Wednesday, June 13, 2012

Setting Compliance Priorities

Today we begin the first of two compliance planning retreats at BIDMC as part of the Summer of Compliance 

Recognizing the importance of compliance projects and the need to jointly set priorities between compliance experts and IT leadership, we're putting all the stakeholders together for discussion, debate, and project ranking.

Our agenda is here.

There are very large number of possible projects to address the constant stream of regulatory change.

To set priorities, we need to understand risks, change management complexity, and resource requirements.

As a first step, stakeholders were asked to bring an inventory of their risk concerns which vary from the challenge of personal devices used to check email to website defacement.

All technology projects require the joint participation of business owners and IT service providers.   Projects are a function of scope, time and resources, all of which are limited.

The challenge of addressing regulatory requirements is that demand (which can be infinite) must be balanced with supply (which is fixed).    Without prioritization it's like a farmer trying to put 100 pounds of manure into a 50 pound bag (sorry for the agricultural analogies).

I'm sure that other organizations have the same challenges, so I'll openly describe the process and our conclusions.   Governance is a great way to set priorities when the projects as discretionary.   With regulatory requirements, nothing is discretionary and everything is about the spectrum of risk.

I look forward to our work over the next two weeks.


Unknown said...

With the iPhone4's iOS 4.3 you get a personal hotspot which you can use to neteork your cameras. Here's the link:


HealthITGuru said...

I would encourage you to think about what it means to be a "Privacy Aware Organization." All too often IT stakeholders evaluate the risk surface area with acute focus on mitigating technological risk. Your largest exposure area for compliance is people.

There is no technology that could have mitigated Stanford's vendor from posting the PHI of 20,000 patients online last year. ( This, as with almost every breach, was due to the careless act of an individual. People not actively thinking about privacy.

As a consultant for the 2nd largest public hospital company in the United States, I stay almost every night in a hotel. Starwood, as with most large merchants, follows strict standards in the safeguarding and encryption of customer credit card numbers. Yet I heard that guests were scammed the other day because a fraudster called guest rooms, stated that she was with the front desk, that the guest's credit card did not go through and that they would need the information again to put on file for incidentals. Many guests simply gave the caller their card information without question.

If a stranger called an average staffer at your hospital, how much information could he or she get pretending to be a member of the staff? Does your staff actively think about the privacy of patient data? Does your staff actively think about the privacy of their security credentials? Would they do a screen sharing session with a caller?