Spotlight on Document Management MARCH 30, 2010 / Issue 13
Featured Article
How to meet compliance and manage risk

By Ed King

With the healthcare industry facing unprecedented challenges, uncertainty is the only constant. On the care-delivery front, the industry faces aging baby boomers, a shortage of healthcare professionals and healthcare reform. On the business and IT fronts, the industry faces an increasing compliance burden, including SOX, HIPAA, HITECH and state-level privacy and breach-notification laws.

With security threats reaching record levels, healthcare has become a high-value target for identity thieves. ARRA’s push for electronic medical records makes more data accessible to healthcare professionals and researchers, but also creates security and privacy risks for healthcare organizations.

Governance, risk and compliance (GRC) solutions – a broad collection of disciplines that cover legal, finance, ethics, IT, care delivery and human resources – can help manage and scale risk and compliance programs. Figuring out where to start with GRC investment can be daunting and confusing. Here are some recommendations:

Improve the integrity and efficiency of compliance
Most organizations have deployed basic security technologies, such as intrusion prevention, identity management and vulnerability scanning, to ensure that mandated controls are in place. These technologies allow an organization to demonstrate that it has implemented the necessary controls to meet regulatory requirements, but the process of actually demonstrating compliance and reporting is still expensive and manual. Inefficiency and duplicate work across different compliance programs may be prevalent. Data integrity and audit-readiness may be poor. Remediation and gap-management processes may be prone to mistakes.

GRC solutions can improve both the integrity and efficiency of an organization’s compliance program.

  • These solutions provide a single repository for all compliance requirements, policies, deployed controls, assessment results, gaps and remediation. This consolidation of data enables an organization to have a comprehensive view of its compliance posture, and provide faster access to higher-quality data for compliance assessment and reporting needs.
  • Regulations and standards often overlap. For example, HIPAA, PCI, and SOX IT all have strong password-strength requirements. GRC solutions can map overlapping requirements across different regulations and standards, eliminating audit fatigue, redundancy of processes and confusion. When combined with assessment automation, a GRC solution can test a control once and use the test results to report on multiple compliance mandates, achieving the goal of “test once, comply with many.”
  • Many compliance requirements involve IT and security controls that are being enforced and tested using automation. Reporting on the test results for these controls, however, is still largely a manual task. GRC solutions can automate the tasks of importing control test results directly from control technologies, mapping the results to compliance requirements, and then calculating a compliance score.

Improve visibility and effectiveness of policies
A large percentage of business and IT controls are implemented using policies. Policies come in all varieties and this diversity can translate into inconsistent policy formats, overlapping policies and versions, scattered policy repositories, non-standard review and approval processes, poor policy communication and training, and lack of measurement for the effectiveness of these policies.

GRC solutions can help to improve both the integrity and the effectiveness of an organization’s policies.

  • Consistency is critical when managing a large number of policies. GRC solutions provide consistent policy templates, verbiage, version control, review processes, approval requirements and ownership. Using a central policy repository, GRC solutions can enforce policy templates, ensuring policies are comprehensive, well designed, and easy to read. GRC solutions also support work flow to help protect the integrity of the policy during authoring and review processes involving multiple stakeholders.
  • GRC solutions can surgically distribute policies to affected employees based on rules and employee attributes, thus preventing the desensitization of employees to non-discriminating policy communications. GRC can also help administer the necessary training, attestation or comprehension testing to ensure the proper level of comprehension.

Improve awareness of and ability to mitigate risks
Organizations that have taken a periodic, audit-centric approach to risk management are increasingly finding themselves exposed to threats. GRC solutions can help to improve an organization’s ability to identify, track and mitigate its various risks.

  • GRC facilitates proper risk identification by polling stakeholders and aggregating their inputs into composite risk models. Stakeholders can provide qualitative opinions and quantitative estimates, such as likelihood, impact and business criticality.
  • Many IT-related risks are effectively measured by mapping controls to these risks, controls that are already being tested for compliance. GRC solutions can help map control test results to risks to produce real-time risk scores, then further aggregate risks by functional areas or geographic locations to create key risk-indicator dashboards.
  • When a risk indicator exceeds programmed thresholds, GRC dashboards can help alert the response team and stakeholders. Work flow helps automate the mitigation process and ensures that proper information-gathering, review, approval, delegation and escalation tasks are completed. GRC can also integrate with help-desk systems to ensure tickets are created and tracked for proper closure.
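As an added illustration (not Agiliance's or the article's own code) of the "test once, comply with many" mapping and the control-based risk scoring described above: one imported set of control test results is reported under every mandate that cites each control, then reused to score risks and aggregate them by location against an alert threshold. All control, mandate, risk and location names, and the scoring formulas, are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (assumed, not from any real GRC deployment).
# Each control lists the mandates whose overlapping requirements it satisfies,
# so one imported test result is reported under every mandate that cites it.
CONTROL_MANDATES = {
    "password-strength": {"HIPAA", "PCI", "SOX-IT"},
    "vuln-scan-monthly": {"HIPAA", "PCI"},
    "access-review": {"SOX-IT", "HIPAA"},
    "encrypt-phi-at-rest": {"HIPAA"},
}
# Pass/fail results imported from the control technologies (constructed).
TEST_RESULTS = {"password-strength": True, "vuln-scan-monthly": False,
                "access-review": True, "encrypt-phi-at-rest": False}
# Risks measured through the controls already tested for compliance:
# mitigating controls, location, and business criticality (1 = low, 5 = high).
RISKS = {
    "phi-breach": {"controls": {"encrypt-phi-at-rest", "access-review"},
                   "location": "Hospital-A", "criticality": 5},
    "card-data-theft": {"controls": {"password-strength", "vuln-scan-monthly"},
                        "location": "Hospital-A", "criticality": 3},
    "unauthorized-access": {"controls": {"password-strength", "access-review"},
                            "location": "Clinic-B", "criticality": 2},
}

def compliance_scores(control_mandates, results):
    """Percent of tested controls passing, per mandate: test once, comply with many."""
    tallies = defaultdict(lambda: [0, 0])  # mandate -> [passed, tested]
    for control, mandates in control_mandates.items():
        if control not in results:
            continue  # an untested control is a gap, never an implied pass
        for mandate in mandates:
            tallies[mandate][1] += 1
            tallies[mandate][0] += int(results[control])
    return {m: round(100 * p / t, 1) for m, (p, t) in tallies.items()}

def risk_scores(risks, results):
    """Risk score = business criticality x fraction of mitigating controls that failed."""
    return {name: r["criticality"]
            * sum(1 for c in r["controls"] if not results.get(c, False)) / len(r["controls"])
            for name, r in risks.items()}

def location_indicators(risks, scores, threshold):
    """Key risk indicator per location: aggregated score and whether it breaches the threshold."""
    totals = defaultdict(float)
    for name, r in risks.items():
        totals[r["location"]] += scores[name]
    return {loc: (round(total, 2), total > threshold) for loc, total in totals.items()}
```

A missing test result is deliberately treated as a gap rather than a pass, so a control that was never tested cannot inflate any mandate's score.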

Ed King is vice president of marketing and product management at Agiliance.


Featured White Paper
The Essential Guide to Disaster Recovery
Learn how to calculate unplanned downtime costs and create a continuity plan. Also get an overview of DR technologies.

Featured Product
Evidence-based content
The solution provides standardized, evidence-based medical content that delivers guidance at the point of care, along with integration and work-flow tools.

HMT Forums
Participate in HMT’s new forums
Health Management Technology’s Community Forum offers a place for healthcare IT professionals to collaborate, share expertise and discuss real-world challenges and solutions within the healthcare IT field.

Award Program
Nominate a Pioneer
As part of Health Management Technology’s 30th anniversary celebration, we are asking subscribers to nominate individuals to receive the Pioneers in Healthcare IT awards. These awards will recognize those individuals – past and present – who have shaped the healthcare IT field, individuals whose vision and innovation have positively impacted the industry. Winners, selected by an editorial panel, will be recognized in the September 2010 issue of Health Management Technology and on the magazine’s Web site.

Pioneers
Pioneers in Healthcare IT
Sunquest Information Systems - Laboratory testing solutions
Unibased Systems Architecture - Improve patient relations
Carestream Health - New radiology infrastructure
Wolters Kluwer - Tools and work-flow solutions
Ontario Systems - RCM solutions



Copyright 2010 Nelson Publishing, 2500 Tamiami Trail North, Nokomis, FL 34275