. We just normally answer different questions:

  1. Should I eat that hamburger or should I eat the salmon?
  2. Should I smoke?
  3. Should I drive my car or take an airplane?
  4. Should I buy that home in the flood zone?

Although many “experts” would say that humans are not necessarily good at risk management, it is still something we innately do in our day-to-day lives. Why, then, are we so challenged when we try to do it in IT?

I have often seen and heard about organizations that fail to do basic IT risk management. OCR audit findings frequently show the lack of a risk assessment and risk management plan as top areas of deficiency. This is extremely alarming, but it's not surprising based on my almost 27 years in healthcare IT. Organizations just plain ignore this requirement in many cases: sometimes because they are shorthanded, sometimes because there are other priorities, sometimes because they think it's hard, and sometimes because they are just plain unaware.

It is imperative that all organizations start doing real risk management and documenting what risks they can and will address and what risks they will need to accept, mitigate, transfer, or avoid. Without true risk management, organizations will continue to deal with a bevy of vulnerabilities that get easily exploited and suffer the harm that accompanies that exploitation.

Crypto malware attacks that have recently affected the availability of crucial healthcare data will continue to threaten the health of our patients and the financial viability of an already strapped healthcare system. These types of attacks, which were once thought of as “fear mongering” by healthcare executives, have become our reality, and we must all step up our game to prevent them. Only then will we be able to sleep well. Ignorance of your IT assets, vulnerabilities, and risks should not make anyone feel blissful. IT ignorance should be the nightmare that keeps you up at night. A strong risk management program in your organization should be the engine that drives your sweetest dreams. Knowing you’ve managed your risk as best you can should give you bliss…not ignorance. Neither you, nor healthcare IT, is a child anymore.

You may be interested in how one of your peers handles their risk.

In this brief article by Healthcare IT News, hear how Beaufort Memorial Hospital, with the help of technology, manages the assessment of risk with their 200 vendors. Read this interview and see if the approach they took could work for your hospital.

If you would like more information on the solution that Beaufort Memorial uses, you can click here to request a personal demo.