# Opener

Harnessing Cyber Risk Quantification to Safeguard Healthcare Providers

Published by Brendan J. Fitzpatrick

Welcome to Axio’s series on cybersecurity for healthcare providers, where we share expert insights and practical advice tailored to the unique security needs of the medical sector. Our aim is to equip healthcare security professionals with the knowledge and tools necessary to safeguard sensitive patient data against increasing cyber threats. Each installment of this series will explore various aspects of cybersecurity risk management we have deployed with Axio customers. By staying informed and proactive, healthcare providers can ensure a secure environment for both their patients and their practice.   

Register for our webinar: Critical Cyber Concerns for Healthcare Providers in 2024


2024: shrinking cyber budgets despite an expanding attack surface

In previous blogs, we at Axio have outlined an unfavorable set of conditions that our friends in the healthcare provider community face. In a nutshell, advances in interconnected medical technology fuel strides in efficient and effective healthcare, but also create an expanding attack surface to be exploited by the unrelenting pressure from threat actors seeking to extort providers by impacting patient care and privacy. Against this backdrop, security and risk departments are faced with shrinking budgets, as healthcare providers are still recovering from the pandemic.

We’ve discussed the need for continuous assessment– which is well and good (and Axio makes it easy). However, even if you have the resources to conduct these assessments, you’re often confronted with a laundry list of areas that could use some improvement and often have nothing but your experience (and sometimes just your gut) to decide where you should focus your time and effort. What do the over-taxed and underfunded security, risk, and compliance groups do to prioritize and secure budgets to strengthen security?

We believe the answer is cyber risk quantification.

We’ve said this time and again, but it bears repeating – cyber risk quantification is fundamentally a game changer. Organizations who quantify their cyber and operational risk know where to spend their budget to get the biggest bang for their buck. Cyber risk quantification deepens the business relationship between security leaders and their board of directors and/or senior management because (sometimes for the first time) both groups will be speaking the same language – that of dollars and cents.

Axio360 helps security and risk professionals to identify and quantify their cyber and operational risk, quantify proposed security improvements, and present those to their board of directors or senior management and obtain the necessary funding to implement those changes. At the end of the day, it allows those tasked with managing cyber risks to effectively present only the necessary information to the board when seeking a budget increase. (We’ve also seen it positively impact cyber insurance renewals, but we’ll save that for a future blog.)

Here are a few examples to illustrate the benefits:

  • After an incident response tabletop exercise, a provider showed their board the potential financial impact of the exercised events. This demonstration effectively secured additional funding for essential improvements uncovered by the exercise, emphasizing the practical benefits of integrating cyber risk quantification into these IR exercises.
  • By identifying which controls had the most favorable ROIs on implementation, a provider was able to successfully argue and secure budget for those controls, highlighting the strategic advantage of targeted investments based on quantified cyber risk assessments.
  • A healthcare provider facing budget reductions successfully utilized cyber risk quantification to maintain their existing budget, by quantifying the increase in risks that would come with the elimination of personnel and technology. This enabled the provider to keep driving forward on critical security initiatives.

How Axio cyber risk quantification for healthcare providers works:

Axio follow’s Carnegie Mellon Software Engineering Institute’s OCTAVE Allegro approach. This approach describes risks as a combination of Condition and Consequence: condition being the specifics of a cyber event (actor, motive, means, opportunity, weakness, and negative outcome) and consequence being the losses incurred as a result. In healthcare, you already know the predominant conditions – cyber-criminal gangs breaching and extorting over-extended and underfunded cyber and IT organizations by exploiting the increasingly-interconnected environments of healthcare organizations.

What many organizations don’t know is what the consequence would look like for them. How long would they need to recover from a large-scale ransomware event? What does that look like in terms of immediate response costs? Impacts to income and cashflow from postponed or canceled elective procedures? Fines and penalties from OCR or State Attorneys General? Patient class-action lawsuits?

It seems like a lot, but the Axio360 platform makes it easy to walk through these potential expenses and break each of these down into simple, easy-to-understand formulas. The platform will even suggest formulas to you! Once complete, the process of assessing the cost-effectiveness of new security controls is a simple process of tweaking those same formulas. Users can adjust values to see exactly how each investment could change the overall financial impact of an event, equipping them with the necessary information in financial terms to justify proposed security investments.

Next up

Our next article in this series focuses on the role of cyber insurance in mitigating risks for healthcare providers. Traditional insurance practices rely on historical data for risk assessment, but the dynamic nature of cyber threats poses challenges due to the lack of extensive historical claims data. We discuss how Axio’s cyber risk engineering provides forward-looking insights, enabling clients to demonstrate their cyber resilience and quantify expected losses, thereby empowering them to negotiate better insurance terms and design customized insurance programs.

Register for our webinar: Critical Cyber Concerns for Healthcare Providers in 2024