Risk Assessment for Telehealth

When dealing with any networked system, risk is an inherent part of the situation. This is true even for the big boys and girls at the NSA. However, there are tried and proven methods to minimize risk before a breach happens and to curtail damage once it does. Any plan for responding to online hazards starts with a risk assessment. As with the assessment itself, the later stages differ in their details from one organization to the next, but all of them include making a plan, implementing it, and mitigating the effects of a breach. Those stages will be covered in later posts; this article focuses on the initial risk assessment. The thing to remember for the moment is that the risks for telehealth are identical to those found in other areas, and so the responses are the same as well.

Risk assessments come in two varieties: quantitative and qualitative. A quantitative assessment looks at the magnitude of potential losses and the probability that a given type of breach will occur. A qualitative assessment looks at the same basic types of information, but tends to be more subjective and is used when it is difficult to assign specific values. Virtually all areas of modern industry and commerce perform these types of assessments, especially those that depend in part on government funding. Part of the qualitative process is deciding which types and levels of risk are acceptable and which are not. This may depend in part on the social perception of risk: even if a breach is minor or irrelevant in practice, the public learning about it can be disastrous. So making it known in advance that a risk assessment has been done and that a plan is in place to prevent intrusions and respond to them is an important part of this stage and of the early work on the plan itself.

An assessment must also recognize that the relative levels of existing risks change over time and that new ones will crop up. This means that risk must be reviewed periodically. Depending on your circumstances, this may be as often as quarterly, but it should be done at least once per year. A review should also be done whenever new networked equipment is added or procedures change significantly. No assessment, and no plan derived from it, is going to be perfect. But being thorough, honest, and timely will keep the potential for danger to a minimum.

If your organization is considering doing a risk assessment, do it. There are plenty of firms qualified to help with that, including telehealth providers themselves. In fact, most of them have already done assessments of their own equipment and will provide copies when asked. Keep in mind, though, that the risk assessment is only the first step in preventing, responding to, and minimizing the losses from risk.

