An adviser’s guide to risk management
Risk management in the healthcare sector aims to keep data secure, from personal details to medical histories and more. Once a cutting-edge system is implemented, advisers are free to capitalise on opportunities for their valued clients.
While the number of global healthcare data breaches has greatly reduced over the past three years due to an estimated 90% of healthcare facilities migrating to the cloud, it is still important to be aware of what a large incident could entail. One such incident was the Change Healthcare breach of 2024, when an estimated 190 million individuals had their data compromised.
Impact of industry breaches in South Africa
In South Africa, the consequences of healthcare data breaches involving companies such as Experian in 2020, Life Healthcare in 2020, and NHLS in 2024 have included:
- Disrupted patient care, with major operations being postponed due to the inability to process test results and other vital pre- and post-operative services;
- Data security concerns as healthcare organisations continue to be targeted due to the wealth of information they have on hand;
- Potential for ransomware attacks, where figures of up to US$500 million have been demanded to restore stolen files; and
- Exposure of sensitive data, such as the personal information of up to 24 million South Africans and 793 749 business entities (names, surnames, and ID numbers) in the August 2020 Experian breach.
Buckle up security with these key solutions
The experts at globally recognised software development company Arkenea believe there are five key ways for medical scheme representatives to remain one step ahead of the hackers.
- Healthcare advisers should undergo regular training to increase their risk awareness, and to help them recognise and report anything suspicious.
- A risk-management matrix, implemented by a healthcare company’s data security team, can go a long way towards alerting managers to the seriousness of a threat and what needs to be done next.
- A streamlined and transparent reporting culture is vital to ensure cross-functional cooperation between advisers, managers, and other staff members so managers can make decisions based on reliable data.
- Communication plans should be accurate, clear, and updated in anticipation of new compliance protocols.
- A contingency plan that reduces response time (by helping to identify, respond to, and side-step a data-security risk) should be ready for activation at all times to protect equipment, healthcare software, and data.
Curtailed risks mean more rewards
According to Dr Mahboob Ali Khan, a master hospital management advisor, “There’s no one-size-fits-all definition of risk management in healthcare because a risk is broadly defined as the likelihood of a particular threat triggering or exploiting a particular vulnerability, resulting in harm or damage to a patient, an organisation, or its workforce.”
Khan advises that, instead of managing risks in silos, organisations should implement a comprehensive framework that addresses vulnerable risk domains across the entire organisation. These are:
- Operational risks – vulnerability in an internal process or system
- Clinical/patient safety – medication errors, surgical mistakes, patient misidentification, hospital-acquired conditions, and patient or visitor injuries
- Strategic risks – associated with the focus and direction of the organisation, including the need to make changes with changing regulations
- Financial risks – fraud, malpractice lawsuits, regulatory fines, as well as increasing equipment costs and interest rates or unpaid bills
- Human capital risks – those that impact on the well-being of the workforce
- Legal/regulatory risks – failure to identify, manage, and monitor compliance with local and industry-related laws and regulations
- Technology risks – software and data, the systems they run on, the devices on which the systems run, operational processes, and automated technologies
- Unforeseen hazards – risks that could cause business interruption, such as natural disasters, facility issues (construction or renovation) and preparedness for coping with the unexpected (such as a pandemic)
“Every member of a healthcare organisation’s workforce is a risk manager,” emphasises Khan. This includes every member of a brokerage. “A full-on enterprise-wide risk management model is the best way to communicate, coordinate, and oversee the protocols necessary to prevent losses and optimise profitability.”
Khan suggests implementing “customisable software for managing risks that can be configured by the risk management team with guided risk assessments and automated corrective action plans for each business unit … to prevent unmanaged risks resulting in harm, damage, or the loss of a value opportunity.”
Once such a system is in place and medical scheme advisers feel confident in their ability to service clients without undue risk, they are free to forge ahead, innovate, and take advantage of exciting opportunities. The experts expect several benefits, including:
- Stronger long-term industry relationships and loyalty programmes;
- Better internal change management;
- Cost savings and greater value for all;
- Increased efficiency in automated claims processing and billing; and
- More personalised industry offerings.
By reducing risk and encouraging more innovative thinking, advisers can create happier customers. In turn, these customers will be more likely to add products and services to their health and financial portfolios.
At Medihelp, we prioritise risk management through a combination of internal audits, forensic investigations, and proactive measures to prevent fraud, waste, and abuse, while also focusing on compliance and improving internal controls and governance processes.
Written for Medihelp by Vanessa Rogers