As part of the Summer of Compliance, we completed our first prioritization meeting.
We reviewed more than 50 risks in deal and devised a process to prioritize them.
After much discussion, we decided to assign 3 workgroups the task of intensively reviewing the risks as follows
Teams
There were fifty-five items in the list. We clustered them into eight categories.
1 - Access management (7 items)
2 - Policy and other (7 items)
3 - Content management (9 items)
4 - Monitoring and containment (9 items)
5 - Desktop (8 items)
6 - Mobile computing (4 items)
7 - Data network (6 items)
8 - Facilities (5 items)
Those related to Facilities are part of our multi-year disaster recovery project. They involve mechanical, electrical and environmental monitoring. Although disaster recovery is a component of HIPAA's security rule, we'll decided to exclude these from our scoring activity. The projects already underway and are largely managed by dedicated IS teams.
To collapse the rest into the three groups, we clustered our risks into categories and teams as follows:
Team 1 - Access management and policy/other (14 items)
Team 2 - Content management and monitoring/containment (18 items)
Team 3 - Desktop, mobile computing and data network (18 items)
We assigned 5 members to each team including appropriate representatives from IS and compliance. We also designated team leader.
Deliverables
We created a scoring spreadsheet and gave each team the following instructions
"For items 1 to 5, please use a 1 to 5 Likert scale for your ratings. As you can see, the lower the rating the less work, less impact, and less risk. Vice versa for higher ratings.
1. Rate the workforce impact or "disruption factor". Rate from 1 to 5; minimal to significant. Do this for both the initial (first 6 months) and on-going impact.
2. Probability the vulnerability we are trying to protect against will occur. Rate from 1 to 5; unlikely to very likely.
3. Impact if the vulnerability does manifest itself. Rate from 1 to 5; minimal to significant.
4. Overall Compliance effort required. Rate from 1 to 5; minimal to significant.
5. Overall Information Systems effort required. Rate from 1 to 5; minimal to significant.
6. One-time capital estimate. Consider application software, professional services, training, hardware, data base software, and other items normally charged to one-time capital for projects such as these.
7. One-time internal labor. Estimate in FTE's. For example, a project requiring 520 hours of internal labor would be (520/2080) or .25 FTE. Consider the full range of activities normally undertaken to bring a system into production.
8. Recurring internal labor. Post-go live support also expressed in FTE.
9. Recurring maintenance and purchased services. Annual cost.
10. Recurring - other. Any remaining recurring support cost not included above. Annual cost.
11. Overall priority - 1 to 14 for Team 1 and 1 to 18 for Teams 2 and 3.
In addition to filling in the spreadsheet, please document whatever other factors you considered or would recommend with regard to the risk item. For example, you may suggest that an item be broken up into two or more projects to address the most important elements (80/20 rule) and keep parse the costs."
Deadlines
We asked the team leaders to submit their completed spreadsheets by June 22 so that everyone has a chance to review their work before our next planning meeting on June 27.
On June 26th, the team leaders will meet with me to consolidate all their recommendations into a single list.
On Wednesday, June 27th from 2-4pm, we will meet with all the stakeholders to present a summarization of Team deliverables, complete a consolidated ranking of all risk items, set a tentative timeline for each item by fiscal year, and identify a sponsor or lead for each item.
The end result will be a multidisciplinary compliance priority list and work plan for the next two years.
I'll let know if this formal process works to bring order to a large body of work. At the point, I'm optimistic
skip to main |
skip to sidebar
Site Feed
As president of the Mayo Clinic Platform, I lead a portfolio of new digital platform businesses focused on transforming health by leveraging artificial intelligence, the internet of things, and an ecosystem of partners for Mayo Clinic. This is made possible by an extraordinary team of people at Mayo and collaborators worldwide. This blog will document their story.
Site Feed
Dispatch from the Digital Health Frontier by John D. Halamka MD is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License
Blog Archive
-
▼
2012
(224)
-
▼
June
(22)
- Cool Technology of the Week
- The SCOTUS Healthcare Reform Decision
- Our Cancer Journey Week 27
- The Compliance Consensus
- Outbound Spam Blocking
- Taking Sustainability to the Next Step
- Cool Technology of the Week
- Our Cancer Journey Week 27
- The June HIT Standards Committee
- Meaningful Consent
- Assessing Risk
- Cool Technology of the Week
- Our Cancer Journey Week 26
- Setting Compliance Priorities
- A Protagonist at the Harvard Business School
- An Honest Graduation Speech
- Cool Technology of the Week
- Our Cancer Journey Week 25
- The Summer of Compliance
- A Night at the NERD Center
- Living Things First
- Our Cancer Journey Week 24
-
▼
June
(22)
About Me
- John Halamka
- As president of the Mayo Clinic Platform, I lead a portfolio of new digital platform businesses focused on transforming health by leveraging artificial intelligence, the internet of things, and an ecosystem of partners for Mayo Clinic.
1 comment:
What an excellent series this is going to be? I work with hospital compliance officers, and therefore I will be following the specifics with great interest.
Post a Comment