Although there are many obstacles facing the health care industry, one of the biggest challenges for any multinational company is navigating the matrix of regional regulatory requirements, while working to further grow the business successfully.
Philips Healthcare, a Netherlands-based company with U.S. headquarters in Andover, Mass., found assistance in meeting compliance requirements for its operations in over 60 countries supporting more than 30,000 employees.
Kristen Knight, director, privacy compliance at Philips Healthcare, says that the company works hard to understand how best to meet the international requirements that impact its business, customers and patients.
“Philips plays an active role in industry consortia and lead efforts aimed at addressing these challenges within our industry,” she says. “We work both internally and with outside resources to keep abreast of changes in the privacy realm and how those changes may affect our business and our customers.”
As with any type of risk management, one must understand the scope and breadth of potential risks to an organization, she adds. And that's where an IT-GRC platform, called Agiliance RiskVision, filled the bill. Agiliance is a leader in IT governance, risk and compliance (IT GRC) management solutions based in San Jose, Calif.
“Philips Healthcare is looking to use the Agiliance compliance software tool to aid in measuring, reporting and managing privacy risks,” Knight says. The goal is to improve compliance and reduce risk, while achieving cost and resource savings.
“Right now, my goal is to be able to see and measure the big picture for privacy compliance,” she says. “Because we are so large and we have so many processes, we believe it will be extremely beneficial to automate our assessment process and create a uniform way to assess privacy compliance and privacy-related risk across the board.”
Manually working through privacy impact assessments one by one in a company that has thousands of processes — it's just not possible, she adds. The goal is to automate that process and then review the assessment to develop appropriate mitigation plans, while also having a standardized way to report privacy risk to management.
“Automating the process allows me to reach more people, and the more people you reach, the more insight you have on internal processes and potential risks. From a compliance standpoint, awareness is half the battle.”
Sara Gates, vice president of strategy and marketing at Agiliance, agrees that companies need to reduce the burden of compliance demands.
“Philips, in particular, is an example of a company with offices worldwide, so it needs to comply with privacy legislation across the globe,” she says.
Then, there is the issue of IT budgets facing increasing pressure as the economy lags. By automating data aggregation, analysis and reporting, companies realize value from a reduced spend for audits, says Gates. The Agiliance software suite pulls data from systems and people and correlates data across categories. “Agiliance RiskVision arms companies with a cost-effective, repeatable and continuous process for IT compliance that provides the accurate intelligence and analytics required to ensure informed business risk decisions are made with ease and confidence,” sge says.
Philips is looking at thousands of processes. There is simply no way for them to manually accomplish this, Gates says, adding, “Test once, comply many.”
And with the current laggard economic climate, she says that ultimately everyone is headed toward transparency and visibility. No matter which candidate wins the presidential election, everyone is anticipating more oversight.
“We believe it's about to get worse. Companies like Philips are getting proactive to handle current, as well as an expected new wave of regulations,” she says.
Although Philips is still very early in the implementation phase with the Agiliance tool, Knight believes the product will be key in its short- and long-term goals to automate compliance processes and standardize risk reporting.
While Philips experienced some typical challenges of deploying a new solution, Knight says the Agiliance product is easy to use, and support for the deployment has been excellent.
The first deployment is for Philips Healthcare Privacy Compliance Program. But there are further plans.
“We first want to explore the full potential of this application in the privacy compliance space. Eventually, because of the scalability, we envision a structured, uniform way to evaluate and report risk to the appropriate stakeholders within the company,” Knight says.
GRC: A primer
IT governance ensures strategic goals and objectives for IT are set respective to acceptable levels of risk in relation to stakeholders, including industry mandates and government regulations.
Risk management is a process that assesses, measures and monitors IT operational and security risk in relation to strategic goals and objectives, including assessment of risks and controls required to protect IT assets and the business.
Compliance management ensures appropriate actions are taken to execute governance objectives based on stated risk tolerance for the business. Compliance tests the effectiveness of technical and business controls in meeting internal policy as well as industry and regulatory requirements.