Ask ECRI: Taking an ERM Approach to Cybersecurity Risks

January 17, 2024 | Health System Risk Management

A member recently asked for guidance about policy templates and procedures for completing cybersecurity risk analyses, monitoring log-in attempts, and reporting discrepancies. In our response we encourage an enterprise risk management (ERM) approach to identify and understand the risks associated with cybersecurity.

Many aspects of cybersecurity risk identification are technical and within the expertise of information security and information technology (IT) professionals. However, risk management and patient safety professionals have broad experience and expertise in risk identification. Thus, these professionals can use an ERM approach to help their colleagues identify and comprehensively understand the risks that cybersecurity problems pose to the organization. In fact, regulators emphasize the importance of assessing risks collaboratively and using ERM to identify, communicate, and categorize cybersecurity-related risks.

For more information, see ECRI's Enterprise Risk Management: An Overview, the National Institute of Standards and Technology's (NIST) Integrating Cybersecurity and Enterprise Risk Management (ERM), and the US Department of Health and Human Services' (HHS) cybersecurity guidance for small healthcare organizations and medium/large organizations. ...