Managing technological and physical risks

Technological risks are vulnerabilities arising from digital infrastructure. Physical risks, by contrast, are threats that could cause physical disruption to operations, such as a power outage. According to a study in BMC Medical Informatics and Decision Making, “Health technologies are developing at a rapid pace and while it is possible to envisage ways in which they can impact cost-effectiveness... they also subject systems to new risks and challenges.”

The differences can be condensed into:

  • Nature: Technological risks affect digital systems, while physical risks harm tangible infrastructure.
  • Source: Software, network, and cyber threats fall under technological risk. Physical risk arises from environmental factors.
  • Mitigation: Technological risks call for cybersecurity measures. Physical risks call for infrastructure resilience and disaster planning.

Creating clear distinctions between technological and physical risk management

Because technological and physical risks are managed differently, tailored approaches to mitigating each are a logical choice for healthcare providers. Distinct policies allow resources to be allocated more efficiently, so that one domain does not overshadow the other.

With clear distinctions in place, measures such as dedicated teams for physical security and for technological security improve the effectiveness of risk mitigation. Because technological risks evolve more quickly than physical risks, a separate team for technological security and risk management can update those strategies more dynamically.

Why integrating risk management systems benefits organizations in the healthcare sector

Many healthcare organizations lack the resources to staff separate departments for physical and technological security. Integrating risk management is often one of the few options available.

An integrated approach to risk management looks like this:

  • A single risk management team monitors both physical access to facilities and digital systems.
  • Staff are trained in protocols that cover physical emergencies as well as technological threats, such as phishing attacks.
  • Integrated risk strategies include procedures that address both forms of disruption.
  • Secure forms of communication, such as the HIPAA compliant email platform Paubox, are used to share incident reports for both physical and technological incidents.
  • Risk assessments evaluate physical and technological vulnerabilities together and compile them into reports for the Security Officer.

FAQs

What is the Security Rule?

A regulation under HIPAA that sets the standard for securing electronic protected health information (ePHI).

What are risk assessments?

A systematic evaluation of the potential risks to ePHI.

What are the safeguards?

The safeguards are the guidelines under the Security Rule for the protection of ePHI. They include:

  • Administrative safeguards
  • Physical safeguards
  • Technical safeguards