Mapping Risks and Resources to the Healthcare Environment

A world-renowned international healthcare system was facing an increase in risks, significant growth plans and a need to better allocate limited resources. Like many organizations, the Security Department, was dealing with staff turnover, legacy decisions around resources and executive leadership questions about their strategy and leadership.  

Corporate Security Advisors was engaged to assess the present state of the security organization and collaboratively develop a forward-looking strategy that addressed the healthcare system’s business model and future growth. Of particular importance was the need to identify security risks, prioritize them, and map the necessary controls to address those risks.  This was critical to determine the optimal use of resources, ensure fiscal responsibility, and effectively manage those risks.

Our Solution

CSA worked closely with security leadership to develop a security risk framework that would be comprehensive in scope, standardized, defensible and scalable across the growing business enterprise.

The initial phase focused on identifying security risks and defining which were in scope for the security management program. This involved a thorough review of both internal and external data sources and understanding the client’s compliance requirements. Defining the scope of the security management program was critical to ensure that the framework would cover all relevant risks.

Once risks were identified, CSA conducted a detailed analysis to prioritize the risks before any controls were determined. This effort was grounded in data, aligned to the organization’s enterprise risk management system and calibrated based on risk committee input. The input from the risk committee was crucial in fine-tuning the prioritization process, ensuring that the most critical risks were addressed first.

A critical component of the framework was the inclusion of a governance process. This requires participation from organizational leadership in discussions and decision-making regarding risk and helps drive consensus on how risk should be managed, which controls are appropriate and what costs may be supported.

After reaching agreement on how to treat each identified security risk, a series of controls – e.g. technology, staffing, processes, training, and communication - was mapped to each risk. The organization then decided on the appropriate controls based on cost considerations and overall effectiveness. In addition, documented controls were evaluated for their performance in addressing risk. This approach provided the organization with a consistent and documented process that weighs the organization’s risk and financial tolerance, adds objectivity, provides consensus and prioritizes resources. It served as a natural extension of existing business practices and is durable in the face of a changing risk environment.

Our Approach

Security Assessment

Our assessment included an in-depth review of existing risks, security capabilities and current financial investments in controls. We identified the need for a comprehensive risk framework to enable leadership alignment on key decisions, whether staffing, technology, or policy. Working in collaboration with security leadership we designed a process that is appropriate for their organization and iterative in nature to adapt to future needs.

Impact

CSA understands that a business has many drivers, security being only one of them. That’s why our focus is “The Business of Security.” Too often, businesses do not know how value is generated from security investments. We guided the client in defining and articulating the value generated by a security organization that is business-focused, risk-based, and intelligence-led. This approach aligns security closely to the organization's overall business objectives The result is a security program that the client now views as a potential differentiator in the competitive healthcare landscape, positively impacting their current state and future growth.

‍