ZenGRC

Simply Powerful GRC

ZenGRC Team

Navigating the Future of AI Governance: A Guide to NIST AI RMF, ISO/IEC 42001, and the EU AI Act

· ·

Businessman using mobile smartphone and icon network connection data with growth graph customer, digital marketing, banking and payment online, analysis and planning of business.


In the rapidly evolving landscape of Artificial Intelligence (AI), Governance, Risk, and Compliance (GRC) professionals must navigate the increasingly complex challenges of trustworthy development, deployment, and monitoring of AI systems. 

The recently released NIST Artificial Intelligence Risk Management Framework (NIST AI 100-1)ISO/IEC 42001, and the upcoming European Union Artificial Intelligence Act are pivotal guidelines for organizations to better govern AI usage. 

This blog delves into the similarities and differences of these frameworks, offering essential insights for alignment and outlining how ZenGRC can facilitate a robust, continuous AI governance monitoring program.

Understanding the Frameworks

What is the NIST AI Risk Management Framework?

The NIST AI Risk Management Framework (AI RMF) is designed to provide organizations with a structured approach to managing risks associated with AI technologies. It emphasizes flexibility, allowing organizations to tailor their risk management practices to their specific needs while assuring AI systems are developed and deployed responsibly, ethically, and trustworthy. 

The framework itself is published by the National Institute of Standards and Technology (NIST), which has decades of experience developing standards for all manner of technology. Any organization of any industry or size can study the AI RMF and extract valuable lessons.

What is ISO/IEC 4200?

ISO 42001 is a standard from the International Organization for Standardization (ISO). It provides guidelines for establishing, implementing, maintaining, and improving an AI management system. 42001 focuses on assuring that AI systems are used in a way that is ethical and transparent and promotes trust among users and stakeholders. The standard covers various aspects of AI governance, including accountability, data privacy, and security. Similar to other ISO standards, 42001 is voluntary. Organizations can choose to certify their compliance with this standard via external audits and controls validation. 

EU Artificial Intelligence Act

Although not finalized yet, the draft EU AI Act represents a comprehensive legal and regulatory framework proposed by the European Union to govern AI use within its member states. It categorizes AI systems based on their risk to citizens’ rights and safety and outlines requirements to be met before those systems can be deployed. The AI Act is particularly notable for its legal enforceability and the potential for significant penalties for non-compliance.

NIST AI RMF vs. ISO 42001 vs. EU AI Act: Similarities and Differences

While all three frameworks aim to promote responsible AI, their approaches and emphases vary. 

FeatureNIST AI RMFISO 42001EU AI Act
PurposeGuidelines for risk management and ethical considerations in AIGuidelines for an AI management systemLaw with specific compliance requirements
FocusMore focused on the risk management aspectProvides a detailed structure for AI managementBased on the risk associated with an AI system
ApplicabilityFlexible, applicable across different sectors and types of AI applicationsFlexible, designed to be applicable across various sectors and AI applicationsApplies to organizations operating within or targeting the Europe market
Legal ImplicationsVoluntary standardsVoluntary standardsLegal implications; mandatory compliance for affected entities
Geographical RelevanceGlobalGlobalEU Member States
ComplianceVoluntaryVoluntaryMandatory as law is enacted


Aligning With the Frameworks

Organizations looking to align their IT operations to these frameworks should start by comprehensively analyzing how they want to use AI (the business use cases) and the risks associated with AI so the organization can understand the specific opportunities and challenges they face. This involves identifying the purpose and desired outcomes of the AI system, the type of data processed, the decision-making capabilities of the system, and the potential effects on individuals and society. 

From there, organizations can develop a tailored risk management strategy that addresses these risks while considering each framework’s unique requirements.

Training and awareness are also crucial. To ensure a cohesive approach and increase transparency, stakeholders, from developers to executives, should be educated about the principles and requirements of strong AI governance.

Frequently Asked Questions (FAQs)

What is AI Governance, and Why is it Important?

AI Governance refers to the frameworks, processes, and practices organizations implement to ensure the responsible and ethical development, deployment, and monitoring of artificial intelligence systems and advanced AI technologies. It is crucial because AI systems can significantly impact individuals, businesses, and society. 

How Do NIST AI RMF, ISO/IEC 42001, and the EU AI Act Influence AI Governance?

The NIST AI Risk Management Framework (AI RMF) provides guidelines for managing AI risk using AI models and algorithms. ISO/IEC 42001 is a standard for establishing an AI management system focused on ethical AI, transparency, and trust in AI systems. The EU AI Act proposes legal requirements and AI regulation for AI systems based on risk levels, making it legally binding for organizations operating in or targeting the European market.

What Are the Best Practices for AI Governance in Organizations?

Best practices for AI Governance include:

  • Conducting risk assessments
  • Establishing clear policies and procedures
  • Implementing robust data governance and data protection practices
  • Promoting transparency and explainability
  • Ensuring human oversight 
  • Continuously monitoring AI systems for compliance and ethical concerns 

Organizations should also consider AI safety initiatives and adopt AI principles for responsible AI development.

What is an Example of AI Governance?

An example of AI Governance is a healthcare organization implementing a governance regime like the NIST AI RMF to identify and manage risks associated with their AI systems and machine learning models. This may involve conducting risk assessments, establishing controls and AI policies, and continuously monitoring AI outputs to ensure they operate as intended and comply with ethical and regulatory requirements.

What are the Pillars of AI Governance?

The pillars of AI Governance typically include:

  • Ethical and responsible AI development.
  • Data governance and privacy. 
  • Transparency and explainability.
  • AI risk management.
  • Continuous monitoring and compliance.
  • Addressing potential harms and safeguards. 

It also involves collaboration with policymakers, civil society, and the private sector to create governance structures and building blocks for the AI ecosystem.

Leveraging ZenGRC for AI Continuous AI Monitoring

ZenGRC can play a pivotal role in helping organizations align with the NIST AI RMF, ISO 42001, and the EU AI Act by offering a comprehensive solution for continuous AI monitoring and governance. 

As AI continues to shape the future of technology and society, the importance of robust governance frameworks cannot be overstated. By understanding the nuances of the NIST AI RMF, ISO 42001, and the EU AI Act and leveraging tools such as ZenGRC, organizations can ensure that their AI systems are both compliant and aligned with the highest standards of ethics, accountability, and transparency.

See how ZenGRC can help streamline AI governance and provide an always-on view of AI risk and compliance across your business — schedule a demo today!

Top 5 Risks Affecting the Healthcare Industry

· ·

Cybersecurity is a constant, serious threat to the healthcare industry. Unfortunately, however, the risks to cybersecurity and data security in healthcare are only one part of the larger risk management puzzle for healthcare organizations. Infections, alarm fatigue, telemedicine, and a lack of emergency preparedness also pose severe threats in healthcare.

To minimize exposure, healthcare organizations require a comprehensive risk management program. With risk management initiatives, organizations can:

  • Identify and address existing and emerging risks;
  • Meet business objectives and strategic goals;
  • Maintain legal and regulatory compliance;
  • Lower the chances of debilitating losses while enhancing their ability to deliver quality care.

Read on to explore the key risks affecting the healthcare industry and some risk management strategies they can leverage to avoid undue risk exposure.

The 5 Critical Risks in the Healthcare Industry

Healthcare organizations are constantly tested by risks that affect their ability to achieve business objectives. Changes to the Affordable Care Act and the Health Insurance Portability and Accountability Act (HIPAA), for example (plus other healthcare reforms), all add pressure and make the future even more uncertain.

If these risks are not appropriately managed and mitigated, they can result in many unwanted outcomes, including:

  • Financial losses;
  • Fines and penalties;
  • Reputational damage;
  • Increase in medical malpractice suits and claims for workers’ compensation.

Let’s delve into five critical risks affecting healthcare facilities.

1. Cyber Risks

In 2020, data breaches against healthcare firms increased by 55.1 percent from 2019. According to the HIPAA Journal, one healthcare data breach was reported each day. The average cost of a breach was $7.13 million, the highest among all industries; and such incidents cost healthcare companies $6 trillion by the end of the year.

2021 was even worse. According to the same report from the HIPAA Journal, breaches hit an all-time high in 2021 and exposed a record amount of patients’ protected health information (PHI). They impacted a whopping 45 million people. Worse yet, the average cost of a data breach rose to $9.42 million.

The healthcare sector is a prime target for all kinds of cybercriminals due to the vast amounts of PHI and electronic health records generated. Attackers can earn staggering profits by selling this data since a single medical record is valued at up to $250 on the black market.

Moreover, care organizations are vulnerable to all types of cyber threats. Malware, ransomware, viruses, phishing, and credential harvesting all help attackers to disrupt healthcare operations, monetize PHI, and prevent medical staff from delivering patient care.

Such attacks may harm the organization’s business continuity, damage its reputation, and endanger patients’ lives. They may also result in lawsuits or fines due to the firm’s inability to comply with the privacy and security requirements stipulated under laws such as HIPAA.

The healthcare industry also has a high cybersecurity risk because:

  • Organizations have many connected devices that are often not patched properly;
  • Medical professionals use insecure devices to remotely access patient data, leaving the door open for bad actors;
  • Healthcare workers are often not trained on how to prevent or deal with cyberattacks;
  • Absent or inoperative security controls enable bad actors to access sensitive patient information.

Cyber Risk Management Strategies

Healthcare organizations must have a proper risk management strategy in place to boost the cybersecurity of healthcare information and avoid the costs of a cyberattack. The strategy should guide the organization’s investments in cybersecurity tools like firewalls, antimalware and antivirus, endpoint detection and response (EDR) systems, and so forth.

Cyber liability insurance can provide financial protection by transferring the risks and associated costs to the insurance provider. That said, premiums can become prohibitive if the organization fails to implement proper controls to prevent attacks. That’s why risk management and security controls are always vital.

2. Healthcare-Associated Infections

According to the Centers for Disease Control, 1 in 31 patients at a hospital facility has a healthcare-associated infection (HAI). HAIs cost hospitals $28.4 billion each year. They also cost society $12.4 billion due to early deaths and lost productivity.

The risk of HAIs is exceptionally high in healthcare organizations where any of the following factors exist:

  • Increased frequency and variety of invasive procedures;
  • Severely ill patients;
  • Overuse or improper use of antibiotics;
  • Failure to adhere to best practices for preventing HAIs.

HAI Risk Management Strategies

It’s impossible to eliminate the risk of HAIs completely. They can, however, be prevented to a large extent by assuring that all sanitation systems are operational and up-to-date.

Healthcare management should train staff on the proper use of these systems and basic infection control techniques to keep patients safe. Accountability and reporting to the appropriate healthcare authorities can also help prevent HAIs on a broader public health scale.

3. Telemedicine

According to the American Hospital Association, 76 percent of U.S. hospitals connect remotely with patients and practitioners through video and other new technologies. Remote care allows practitioners to increase the scope and reach of their care.

Telemedicine also, however, creates several risks for healthcare organizations. In addition to the risk of cyberattacks due to insecure devices, telemedicine may also result in allegations of negligence, especially if healthcare providers are not adequately trained or lack the proper experience and credentials.

Telemedicine Risk Management Strategies

Since there’s no federal clinical standard to guide how healthcare organizations deliver telemedicine, they must set their own standards and implement their own controls for telemedicine.

They must ensure that all providers have the right capabilities and credentials, and follow appropriate standards of care. Healthcare professionals should also be trained on regulatory requirements for patient privacy and data security to know how to avoid non-compliance.

Another critical risk mitigation strategy is to implement a robust peer-review process, staff bylaws, and processes to adhere to the Centers for Medicare and Medicaid Services (CMS) guidelines.

4. Emergency Preparedness and Patient Safety

Pandemics and other disasters can strike an organization at any time. Healthcare organizations that are not prepared for such events cannot care for their patients; nor can they protect their staff from injury, illness, burnout, and mental health problems.

In addition, organizations may not be able to meet the requirements of the CMS Conditions of Participation. This could result in termination from the CMS program, which affects their ability to meet HIPAA requirements, protect patient privacy, and prevent fraud in the healthcare system.

Emergency Preparedness Risk Management Strategies

To avoid such adverse circumstances, all healthcare organizations must implement an emergency incident response plan based on:

  • A thorough and ongoing risk assessment;
  • Supporting policies and procedures;
  • A communication plan to coordinate with federal, state, and local health departments;
  • A training and testing program with provisions to conduct regular emergency drills.

The plan should be reviewed and updated regularly. Organizational leadership should be involved in the planning process to assure that the organization can continue to deliver care while protecting staff from being exposed to additional risks.

5. Alarm Fatigue

In healthcare settings, alarms are designed to draw the attention of professionals to a potential problem. Since they are so common, however, overwhelmed nurses and doctors experience alarm fatigue and become desensitized to these warnings.

Consequently, they often tune them out. By ignoring an alarm, however, providers may fail to respond to a situation as they should, reducing the quality of care. In some cases, alarm fatigue can be fatal.

Alarm Fatigue Risk Management Strategies

Healthcare organizations can reduce the risk of patient harm from alarm fatigue by implementing precautionary measures. One is an effective process for safe alarm management and response in high-risk areas. Other critical steps to manage this risk are:

  • Perform baseline alarm risk assessments to understand the current conditions contributing to alarm fatigue;
  • Identify the default alarm settings and the limits appropriate for each alarm-equipped medical device in each care area;
  • Identify the situations when alarm signals are not clinically necessary.

Challenges of Risk Management in Healthcare

To mitigate the critical risks explored here, healthcare organizations must adopt comprehensive risk management programs. Unfortunately, risk management can be a challenging prospect for several reasons.

As reimbursement moves away from a fee-for-service model to a value-based model, it may affect the financial performance of healthcare organizations. Moreover, higher pay-for-performance penalties may be imposed if the organization fails to provide quality care. These changes make it harder to balance risk management with quality care.

Under-reporting of errors or problems also affects risk management. A lack of data makes it harder to find solutions that can reduce the organization’s risk exposure. On the other hand, too much data is also a challenge because it can overwhelm your analysis and hinder your decision-making to minimize losses.

Improve Risk Management with ZenGRC

For effective healthcare risk management, visibility, evaluations, monitoring, and automation are all crucial. ZenGRC brings all these capabilities in one comprehensive platform.

ZenGRC is an all-in-one platform for risk management, compliance, policy management, and governance. It shows the risk areas and changes in a healthcare organization so they can act fast to stay ahead of ever-evolving threats.

To see ZenGRC in action, schedule a demo.

Identifying Assets for IT Risk Analysis

· ·

Any organization that uses information technology should conduct cybersecurity risk assessments from time to time.

Each organization, however, faces its own unique set of security risks and needs to tailor its approach to addressing those specific risks within its risk management processes.

To get started, you first need to identify all your organization’s IT assets, which might be subject to those risks. Then, you can understand the losses you might incur should certain risk events happen and implement prudent steps to keep those risks in check.

IT assets include servers, customer contact information, sensitive partner documents, and trade secrets.

Some assets are physical, such as computing devices; others are electronic, such as data or software. Not all assets are of equal value, either. Some are more costly than others, and some have higher risk exposure.

Each asset has different associated risks, and the importance (the “criticality”) also varies. Your cybersecurity risk management plan will need to account for all those factors.

What is an IT Risk Analysis?

Information Technologies (IT) Risk Analysis is a process of identifying potential threats and vulnerabilities to your IT systems to establish what loss you might expect to incur if certain events happen. Its objective is to help your risk mitigation initiatives at a reasonable cost.

Creating an Asset Register for IT Risk Analysis

Risk assessments typically take one of two approaches. The most common is to start by compiling an inventory of your IT assets; the other method is to consider various scenarios or identified risks that can lead to a compromised asset or breach.

An asset-based risk assessment starts with an asset register or asset inventory. This document specifies all the places where sensitive information is stored and the asset’s estimated value.

So, one of the first things an organization should do when performing a cybersecurity risk assessment is to identify those IT assets.

Creating an asset register helps to clarify what is valuable in your company and who is responsible for it. You need to know what you have and who is in charge of protecting those assets to understand the technology risks to your company entirely.

First, generate the register itself: the list of hardware, software, devices, and databases that store sensitive information.

To do this, consult with the asset owners. An “asset owner” is the person or entity responsible for controlling an information asset’s production, development, maintenance, use, and security.

The asset owners will be familiar with how information moves through their departments. Involving them in the process will be quicker and less intrusive than having your implementation or compliance team go through the entire company.

What are Assets for IT Analysis

It might be that asset owners aren’t sure what assets fall within their responsibility. In that case, recommend that they list all the software they use, the documents in their binders and file cabinets, the employees in the department, and the equipment in their office, among others. Assets might include:

  • Hardware: Laptops, servers, printers, cell phones, USB sticks, authentication keys.
  • Software: Purchased software and free software.
  • Information: Electronic media, such as databases, PDF files, Word documents, Excel spreadsheets, and the like, as well as paper documents. This also could include sensitive data.
  • Infrastructure: offices, electricity, and air conditioning (the loss of these assets can cause information to be unavailable).
  • Outsourced Services: Legal services, shipping services, online services (Dropbox, Gmail, and so forth). These aren’t assets in the purest sense of the word, but you control these services the same way as assets, which is why they are often included in an asset inventory.
  • Human Resources: The employees in each department and their access to the IT infrastructure. These also aren’t assets in the purest sense, but they manage and run your business operations and could potentially lead to a data breach.

Identifying Risks to Your Listed Information Assets

When executing the risk assessment, identify the risks these different types of assets might encounter. The purpose of an information security risk assessment is to help inform stakeholders and decision-makers about the risks they face so that they can consider and support proper risk responses. So, think expansively about what risks might happen and how.

Hardware

With the increase in Bring Your Own Device (BYOD) policies, the hardware risks that affect companies also extend to employees’ personal equipment. At the same time, technology solutions are available to enforce removable media policies, limiting unauthorized extraction of information and malware infection.

Software

The principal risks of your company’s software are its vulnerabilities and the ease with which cybercriminals can exploit them to infect your organization.

Vulnerability scanners can help here by highlighting vulnerable software and pending security updates. Updating your tools and enforcing shadow IT and legacy software policies significantly reduces cybersecurity risks.

Infrastructure

The risk identification process can only be completed by considering infrastructure risks. Physical access controls are crucial in mitigating unauthorized access to critical systems.

At the same time, natural disasters are specific threats that hinge upon local geographic factors. Business continuity and data security policies must be in place to prevent cyberattacks during these critical events.

Outsourced Services

Your organization may rely on various third-party services for its operations. This includes traditional vendors and cloud service providers for your information systems.

Your information security risk assessment should consider your suppliers’ risks and data protection policies to determine their risk level. This activity allows your company to assess third-party risk and the cost-benefit of these services.

Human Resources

Human resources present risks that your company should assess, too. For example, phishing attacks are common cyber threats that depend heavily on the cybersecurity awareness of your employees. Malicious insiders may also exist, so implement security controls to identify and intercept potentially dangerous behavior patterns.

Manage and Mitigate Risks with Help from ZenGRC

Whether your organization has its IT team to conduct an information security risk assessment or outsource the task, ZenGRC can help make the process easier for you.

ZenGRC helps your organization implement, manage, and monitor your risk management framework. Prioritize tasks with automated workflows so everyone knows what to do and when. Insightful reporting and dashboards visualize information, making it easy to share with stakeholders.

On the compliance end, ZenGRC has templates to help your organization streamline the complete lifecycle management of all your relevant cybersecurity risk management frameworks, including PCI-DSS, NIST, HIPAA, and more.

Contact us today for a free consultation and demo and start managing risk worry-free the Zen way!

ZenGRC and 360 Advanced Join Forces to Revolutionize GRC

· ·

ZenGRC is thrilled to announce our strategic partnership with 360 Advanced, a leader in cybersecurity and compliance services.

This powerful alliance combines ZenGRC’s cutting-edge GRC platform with 360 Advanced’s deep expertise in security and compliance programs. Together, we’re set to revolutionize how organizations approach governance, risk, and compliance.

Our partnership delivers the tools and expertise that companies of all sizes need to navigate today’s complex regulatory landscape with confidence.

To read the full press release, please visit the 360 Advanced website.

Read more

eBook: Maximizing ROI with ZenGRC

· ·

A Guide to Operationalizing and Scaling Governance, Risk, & Compliance

Struggling to balance compliance with operational efficiency? Our ebook provides a strategic roadmap for establishing a robust GRC program that delivers tangible results. From setting up governance structures to implementing advanced risk assessment workflows, discover how ZenGRC can help you optimize your operations and achieve long-term success.

Ready to see ZenGRC in action?

Fill out the form to book your demo today and take the first step towards simplifying your GRC processes!

GET started