Healthcare IT systems are intertwined with operations, policies and processes, and with a large number of systems, applications and data. Sometimes the systems are so complex that one breakdown can last for days and cost the organization hundreds of thousands of dollars in lost time and money. Therefore, it is imperative that healthcare organizations that depend on IT perform a risk assessment in order to estimate and mitigate any risks that may surface on a bad day.
Let’s discuss some steps which can help organizations do a healthcare risk assessment.
Plan and brainstorm
Sometimes it is hard to imagine a data center submerged in water because of natural or accidental hazards such as excessive rain, snowstorms, a ceiling leak or water spray from the fire sprinklers. Make sure you consider all of these hazards and prepare yourself accordingly. Record the likelihood of each disaster occurring, based on historical and environmental data. For the purpose of a scientific healthcare risk assessment, this section should carry 25% of the total weighted risk score. Additionally, employees working in data centers should undergo thorough training on safety protocols and disaster preparedness, which can be obtained through OSHA training online.
Evaluate level of impact for each risk
After considering all the risks, measure the likely impact of each of them. For instance, the total impact of a power outage, loss of life due to accidents, a partial or complete system outage or even a breach of protected health information (PHI), along with other factors that can affect millions of people, must be measured. Like the first section, this section should also carry 25% of the total weighted score.
Review plan of action for each item
The next step is to carefully review the plan of action for each risk item, or to note the lack of one. Put in writing the measures that would be taken if you have to face each disaster. Such plans come in very handy in a disaster situation and will save plenty of time and effort. Assign a numerical value (one to five) to each item based on the level of planning you have put in place. This section should carry 50% of the total weighted risk score.
Quantify risk level
Finally, quantify the risks that you face as an organization. This is done by assigning numerical values to the risks after a discussion with your staff. Although many of the risks are largely subjective in nature, it is always good to assign them numerical values in order to have a starting point. After assigning the risk levels, document them in a spreadsheet in order to calculate the total weighted score for this part of the assessment.
Assess the results
After completing all four steps above, you should have a score for your healthcare risk assessment. Whether a score is higher or lower does not matter in itself, as long as you have applied the weights consistently to each of the risks. A lower score means that the risk item poses a bigger risk. You must have a risk mitigation action plan for each item that has a score of three or lower. Having a solid disaster recovery plan and a tested downtime process will mitigate most of the risks for any organization.
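The scoring procedure described in the four steps above, worked through as an added example (this is not code from the original article). It assumes that likelihood and impact are scored on the same one-to-five scale as the plan-of-action section, with 5 the most favorable value (least likely, least impact, fully planned), so that, as the article says, a lower weighted score means a bigger risk; the risk register is constructed sample data.

```python
"""Weighted healthcare-IT risk scoring: 25% likelihood, 25% impact,
50% plan of action, with items scoring three or lower flagged for a
mitigation action plan. Added example, not from the original article."""
from dataclasses import dataclass

# Section weights as stated in the article.
WEIGHT_LIKELIHOOD = 0.25   # "Plan and brainstorm"
WEIGHT_IMPACT = 0.25       # "Evaluate level of impact"
WEIGHT_PLAN = 0.50         # "Review plan of action"
MITIGATION_THRESHOLD = 3   # article: three or lower needs an action plan


@dataclass
class RiskItem:
    name: str
    likelihood: int  # 1-5; assumption: 5 = least likely
    impact: int      # 1-5; assumption: 5 = least impact
    plan: int        # 1-5; article's scale: 5 = fully planned


def weighted_score(item: RiskItem) -> float:
    """Combine the three section scores with the article's weights."""
    for label, value in (("likelihood", item.likelihood),
                         ("impact", item.impact), ("plan", item.plan)):
        if not 1 <= value <= 5:
            raise ValueError(f"{item.name}: {label} must be 1-5, got {value}")
    return round(WEIGHT_LIKELIHOOD * item.likelihood
                 + WEIGHT_IMPACT * item.impact
                 + WEIGHT_PLAN * item.plan, 2)


def assess(items):
    """Return (name, score, needs_plan) tuples, biggest risks first."""
    rows = []
    for item in items:
        score = weighted_score(item)
        rows.append((item.name, score, score <= MITIGATION_THRESHOLD))
    return sorted(rows, key=lambda row: row[1])


# Constructed sample register (not real assessment data).
SAMPLE_REGISTER = [
    RiskItem("Sprinkler discharge in data center", likelihood=4, impact=2, plan=2),
    RiskItem("Regional power outage", likelihood=2, impact=2, plan=5),
    RiskItem("PHI breach via lost laptop", likelihood=2, impact=1, plan=3),
]

if __name__ == "__main__":
    for name, score, needs_plan in assess(SAMPLE_REGISTER):
        flag = "NEEDS MITIGATION PLAN" if needs_plan else "ok"
        print(f"{score:4.2f}  {name:40s} {flag}")
```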
Remember, proper risk assessment will save you plenty of hassle and money when you are in an emergency situation. It is also important to understand that this is an ongoing process, and it must be run periodically so that you are prepared to deal with any kind of adverse situation.