November 1, 2023
Healthcare providers face a host of new and ongoing challenges. As healthcare undergoes a digital transformation and prioritizes customer-centric approaches, while also emerging from the lingering effects of the pandemic, providers are confronted with a range of internal and external risks. This necessitates a fundamental reconsideration of risk management and control strategies.
In this installment of our “Let's change the way we see risk” series, Tiffany Gallagher, Health Industries Risk and Regulatory Leader, PwC US, and Audra Hulme, Director, Cyber, Risk & Regulatory, PwC US, discuss the complexities of the risk environment that healthcare providers are navigating every day.
As healthcare organizations embark on operational transformations, it’s critical to remain vigilant in identifying risks across compliance, operations, finance, technology and patient care.
Here are three common risks providers are currently facing and some mitigating actions they can take:
1. Cost management
The COVID-19 pandemic further exacerbated the nonprofit sector’s struggles with financial sustainability. Although funding relief has provided some respite, additional challenges such as rising inflation and labor costs, an evolving government payer mix and an increase in behavioral health patients have hindered financial progress. As a result, many providers are focused on correcting their margin trajectories and implementing transformation initiatives for future improvement.
As risk leaders undertake cost-cutting measures, it’s crucial to keep close watch on the broader control environment to confirm that corners aren’t being cut. Many providers are undergoing ERP and EHR transformations, which inherently carry their own set of risks. Influential risk leaders are making sure they have a seat at the table during these transformations, shaping the design of the process from the outset to make sure revenue cycle, clinical workflows and security are well-controlled. When those workflow controls are designed proactively and supplemented with holistic monitoring reports and dashboards, they can integrate seamlessly into the workflow for clinicians and staff. This approach can help reduce the effort and cost associated with later monitoring and auditing.
When risk professionals are not involved from the outset, there can be a missed opportunity to reduce downstream compliance costs. According to PwC’s 2023 CEO Survey, 42% of healthcare CEOs don’t believe they are getting value from their transformations. That’s why it’s important for risk professionals to actively participate and provide an independent view on the risks associated with not realizing the anticipated benefits from a transformation.
2. Talent management
Recruitment and retention for clinicians, especially nurses, have become major challenges for healthcare organizations. Clinicians have been grappling with considerable burnout since the onset of the pandemic. Consequently, there has been a decline in the average years of experience among frontline nurses and the reliance on temporary staff has surged. When less experienced clinicians are combined with temporary clinical staffing, it elevates the risks around clinical care and patient security. Risk professionals can prioritize mitigating these risks by confirming three key areas are addressed:
Making the right level of training and support available for frontline staff
Putting controls in place to reduce the risk of human error
Monitoring and auditing to help identify and correct issues before they result in harm
Additionally, internal audit professionals should conduct regular reviews in areas such as patient security, adverse event tracking and more broadly assess compliance with other patient-related components that comprise the Environment of Care standards, which include safety, security, hazardous materials, life safety, emergency preparedness, clinical equipment and utilities.
3. Cybersecurity
According to PwC’s 2024 Global Digital Trust Insights Survey, 47% of all healthcare respondents reported a data breach of $1 million or greater in the past year, highlighting the critical importance of cybersecurity. Today’s top-rated cybersecurity concerns include:
As providers move to vendor and hosted solutions, the risks of third-party data breaches are increasing.
Larger provider entities are actively acquiring local and regional provider networks, which can subsequently become prime targets within the new organization. It’s imperative for major health systems to establish security solutions and processes as part of the transition, confirming the safeguarding of patient data and conducting thorough configuration testing.
New apps and portals allow patients to self-schedule and enable a better patient experience, but there should be a balance between user experience and security.
Staying ahead of risks involves collective effort, which is why it’s crucial for risk professionals, no matter their specialization, to possess fundamental knowledge about cybersecurity—enough to enlist the help of a cybersecurity specialist.
The risk environment is constantly changing and evolving. As healthcare organizations adopt recent technologies, providers should seek to understand the risk to their patients, staff and business.
Providers have been using AI for a while, but its utilization is rapidly accelerating due to the availability of vast data, improved algorithms and the power of cloud computing. The critical questions that providers should consider are similar to those in other industries: How can we establish governance, guardrails, policies and practices now that generative AI can help empower an organization’s workforce? It’s important to strike the right balance, enabling innovative technology to help automate processes, support new ideas and create efficiencies for advancement while effectively managing risks. Beyond top-down governance, there are possible risks associated with AI models and questions about how to confirm their responsible management. Model Edge, a PwC product, can help organizations manage and govern their models more effectively. Awarded the “Governance, Risk and Compliance Product of the Year” in 2023 by Risk.net, this innovative platform enables the end-to-end development, management, monitoring and governance of an organization’s AI model portfolio.
The FTC and HHS have jointly issued a letter mandating that healthcare organizations safeguard consumer data collected through technologies such as websites and mobile apps. As a result, many healthcare providers are now pausing to assess the data they collect, their agreements with vendors around data-sharing, and to establish processes and controls aimed at enhancing transparency in this realm. It’s a complex endeavor that demands coordination across the three lines of defense.
While these challenges may seem daunting, they also create opportunities. With the right approach, coordination and solutions, healthcare providers can mitigate these risks and emerge stronger to help deliver better value to their stakeholders. Learn more about how PwC can help support transformative initiatives for healthcare providers.