Making decisions is difficult, and at RISQ Management we understand that you need as much information as possible to make an informed decision.

Check out our resource library where you will find brochures on services we offer, and various types of publications from our founder.

Service Brochures:

RISQ Management is simplifying obtaining a FedRAMP Authorization to Operate (ATO) by providing an automated method to create the FedRAMP SSP. See FedRAMP service offerings brochure.

RISQ Management offers custom reporting that gives real-time insight into your business' current performance; in turn, these generated reports can be interrogated to help you improve your service and company offerings. See Custom Reporting service offerings brochure.

Our regulatory affairs professionals have extensive experience working with the US FDA and other global agencies. They will ensure that multiple strategies and alternatives are considered at every step on the path to product commercialization. We provide expertise in pre- and post-marketing activities, regulatory filings, marketing authorization, and everything in between. See the Regulatory service offerings brochure.

Publications:

Harlow on Health Care - Short Takes at #HIMSS18

Harlow on Healthcare (David Harlow)

While at the HIMSS 2018 annual conference, David Harlow spoke with many healthcare technology company leaders. He is pleased to share some of those conversations. This selection focuses on interoperability, the patient matching technology that undergirds aspects of interoperability, and the benefits of these technologies in the development of tools to manage patient journeys in a manner that engages patients, caregivers and providers as partners in care, advancing the quadruple aim. See publication here.

Do You Know What A State-Run ‘HIE’ Is? Me Neither, But Gerard Knows. ITSP Magazine

In this part 1 of our 2-part podcast, Gerard Scheitlin from Orion Health looks at the state-run health information exchanges (HIEs) and how patient data is collected, accessed, and shared, giving us some insight into how population health and precision medicine are provided leveraging these systems and the big data they hold.

While this might sound a bit ominous, Gerard assures us that all is not doom and gloom as he provides some initial advice for patients; the bottom line is to recognize the value of the HIE, but be well informed about what information is collected and used, and when. See publication here.

Webinar: What is TEFCA Anyway? an Informative Panel Discussion

“TEFCA is aligning to be the biggest change to healthcare interoperability since Meaningful Use exploded EHR Utilization”

The Trusted Exchange Framework and Common Agreement (TEFCA) will be finalized at the end of 2018. Please join us to gain an understanding of key focus areas to ensure TEFCA compliance and gain a wider perspective and viewpoints from the healthcare community.

This informative webinar will begin with a brief introduction of TEFCA followed by a facilitated panel discussion. We will discuss the goals and complexity of TEFCA and invite an open conversation of associated risks, interdependencies with state and federal agencies, consent and consent management, impact on the opioid epidemic, and more.

Panelists include:

  • Gerard Scheitlin, Global VP, Security, Risk and Assurance, Orion Health

  • Kelly Thompson, CEO, Strategic Health Information Exchange Collaborative (SHIEC)

  • Chantal Worzala, PhD, Vice President, Health Information & Policy Operations, American Hospital Association & Vice Chair, eHealth Initiative Policy Steering Committee 


See publication here.

Health Records Should Belong To Patients. ITSP Magazine

This is part 2 of the two-part podcast where ITSPmagazine's Sean Martin had a chance to connect with Gerard Scheitlin, the Chief Risk Officer and chief of security, risk, and assurance for Orion Health.

In this second episode, the two continue the conversation, looking beyond the systems aspects and digging deeper into the health records themselves. Gerard spends some time looking at what data is included in today's electronic health records; you might be surprised by some of the things that are collected, submitted, and used to provide health services, all driven by an industry looking to transition from a model of population-based care to one of precision medicine.

We are in a transition in healthcare, moving from a population-based system of care to a model where precision medicine can be applied, and specific treatments can be directed toward particular patients based on a wealth of health information made available to the caregivers via our medical records. With this, the questions become: how do patients provide the information that matters, and how do they take an active role in the data access and management process? And, more importantly, are they in control of the processes that manage how and when data is submitted, collected, accessed, shared, and analyzed? Can they turn access to their medical records on and off like a light switch?

With more data becoming more distributed and more readily available to the entire healthcare ecosystem, how do we approach and manage risk? How do we make the information only valid (and valuable) when in use by the patient that owns it and not worth a penny for anyone looking to steal the information for malicious or fraudulent purposes? It’s this type of radical transformation that's required to move healthcare forward while dramatically reducing the risks we currently face in making our data available electronically. As Gerard notes in this episode, we need to be able to own our data; we need to be aware of where our data lives. See publication here.

Are We Doing Enough To Protect Health Records? ITSP Magazine.

Health data is some of the most important, sensitive, and valuable information available. This information is critical in providing health services, of course, but is also valuable in other ways; for criminal and fraudulent purposes. The question is, are we doing enough as an industry to help protect this data from all aspects of the security CIA triad: confidentiality, integrity, and availability?

To help answer this question, Sean Martin, editor in chief for ITSPmagazine, connected with Gerard Scheitlin, the Chief Risk Officer and chief of security, risk and assurance for Orion Health as part of the An InfoSec Life podcast series here on ITSPmagazine. Gerard has some amazing experiences to share as he looks to help his healthcare organization not only protect sensitive health information, but also to help make this information available in ways that can make our population healthier in the process. Of course, as the person responsible for also ensuring that the business processes and systems are designed and deployed with security in mind, Gerard has some interesting tales to share here as well.

In this Part 1 of the 2-part series, Gerard provides some insight into the challenges CISOs face with the growth of technology, counter-balanced with the long-lasting legacy systems that organizations and their patients continue to rely on every day. The challenge comes when a doctor wants to buy a new piece of equipment that can help save lives: does the provider buy that new equipment, or replace the older systems that could be compromised and could put lives in danger? It is a difficult decision for the CIO, CTO, and CISO. But, as Gerard notes, the recent WannaCry events have triggered some sense of reality, and some of the antiquated equipment is now being replaced. See publication here.

Prove to Your Clients That You Take Your Data-Custodian Role Seriously

In this video, Gerard Scheitlin, VP, security, risk, and assurance, explores the importance of being able to prove to those who entrust you with their data that you take that responsibility seriously. See publication here.

The Two Things You Should Be Doing to Prevent Phishing

In this clip, Gerard Scheitlin, VP, security, risk, and assurance, discusses strategies for successfully simulating phishing campaigns internally and incentivizing participation, learning more about the current external threat landscape, and more. See publication here.

There's Nothing Like a Good Emergency

Gerard Scheitlin, VP, security, risk, and assurance, explains in this clip why waiting for an emergency—like the WannaCry attack and other ransomware attacks—before kicking off a security program is the wrong approach and describes a quick, proactive strategy for getting "out in front of it" early. See publication here.

A Complete System, Not a Piecemeal Product

In this video, Gerard Scheitlin, VP, security, risk, and assurance, shares his thoughts on what it means for a product to stand up to a rigorous certification process, how it underscores that the product is a complete system that satisfies all aspects of a set of regulations, and more. See publication here.

Does Your Health IT Vendor Protect You From Ransomware?

With the WannaCry attack still fresh in everybody’s mind, it’s prudent to ask: Does my health IT vendor take great pains to ensure the protection of my trusted data? Your vendor can prove that they take their custodian role very seriously by incorporating a multi-faceted approach of prevention and reaction. Both of these facets incorporate social and technological protection. See publication here.

Validations Aren't Easy Things to Achieve

In May 2017, Orion Health was granted a certificate of authority by the Minnesota Department of Health to operate as a health data intermediary (HDI). In this video, Gerard Scheitlin, VP, security, risk, and assurance, explains why passing a state entity's product-review process is no simple matter for a health IT vendor, and why that should matter to customers. See publication here.

Rely on Health IT Vendors for Answers to Risk/Compliance Questions

In this clip, Gerard Scheitlin, VP, security, risk, and assurance, explains why a health IT vendor can offer the most complete answers to their customers' risk/compliance questions. See publication here.

A Tiered Approach to Protection

In this video, Gerard Scheitlin, VP, security, risk, and assurance, describes how a health IT vendor's tiered approach to protection creates a significant value-added service for the customer. See publication here.

Application of Quality Philosophies to Infosec, Compliance, & Privacy

In this video, Gerard Scheitlin, VP, security, risk, and assurance, explains how the application of quality philosophies to information security, compliance, and privacy can free a healthcare organization to focus on improving the health of their patients. See publication here.

The Advantages of Rolling Up Organizational Risks Into One Team

In this video, Gerard Scheitlin, VP, security, risk, and assurance, explains how rolling up organizational risks into a single team creates invaluable synergies for a health IT vendor. See publication here.

How to Address All HITRUST Requirements

In this video, Gerard Scheitlin, VP, security, risk, and assurance, describes a strategy for addressing all HITRUST requirements, including the technical, policy, process, and system aspects. See publication here.

Why Your Vendor MUST Have One Team for Security, Risk, & Assurance

In this whitepaper, Gerard Scheitlin, VP, Security, Risk, and Assurance, describes the benefits of having a single team that manages organizational risk. See publication here.

Big Healthcare Players Store Big Data in the Cloud

In this special guest feature, Gerard Scheitlin, Vice President of Security, Risk, and Assurance at Orion Health, makes the case that big healthcare players are storing big data in the cloud because the benefits of cloud infrastructures are significant and hard to ignore. Gerard is the executive in charge of the Risk, Information Security, and Quality function for Orion Health, a global provider of healthcare information technology. This includes responsibility for the organization’s security strategy, privacy and compliance oversight, clinical performance, and the implementation of quality improvement efforts to surpass compliance with industry leading accreditation standards. Gerard is a certified Lean Six Sigma Master Black Belt and holds a Bachelor of Science in Mechanical Engineering from Purdue University, and a Master of Science in Engineering Management from the University of Alabama. See publication here.

If you're interested in a service you do not see listed here, please reach out to us with your inquiry!
