It’s not like healthcare hasn’t been warned – just see the ravaging of Britain’s national health system by the WannaCry ransomware hitting outdated, unpatched systems in 2017.
Some of the systemic problems that Ars Technica writer Yael Grauer cites:
Other industries have struggled with seemingly unquantifiable risk, then found that, by going through the FAIR analysis process, probable risk could be reliably estimated in loss ranges. The health industry, with defined figures for the lifetime value of a patient or for lawsuit judgments and settlements, may not be so far off.
In fact, the FAIR movement among healthcare providers is already underway. Highmark Health added FAIR cyber risk quantification to the HITRUST framework, the standard for health industry cybersecurity, using the RiskLens application. FAIR Institute Fellow Jack Freund, PhD, who worked with Highmark on the implementation, wrote that:
“Using the RiskLens CRQ platform, Highmark ran a top risks analysis based on annual loss exposure, and now tracks those risks on an ongoing basis…
“This level of visibility into risk aligns well with the requirements for HITRUST compliance, including specific stipulations calling for clearly stated levels of acceptable risk and risk tolerance thresholds as well as the incorporation of internal incident histories in the risk analysis process.”
Read Jack’s blog post and see some sample Highmark risk reports.
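To make concrete what "estimating probable risk in loss ranges" and a "top risks analysis based on annual loss exposure" look like in practice, here is an added Python example. It is not code from the FAIR Institute, Highmark or the RiskLens platform: it is a toy FAIR-style Monte Carlo that turns calibrated three-point estimates of loss event frequency and loss magnitude into a distribution of annual loss, reports that distribution as a range (10th, 50th and 90th percentiles), and ranks scenarios by mean annual loss exposure. The two scenarios, their dollar figures, and the use of a triangular distribution in place of the PERT curve that FAIR tools normally use are all assumptions made for illustration.

```python
"""Toy FAIR-style Monte Carlo: annual loss exposure from frequency and magnitude ranges.
Added example with constructed scenarios and made-up figures; not real data."""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular distribution stands in for the PERT curve FAIR tools usually use.
        if self.low == self.high:
            return self.low
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    loss_event_frequency: Estimate  # loss events per year
    loss_magnitude: Estimate        # dollars lost per event (response, fines, lawsuits, lost patients)


def poisson(rng: random.Random, mean: float) -> int:
    """Number of loss events in one simulated year for a given average rate (Knuth's method)."""
    if mean <= 0:
        return 0
    threshold = math.exp(-mean)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate(scenario: Scenario, iterations: int = 10_000, seed: int = 7) -> list:
    """One simulated year per iteration: draw a rate, draw that many events, sum their magnitudes."""
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(iterations):
        rate = scenario.loss_event_frequency.sample(rng)
        events = poisson(rng, rate)
        annual_losses.append(sum(scenario.loss_magnitude.sample(rng) for _ in range(events)))
    return annual_losses


def summarize(annual_losses: list) -> dict:
    """Loss-range view: mean ALE, 10th/50th/90th percentiles, and the chance of a loss-free year."""
    deciles = statistics.quantiles(annual_losses, n=10)  # nine cut points: p10 ... p90
    return {
        "mean_ale": statistics.fmean(annual_losses),
        "p10": deciles[0],
        "p50": deciles[4],
        "p90": deciles[8],
        "p_no_loss": sum(1 for x in annual_losses if x == 0) / len(annual_losses),
    }


def rank_top_risks(scenarios, iterations: int = 10_000, seed: int = 7) -> list:
    """Top-risks view: scenarios sorted by mean annual loss exposure, highest first."""
    rows = [(s.name, summarize(simulate(s, iterations, seed))) for s in scenarios]
    return sorted(rows, key=lambda row: row[1]["mean_ale"], reverse=True)


# Constructed scenarios with invented figures, only to show the mechanics.
SCENARIOS = [
    Scenario("Ransomware outage on unpatched clinical systems",
             Estimate(0.1, 0.3, 1.0), Estimate(200_000, 1_500_000, 10_000_000)),
    Scenario("Lost unencrypted laptop holding patient records",
             Estimate(1.0, 3.0, 8.0), Estimate(20_000, 150_000, 900_000)),
]

if __name__ == "__main__":
    for name, stats in rank_top_risks(SCENARIOS):
        print(f"{name}: mean ALE ${stats['mean_ale']:,.0f}, "
              f"p10 ${stats['p10']:,.0f} / p50 ${stats['p50']:,.0f} / p90 ${stats['p90']:,.0f}, "
              f"P(no loss) = {stats['p_no_loss']:.0%}")
```

The p10 to p90 spread is the "loss range" the text refers to: it tells a board how bad a typical year and a bad year look in dollars, rather than a single point estimate or a red/amber/green label. Tracking the ranking over time, as the quoted Highmark approach does, means re-running the same simulation as the estimates are refined with internal incident history.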
Another positive development, the Ars Technica article points out: Dr. Suzanne Schwartz, associate director for science and strategic partnerships in the Food and Drug Administration (FDA) Center for Devices and Radiological Health, is winning praise for bringing doctors, patients and healthcare providers together to strategize on cybersecurity. “We’re not able to address the cybersecurity issues within healthcare alone,” she said. She’s working on public/private partnerships through the FDA’s Healthcare Sector Coordinating Council – a good starting point would be tapping into the FAIR community.
Read the Ars Technica article: Why is the healthcare industry still so bad at cybersecurity?