Ransomware attacks on healthcare organizations increased by 94% year over year in 2021, according to a global survey by Sophos. An average of nearly two data breaches of sensitive PHI have occurred every day in the U.S., according to HHS. And the frightening threat of medical device hacks is finally prompting mandates for better cybersecurity controls from Congress and the FDA.
If ever there were an industry that needed the benefits of Factor Analysis of Information Risk (FAIR™) – a disciplined, quantified focus on the risks posing the most loss exposure (in money and lives) and on the best candidates for risk reduction – healthcare is that industry.
As a quick introduction to FAIR cyber risk quantification for healthcare providers and payers, we pulled together this set of guides:
In this blog post, FAIR standard creator Jack Jones walks you through the steps of a FAIR analysis of ransomware risk for a mid-sized hospital, showing how to frame up a risk scenario to analyze, gather the data and complete the analysis.
This video presentation shows how to introduce cyber risk quantification (CRQ) to a healthcare organization that has traditionally run on a controls checklist/maturity model approach to cybersecurity risk management using the HITRUST CSF. Highmark combined analysis of risk scenarios with its list of controls to achieve an actionable view of risk.
FAIR quantitative analysis meets each of the eight HIPAA Security Rule cyber risk requirements to scope, collect data, assess security posture, determine impact of loss events and document risk analysis in a way that stands up to regulatory scrutiny.
As this blog post points out, the FDA's proposed regulation of medical devices would in fact extend to hospital IT networks and require FAIR-like risk assessments.
A case study: A major hospital operator in Northern California had been sharing confidential data with offshore vendors when COVID-19 hit – and the vendors announced they were moving employees to working from home. Business management had to decide whether to continue offshore operations, and turned to the FAIR-enabled risk management team for fast answers.
With FAIR, CISOs are transforming the risk culture at their organizations and winning a seat at the table as trusted advisors on business strategy. This detailed case study from RiskLens tells how CISO Omar Khawaja introduced FAIR at Highmark, starting with simple changes in risk vocabulary, and built a risk management program that produces impressive results. As he said:
“When I can say we are reducing risk by $78M a year on an investment of $15M, I can build an income statement that expresses reduced risk as to the equivalent of value brought to the company—or our loss avoidance,” said Khawaja. “Now I’ve shifted the security program away from being literally a cost center to being a value center.”
Learn more from interviews with these CISOs: