There’s no question that cyber and other risks for hospitals have grown more complex. In fact, the AHA Center for Health Innovation report titled “Why & How to Incorporate Cyber Risk Management Into Enterprise Risk Management,” asserts that “Even without an extraordinary public health event, system-wide cyber risk exposure was rising because of the growth in IoT devices, government requirements to demonstrate meaningful use of technology, and data sharing agreements related to value-based payment models.”
While this is true, unfortunately, the process and practices that hospitals use to manage the assessment, prioritization, prevention and response to current and future risks has not grown to keep up with this increased complexity.
We continue to see hospital systems rely on manual and often error-prone spreadsheets as the primary source of risk management analysis, tracking and reporting. As a first step, the availability of spreadsheets provided a cheap and simple to use way to build a risk register.
While we must acknowledge that these spreadsheets have been built with the best of intentions by risk professionals to serve the needs of their hospitals, it is also time to admit that they have serious shortcomings that can leave a hospital’s patients and finances exposed.
Spreadsheets do not easily support the dynamic data integrations needed to provide a timely and accurate projection and assessment of risk magnitude and probability.
The quality of any risk assessment and management program is determined 1) by the quality of the data used to understand risk and 2) by the actionability of the interpretations of this data.
For many hospitals, limitations in data quality and actionability have led to the adoption of the “red, yellow, green” ranges of risk assessment typically used today. While this is better than nothing, the frequency at which data about risk-related threats, fines, and legislation is updated means that many of the spreadsheet models used to determine the color-based labels are quickly outdated unless that data can be updated in real time.
Realistically, the gathering, cleansing and integration of new data and data sources into existing spreadsheets is not manageable. And if it were, there’s also the challenge of constantly managing version control so each member of the team has the most up-to-date version.
This is further complicated by the demand for hospitals and their boards to quantify the financial impact and probability of a risk. Incomplete or inaccurate data can lead to inaccurate calculations and poor investment decisions.
Spreadsheets are not meant for the cross-functional collaboration necessary to address today’s shifting healthcare landscape.
Not only are spreadsheets insufficient for the data complexity of today’s risk environment, they are also insufficient for the organizational complexity of modern hospitals.
By nature, hospitals can be siloed. As a result, spreadsheets used to track and manage risk even when the risk crosses functional areas (risk, compliance, IT, etc.) are unique to the specific business area. We see the same issues tracked in different ways in different spreadsheets.
The reliance on individual spreadsheets makes cross-functional communication and understanding difficult. It also results in executive leaders being presented with disconnected and sometimes conflicting information.
According to the AHA report, “Addressing cyber risk at the enterprise level could contribute directly to reducing vulnerability if it brings alignment among various roles in the organization. Stakeholder alignment is the second-most important variable to healthcare cybersecurity.”
Spreadsheets are not ideal for the “what if” modeling needed to weigh the risk investment decisions that will lead to the best outcome for their hospitals.
Most risk spreadsheets are used to track current issues and remediations. They support a reactive approach to risk management where an issue is identified and the hospital acts to address the risk.
Today, hospitals need to be able to make decisions more proactively in order to offset vulnerability to patient safety and the financial impact of a potential threat. This type of decision making often means choosing between multiple risk investments to make the most out of a limited budget.
To inform decisions accurately requires modeling that can predict the what-if magnitude and probability of a specific decision. Spreadsheets, while capable in the right hands, are not designed for the risk quantification modeling and reporting needed to guide a hospital's risk strategy.
Similar but not the same
Asking your risk professionals to give up their spreadsheets is not just a change in tools, but also a change in process. For many, spreadsheets are used to guide their work and as a source of accountability in the case of a threat.
This is why any replacement of spreadsheets needs to reflect current practices happening in hospitals while also extending these capabilities to include improved communication, more accurate reporting, easier to manage processes and more robust risk quantification features.
As important as the new capabilities are, any new solution must demonstrate its clear understanding of the structure and needs of hospital systems. While risk threats may be similar, the added complexity of human life raises the stakes of decision making to a new level that those unfamiliar with healthcare may not understand.
Spreadsheets have been an important starting point to addressing and managing risks in hospitals. Just like other tools that have evolved over time, so must the reliance on the spreadsheets evolve to embrace new tools that can better reduce the blindspots and exposure in ways that allow hospitals to invest smarter and protect their people and patients better.
To learn how HealthGuard has helped hospitals secure their risk management practices and transition away from their spreadsheets without significant disruption to their work, schedule a call here.