Brad Carvellas, Vice President and Chief Information Security Officer at The Guthrie Clinic, operator of five hospital campuses and more than 50 clinics in Pennsylvania and New York, speaks from experience in launching a FAIR program in a healthcare institution – he was part of the team that introduced quantitative cyber risk management to Highmark Health, a FAIR pioneer in the sector.
Brad shared his insights at the 2021 FAIR Conference (FAIRCON21) in the panel discussion Practitioner Use Case Panorama, with Mike Radigan, leader of the cyber risk quantification practice at a global company, and Cedric De Carvalho, Cyber Risk Manager at Richemont International.
Registrants for the 2021 FAIR Conference can view the archived video of Brad's presentation by returning to the FAIR Conference platform, using the same link, username and password that were emailed to you. Didn't attend the conference? You can still register now at no charge to view the sessions on video.
Brad is building a cyber risk quantification program from the ground up at Guthrie, with a goal of “audience-centric” communication on risk. “We have to target and calibrate our communication; it’s about what the audience needs to make informed business risk decisions,” he says. And the FAIR approach is close to what his audience knows from medical practice: “Medicine is a science of uncertainty and an art of probability,” he quotes William Osler, one of the founders of The Johns Hopkins University School of Medicine.
Focus on patient care, Brad advises managers of cyber and technology risk in health organizations: the bottom line is quality, available health services. Ransomware attacks, now rampant in the sector, can take down electronic medical record (EMR) systems, shut down operating rooms and disrupt emergency departments, harming patients, costing revenue and potentially leading to court judgments (see the recent lawsuit against an Alabama medical facility over the death of an infant after a ransomware event).
Brad’s team has been able to work risk assessments into purchasing decisions for infusion pumps, pointing out which manufacturers might have a vulnerable tech stack that opens the door to ransomware, and those that have security by design. “We went from being barely present in the medical device purchasing cycle, to advisers and enablers on quality care,” he says.
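To make the kind of purchasing-cycle comparison Brad describes concrete, here is an added example (not Guthrie's model, tooling or data) of a FAIR-style Monte Carlo that scores two hypothetical infusion-pump vendors against a ransomware scenario. It follows the Open FAIR factoring (loss event frequency = threat event frequency × vulnerability; annualized loss = the sum of per-event losses), samples each calibrated min/most-likely/max range with a BetaPERT distribution as FAIR tooling commonly does, and reports the figures a board audience asks for: expected annual loss, the 90th-percentile "bad year", and the probability of any loss at all. Every estimate, vendor name and dollar figure below is constructed for illustration.

```python
"""FAIR-style Monte Carlo comparison of two device purchasing options.

Added illustration, not The Guthrie Clinic's model or data. Uses the
Open FAIR factoring: Loss Event Frequency = Threat Event Frequency x
Vulnerability; Annualized Loss = sum of per-event loss magnitudes.
All estimates below are constructed for illustration only.
"""
from __future__ import annotations

import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated (min, most likely, max) range, as FAIR analysts elicit them."""
    low: float
    likely: float
    high: float


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate   # threat events per year (ransomware reaching the device network)
    vuln: Estimate  # probability an attempt becomes a loss event (0..1)
    loss: Estimate  # primary loss per event, USD (downtime, recovery, diversions)


def pert(rng: random.Random, e: Estimate, lam: float = 4.0) -> float:
    """Sample a BetaPERT distribution over [low, high] peaked at `likely`."""
    if e.high == e.low:
        return e.low
    alpha = 1 + lam * (e.likely - e.low) / (e.high - e.low)
    beta = 1 + lam * (e.high - e.likely) / (e.high - e.low)
    return e.low + rng.betavariate(alpha, beta) * (e.high - e.low)


def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in a year (Knuth's method; fine for small rates)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(s: Scenario, trials: int = 5000, seed: int = 1) -> list[float]:
    """Return one simulated annual loss (USD) per trial for the scenario."""
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        lef = pert(rng, s.tef) * pert(rng, s.vuln)      # expected loss events / year
        events = poisson(rng, lef)                        # realised count this year
        annual.append(sum(pert(rng, s.loss) for _ in range(events)))
    return annual


def percentile(values: list[float], p: float) -> float:
    """Nearest-rank percentile, e.g. p=0.9 gives the 'one-in-ten bad year'."""
    ordered = sorted(values)
    idx = max(0, math.ceil(p * len(ordered)) - 1)
    return ordered[idx]


def summarize(values: list[float]) -> dict[str, float]:
    return {
        "mean": sum(values) / len(values),
        "p50": percentile(values, 0.5),
        "p90": percentile(values, 0.9),
        "p_any_loss": sum(1 for v in values if v > 0) / len(values),
    }


def compare(scenarios: list[Scenario], trials: int = 5000, seed: int = 1) -> dict[str, dict[str, float]]:
    """Same seed per vendor so the only difference is the vendor's estimates."""
    return {s.name: summarize(simulate(s, trials, seed)) for s in scenarios}


# Constructed estimates for two hypothetical vendors. Threat activity and
# per-event loss are held equal; only the device's susceptibility differs.
VENDOR_A = Scenario("Vendor A (legacy OS, no segmentation guidance)",
                    Estimate(2, 4, 8), Estimate(0.30, 0.50, 0.80),
                    Estimate(50_000, 250_000, 1_500_000))
VENDOR_B = Scenario("Vendor B (hardened image, signed updates)",
                    Estimate(2, 4, 8), Estimate(0.02, 0.05, 0.15),
                    Estimate(50_000, 250_000, 1_500_000))

if __name__ == "__main__":
    for name, st in compare([VENDOR_A, VENDOR_B]).items():
        print(f"{name}: mean ALE ${st['mean']:,.0f}, 90th pct ${st['p90']:,.0f}, "
              f"P(any loss) {st['p_any_loss']:.0%}")
```

The output is the artefact to bring to a purchasing committee: a dollar-denominated difference between the two options rather than a list of CVEs. The useful argument then moves to the inputs, which is where it belongs; if clinical engineering disputes the vulnerability range for one vendor, change the estimate and rerun, and the decision is revisited on evidence rather than on anecdote.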
Maturity of Cyber Risk Management for Healthcare Providers
As Brad sees it, the sophistication level of quantitative cyber risk management in healthcare is “nascent but starting to mature quickly” in response to three drivers gaining the attention of boards: first, coverage in the news media on ransomware, data breaches and other cybersecurity loss events among healthcare providers and payers; second, the discussions at the federal government level about protection of critical infrastructure; and third, the tougher underwriting requirements among cyber insurers after heavy ransomware losses. “Now, it’s ‘If you don’t have x or y controls, we may not renew you.’”
“There’s a lot of attention to cybersecurity in healthcare. It’s driving change, but for sustainable risk management, you need to be able to effectively measure and communicate business risk,” Brad says. “If you don’t have tools like FAIR to do that, I’d argue you can’t have a cyber security program delivering optimized business risk reduction and value.”