Ranking Cyber Risks to Healthcare Companies with Risk Quantification

It’s high stakes in the cyber risk landscape for healthcare providers, payers, medical device makers, third-party vendors, and the rest of a complex ecosystem where cyber events have real-world consequences in cancelled surgeries, disrupted emergency rooms, and damaging releases of the most sensitive personal information (PHI).

The new RiskLens Cybersecurity Risk Report for 2023 brings together cyber risk quantification, FAIR risk analysis and our tailored industry data to reveal insights that health industry risk and security managers and business leaders need to know to target strategy for cybersecurity in healthcare.

Key Points about Cyber Risk in the Healthcare Industry

  • Highly regulated: The federal government’s HHS Office of Civil Rights (OCR) actively tracks healthcare data breaches and issues fines for HIPAA privacy violations (a total $6.1 million in 2021) at covered healthcare organizations and their “business associates.” The Food and Drug Administration (FDA) and Federal Trade Commission (FTC) also exercise oversight.
  • Mandated regular risk assessments under the HIPAA Security Rule with tighter requirements likely to come. “All too often, we see that risk analyses only cover the electronic health record (ePHI),” OCR Director Lisa Pino wrote in 2022. “I cannot underscore enough the importance of enterprise-wide risk analysis.”
  • Ongoing problems with weak cybersecurity. Most notoriously, Britain’s National Health System was crippled in 2017 by the WannaCry ransomware exploiting a vulnerability in its old, unpatched Windows 7 operating system. The FBI reported in 2022 that “approximately one third of healthcare IoT devices have an identified critical risk potentially implicating technical operation and functions of medical devices.”
  • High likelihood for lawsuits – in fact, “it is now common for multiple lawsuits to be filed after healthcare data breaches,” HIPAA Journal reported, noting that three class action suits were filed within days of Regal Medical Group reporting in February, 2023, on a data breach of 3.3 million PHI records.

Key Findings for the Healthcare Industry in the RiskLens 2023 Cybersecurity Risk Report Based on Cyber Risk Quantification, FAIR Analysis, and Industry Data

RiskLens Cybersecurity Risk Report 2023 - Top 2 Industries by Total Loss Exposure

Detail from the RiskLens Cybersecurity Risk Report

  • The Healthcare sector is second only to Public Administration for average loss exposure ($5.5 million vs $7.6 million) among nine sectors studied. 
  • Relatively high annual probability of any cyber loss event (9%), second to Public Administration (17%).
  • Insider error (annual probability 24%) and insider misuse (annual probability 20%) were the top risk themes for loss exposure at health organizations, likely a result of widespread access to PHI records by staff. 
  • Despite the impression left by news coverage of some highly disruptive ransomware attacks at healthcare facilities, the industry-average annual probability of a ransomware event is just three percent.


The RiskLens data science team ranks risks by average loss exposure (per risk scenario), summarizing how losses play out probabilistically over 10,000 simulated years, incorporating both the probable cost and probability of occurrence of the events. It’s a measurement in dollars that security and risk teams can use to inform cost-effective spending decisions.

The representative/reference organization used for this simulation study is a mid-sized healthcare industry organization in North America of 500-1,000 employees and $100M-$1B in revenue with personally identifiable information (PII) records at risk.
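The ranking method described above (average loss exposure per scenario over 10,000 simulated years) can be sketched as follows. This is an added example, not RiskLens code or data: the annual probabilities are the page's figures, while the loss ranges, the triangular loss distribution, and the one-event-per-year simplification are assumptions made for illustration.

```python
import random
import statistics

SIM_YEARS = 10_000  # simulated years, as in the method the page describes

# name: (annual probability from the page, (low, most likely, high) loss in USD).
# The loss ranges are constructed placeholders, not RiskLens data.
SCENARIOS = {
    "insider error":  (0.24, (20_000, 150_000, 1_500_000)),
    "insider misuse": (0.20, (50_000, 300_000, 2_000_000)),
    "ransomware":     (0.03, (200_000, 1_000_000, 6_000_000)),
}

def simulate(prob, loss_range, rng, years=SIM_YEARS):
    """One loss figure per simulated year; 0.0 when no event occurs."""
    low, mode, high = loss_range
    return [rng.triangular(low, high, mode) if rng.random() < prob else 0.0
            for _ in range(years)]

def summarize(losses):
    """Average loss exposure plus the tail that a plain average hides."""
    ordered = sorted(losses)
    return {
        "average_loss_exposure": statistics.fmean(losses),
        "event_year_fraction": sum(x > 0 for x in losses) / len(losses),
        "p99_year": ordered[int(0.99 * len(ordered))],
    }

def rank(scenarios=SCENARIOS, seed=2023):
    """Scenarios sorted by average loss exposure, highest first."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    results = [(name, summarize(simulate(prob, loss_range, rng)))
               for name, (prob, loss_range) in scenarios.items()]
    return sorted(results, key=lambda r: r[1]["average_loss_exposure"],
                  reverse=True)

if __name__ == "__main__":
    for name, s in rank():
        print(f"{name:15s} avg ${s['average_loss_exposure']:>10,.0f}  "
              f"event years {s['event_year_fraction']:.1%}  "
              f"99th pct year ${s['p99_year']:>12,.0f}")
```

With these constructed inputs, the 3% ransomware scenario ranks last on average loss exposure even though its worst simulated years are the most expensive, which is why the 99th-percentile year is reported next to the average.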

*** This is a Security Bloggers Network syndicated blog from RiskLens Resources authored by Jeff B. Copeland. Read the original post at: