Healthcare provider organizations face difficult choices about where to best allocate their financial capital and human resources. While trying to minimize undue risk exposure and enhance return on mitigation efforts, organizations are confronting an inflationary economy made worse by increased competition, more frequent cyberattacks, and shortages of clinical, IT, and risk professionals.
A successful decision-making process begins by knowing where risks are hiding, how various risks are interconnected, and how these risks affect an organization’s patient care capabilities and reputation.
Kodiak Solutions defines a risk area as anything that might impede a healthcare organization’s ability to achieve its goals in critical areas, like:
To manage an environment of increasing risks and limited resources, healthcare internal audit and compliance departments must align their risk assessments and audit work plans to areas most vital to achieving the strategic goals and business objectives of their organizations. This risk-based approach prioritizes areas of highest risk and suggests that providers spend less effort, if any, on low-risk areas.
The better the alignment between the internal audit and compliance plans and the most critical risks to the organization, the greater the return on risk generated for the organization’s internal audit and compliance investment.
Kodiak has identified five top management risk areas facing healthcare organizations that internal audit and compliance leaders should assess and keep on their radar screens as they plan for 2024. The five top management risks, in alphabetical order, are:
These five top management risk areas were identified based on input from:
Every healthcare organization is different. A top risk area for one healthcare organization might not be a risk for another organization.
It is also important to note how these five top risk areas interconnect and affect patient care and an organization’s reputation. The report also includes a recommended reading list of materials that support the identification and mitigation of each of the five risk areas.
The benefit to the healthcare industry from using generative AI, machine learning (ML), and other new technologies can be significant over the next several years. Though the industry has already been using such smart technologies for years, as more use cases are developed and AI and other tools become more accepted across the industry, healthcare providers could enjoy:
At the same time, the substantial benefits will create new risks for those using new and innovative technologies. Here are some new risks associated with AI and new technologies:
Cybersecurity and data privacy. Along with the many benefits of AI and new technologies, healthcare organizations need to be aware of several security and privacy risks. As organizations obtain and store more PHI and sensitive patient data, the risks surrounding data breaches increase as these organizations become more valuable targets. Healthcare organizations also must secure their data effectively, as these systems could be targeted with ransomware, theft, or inappropriate changes by cyber criminals.
Financial performance. Healthcare organizations might achieve efficiencies and lower employee and process costs due to the implementation of AI and other technologies. However, weighing the cost of AI or new technology against its benefits can present dilemmas at a time when much of the industry is experiencing financial challenges.
Workforce. As the healthcare industry implements more AI and advanced technologies, how work is done and who does it will change. The tech-savvy skills required to operate in this new environment could lead to turnover of employees who lack those skills. That turnover could raise an organization’s legal, reputational, and cultural risks. Organizations might need to provide education and training to prepare their workforce for the advanced technology-supported future state.
Many significant benefits of AI and new technologies relate to improved patient care from enhanced diagnostic and treatment capabilities. However, many of those same benefits can be eliminated or even reversed should the underlying data become compromised, resulting in incorrect diagnoses and ineffective treatment protocols. Additionally, there is a risk that AI models have limitations based on the data used to build them, resulting in biased clinical assumptions for certain underrepresented patient populations.
Incumbent health systems have been competing against each other for decades and now face competition for patient business from nontraditional companies entering the healthcare delivery space. Recent market entrants include Amazon, CVS Health, Walgreens, Walmart, Best Buy, and Costco. Their growing interest in providing primary care, home health, and other health services is expected to have a big impact on the competitive landscape in healthcare.
Examples of such market penetration by nontraditional companies include:
Although many of these acquisitions and partnerships are still relatively new, the competitive landscape in primary care as well as other healthcare services is likely to change as large retail and technology companies enter the market and create new competitive risks for incumbent health systems.
Cybersecurity and data privacy. Much of this new market vertical integration is taking place outside of the traditional healthcare market. Inexperienced retailers and consumer technology companies might bring cybersecurity and data privacy risks as they integrate with other provider organizations’ disparate IT systems and applications.
Financial performance. Most new market entrants are diversifying into primary care, home care, or other ancillary healthcare services. As a result, revenue from those targeted services might take a hit at incumbent hospitals, health systems, and medical practices as the new competitors siphon off patient volume and patient revenue in coming years.
Workforce. The entry of nontraditional companies into the healthcare market might increase competition for healthcare workers who are already in short supply. This increased competition, along with the “deep pockets” of new entrants, many of which are publicly traded investor-owned companies, could raise the wage levels required to retain current staff within hospitals, health systems, and medical practices.
Although it might be too early to conclude, the entry into the primary care market by large retail and technology firms could increase the competition for primary care physicians, reduce the number of physicians employed by traditional physician practices and health systems, and potentially reduce access to primary care services for patients that currently rely on health systems and physician practices.
The healthcare industry continues to be a top target for cybercriminals due to the sheer number of IT systems and applications healthcare organizations maintain. The systems and applications include electronic health record (EHR) systems, imaging machines, lab and pharmacy applications, scheduling applications, patient monitoring equipment, telehealth platforms, and voice over internet protocol (VoIP) phones. Healthcare is also attractive for bad actors because of the large volume of valuable PHI, increased IT connectivity between providers and vendors, and the industry’s financial challenges that restrain investment in more secure technologies and cybersecurity best practices.
Cybersecurity and ransomware risks could continue to increase as healthcare organizations become more dependent on IT to run and support most of their operational, clinical, and financial processes and as IT complexity accelerates each year. These risks affect patient care, finances, legal and regulatory compliance, and reputation.
During the first six months of 2023, more than 40 million patients were affected by 327 data incidents reported to the U.S. Department of Health and Human Services Office for Civil Rights, according to Fortified Health Security’s “2023 Mid-Year Horizon Report.” That’s a 104% increase in the number of data breaches over the same period in 2022 (160 incidents). Hacking and IT incidents were the most common type of data breach in the first half of 2023, accounting for 75% of the breaches.
Although cyberattacks and ransomware events aren’t the only ways to slow or shut down clinical operations (others include employee strikes and natural disasters), cyberattacks throughout 2023 have served to highlight the importance of an organization’s ability to become operational again after a full or partial IT shutdown. Being prepared to respond to an extended IT shutdown while continuing to care for patients and communities remains one of the most significant risks facing healthcare providers.
Financial performance. According to a study conducted by researchers at the University of Minnesota, patient volume at hospitals falls by roughly 20% during the first week of a ransomware attack. The drop in patient admittance can be attributed to an organization’s lost ability to provide care through testing and images while technology systems are down or being repaired. Additional costs come from time associated with claims submitted and IT downtime recovery.
Workforce. The stress on a healthcare organization’s workforce from an extended IT outage caused by a cybersecurity incident can’t be overstated. The workplace disruption experienced by all workers within an organization goes beyond transitioning from EHR systems to paper and pencil clinical documentation. Every workflow could be challenged, such as delayed communication of imaging and lab test results or the need for nurses to spend more time in a patient’s room while monitoring systems are offline. Most workers will experience a high-stress work environment during the outage. Stress will continue after the outage as workers try to recover clinical documentation and related revenue cycle functions during the months following the incident.
A healthcare organization’s ability to provide high-quality care and to continue to serve its customary volume of patients likely will diminish during a cybersecurity incident. Without immediate access to EHRs, test results, electronic patient monitoring equipment, and other information technology, caregivers are put at a potentially life-threatening disadvantage. The impact to a healthcare organization’s ability to provide patient care during a cybersecurity incident can have a significant effect on its reputation in the community.
Although inflation rates eased in 2023 compared with 2022, healthcare providers still are experiencing increased costs of medical equipment, supplies, and prescription drugs without a corresponding increase in payor reimbursement rates, leading to lower margins.
Labor-related issues such as worker shortages, labor strikes, and staff turnover also contribute to rising expenses.
Further, the cost to access capital related to new loans or refinanced debt has significantly increased over the past 18 months. The federal funds rate has increased from near 0% pre-2022 to a range of 5% to 5.5% at the end of 2023. Lower margins compounded by higher costs to borrow money make it more difficult for providers to invest in patient care capabilities, upgraded or new equipment and facilities, service line or geographic growth, cybersecurity, new technologies, and more.
Cybersecurity and data privacy, and AI and new technologies. Because healthcare organizations are experiencing increased financial pressures, they are challenged to make necessary investments in AI and other new technologies; in information security professionals to maintain IT systems and necessary security, cybersecurity infrastructure, and software; and in cybersecurity assessments.
Inflationary pressures might force providers to focus more management time on cost containment rather than their patients’ experiences. That could affect the quality of care they deliver to patients, which, in turn, can affect patient outcomes and satisfaction.
Healthcare organizations face workforce challenges including recruiting, hiring, and retaining qualified employees as the demand for healthcare services increases with the aging U.S. population and the competition for healthcare workers intensifies. Workers leaving the healthcare sector due to pandemic-related burnout and retirements have exacerbated the challenge over the past three years.
In addition, strikes in 2023 intensified workforce issues. Nurses, allied health professionals, and mental health workers cited their concerns over wages, benefits, staffing levels, patient safety, working conditions, and employee retention as reasons to walk off the job. The strikes put stress on hospitals, health systems, and medical practices and served to reset compensation at higher levels afterward.
“As hospitals continue to wrestle with workforce and financial challenges, the value of strong and capable leaders in healthcare has never been more important,” said Deborah Bowen, president and CEO of the American College of Healthcare Executives, in a prepared statement.
That statement aside, the stress caused by the pandemic, caring for an aging population, managing fiscal challenges, and dealing with workforce issues might put hospitals, health systems, and medical practices at risk for higher turnover in the C-suite in 2024.
Financial performance. Costs associated with travel nurses have been declining, while costs to hire and retain clinical staff and health system leadership have increased and have affected financial performance.
Labor strikes, staff shortages, and the retirement of experienced clinicians result in an increased risk to patient care as temporary and/or less experienced staff serve patients.
Kodiak offers both proprietary technology and deep industry experience to more than 1,850 healthcare organizations to address these five top management risks for 2024 and many other risks as identified in our previous annual top risks reports.
Please contact us today to discuss how our team can use our technology, deep expertise, and experienced resources to support your organization’s 2024 internal audit work plan and address these top risk areas.