Some of the world’s largest and most successful companies, including Amazon, BlueCross Blue Shield, and the Mayo Clinic, have embarked on their Open FAIR™(1) journey and are realizing the benefits of cyber risk quantification: more effective board-level reporting, improved risk visibility, and better decision-making around cybersecurity strategies and investments. While these and many other companies have started to see the benefits of cyber risk quantification (CRQ), many organizations have been left behind and are yet to tap into its secret powers, especially small and mid-sized hospital systems.
Obstacles for hospitals
So what are some of the things preventing small and mid-sized hospitals from adopting Open FAIR™?
One is lack of awareness at the board level. Few hospital risk, audit, and compliance committees are aware of the business benefits of Open FAIR™ and CRQ. As a result, they don't push management for quantitative risk reporting.
Another challenge is the limited access to CRQ expertise. Without access to the skillsets required to quantify cyber risk effectively, hospital CISOs and risk managers are forced to rely on risk scoring methods built around flawed math and estimating methods.
A third, and possibly one of the biggest, obstacles is not understanding the business value. Without being able to articulate the business value CRQ can deliver, it is difficult to justify the investment of resources (time, people, and money). Many hospitals lack the staff and tools necessary to perform even simple risk analysis, let alone more involved and time-consuming deep-dive analysis with quantitative models.
WHAT CAN YOU DO?
Building a quantitative risk management process requires an investment of resources (time, people, money) and specific skillsets. It is not just about buying a tool and plugging in numbers. It requires helping organizations change the way they think, talk, and go about the process of analyzing and estimating risk, which cannot be done with the flip of a switch. It needs a more thoughtful strategic approach that involves planning and the application of organizational change management practices and principles.
HealthGuard’s mission is to build a safer and more secure healthcare system by improving the way hospitals measure and manage cyber risk. We understand that getting started with Open FAIR™ and quantitative risk analysis can be challenging for most hospitals, and we suggest that the following steps can help you get past this hurdle.
STEP 1 - LEARN THE BASICS
Educate yourself on some of the foundational concepts of risk quantification. The goal here is not to become an expert, but to get comfortable with the concepts and an understanding of what is possible in terms of the business value cyber risk quantification can bring.
- Download the Open FAIR™ Body of Knowledge (BoK).
- Attend an introductory class. There are several FREE options available to you from organizations such as Healthguard University, the Society of Information Risk Analysts (SIRA), The Open Group, and the FAIR Institute.
STEP 2 - FIND A CRQ SHERPA AND START PRACTICING
Find someone who has the experience and has been down the path you are on. Organizations like HealthGuard specialize in helping hospital security, audit, and risk professionals develop effective strategies and navigate the path toward their goals and objectives.
While you begin to learn more about FAIR, it is important to start applying your knowledge by running analyses. The Open Group provides the Open FAIR™ Risk Analysis Tool, a modeling tool, available under a 90-day evaluation license on its website. Healthguard is also developing an Open FAIR™ trainer, a demo version of our Decipher Risk application, so you can learn by analyzing a risk scenario. Working with these tools allows you to understand the value of quantitative analysis in estimating the frequency and magnitude of losses associated with a particular risk. You can also learn how to interpret the results and communicate about the risk to other stakeholders in the organization.
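To make the "frequency and magnitude of losses" idea concrete before you open a tool, here is an added example (not HealthGuard's code, nor The Open Group's tool) of the basic Open FAIR arithmetic run as a Monte Carlo simulation: Loss Event Frequency is Threat Event Frequency times Vulnerability, each loss event has its own Loss Magnitude, and many simulated years give you an annualized loss exposure and the percentiles a board will ask about. The scenario, the three-point estimates, and the loss tolerance threshold are all constructed, hypothetical values chosen to make the example run; a real analysis replaces them with calibrated estimates from your own subject-matter experts.

```python
import math
import random
import statistics

# Constructed, hypothetical calibrated estimates for one risk scenario.
# Each value is (minimum, most likely, maximum), the three-point estimate an
# analyst records after calibrating subject-matter experts. None of these
# numbers come from the page or from any real hospital.
SCENARIO = {
    "name": "Ransomware disrupts EHR availability (hypothetical)",
    "tef": (0.5, 2.0, 6.0),                 # threat event frequency: attempts per year
    "vulnerability": (0.10, 0.30, 0.60),    # P(a threat event becomes a loss event)
    "loss_magnitude": (50_000, 400_000, 3_000_000),  # USD lost per loss event
}


def draw(rng, estimate):
    """Sample one value from a (min, most likely, max) triangular distribution."""
    low, mode, high = estimate
    return rng.triangular(low, high, mode)


def poisson(rng, lam):
    """Number of events in one year given an expected rate lam (Knuth's method)."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product < limit:
            return count
        count += 1


def simulate_year(rng, scenario):
    """One simulated year of losses for the scenario, in USD."""
    # Open FAIR ontology: Loss Event Frequency = Threat Event Frequency x Vulnerability
    lef = draw(rng, scenario["tef"]) * draw(rng, scenario["vulnerability"])
    events = poisson(rng, lef)
    # Each loss event gets its own magnitude draw; zero events means zero loss.
    return sum(draw(rng, scenario["loss_magnitude"]) for _ in range(events))


def run_simulation(scenario, trials=10_000, seed=1):
    """Monte Carlo over many simulated years; returns the sorted annual losses."""
    rng = random.Random(seed)   # fixed seed so a reported result can be reproduced
    return sorted(simulate_year(rng, scenario) for _ in range(trials))


def summarize(losses):
    """Annualized loss exposure (mean) plus the percentiles decision-makers ask for."""
    deciles = statistics.quantiles(losses, n=10)   # nine cut points: p10 .. p90
    return {
        "mean": statistics.fmean(losses),
        "p10": deciles[0],
        "p50": deciles[4],
        "p90": deciles[8],
        "max": losses[-1],
    }


def exceedance_probability(losses, threshold):
    """Share of simulated years in which losses exceed a risk tolerance threshold."""
    return sum(1 for loss in losses if loss > threshold) / len(losses)


if __name__ == "__main__":
    losses = run_simulation(SCENARIO)
    stats = summarize(losses)
    print(SCENARIO["name"])
    for key, value in stats.items():
        print(f"  {key:>4}: ${value:,.0f}")
    tolerance = 1_000_000   # hypothetical board-approved annual loss tolerance
    print(f"  P(annual loss > ${tolerance:,}): "
          f"{exceedance_probability(losses, tolerance):.1%}")
```

The point of the percentiles and the exceedance probability is communication: "there is roughly an X% chance this scenario costs us more than $1M in a given year" is a statement a CFO can weigh against the cost of a control, where a heat-map colour is not. Re-running the simulation with the estimates you expect after a proposed control (a lower vulnerability or loss magnitude) gives you the before-and-after comparison that an investment decision needs.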
As you get more familiar with FAIR and quantitative analysis, you can then apply them to specific use cases and your most critical risk scenarios, such as:
- Completing your annual HIPAA risk assessment, or
- Using analysis to inform a specific risk scenario or IT security investment decision, or addressing a specific business situation to help guide decisions on mitigation plans and investments.
- Get help: the first time you want to do an analysis, it helps to have someone who has done it, can answer your questions, and can give some insight into potential objections.
STEP 3 - IDENTIFY A CHAMPION AND POTENTIAL LANDMINES
Start small - pick one important decision and build a “pitch deck” that helps explain and sell the idea of risk quantification internally. This should include:
- the business problem,
- the solution,
- a recommended path forward, then
- identify an executive sponsor who sees the potential value and shares your vision; this is the person you will deliver the pitch deck to.
Your Sherpa and newfound champion can help you anticipate potential detractors, stakeholders, and influencers who may feel they have something to lose. While there is little doubt that every hospital CFO and board could benefit from having more accurate business-level risk information available when making important cybersecurity investment decisions, historically the solutions have been cost-prohibitive and out of reach of all but the largest, most profitable organizations. So even hospitals that see the value and have the desire often lack the budget and staffing necessary to implement CRQ in their risk management programs.
STEP 4 - GET A QUICK WIN
At the end of the day, you are looking for an opportunity to demonstrate the value of Open FAIR™ / CRQ by giving decision-makers a better understanding of risk and new insights they can use to make their decisions.
This can come in several forms:
- If you have the skills and are comfortable with the process, you can perform an analysis in-house using one of the tools mentioned above.
- Bring in someone to do a pilot risk assessment project.
- If you already have the budget for an external HIPAA risk assessment, you can use it to hire someone with Open FAIR™ expertise to introduce a quantitative analysis.
As you see the value of applying quantitative risk analysis to achieve your business goals, start to make it part of your risk management process.
NOW THAT YOU HAVE STARTED
Remember that there are help and resources available to you, including the team at HealthGuard. We provide the most comprehensive, cost-effective CRQ solution designed for hospitals and are here to partner with you every step of the way.
Through Healthguard University, we offer training in FAIR™ and how to use it; our consulting services help you solve your specific needs; and our comprehensive DecipherRisk solution lets you rapidly operationalize and automate many of the fundamental FAIR practices. With your newfound knowledge, you can begin applying Open FAIR™ cyber risk quantification principles incrementally, decide which pieces to take on and when, and fit the approach to your organization’s situation, culture, and resources.
(1) These organizations are members of the FAIR Institute™.