Accounting Authority ACCA Points to FAIR Standards for Healthcare Cyber Risk Management

Healthcare Finance Report by ACCA

The global standards body for the accounting profession, the Association of Chartered Certified Accountants (ACCA), recently issued a report, Risk Cultures in Healthcare: The Role of Accountancy, that urges finance professionals in healthcare to look to FAIR standards for help confronting “a perfect storm of risks”: rising cyber threats plus severe skills shortages.

Image from the ACCA report

The report quotes FAIR Institute Founder Nick Sanna and includes a schematic of the FAIR Materiality Assessment Model (FAIR-MAM), the standard for accurately quantifying loss from cyber incidents.

As the report says, “Boards must make tough decisions on where to invest scarce financial resources, as bolstering cybersecurity measures inevitably detracts from available funding for the prime objective of patient care.

“These are important judgment calls for financial leaders in assessing the relevant trade-offs and providing insightful scenario analysis on how much you spend versus all the damage from a cybersecurity attack.”

The report quotes Nick Sanna with some specific advice on how to handle those trade-offs:

“Healthcare needs to be more proactive, but you can only do that when you look the problem in the eye and decide how much you want to mitigate versus investing in dealing with it. That’s not possible without a financial loss model.

“The CFOs have to join up with the CISOs [chief information security officers]. Otherwise, you’re left guessing and managing risks crisis-to-crisis, and therefore losing more.”

A complicating fact, Nick warned, is that “there’s a lot of outsourcing in healthcare so that means the attack surface is not limited to the internal system. They cannot just think about cybersecurity in the confines of the services they manage. They need to look at cyber from a holistic perspective because ultimately the regulator is going to hold them accountable.”

Nick made similar points in a webinar for the ACCA on Digital Transformation Risks: Roundtable for European ACCA Markets.

The FAIR Institute has long campaigned for the healthcare industry to take a careful, quantitative approach to cybersecurity investment, informed by the best data and models, given the serious implications of risk management decisions (example from 2022: FAIR Institute Urges a Risk-based Approach to Healthcare Cybersecurity, in Response to Policy Options Paper by Sen. Warner).

The Institute also has contributed timely analysis of cyber incidents in healthcare; see our work leveraging FAIR-MAM to bring clarity to the disastrous UnitedHealthcare breach (FAIR MAM Analysis: UnitedHealth Hack Disclosures May Significantly Under-report Total Impact).

Schematic: FAIR-MAM (FAIR Materiality Assessment Model)

Expect more advances in quantitative cyber risk management coming from our Health Industry Research Board in 2025. Are you a healthcare professional interested in participating? Contact us today.
