Industry Spotlight: Healthcare Risk Management

A healthcare risk manager can benefit from a risk management system.

Risk management in healthcare is a topic that is gaining increasing importance. A large driver of this attention is the shift from fee-for-service to value and outcome-based models. An article in the New England Journal of Medicine’s (NEJM) Catalyst blog notes, “For these reasons, hospitals and other healthcare systems are expanding their risk management programs from ones that are primarily reactive and promote patient safety and prevent legal exposure, to ones that are increasingly proactive and view risk through the much broader lens of the entire healthcare ecosystem.”

This demand for an expanded view of healthcare risks has fueled the demand for Enterprise Risk Management (ERM) solutions. The road to fully functional ERM programs, however, has proven to be a challenging one for most healthcare organizations. The NEJM Catalyst article cites a report from Healthcare Financial Management Association (HFMA) that states, “Despite the growing importance of programs today, and the raised awareness of their importance, many healthcare providers have been slow to adopt a more sophisticated approach… The current state for most providers falls between ‘basic’ and ‘evolving’ maturities for ERM programs.”

Confounding factors for the healthcare industry

Part of the reason that an ERM approach can be difficult in healthcare is because the industry faces amplified risk profiles in several key areas, with risk levels that are well above those faced by other industries. Notable examples include:

  • Cyber risk
  • Regulatory risk
  • Legal risk
  • Workplace safety

Additionally, given the critical role that these institutions play during natural disasters (and the need to stay open when others relocate), their disaster response plans are pressure tested in ways that other organizations can often avoid. Similarly, the long educational cycles and complex certification processes associated with much of the healthcare workforce makes mitigating labor shortages and talent gaps that much more difficult.

Extreme cyber risk

Two factors create an exponentially greater risk of cyber attacks.

First, as the infamous outlaw Willie Sutton may (or may not) have replied when asked why he robbed banks, “Because that’s where the money is.” Personally identifiable information (PII) data is the most valuable on the black market due to its linkage to identify theft. Healthcare institutions are essentially banks of PII in terms of the data they are obliged to store. This explains why some reports claim there has been an average of one health data breach per day this year.

The second factor relates to the critical role that technology plays in healthcare operations. While many businesses would suffer devastating losses if critical systems were locked out via a ransomware attack, any downtime in a healthcare setting can actually mean life and death. Criminals know this, and play on the industry’s tendency to pay off ransomware demands. As a result, “The healthcare industry was the victim of 88% of all ransomware attacks in U.S. industries last year.”

Outsized impacts from workplace violence

According to an OSHA report cited by the Joint Commission, 75% of annual workplace assaults occur in healthcare and social service settings. The commission notes that the voluntary nature of reporting means that even this drastic figure is likely underreported.

The constant interaction with people in pain, on drugs, and/or with mental health issues explains the discrepancy in rates of workplace violence when compared to other industries. The drastically different risks faced by healthcare organizations means that standard methods of control used in other settings may not be adequate for their needs.

Challenges with establishing a near-miss culture

The aviation industry shares at least one critical aspect with healthcare. Namely it’s the idea that mistakes, even tiny ones, can put lives at risk. To combat this, the aviation industry pioneered efforts at developing a near-miss culture, where carefully studying incidents, even when no negative outcome occurred, is a central focus. Near misses are treated as early warning indicators of the potential for similar events to cause damage in the future.

Applying this approach to the healthcare industry, however, has proven difficult. “The incident-reporting concept ‘has not caught on’,” said Dr. Ethan Fried, an advisory board member who helped develop the Near Miss Registry, in a Modern Healthcare article. In our post on How to Create a Successful and Sustainable Near-Miss Culture, we highlight the need to make sure that action is taken to correct problems indicated through near-miss reporting. Dr. James Branigan, director of the Center for Healthcare Engineering and Patient Safety at the University of Michigan echoed this concern in the Modern Healthcare article. “Analysis alone doesn’t fix anything. If you don’t take the right action, the rest is a waste of time.”

Additional challenges

If those challenges weren’t enough to test the abilities of any healthcare risk manager, there are additional aspects that add yet another layer of difficulty. The highly mobile nature of healthcare workers means technology that works fine in a traditional office setting may prove to be impractical in a healthcare facility. Frequent lifting and carrying requirements expose many employees to the same types of potential injuries associated with warehouse work. The presence of hazardous materials poses risks similar to those faced in some industrial environments.

Taken altogether, the healthcare industry is essentially a perfect storm for risks. Not only are the risk levels higher, but the threat of litigation is also more commonplace. In this environment, the most robust solutions are required.

Technology that’s up to the challenge

Yes, healthcare risk management operates on an advanced level. Armed with the right approach and the right solutions, however, this challenge can be faced down. Some key factors that any solution should offer include:

  • Flexible solutions designed for a mobile workforce
  • Support development of a near-miss culture, including automated workflows and powerful reporting to make sure issues actually get fixed
  • Audit the organizations compliance with training required, preventative programs (for workplace violence, cyber practices, and more)
  • Mimic proven approaches from other industries (warehouse safety, industrial safety, etc.)
  • A flexible approach to ERM that lets you pilot and expand as the organization’s maturity and experience increase

Origami Risk can help your organization create the processes and feedback needed to take on these challenges and control risk.


Get in touch with our healthcare risk management team today.