Towards a Strategic IT GRC Framework for Healthcare Organizations

The rapidly changing healthcare market requires healthcare institutions to adjust their operations to address regulatory, strategic, and other risks. Healthcare organizations use a wide range of IT systems that produce large amounts of sensitive and confidential data. However, few tools are available to measure the data governance activities of healthcare institutions and to align healthcare data management with legislation. The Governance, Risk, and Compliance (GRC) model integrates the capabilities an organization needs to address these risks and achieve its goals, and the demand for corporate governance is crucial for protecting the healthcare system from risk. A modified version of an integrated GRC frame of reference that includes strategy, processes, technology, and people, as well as legal and business requirements, was developed to analyze the factors affecting IT GRC implementation in healthcare organizations. About 48% of participants reported that their organizations have implemented IT GRC programs, while 16% stated that their organizations are considering implementing IT GRC programs soon. In almost 72% of the healthcare organizations that have a program, IT governance, risk management, and compliance are integrated. Among the factors influencing the implementation of IT GRC programs in Saudi healthcare organizations, the legal context ranked as the most critical, followed by the process, strategy, technology, business, and finally people contexts. This study shows that healthcare organizations must assess various factors for the effective implementation of IT GRC activities.

Keywords—Information technology; strategic; healthcare; governance; compliance


I. INTRODUCTION
Increasing economic uncertainty, evolving market trends, and expanding regulations are escalating health organizations' risk exposure [1]. Currently, changes in healthcare systems are disrupting operations, necessitating the implementation of effective risk management systems. Hence, maintaining competitiveness and managing risk in the healthcare environment requires new actions, plans, and strategies. These changes have been driven by updated government regulations, organizational structures, accountability measures, and the changing relationship between consumers and healthcare providers [2]. In the evolving healthcare market, institutions must modify their operations to address regulatory, strategic, and other risks. However, the need to change these models, along with the implementation of new models and organizational structures, might increase industry risks while also providing lucrative opportunities. As a result, healthcare organizations are learning how to use effective models to manage those risks and turn them into profitable opportunities.
The healthcare domain contains many information systems that produce massive amounts of data. These data include patient data, disease research data, healthcare professional data, and other sensitive information that must be managed with the highest levels of confidentiality, integrity, and availability (CIA) [3]. Many healthcare organizations realize that the changes in healthcare systems are disrupting their usual practices and that they need effective risk management for data governance. They also recognize that maintaining competitiveness and managing risks in the healthcare environment require new actions, plans, and strategies. Modifications in government regulations, organizational structures, and accountability measures, as well as in the relationship between consumers and healthcare providers [4], drive these changes. However, there is a lack of developed tools for measuring data governance activities and aligning healthcare organizations' data management with legislation.
One of the models that have been introduced in the healthcare sector to deal with these issues is Governance, Risk, and Compliance (GRC). GRC focuses on integrating a range of capabilities that assist health organizations to act with integrity, maintain consistency, address uncertainty, and achieve organizational goals [5]. As the dependency on information systems increased, the need to apply the GRC concept to IT operations became apparent. IT GRC ensures that all IT systems have proper governance, risk management, and compliance management to support healthcare organizations [6]. Although many researchers identified the need for IT GRC in healthcare organizations, only a few addressed the need to develop a strategic framework for implementing IT GRC in healthcare settings [7].
The benefits of applying IT GRC in healthcare organizations include accountability, better management of electronic health records, and alignment with legal requirements. The purpose of this study is to support healthcare organizations in identifying IT GRC practices at a strategic level. This paper evaluates the main factors affecting IT GRC in the healthcare sector in order to develop a strategic model that addresses these various perspectives.

A. Factors That Led to the Emergence of IT GRC in the Healthcare Sector
The emergence of IT GRC as an approach for protecting healthcare organizations from excessive risk and removing growth barriers has been due to numerous factors. One such factor is the demand for corporate governance. Governance is a broad term that involves the individuals who administer the operations, laws, processes, institutions, and policies which define the structure that manages and directs healthcare organizations [8]. Thus, governance affects how healthcare organizations address everything from daily operations to patient care strategies. If any organizational operation fails, the board of directors and executives are held accountable, rather than the policies or the organizational culture [9]. Therefore, an accountability question arises: whether external and internal constituencies trust that the healthcare providers are doing everything possible to protect the quality of care and mitigate risk.
Recently, there has been increased media coverage of healthcare organizations that fail to ensure the safety and protection of sensitive patient information [4]. Due to increased media attention, data breaches, and the increasingly complex healthcare regulatory environment, board members and executives must be more closely attuned to how their healthcare organizations operate. This increased scrutiny requires that the individuals in governance roles have timely and accurate information regarding their organization. With such information, these individuals are able to make decisions that ensure compliance, prevent unnecessary risk, and reduce the likelihood and impact of regulatory penalties and patient litigation [10].
Another factor that has led to the emergence of IT GRC in the healthcare sector is the increased adoption of electronic health records (EHR), which has brought greater risk. There is a growth of data in the healthcare sector, such as patient information. This growth indicates that healthcare organizations need an effective structure that clearly defines business requirements, data governance, and the technology processes and infrastructure that support a secure data management environment [11]. At the same time, some healthcare organizations face challenges such as increasing regulatory standards and requirements, a lack of funds for security initiatives, and the growing need for data sharing among collaborators and partners. These challenges have made it difficult for organizations to protect and manage all these data. Numerous areas have increased the risk associated with the adoption of EHR, such as the global and dynamic nature of electronic information, collaborative patient care, and the use of electronic patient portals [3]. Due to the complexity of safeguarding health information, a more holistic risk management approach is needed, such as carrying out a risk assessment of the electronic environment.
Another contributor to the emergence of IT GRC in the healthcare sector is the growth of regulatory requirements. Healthcare organizations must comply with these requirements to minimize the likelihood and impact of regulatory penalties and patient litigation [12]. In the healthcare sector, compliance denotes adherence to regulations, together with the capability of healthcare providers to demonstrate and sustain that adherence. Healthcare organizations need to adhere to internal policies as well as externally imposed regulations and laws. In addition to the regulatory requirements themselves, a more informed public, more assertive regulators, and more serious noncompliance penalties all indicate that organizations need to focus on compliance [13].
The boundaries of the extended healthcare enterprise are disappearing due to its far-reaching and intricate web of relationships [14]. For instance, numerous departments and constituencies share patient information. Additionally, the use of technologies such as VoIP services, mobile devices, social networking, virtualization, and cloud outsourcing has dissolved the conventional boundaries of a single healthcare enterprise [15]. This cross-pollination of information and services has made it difficult to determine where one healthcare operation begins and another ends, and it has also introduced unwanted risks. It is challenging to manage the numerous healthcare sectors that affect patient information. Additionally, many divisions in healthcare organizations, such as radiology, the ER, and hospital labs, have burdened healthcare providers with assessments of employment practices, workflow support, privacy, security, and health and safety. Therefore, healthcare organizations need to validate that the members of their extended enterprise meet social responsibility practices, comply with laws, and operate in a manner that prevents unnecessary risks. This is because new technologies generate numerous opportunities as well as risks [16]. For instance, the use of mobile devices by healthcare providers might change the delivery of services and create new expectations across numerous touchpoints. At every touchpoint there is a likelihood of introducing risk, depending on the capability of the health organization to secure the connection. Hence, the disappearing boundaries of healthcare enterprises, and the unwanted risk they may bring, have contributed to the emergence of IT GRC.

B. IT GRC in Healthcare Settings
Researchers in [17] provided a clear GRC model based on a maturity model. The authors indicated that the GRC framework is most common among multinationals, insurance companies, banks, and listed corporations. However, the article acknowledged that there is a need for a GRC framework in healthcare settings. [18] indicated that in past years the GRC framework was not adopted in healthcare, although it has gained popularity in developed countries such as Germany and the U.S. The author discussed only the current state and significance of GRC in healthcare without offering a clear IT GRC framework. [19] discussed past and future directions of information technology governance, but did not provide a clear IT GRC framework that healthcare organizations can implement. [20] provided clear guidance on how governance, risk, and compliance can be aligned to ensure better decision-making, and indicated that in past years organizations have failed to align the three. However, that study did not provide a complete GRC framework that healthcare organizations can adopt specifically for the IT GRC setting. Table I summarizes the related literature.
The literature agrees that there is a need to develop an IT GRC framework that healthcare organizations can use.

III. RESEARCH FRAMEWORK
This research aims to assess the factors affecting the implementation of IT GRC initiatives in healthcare organizations. This paper adopted a modified version of the frame of reference for integrated GRC developed in [2]. The original frame contained four components: strategy, processes, technology, and people. This research framework adds two new components: business and legal requirements. The research framework appears in Fig. 1. The research framework components are described as follows:
• Strategy: The alignment among healthcare strategy, IT strategy, and IT GRC activities is crucial for integrating IT GRC in healthcare organizations [21]. A study conducted in Swiss hospitals found that in about 75% of the hospitals, IT directors usually make all the decisions without any discussion with the related departments [1].
• Process: IT GRC involves many processes that span various GRC domains (i.e., governance, risk management, compliance) [22]. IT governance processes must control IT risk management and IT compliance management in the healthcare organization [23].
• Technology: Technology plays a vital role in the integration of IT GRC activities. However, applying IT GRC technical tools in the healthcare organization requires an understanding of the nature of the healthcare business [24].
• People: People play different roles in IT GRC activities, such as identifying risks and managing the systems [23]. Understanding the importance of IT GRC activities in healthcare organizations is one of the success factors for implementing any IT GRC initiative in the healthcare organization [24].
• Business: Implementing IT GRC requires investment in technical solutions and processes. Thus, a successful implementation requires approval from both business and information technology leaders [1].
• Legal: Regulatory compliance is one of the major drivers for any GRC program [25]. In the healthcare domain, organizations have to comply with various regulations. While some of these regulations are healthcare-specific, others could be related to IT regulations or other general laws.

IV. RESEARCH METHODOLOGY
To assess the factors affecting the implementation of IT GRC initiatives in healthcare organizations, this study started with a literature review, followed by a quantitative survey. The questionnaire items fall into six categories (technology, process, people, strategy, legal requirements, and business); see Appendix 1.
Two experts (a professor and an assistant professor) reviewed the developed questionnaire to test its content validity. After making the required changes, the authors translated the questionnaire into Arabic. The research was then reviewed by the Research Ethics Committee at Shaqra University in Saudi Arabia to obtain ethical approval. The questionnaire also asks about IT GRC activities inside the healthcare organization, such as the type of IT GRC program in the organization and who is in charge of it. The third part includes statements developed to assess the factors affecting the implementation of IT GRC initiatives in healthcare organizations. The fourth part collects the demographic information of the participants. The final part allows the respondents to add further comments on the topic.

V. DATA ANALYSIS
After completing all the required steps of questionnaire development, the questionnaire was distributed to the targeted audience of Saudi healthcare organization members. We received 122 responses between 19 Oct 2021 and 7 Dec 2021. Four responses were excluded because they were incomplete or because the respondents worked in a different industry. The analysis was conducted using the Jamovi software [26]. This study uses quantitative methods for the analysis for several reasons, including the ability to generalize the results and the high level of objectivity they offer.

A. Sample Characteristics
Table II shows the demographic information of the participants. The gender balance among the participants was almost equal (male 52.5%, female 47.5%). The majority of the participants work in healthcare organizations in the Central Province (66.1%) and the Western Province (25.4%). This was expected, since most of the main healthcare organizations in Saudi Arabia are located in those two provinces, which also have the majority of the Saudi population [27]. Although 67% of the participants have five years or more of experience in the healthcare sector, only 21.1% have more than five years of experience in IT GRC related activities.

B. IT GRC Status in Healthcare Organizations
This section discusses the IT GRC status in Saudi healthcare organizations. While 48.3% of the participants reported that their organizations have implemented an IT GRC program, only 16.1% stated that their organization plans to have an IT GRC program in the foreseeable future.
A considerable share of the participants (28%) did not know the status of the IT GRC program in their organizations. These participants were not included in the analysis of the results.
Among the organizations that implemented an IT GRC program, 71.9% of the participants stated that their organizations have an integrated IT GRC program that covers all of the governance, risk management, and compliance processes. 77.4% of the participants also reported that the person in charge of IT GRC in the organization is from the IT department (i.e., the Chief Information Officer (CIO) or equivalent, or another IT director). Table III shows the IT GRC status in Saudi healthcare organizations.

C. Reliability Testing
Cronbach's coefficient alpha was used to measure the internal consistency between the items of each context. All Cronbach's alpha values were above 0.8, which exceeds the accepted threshold [28].

Overall Findings
This research aims to study the factors affecting the implementation of IT GRC initiatives in healthcare organizations in Saudi Arabia. The authors addressed this by analyzing the data collected from the survey. Among the six contexts, the most important is Legal (mean 3.85), followed by Processes (mean 3.82), Strategy (mean 3.78), Technology (mean 3.74), Business (mean 3.62), and finally People (mean 3.61). Table IV shows the overall results of the analysis.

D. Comparison between Different Groups
Based on the results of the questionnaire, Saudi healthcare organizations fall into three categories. The first category is the organizations that have already implemented IT GRC solutions. The second category is the organizations that are planning to implement IT GRC programs. The third category is the organizations that do not implement an IT GRC program. The researchers conducted an Analysis of Variance (ANOVA) test to compare the means across the three groups. Table V lists the means and standard deviations for all groups and contexts. It also presents the p-value of the ANOVA test for each context across the three groups. The results indicate significant differences between the categories for all six contexts. Organizations with IT GRC programs consistently have the highest mean values for all contexts, while organizations that do not implement IT GRC programs consistently have the lowest. The ranking of the mean values shows differences in the relative importance of the contexts for each category. For organizations with an IT GRC program, the process context ranked first (mean = 4.10) and the people context ranked last (mean = 3.89). For organizations planning to implement IT GRC programs, the legal context ranked first (mean = 3.78) and the business context ranked last (mean = 3.33). For organizations that do not implement IT GRC programs, the legal context ranked first (mean = 2.77) and the process context ranked last (mean = 3.22).
Table III also distinguishes two further program types besides the fully integrated one: an IT GRC program that covers only two aspects of the GRC processes (i.e., governance and risk management, governance and compliance, or risk management and compliance), and an IT GRC program that covers only one aspect (i.e., governance, risk management, or compliance).

VI. DISCUSSION
The present research examines the factors affecting the implementation of IT GRC programs in Saudi healthcare organizations. The legal context, which refers to the ability of healthcare organizations to meet all legal and regulatory requirements, was ranked as the most important context. This result was expected, since following legal and regulatory requirements is usually compulsory. However, organizations that do not implement IT GRC programs appear to face difficulties in following or complying with these requirements, as reflected in their low mean value for this context (2.72). This finding aligns with other studies that identify compliance with laws and regulations as one of the main objectives of GRC implementation [24].
The process dimension, which controls the various GRC domains, ranked as the second most important dimension. Our results suggest that organizations that have already implemented IT GRC have well-structured processes, since this dimension ranked first for such organizations. The same dimension ranked last for organizations without an IT GRC implementation; thus, they have difficulties controlling IT risk management and IT compliance management. Another study supports this finding, showing that the process-level integration between the IT GRC domains was low in healthcare organizations compared with other industries [23].
Synergy and alignment between IT GRC activities, IT strategic objectives, and business strategy are among the most crucial conditions for IT GRC integration. For organizations that plan to implement IT GRC solutions, this context ranked as the second most important. This ranking shows their willingness to pursue better alignment and integration between the GRC processes, IT, and business strategies. Weak strategic alignment negatively impacts IT GRC integration efforts across healthcare organizations, as noted in [1].
The technology context ranked as the fourth most important context. One possible reason is that healthcare organizations treat technology as a tool that supports IT GRC implementation rather than as the main focus [23]. Another possible reason is the technical complexity of implementing such solutions in healthcare organizations [24].
The business context refers to the financial issues surrounding the implementation of IT GRC activities in the organization. This context did not rank high in our study. This result was a surprise, since financial factors are among the most important factors in many studies of IT implementation in healthcare organizations [29]. A possible explanation is the continuous pressure on healthcare organizations to decrease their expenditures [30]. The people context covers human involvement in IT GRC activities in healthcare organizations. This context received low mean values. The reason could be the lack of adequate staff devoted to IT GRC activities [1]. Another explanation is the unclear responsibilities of the IT GRC team [31]. Our findings also indicate a lack of expertise in the IT GRC domain in healthcare, since only 21.1% of the participants have more than five years of experience in IT GRC related activities. This result shows the need for specialist training in the IT GRC domain in Saudi healthcare organizations.

VII. CONCLUSION
Healthcare organizations face many challenges in improving their operations to respond to regulatory, strategic, and other requirements. Many organizations have implemented the Governance, Risk, and Compliance (GRC) model to help them manage risk and comply with internal policies and external legal requirements. IT GRC is a subdomain of GRC that focuses on IT operations in organizations. This study analyzed the factors affecting the implementation of IT GRC in healthcare organizations. It developed a research framework that comprises strategy, processes, technology, people, and legal and business requirements.
The results indicated significant differences between the various categories of healthcare organizations for all six contexts. The output of our research provides a strategic roadmap for healthcare organizations that are willing to implement IT GRC activities. Additionally, Saudi healthcare organizations need to pay special attention to the role of people in IT GRC activities, since this context ranked among the lowest.
The main contribution of this study is a strategic framework for IT GRC in healthcare organizations. The developed framework can help healthcare organizations improve their IT services and align them with their healthcare services. Another implication of this study is the need to align technology with the other aspects, such as legal requirements, in a holistic strategic IT GRC framework.
A possible limitation of the research is the number of participants, which may be considered low. However, the low number could be because our survey requires participants to have some knowledge of IT GRC to complete the questionnaire, and such people are usually few in healthcare organizations. Another limitation is that the geographical context of the study is limited to Saudi Arabia.
Future work includes the development of tools that integrate all the contexts to support healthcare organizations in making better use of IT GRC concepts.