Systemic vs Component Cyber Risk in Healthcare: Which Should You Be More Worried About?


In finance, systemic risk often refers to the collapse of the entire financial system or market. In other applications, it refers to the risk associated with an entire system (e.g., human body, factory) or system of systems (e.g., air traffic control).

In the world of cybersecurity, we are faced with the fact that the Internet is one large system of systems (or, more precisely, a network of networks), which means an issue in any one area or organization has the potential to ripple out to many others.

We have seen this play out countless times through the spread of Internet viruses and worms, and even through issues with core services like DNS (the Domain Name System, which maps between a computer’s IP address and a human-friendly name: 10.1.5.6 = www.mycomputer.com).


Systemic risk is generally viewed as a threat to an organization’s overall ability to function. Component risk affects specific parts of the system: hardware, applications, security controls, etc. If a component is adversely affected, the damage can be contained without threatening the entire system.

Many security professionals become so focused on component risk that they lose appreciation for the big picture. When it comes to a vital, cyber-intensive industry like healthcare, systemic risk goes well beyond the organizational level.

Look Out for the Black Swan

A single systemic vulnerability could jeopardize patient care across a city or broad swath of the nation. Whether a security breach is accidental or malicious, the consequences could be catastrophic and totally unexpected. This type of event is known as a “black swan,” a concept popularized by influential risk analyst and author Nassim Nicholas Taleb. A black swan event is unprecedented, difficult to predict (or even fathom), and has a profound impact on how things are done going forward.

In today’s world, the biggest threat to our security is a black swan. This is why healthcare organizations should focus primarily on assessing systemic risk. How mature are our vulnerability management processes? Are the appropriate policies in place and widely understood? Do we have the right metrics to make timely and accurate decisions? Examining these global issues is a more efficient and effective way to determine how well an organization is managing risk.

Perils of Thinking Small

Concentrating on a series of discrete vulnerabilities is like a cigarette smoker attempting to evaluate his risk of cancer by examining individual blood cells. Not only is the smoker’s activity highly impractical, but it also distracts him from more important health issues and exhausts his resources.

Of course, there are times when you must look at component-level risk as well, especially with assets that can be accessed remotely over the Internet. But even then, it’s critical to understand the relationship between these assets and macro-level security. A root-cause analysis is needed to determine whether a system process failure (or lack of controls) allowed the vulnerability to exist in the first place.

Deep Impacts

Managing cyber risk in healthcare also requires a deep understanding of the sheer scale of systemic impacts. If a software glitch causes a hospital’s EHR to go down, there will undoubtedly be disruption, but patients can be rerouted to other facilities in the area to get the care they need. But what if, as is often the case, the local health systems use the same EHR and are similarly affected? The issue then escalates from an organizational problem to a regional crisis. Let’s say a black swan emerges, like a structural failure of the Internet or a coordinated cyber attack by a sworn enemy. Healthcare as we know it could shut down on a national scale. To be sure, that’s a nightmare scenario, but a possible consequence of neglecting systemic risk.
