Quantifying Cyber Risk in Healthcare with FAIR: A Short Guide

Ransomware attacks on healthcare organizations increased by 94% year over year in 2021, according to a global survey by Sophos; an average of nearly two data breaches of sensitive PHI have occurred every day in the U.S., according to HHS; and the frightening threat of medical device hacks is finally prompting mandates for better cybersecurity controls from Congress and the FDA.

If ever there were an industry that needed the benefits of Factor Analysis of Information Risk (FAIR™) – a disciplined, quantified focus on the risks posing the most loss exposure (in money and lives) and on the best candidates for risk reduction – healthcare is that industry.

As a quick introduction to FAIR cyber risk quantification for healthcare providers and payers, we pulled together this set of guides: 

Ransomware Risk: Setting Up a FAIR Analysis

In this blog post, FAIR standard creator Jack Jones walks you through the steps of a FAIR analysis of ransomware risk for a mid-sized hospital, showing how to frame up a risk scenario to analyze, gather the data and complete the analysis.

Combining FAIR and HITRUST for Better Cyber Risk Management 

This video presentation shows how to introduce cyber risk quantification (CRQ) to a healthcare organization that has traditionally run on a controls checklist/maturity model approach to cybersecurity risk management, using the HITRUST CSF. Highmark combined analysis of risk scenarios with the list of controls to achieve an actionable view of risk.

Satisfy the HIPAA Risk Analysis Requirements with FAIR

FAIR quantitative analysis meets each of the eight HIPAA Security Rule cyber risk requirements – to scope, collect data, assess security posture, determine the impact of loss events and document the risk analysis – in a way that stands up to regulatory scrutiny.

FDA Proposes a “Probabilistic,” Scenario-based Approach for Medical Device Cyber Risk

As this blog post points out, the FDA's proposed regulation of medical devices would in fact extend to hospital IT networks and require FAIR-like risk assessments.

Video: FAIR Risk Analysis for Daily Decision Support at a Major Healthcare Organization

A case study: A major hospital operator in Northern California had been sharing confidential data with offshore vendors when COVID-19 hit – and the vendors announced they were moving employees to working from home. Business management had to decide whether to continue offshore operations or not, and turned to the FAIR-enabled risk management team for fast answers.

Case Study: Highmark Health Transforms Its Approach to Risk Analysis

With FAIR, CISOs are transforming the risk culture at their organizations and winning a seat at the table as trusted advisors on business strategy. This detailed case study from RiskLens tells how CISO Omar Khawaja introduced FAIR at Highmark, starting with simple changes in risk vocabulary, and built a risk management program that produces impressive results. As he said:

“When I can say we are reducing risk by $78M a year on an investment of $15M, I can build an income statement that expresses reduced risk as to the equivalent of value brought to the company—or our loss avoidance,” said Khawaja. “Now I’ve shifted the security program away from being literally a cost center to being a value center.” 

Learn more from interviews with these CISOs:

Michael Carr, Health First

Brad Carvellas, The Guthrie Clinic

Michael Meis, University of Kansas Health System

Learn How FAIR Can Help You Make Better Business Decisions

Order today