4 CISO Tips on Starting FAIR Cyber Risk Quantification at a Healthcare Organization
Healthcare industry CISOs have been among the most active – and sharing – members of the FAIR™ community. In videos and blog posts, we’ve collected some of their collective wisdom about introducing Factor Analysis of Information Risk and quantitative cyber risk management practices to healthcare providers and healthcare payers. Here’s a sampling of starter advice from:
Michael Meis, Associate CISO, The University of Kansas Health System
Brad Carvellas, VP and CISO, The Guthrie Clinic
Omar Khawaja, Former VP and CISO, Highmark Health (now VP Security and Field CISO, Databricks)
And others.
In explaining FAIR, meet people where they’re at
Cyber risk quantitative methods take some effort at socializing, particularly if the organization is used to qualitative risk assessments based on the opinions of SMEs. Be patient; it could be a 2-3-year process, Michael Meis said. “If they’re married to colors [red-yellow-green for risk ratings], put quantitative ranges on colors and advance from there,” Michael said. See some approaches here: What Does a Hybrid between Quantitative and Qualitative Cyber Risk Analysis Look Like?
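Putting quantitative ranges behind the colours, as Michael suggests, only works if the dollar figure feeding the colour comes from a repeatable calculation. The following is an added example, not code from the article or the FAIR Institute: a small FAIR-style Monte Carlo that turns min / most likely / max estimates for Loss Event Frequency and Loss Magnitude into an annualized loss exposure distribution and then maps it to a colour band. The scenario estimates and the band thresholds are constructed for illustration.

```python
import math
import random
from statistics import mean, quantiles

# Constructed scenario, not taken from the article: min / most likely / max
# estimates for Loss Event Frequency (events per year) and Loss Magnitude
# (dollars per event), the two top-level FAIR factors.
SCENARIO = {
    "name": "ransomware on clinical systems (constructed)",
    "lef": (0.1, 0.5, 2.0),
    "lm": (200_000, 1_500_000, 8_000_000),
}

# Quantitative ranges placed behind the colours (constructed thresholds,
# annualized loss exposure in dollars, lower bound inclusive).
COLOR_BANDS = [
    ("green", 0, 500_000),
    ("yellow", 500_000, 2_000_000),
    ("red", 2_000_000, math.inf),
]

def color_for(dollars):
    """Map a dollar figure to the colour whose range contains it."""
    for name, lo, hi in COLOR_BANDS:
        if lo <= dollars < hi:
            return name
    raise ValueError(f"no band for {dollars}")

def _poisson(rng, lam):
    """Knuth's sampler: number of loss events in one simulated year."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1

def simulate_loss_exposure(scenario, years=10_000, seed=7):
    """Monte Carlo over simulated years; returns an ALE summary and its colour."""
    rng = random.Random(seed)
    lo_f, ml_f, hi_f = scenario["lef"]
    lo_m, ml_m, hi_m = scenario["lm"]
    annual = []
    for _ in range(years):
        freq = rng.triangular(lo_f, hi_f, ml_f)  # random.triangular(low, high, mode)
        events = _poisson(rng, freq)
        annual.append(sum(rng.triangular(lo_m, hi_m, ml_m) for _ in range(events)))
    p10, p50, p90 = (quantiles(annual, n=10)[i] for i in (0, 4, 8))
    avg = mean(annual)
    return {"mean": avg, "p10": p10, "p50": p50, "p90": p90, "color": color_for(avg)}
```

Because the distribution is heavily right-skewed, showing the p10 / p50 / p90 range alongside the colour keeps the conversation honest about uncertainty instead of collapsing it back into a single label.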
Brad Carvellas found an interesting angle to speaking with medical professionals – emphasize the data-driven, probabilistic nature of FAIR. “Medicine is a science of uncertainty and an art of probability,” he quoted one of the founders of The Johns Hopkins University School of Medicine.
But the bottom line for any healthcare audience, Brad said, is outcomes for patients – for cyber risk management, that’s maximizing protection for confidentiality of PHI and integrity and availability of systems while minimizing investment.
Look for opportunities in existing healthcare processes
Brad’s team worked risk assessments into purchasing decisions for infusion pumps, pointing out manufacturers that might have a vulnerable tech stack that opens the door to ransomware vs. those that have security by design. “We went from being barely present in the medical device purchasing cycle, to advisers and enablers on quality care,” he said. Understand your stakeholders’ pain points, Michael advised: “it helps you cater a message about how you can fix their problems.”
Support HIPAA compliance with cyber risk analysis
Healthcare is one of the most cyber-regulated industries around; HIPAA regulations mandate risk assessments that forward-thinking organizations increasingly view as an opportunity to gain business value, not just run a checklist. Learn in this case study how one organization used FAIR risk analysis to meet the requirement to assess “the potential risks and vulnerabilities to the confidentiality, availability and integrity of all e-PHI that an organization creates, receives, maintains, or transmits.”
Clean house in the cyber risk management program
Learn in this case study how Highmark Health’s Omar Khawaja turned FAIR analysis loose on existing practices to make impressive cost-savings gains, including: re-evaluating dozens of risk assessments and finding that the vast majority labeled “high risk” weren’t when risk analysis in financial terms was applied…and analyzing existing controls for their effectiveness, including a million-dollar control producing zero risk reduction.
As CISO at Highmark, he could “build an income statement that expresses reduced risk as to the equivalent of value brought to the company—or our loss avoidance,” Khawaja said. “I shifted the security program away from being literally a cost center to being a value center.”