Terri Nichols

Terri Morris-Nichols is system director of risk management at PeaceHealth, a not-for-profit health care system with 10 hospitals and medical facilities in Alaska, Washington and Oregon. She is a registered nurse with a master's degree in health administration. She can be reached at TNichols@peacehealth.org.

Risk Insider: Terri Nichols

Cyber Checklist for Risk Managers

By: | January 25, 2016 • 2 min read

This article was written in conjunction with Christine Novotny, ARM, Manager, Risk and Insurance, PeaceHealth.

If the value of personal information makes us vulnerable, the value of health care information exponentially expands the bullseye. According to Reuters, medical records are worth up to 10 times more than credit card numbers on the black market.

As a health care organization, it is our responsibility to protect the integrity of our patients’ records, and we take this responsibility very seriously.

All too often the effort has been focused on preventing and managing massive cyber-attacks. However, it is critically important that we be mindful of the exposure the individual employee represents in our cyber security.

This could be the employee who inadvertently faxes data to the wrong person or leaves their computer unattended and at risk, or the employee who intentionally sets out to hurt the organization as a retaliatory measure. This is a real exposure that is often overlooked.

It’s important that you act in lockstep with network security and organizational teams in order to detect, stop, and address the untoward event appropriately. Cyber threats can be overwhelming and a contributor to sleepless nights.

To help us break this threat apart into manageable steps we have created a checklist for the risk manager.

Checklist for Risk Managers

  • Work with board and executive leadership to ensure support for cyber initiatives.
  • Provide for strong data breach identification and management policies and procedures, creating a zero-tolerance culture for data breaches.
  • Ensure that education and training occur at all levels of the organization at least annually, to include basic definitions, policy content and zero-tolerance culture.
  • Create a breach response team in partnership with Organizational Integrity, Finance, Legal, Risk, IT security, Human Resources, and Communications to ensure all are working together for immediate detection, response and action when a breach occurs.
  • Negotiate a robust cyber insurance policy that has breach response, liability coverages, as well as coverage for regulatory actions, fines, and penalties.
  • Create data breach preparedness planning opportunities.
  • Leverage insurance carrier for education and loss prevention opportunities.
  • Appreciate the regulatory landscape through education and training.
  • Develop contracts with external partners including forensic firms, law firms, and public relations firms to assist during a large breach event.
  • Train, test, revise, train, test, and revise!

The answer to many cyber threats is having the force of an integrated cyber security and breach response team as your shield.


Proactive Prevention

By: | January 26, 2015 • 2 min read

As a nation, we have watched the health care landscape change.  Not only have we seen dramatic events that have shaped our processes and systems, but the appetite for accompanying risks has shifted as well.

When we think about the transition of thought that occurred as a result of the threat related to Ebola, we have seen health care organizations accepting greater risks on behalf of those they care for, and showing greater effort in mitigating risk to those who serve.

We saw organizations holding practice sessions for putting on and taking off personal protective equipment in order to protect their employees.

We saw coordination of communications with key partners to educate patients and the public about the risk to the community.

And, we saw an exponential increase in resources used to be ready for what came next.

It is interesting that the risk presented itself in some cases before the magnitude of the impact was imaginable. Who ever thought that a ride on the teacups at Disneyland would warrant a rapid response from the health care community due to the ever-increasing number of measles infections?

We must ask ourselves then, how do we create a culture where risks are identified earlier, and processes and systems put in place with greater ease?  How can we optimize resources used along a continuum to mitigate risk and protect patients, employees and the public?

Of course, you can’t have been in risk management, or health care for that matter, without understanding that events or issues are standing at the front door waiting to come in without warning.

However, when we use risk maps or other tools to understand the risks to the organization, we must challenge ourselves to broaden our thinking to include those risks that are on the horizon across the nation and globe.

Why must the risk present itself before we launch good, solid processes to mitigate the impact to our valued team members?

We have the tools, know what the culture should look like, and have amazing partners to begin this broader conversation.  Let’s get started!


The Information Gap

By: | August 22, 2014 • 2 min read

All too often, we hear anecdotes about circumstances where important information was not provided to the risk management team because of the fear of retribution or retaliation.

When that happens, we lose the opportunity to improve the organization’s performance. Particularly in health care, this leads to ineffective feedback for patient safety.

“Compassionate communication” encourages others to share and express their thoughts. It has been described as ensuring we hear the underlying values, needs, and fears of those we communicate with.

With compassionate communication — and the coaching and mentoring that follows — our colleagues will ensure that critical information is provided and that risk management can be seen as a partner.

Organizations that have a highly evolved risk culture have designed opportunities for this open dialogue. Approaching the risk culture with a mind-set linked to valuing and engaging the individual through compassionate communication still provides the necessary parameters around which we can protect the organization and mitigate risk.

A Hurtful Silence

We have heard stories about individuals who isolate after a mistake has been made or when their actions result in an untoward outcome because they believe that opening up to someone is a risk to themselves and their organization.

They silence their opportunities to process their feelings and emotions in exchange for safety from legal ramifications, believing they will be met with blame and criticism for their actions.

Yet, in a culture of compassionate communication, these doors are opened, and leaders can nurture the space between recognition and reporting to inspire, create hope, and engage employees in areas that might have been neglected in the past.

With compassionate communication, the culture is enhanced and enriched.

Each of our employees has the ability to see and report situations that could bring about risk to the organization, so visibility and approachability are crucial.

Using opportunities to seek information — explore what is keeping your employees up at night — and to provide education on a structured schedule demystifies the idea of who is behind the door.

Risk managers also need strong communication and conflict resolution skills.

While many risk managers understand the skills related to negotiation and mediation, we sometimes forget that we are working with human beings who bring their fears and hesitations when thinking about risks in our organizations.

Training risk managers in empathetic approaches, the principles of cooperative power, and sound communication skills will provide an infusion of compassionate communication within the risk culture where it is needed to ensure that the right thing is done on behalf of those served.

I was once told that it takes at least two years to fully develop trust in another individual. Trust at a level where, no matter what the decision or action, support can be given indicates a trusting relationship.

Working to develop and solidify strategic relationships with risk management, through our use of empathy and compassion, will contribute to the kind of risk culture that benefits those serving the organization and those being served.
