FAIR Institute Urges a Risk-based Approach to Healthcare Cybersecurity, in Response to Policy Options Paper by Sen. Warner

Senate Select Committee on Intelligence Chairman Mark R. Warner (D-VA) recently issued a white paper, “Cybersecurity Is Patient Safety,” suggesting policy initiatives for the federal government to incentivize better cybersecurity practices in the healthcare sector.

In a letter to Sen. Warner, FAIR Institute President Nick Sanna applauded the intent of the policy options paper but wrote “We recommend that this call for minimum levels of cyber hygiene gets coupled with critical risk management activities...A pure compliance approach to cybersecurity will not help us win the war against cyber threats.”  

Sanna recommended specifically that healthcare organizations assess their cyber risks in financial terms so they can effectively prioritize cybersecurity efforts, both for new initiatives and to evaluate the performance of their existing controls and processes for their effect in reducing risk.  

The FAIR Institute is the leading proponent for Factor Analysis of Information Risk (FAIR™), the international standard for cyber risk quantification, recognized by the National Institute of Standards and Technology (NIST) and other standards-setting organizations.

“Requiring that healthcare providers take a risk-based approach to cybersecurity will help them assess what best hygiene practices will work for them in the context of the ever-changing cyber risks they face and prioritize them based on business impact, like any other organizational investment activity,” Sanna wrote.  

Learn more: Quantifying Cyber Risk in Healthcare with FAIR: A Short Guide

Read the complete text of the letter:  


Comment to “Cybersecurity Is Patient Safety” document issued by the Office of Senator Mark Warner 

November 28th, 2022  

We commend Sen. Warner for authoring the document with the intent of improving cybersecurity practices in the healthcare sector. We generally agree with the proposals outlined in the document but feel that it omits the key role of cyber risk management in helping healthcare providers prioritize their cybersecurity efforts.   

Chapter 2, which is about providing incentives for healthcare providers to implement adequate levels of cybersecurity, starts with calling for a minimum level of compliance with certain cybersecurity practices.

We recommend that this call for minimum levels of cyber hygiene gets coupled with critical risk management activities such as:  

Assessment of top cybersecurity risks in financial terms, to allow for:  

  • An understanding of the materiality of cyber risks for the specific healthcare provider  
  • Better communication of the impact and business significance of cyber risk to the key business stakeholders in a language they understand, dollars and cents

After all, the executives running those healthcare organizations need to prioritize cyber investments against other business priorities. That is best done if they fully understand the probability of occurrence and the financial impact of cyber events. Trying to get them more familiar with technical cybersecurity recommendations has not been working so far, as they are not and will not become cybersecurity experts, so it is time that we help them understand cybersecurity in business terms.

Cyber risk quantification standards (such as Open FAIR) and multiple assessment tools are now widely available and already in use by a growing number of healthcare providers.   

Demonstration of adequacy of care for material cyber risks, to allow for: 

  • An understanding of whether material cyber risks are being mitigated to an acceptable level, based on business impact
  • An assessment of whether the organization is investing sufficiently in cybersecurity or not

This can be accomplished by quantifying risk and assessing if key controls reduce risk to a level that the business can tolerate. By then factoring in the investment cost, an organization can compare the cost-effectiveness of those controls and assess whether they are indeed effective in their unique context.
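The comparison the letter describes, quantified loss exposure before and after a control, netted against the control's cost and checked against a loss tolerance, can be done with a simplified FAIR-style Monte Carlo. The block below is an added illustration, not FAIR Institute or Open FAIR code; the scenario figures, the hypothetical control and its assumed 50% reduction in loss event frequency are all constructed.

```python
"""Simplified FAIR-style Monte Carlo: annualized loss exposure before and
after a control, net value of the control, and a loss-tolerance check.
Added example, not FAIR Institute code; every figure here is constructed."""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass
class Scenario:
    # Loss Event Frequency (events/year) and Loss Magnitude ($/event) given
    # as (min, most_likely, max) calibrated ranges, as FAIR analyses do.
    lef: tuple
    lm: tuple


def _poisson(rng, lam):
    # Knuth's method; adequate for the small per-year rates used here.
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scn, years=20000, seed=7):
    """Return the total loss for each simulated year of the scenario."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        lo, ml, hi = scn.lef
        events = _poisson(rng, rng.triangular(lo, hi, ml))  # this year's events
        lo, ml, hi = scn.lm
        losses.append(sum(rng.triangular(lo, hi, ml) for _ in range(events)))
    return losses


def summarize(losses):
    """Annualized loss exposure (mean) and the 90th-percentile year."""
    s = sorted(losses)
    return {"ale": statistics.fmean(s), "p90": s[int(0.9 * len(s))]}


def control_value(before, after, annual_cost):
    """Risk reduction net of the control's cost; negative means not worth it."""
    return before["ale"] - after["ale"] - annual_cost


def within_tolerance(summary, tolerance):
    """Does the 90th-percentile annual loss stay under the board's tolerance?"""
    return summary["p90"] <= tolerance


if __name__ == "__main__":
    # Constructed ransomware scenario for a mid-size provider.
    base = Scenario(lef=(0.2, 0.5, 1.5), lm=(200_000, 1_200_000, 6_000_000))
    # Hypothetical control (e.g. phishing-resistant MFA) assumed to halve LEF.
    ctrl = Scenario(lef=tuple(x * 0.5 for x in base.lef), lm=base.lm)
    b, a = summarize(simulate(base)), summarize(simulate(ctrl))
    print(f"ALE before ${b['ale']:,.0f}, after ${a['ale']:,.0f}")
    print(f"net value of control: ${control_value(b, a, 150_000):,.0f}")
    print("within $3M tolerance after control:", within_tolerance(a, 3_000_000))
```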

A pure compliance approach to cybersecurity will not help us win the war against cyber threats, as best hygiene practices can rapidly become obsolete in the face of new threats and put excessive compliance burdens onto the regulated entities. Good hygiene should be seen as a set of recommended best practices, that will inevitably change over time and that might not have the same level of effectiveness in different organizations. What works in one organization might not work as well in another.  

Instead, requiring that healthcare providers take a risk-based approach to cybersecurity will help them assess what best hygiene practices will work for them, in the context of the ever-changing cyber risks they face and prioritize them based on business impact, like any other organizational investment activity. 

We would be happy to engage in more detailed discussions with the office of Sen. Warner to help incorporate risk management considerations, which are becoming necessary in a dynamic and ever-changing cyber threat environment, in its healthcare policy recommendations.

Best regards,  

Nicola (Nick) Sanna 

President, FAIR Institute

About the FAIR Institute 

The FAIR Institute is an expert non-profit organization with 13,000+ members whose mission is to help advance the cybersecurity and operational risk management professions through improvements in risk assessment and decision-making methodologies. SC Magazine recognized the FAIR Institute as one of the three most influential industry organizations of the last 30 years. Learn more at www.fairinstitute.org
