COBIT Case Study: Using COBIT to Aid in Hospital Risk Management, Part 2 


The author’s first article, “Using COBIT to Aid in Hospital Risk Management” (COBIT Focus, volume 1, 2012), ended at the starting point of the system integration. This article picks up where the first left off. Next, the organization needed to clearly distinguish clinical and IT risk management subjects/objectives, define appropriate system requirements and new business processes, clearly identify performance indices, and establish appropriate new business and IT management/control processes.

To perform these tasks, the organization established the following hospital information systems (HIS) integration teams:

  1. Decision-making steering committee—Members of this committee included top management people and the team leaders of the other teams.
  2. System integration and business process reengineering (BPR) promotion team—Group leaders and sub leaders were added to this team. These working groups completed the design and implementation of new business processes based on the new IT environment. As a consultant for this project, the author provided model HIS requirement specifications and typical HIS functions and process flow diagrams for their discussions. Under this team, the following working groups were established:
    • Doctor working process innovation working group
    • Nurse working process innovation working group
    • Ward working process innovation working group
    • Medical matter (e.g., accounting) process innovation working group
  3. System integration control team—Team leaders and sub leaders were members of this team. This team controlled the following groups:
    • Internal system division
    • System development vendor

Distinction Between Clinical and IT Risk Management Subjects/Objectives

Risk management subjects/objectives, which were described in a mixed state in the previous article, now needed to be distinguished. Then, the parties (e.g., doctors, nurses, medical staff, IT department staff) responsible for risk management, and the point at which their roles come into play (e.g., planning phase, design phase, development phase, implementation phase, operation phase), had to be identified.

Why Was COBIT Used?

The hospital’s risk management maturity level was at level 1, ad hoc. In almost all cases, the hospital and its staff reacted to incidents in a firefighting manner. While they realized the importance of IT risk management, their management style was not planned.

Establishment of appropriate, well-organized, effective and efficient risk management was a critical issue for the hospital, because its HIS are very complicated and critical to its operation. The hospital staff was short on time and lacked knowledge of risk management; therefore, it needed to quickly understand what establishing IT risk management would require.

As a result, COBIT 4.1 was chosen and proved very useful when considering which IT-related risk management/controls to establish for this hospital within the limited time span. The hospital’s team examined COBIT carefully to identify what to do to establish appropriate IT-related risk management.

COBIT as the Reference Material (From a Risk Management Point of View)

Of course, as described in the author’s previous COBIT Focus article, the COBIT 4.1 process PO1: Define a strategic IT plan was very important, as the hospital addressed business-IT alignment (PO1.1). The following describes the other important COBIT 4.1 processes that the hospital implemented for IT-related risk management, broken up by each phase.

Planning Phase

  1. PO6 Communicate management aims and direction—The elements of the control environment were defined for IT alignment with the hospital’s management philosophy and operation styles, as described in PO6.1. PO6.2 Enterprise IT risk and control framework, PO6.3 IT policies management, PO6.4 Policy, standard and procedures rollout and PO6.5 Communication of IT objectives and direction must be considered. Until now, communication among doctors, nurses, medical clerks and top management was not strong. There were no official meetings among the groups. With the implementation of the HIS project, official meetings among these groups became regular, improving the lines of communication.
  2. PO7 Manage IT human resources—This project involved the implementation of completely new systems; therefore, human resources (HR) management was very important, especially PO7.3 Staffing of roles, as many new roles and responsibilities were defined and, thus, new role assignment was essential. For example, new medicines, new medical treatments and new clinical paths are continually coming out; therefore, evaluation of these and the updating of dictionaries in the HIS were important new roles. Insurance points are also frequently updated, thus updating the table of medical care treatment fees in the system is important. With PO7.4 Personnel training, an IT-security-related training program and awareness were important, and PO7.5 Dependence upon individuals was key. Patient case records are sensitive personal information; therefore, all staff must understand and be aware of the importance of data security. If patient case-record data are breached, the hospital could lose the trust of the community, in addition to the potential financial losses of a lawsuit.
  3. PO9 Assess and manage IT risks—As a matter of course, these control objectives were the key. PO9.1 IT risk management framework, PO9.2 Establishment of risk context, PO9.3 Event identification, PO9.4 Risk assessment, PO9.5 Risk response and PO9.6 Maintenance and monitoring of a risk action plan were indispensable. Project members realized the importance of a risk management framework and processes. As a result, they designed the processes and started preparation for the implementation. They also established the organization for risk management for medical, finance and IT.
  4. PO10 Manage projects—PO10.9 Project risk management must not be forgotten. PO10.11 Project change control and PO10.13 Project performance measurement, reporting and monitoring are necessary. Schedule, cost, quality and risk criteria were key. For example, the cutover date was strictly defined by top management, so project delay was not permitted. For cost savings, system utilization processes (business processes) were standardized and simplified, so redundant customizations were avoided. To attain high-quality and high-level risk criteria, all hospital staff were involved and prototyping was repeated.

Design and Development Phase

  1. AI1 Identify automated solutions—AI1.2 Risk analysis report was an important risk management resource. To establish this report, many indices for risk management status analysis were identified and organized, appropriate quantitative levels were assigned to the indices, and personnel were assigned to measure them.
  2. AI4 Enable operation and use—This is important to ensure that all related people can operate and utilize the new system. Therefore, from the earliest stage of this project, keyboard training software was provided to those who were less familiar with using computers. Many rehearsals were also repeated to verify the system and identify new problems.
  3. AI7 Install and accredit solutions and changes—It was a difficult time as the cutover date approached. Without preparation in line with AI7.1 through AI7.9, on-time cutover may not have been possible. For a certain period after the cutover, many problems were expected to occur. Therefore, the preparation of many backup measures and repeated trouble-response training at this stage were critical.

Operation Phase

  1. DS1 Define and manage service levels—DS1.1 Service level management framework is operating within the hospital. No outsourcing was utilized. Based on this fact, a framework was established. For example, a very high service level must be assured for clinical purpose systems. Under DS1.2 Definition of services, 24-hours-per-day, 365-days-per-year service is a matter of course for clinical purposes, but this is not the case for medical staff. According to business characteristics, a service-level framework must be defined. DS1.5 Monitoring and reporting of service level achievements, for continuous improvement, is indispensable.
  2. DS3 Manage performance and capacity—All control objectives (DS3.1 to DS3.5) in this process were necessary. System slowdown, for example, is not allowed for critical clinical systems. Therefore, many backup systems were prepared and tested.
  3. DS4 Ensure continuous service—This is a matter of course for HIS. Many trouble cases, disasters and so on were identified, and responses were discussed and determined.
  4. DS5 Ensure systems security—Of course, patient data are critical and, as such, very high-level security environments must be ensured. Utilizing PO7, high-level information security environments were established, and continuous monitoring and evaluation were put in place.
  5. DS7 Educate and train users—Doctors must utilize personal computers (PCs). If they do not, they cannot spare enough time for patients and mistakes will occur. Continuous training is very important. After the medical examination time, doctors were trained to utilize the new systems efficiently.
  6. DS11 Manage data—As with DS5, this is a matter of course. Very high-level data management was put in place. As already mentioned, new medicines and new medical treatments are continuously being developed. Keeping dictionaries up to date is necessary. Data backup and protection procedures were defined and put into practice.
  7. DS12 Manage the physical environment—DS12.2 Physical security measures and DS12.3 Physical access are important. The number of terminals and IT-related devices was drastically increased. Also, the number of servers was increased. Terminal custody places were newly installed, and personnel were assigned responsibility for these places. Also, the environments of the server rooms were examined and reinforced.

Identification of Performance/Monitoring Indices

New business and IT processes must be appropriately measured and monitored. The following high-level indices were set for each balanced scorecard (BSC) area, utilizing the COBIT ME1 process. They were categorized according to the BSC areas so that they can be used for reporting to the hospital executives (ME1.5). By these indices, IT performance is monitored and evaluated (ME1.1, ME1.3 and ME1.4). Therefore, top management can grasp the current hospital status in a timely manner and decide next steps (ME1.6).

  1. High-level indices:
    • Top-management-vision-related:
      • Security level of personal information data protection
      • Raising and keeping a high level of medical services
      • Minimizing medical mistakes (malpractices)
      • Rapid response to medical needs of the community
      • Information sharing between the hospital and the community
      • Raising staff’s skills and knowledge
      • Seeking new challenges and opportunities
    • Mission-statement-related:
      • Cooperation between each facility within the group (systems and information)
      • Total supporting system of health care, treatments and nursing care
      • Establishing good supporting systems, developing an environment for the doctors’ research activities, and returning the results of research activities to the health care site
  2. Customer-satisfaction-related indices:
    • Improvement of level of patient satisfaction:
      • Percentage of medical treatment reservations
      • Waiting time for medical examination
      • Average treatment periods (classified by disease)
      • Satisfaction level of provided information
      • Increasing use of consultation from patients
      • Satisfaction level resulting from consultation
      • Percentage of informed-consent executions
    • Improvement of cooperation level among hospitals and clinics in same community (medical care zone):
      • Ratio of patients with a letter of referral from clinics within the same medical care zone
      • Ratio of patients transferred to clinics in the same medical care zone (patients who can receive medical care from clinics near their home)
      • Quickness of response to patients who transferred clinics
      • Satisfaction level of cooperating clinics
      • Utilization rate of high-level medical equipment with cooperating clinics
      • Increasing ratio of trusted medical tests
    • Improvement of the local government’s satisfaction:
      • Adoption rate of the local government’s Community Medical Program
      • Acceptance of ambulances at the hospital
      • Acceptance of emergency patients (admission to the hospital)
    • Improvement of the general public’s satisfaction:
      • Patients from outside of the secondary medical care zone
      • Satisfaction level of people living in the medical care zone
  3. Finance-related indices:
    • Growth:
      • Rate and number of omissions of a request to the health insurance society for remuneration for medical treatments (hereafter referred to as “request”)
      • Ratio of request denials
      • Delays in requests and the amounts delayed
      • Accuracy of correspondence between medical treatments and a request
      • Status of profit (classified by medical divisions and other divisions)
    • Profitability:
      • Billing amount and cost (classified by patients, disease and day)
      • Ratio of cost of medicines
      • Procurement cost and billing amount of medicines
      • Procurement cost and ratio of medical supplies
      • Bed utilization ratio (classified by medical division)
    • Liquidity:
      • Recovery rate of uncollected income
      • Effective utilization of lease
      • Ratio of fixed asset
      • Stock turnover
      • Reduction of dead stock
    • Stability:
      • Ratio of personnel expenses (e.g., reduction of messengers, medical clerical workers)
      • Utilization of outsourcing
      • Ratio of fixed cost
  4. Internal-process-related indices:
    • Improvement of the quality of medical services:
      • Applied ratio of clinical paths
      • Ratio of patients placed on a clinical path
      • Result of variance analysis
      • Average hospital stay in days (classified by disease)
      • Number of papers and presentations by doctors; number of quoted papers of doctors
      • Number of surgeries
      • Substantial nursing status
      • Ratio of special region professional nurses
      • Ratio of planned admissions and discharges
    • Medical risk management:
      • Incidence of medical mistakes (e.g., errors, malpractices)
      • Incidence of hospital infections
      • Incidence of bed sores
      • Rate at which medical management instructions are carried out
      • Rate of providing information about side effects
    • Improvement of business process:
      • Reduction ratio of volume of hospital business processes
      • Ratio of mechanical processes that are automated
      • Ratio of standardized processes that are automated
      • Ratio of professional processes that are supported by systems
    • Utilization of information:
      • Ratio of expansion and utilization of shared information and knowledge
      • Ratio of PC capacity utilization
      • Status of end-user computing (EUC) utilization
  5. Learning- and growth-related indices:
    • Improvement of professionalism of staff:
      • Expansion status of intellectual properties and professional knowledge within the hospital
      • Status of electronically gathered new knowledge and its utilization
      • Status of information literacy of staff
    • Optimization of roles and responsibilities:
      • Substantial information support for decision-making processes
      • Improvement of transparency of decision-making processes
      • Matching status of organizational roles and responsibilities assignment and access authorization assignment of information systems
      • Status of information security environment
    • Becoming an always-learning organization:
      • Utilization status of intellectual properties and professional knowledge
      • Substantial staff education and training programs and participation status
      • Updated and expanding status of knowledge-sharing systems

Consideration of Regulatory Aspect

Regulations are constantly being updated and new ones are coming out. Therefore, flexibility and quick response are very important. For example, the following are current big issues:

  • Response to the Diagnosis Procedure Combination (DPC), a Japanese regulatory scheme similar to the Diagnosis Related Group/Prospective Payment System (DRG/PPS)—To appropriately adopt this, detailed cost analysis functions were integrated into the HIS. They enabled the cost tracking of each patient and each disease.
  • Regional general hospital coordinating community health care—Information exchanges between the hospital and the many clinics in the same medical care zone are very important. As a result, protection of patient case record data is a critically important issue.
  • Introduction of electronic itemized statements of medical expenses (hospital to medical insurance)—The interface for these functions is defined by the Japan Ministry of Healthcare, Labor and Welfare (MLHW). Therefore, a quick and accurate response is required.

To appropriately respond to these, controls related to ME3 Ensure compliance with external requirements are essential. To comply with many new regulatory requirements, management must keep abreast of regulations (mainly those of MLHW). To comply with such regulations, updating or renewal of the HIS is critical. Sometimes, external audits of the medical care records and related processes are required by MLHW. Therefore, hospitals must be prepared for the external audits.

Application Controls

As described in COBIT 4.1, application controls are also important for appropriate risk management. Appropriate IT audit should be in place as follows:

  1. AC1 Source data preparation and authentication—Patient records are very critical. Predicated on a need-to-know, need-to-do basis, data preparation is authorized to appropriate personnel. Access rights are carefully categorized (for doctors, nurses and medical staff), and IDs and passwords are assigned to them. Updates to access rights are done via links with HR management.
  2. AC2 Source data collection and entry—Decisions about medical care for patients are permitted only by doctors. All other personnel are prohibited from inputting or updating patient case records. All updates for patient case records are recorded and protected from deletion. Also, all access logs are recorded and examined periodically.
  3. AC3 Accuracy, completeness and authenticity checks—Expert medical matter staff members are always checking this based on their knowledge and experience. For example, the auditing of patient case records is required by law. With patient case records now in the HIS, the role of the IT auditor becomes very important.
  4. AC5 Output review, reconciliation and error handling—For example, the accuracy of the request to the health insurance society for remuneration for medical treatments directly impacts financial liquidity. Calculations of medical treatment fees for patients are now done automatically, so the burden on medical clerks is lessened—they can now concentrate on checking the accuracy of the requests to the health insurance society.
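The following is an added illustration of the AC1/AC2 controls described above, written as example code rather than taken from the hospital’s HIS or the author’s work: role-based write authorization for patient case records fed from an HR roster, an append-only hash-chained update trail that exposes deletion or alteration, and a periodic access-log review that reports denied attempts and accesses whose role no longer matches HR (the role/access reconciliation index listed earlier). The roster, record types and user IDs are constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed HR roster: the HR system is the source of truth for roles (AC1).
HR_ROSTER = {"d-001": "doctor", "n-010": "nurse", "c-100": "medical_clerk"}
# Need-to-know read rights per role; write rights per record type (AC2: doctors only).
READ_ALLOWED = {"doctor": {"case_record", "billing"}, "nurse": {"case_record"},
                "medical_clerk": {"billing"}}
WRITE_ALLOWED = {"case_record": {"doctor"}, "billing": {"medical_clerk"}}


@dataclass
class HisStore:
    records: dict = field(default_factory=dict)   # current record values
    history: list = field(default_factory=list)   # hash-chained update trail
    access_log: list = field(default_factory=list)

    def _authorize(self, user, action, rec_type, rec_id):
        """Resolve the role from HR, decide, and log the attempt with its outcome."""
        role = HR_ROSTER.get(user, "unknown")
        if action == "read":
            ok = rec_type in READ_ALLOWED.get(role, set())
        else:
            ok = role in WRITE_ALLOWED.get(rec_type, set())
        self.access_log.append((user, role, action, rec_type, rec_id,
                                "allowed" if ok else "denied"))
        if not ok:
            raise PermissionError(f"{user} ({role}) may not {action} {rec_type}")

    def read(self, user, rec_type, rec_id):
        self._authorize(user, "read", rec_type, rec_id)
        return self.records.get((rec_type, rec_id))

    def update(self, user, rec_type, rec_id, new_value):
        self._authorize(user, "update", rec_type, rec_id)
        old = self.records.get((rec_type, rec_id))
        prev = self.history[-1]["hash"] if self.history else "0" * 64
        entry = {"user": user, "rec_type": rec_type, "rec_id": rec_id,
                 "old": old, "new": new_value, "prev": prev}
        entry["hash"] = _entry_hash(entry)
        self.history.append(entry)   # deliberately no method removes history
        self.records[(rec_type, rec_id)] = new_value

    def verify_history(self):
        """Recompute the chain: an edited or removed entry breaks a link."""
        prev = "0" * 64
        for e in self.history:
            if e["prev"] != prev or _entry_hash(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def _entry_hash(e):
    payload = f"{e['prev']}|{e['user']}|{e['rec_type']}|{e['rec_id']}|{e['old']}|{e['new']}"
    return hashlib.sha256(payload.encode()).hexdigest()


def review_access_log(store, roster):
    """Periodic review: denied attempts, plus accesses whose logged role no longer matches HR."""
    findings = []
    for user, role, action, rec_type, rec_id, outcome in store.access_log:
        if outcome == "denied":
            findings.append(("denied", user, action, rec_type, rec_id))
        if roster.get(user) != role:
            findings.append(("role_mismatch", user, role, roster.get(user)))
    return findings
```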


COBIT 4.1 proved extremely useful for the establishment of IT-related risk management/control.1

IT goals must be connected to business goals, and IT output cannot automatically become outcomes. Therefore, continuous monitoring and evaluation from a business point of view is necessary. The baseline of the IT-related risk management of this hospital was established; however, issues remain that require continuous improvement. For example, medical institutions’ specific IT-related risk has not been completely identified. Therefore, continuous improvement of the risk management system is indispensable. Rapidly and frequently, new medicines, new medical treatments and new regulations are coming out, requiring constant risk management.

Author’s Note

I think there is always uncertainty relating to risk management. We can try to list what will happen, but we cannot predict correctly when, how, to what level, where, etc. And, when reality strikes, “strength” may be “weakness,” “opportunity” may be “threat,” and vice versa. After the 11 March 2011 disaster in Japan, the hospital is updating its business continuity planning (BCP), business continuity management and disaster recovery. In many cases, the traditional approach of BCP would not and did not apply. Following DS4 Ensure continuous service, the hospital’s staff is now updating its BCP. In DS4, continuity is strongly emphasized, describing what to do to establish an efficient and effective IT continuity plan. With this in place, the hospital staff now recognizes what will happen in the event of a huge disaster, and as a result, staff will be able to easily establish new IT continuity plans.

Masatoshi Kajimoto, CISA, CRISC, is an IT auditor and independent consultant providing services in business process reengineering (BPR), human resources management, IT governance and IT-related risk management for educational, medical and financial institutions. He currently serves as technical advisor for the Ministry of Internal Affairs & Communications (Japanese government). He is a director of the ISACA Tokyo Chapter and is a cofounder and executive director of ITGI Japan. He also serves on ISACA’s Government and Regulatory Advocacy (GRA) Subcommittee Area 1 and is a member of the GRA Committee.


1 To respond to the need for a risk management framework, ISACA developed Risk IT, which is based on COBIT. However, this project began prior to the release of Risk IT; therefore, the hospital developed its own risk management framework based on COBIT. Risk IT is now incorporated in COBIT 5.