The Importance of Good Governance

Originally Posted on HIMSS' Health IT Pulse, Thursday, August 31st, 2017

By Karen Heslop, HIMSS nonprofit partner; director of content strategy and delivery, ISACA

Say the word “governance” to most people, and you are likely to witness a yawn or an eye-roll in response. To put it mildly, governance is not a sexy topic or one that most want to discuss over cocktails.

However, do not underestimate the importance of governance of enterprise information technology (GEIT) in the healthcare context. Unlike in many other industry sectors, mistakes in technology governance and operations in healthcare can lead to serious injuries or even death.

For example, the Therac-25 radiation therapy machine suffered from a software issue that led to at least six accidents in which patients received a (potentially lethal) overdose of radiation. The consequences of technology mishaps in this sector are therefore high. In addition, applicable regulations heavily drive both the need for, and the approaches to, healthcare technology governance.

Despite this, governance is often taken for granted and receives little or not enough attention. In many cases this limits the value that a systematic approach to governance can deliver. Governance, in many respects, serves as the umbrella set of responsibilities and practices to which an enterprise’s operations adhere, whether because of statutory or regulatory requirements or because of the enterprise’s culture, ethics and behaviors. This set of “rules” comprises policies, procedures, protocols, security defenses, controls, the level of risk appetite, etc., and exists to ensure that the enterprise’s stakeholders receive value.

Governance starts at the board level, cascades to the individual IT contributor and demands recognition as a concept by all. This recognition matters to these constituencies because they either set or must comply with governance policies.

  • IT management directs the deployment of IT systems, often focusing on the purpose the system will serve.
  • IT governance operates on a higher plane, focusing specifically on creating value for the stakeholders (e.g., patients, consumers, and healthcare corporate entities).

The various stakeholders may have competing goals and values, which complicates the process.

For example, the patient-stakeholder wants to ensure their data is kept private while simultaneously receiving the best possible treatment at the most cost-effective price. For-profit pharmaceutical company-stakeholders are interested in patient safety, but also in maximizing value for their shareholders in the form of increased revenue. Good governance balances the needs of all stakeholders to ensure the creation of value for all.

What does good governance of enterprise IT accomplish in the healthcare sector?

  • Provides the necessary responsibilities and practices to ensure benefits realization, optimize resources and optimize risks while ensuring an organization is compliant with local laws and regulations and providing value to stakeholders.
  • Requires a higher level of documented control and accountability than is needed in many other industries.
  • Facilitates a high level of trust by patients and consumers of healthcare products.

Governance of IT at your doctor’s office or hospital affects patients and consumers, and those patients should not be complacent about asking what security and privacy protections are in place to protect their data. In some cases, patient-initiated questions about the security protocols in place can lead to improved measures on the part of the healthcare provider.

Effective technology governance can seem dauntingly complex given the regulatory context of the healthcare industry and competing stakeholder goals. Most governance requirements, however, originate with logical and straightforward principles:

  • Patient safety is always the top governance priority.
  • Any technology of significance must prove it is fit for purpose.
  • Always sustain appropriate confidentiality, integrity and availability. Records management must follow privacy and healthcare requirements.
  • Documented processes and records must include evidence that required quality levels are delivered consistently.

To learn more, download the GEIT for Healthcare white paper from ISACA.