Risk Management Action Plan

Who:

Scripps Health
8925 Rehco Road
San Diego, CA 92121 

When:

January 2014 

What:

The client needed to comply with meaningful use and address open risk items by either accepting, transferring or remediating identified risks.



The Challenge

The client had 500+ existing identified risks to either accept, remediate or transfer.  Key staff struggled to address identified risks in their responsible areas, which put meaningful use compliance in jeopardy.  There was also a limited understanding of the overall level of effort (LOE) involved to remediate known issues.  An inconsistent approach to prioritization, with no timeline or agreed commitments, contributed to a lack of responsibility and accountability.

The Solution

A Risk Management Action Plan (RMAP) was developed, which included qualifying and quantifying the existing identified issues.  The plan was presented, approved and executed.  It’s worth noting that some remediation was trivial (1-2 hrs LOE), while other items involved significant LOE (400+ hrs) for just a single finding.  Therefore, in addition to the timeline, a cost estimate was also provided.


The Result

The plan developed resulted in Scripps meeting 'meaningful use'. Over the course of the following year and a half, the executed RMAP resulted in a 90% reduction to the Risk Register.  Remaining were some of the more difficult and costly remediation efforts, for example multi-factor authentication and building an Enterprise CMDB, to name a couple.  Both of these and others were addressed in years two and three.  In the meantime, compensating controls were added.


About Scripps

Scripps is a private, nonprofit health system in San Diego, California that includes four hospitals on five campuses, dozens of outpatient clinics, thousands of affiliated physicians, home health and hospice care.  Scripps provides audiology, behavioral health, cardiology, cosmetic surgery, critical care, elbow surgery, foot care, hand therapy, heart failure treatment, x-rays and other medical services.