Risk management and control of information systems in the hospital

In the last years, hospitals became increasingly dependent on digital information systems. Patient safety is at risk if information systems are not working properly. Therefore, the hospital SKB decided that the development and implementation of a system of Risk Management and Control (RMC) is required to guarantee a safe, consistent and suitable use of information systems in patient care. To control risks and to comply with prescribed standards and legislation, it is necessary to create a link between the design, development, implementation and use of information systems. In traditional organizations, the responsibility to manage IT resources often lies only by the IT department. The hospital SKB stated that the new system of RMC should contribute to a shared responsibility in managing IT resources, in order to improve business-IT alignment. 

In an iterative, multidisciplinary approach (co-creation) a comprehensive dashboard to control risks in the entire life cycle of a information system is designed. With this dashboard it became possible to steer on quality management (IT governance) and to prioritize the need of new instruments for risk control during the working processes in the hospital (like role description, risk method and acceptance protocol for new information systems, see figure). Benchmarking with other hospitals and international standards were important during the creation of the designed system.  

As a result of this project a complete system of risk management in informatics is integrated into the working processes of the hospital. The iterative multidisciplinary approach has created involvement, awareness and cooperation of all stakeholders in the hospital. Health care professionals, managers, technicians and the director of the hospital mention the great added value to be in control over the risks of information systems by the designed system.