When we ask hospital administrators about the factors that influence their decisions, these are the three we hear most:
1) impact on patient privacy and safety/wellness
2) financial impact and liability
3) probability that an action or inaction will result in negative outcomes on 1 or 2.
In today’s hospitals that are trying to navigate a growing number of cyber-related risks, we continue to see decisions in these three areas made with incomplete or inaccurate risk information (aka with poor risk visibility), created using broken and obsolete risk measurement methods and models.
Running an organization or department this way is like driving a car in the dead of winter, during rush hour, without scraping the ice off the windshield. Maybe you get through safely. Maybe you run off the road. Maybe you crash head-on into oncoming traffic.
Fixing this cyber risk visibility issue in hospitals is long overdue. However, there is a general failure to acknowledge that the analysis methods that many are using to produce risk estimates have very serious and well-documented flaws.
Without this acknowledgement, and the decision to make a corresponding change, hospital leaders will continue to drive their organizations while peering through a fogged windshield, hoping luck will help them avoid the potholes and the occasional downed tree in the road.
WHY RISK QUANTIFICATION LEVELS THE PLAYING FIELD
According to the FAIR Institute, “Information risk has become a business issue - not just a technology issue - because most business processes have been digitalized.”
As a result, hospitals need to start talking about risk in terms of business impact (financial and patient safety) rather than just using IT terms and labels.
You would not go to your board and ask to build a new wing to the hospital that you work in without understanding the cost of the wing, the potential revenue it would bring in, or how not building it would impact your ability to serve patients.
Yet CISO’s and risk managers are still going to their leadership and boards saying, “We think this possible risk exposure is “high”. So we think we should prioritize spending in this area, because if we don’t the cost could be significant.” The terms used are general and open to interpretation, which can be problematic when speaking to decision makers who think in terms of hard numbers.
Instead, consider this. Risk quantification allows you to:
- Calculate identified and potential risk vulnerabilities in financial terms.
- Understand the probability of risk exposure as it compares to financial impact.
- Prioritize risk investments through comparisons of risk probability, financial impact, and fluctuations exposure based on investment area.
- Communicate with your stakeholders in a common language.
Without a complete and accurate picture of a hospital's risk exposure, we see hospitals hit with fines, scrambling to recover from breaches, and adding daily to their list of risk-related to-dos without any true sense of what to do and why.
It is important to note that risk quantification does not prevent a hospital from fines, cyber threats, or even poor risk management processes.
Instead, it puts quantified insights into a hospital’s line of sight so your people can make the most informed decisions about how to avoid fines, address cyber threats, and improve risk management processes.
WHY NOW IS THE TIME FOR HOSPITALS TO THINK ABOUT RISK QUANTIFICATION
Hospital CISOs, risk analysts, IT security, risk managers, and compliance professionals are busy.
The idea of adding more responsibilities to their plate seems unthinkable. In fact, many hospitals think that they would need to hire specialized data analysts or risk quantification specialists to manage the data and provide actionable recommendations. They neither have the time nor budget to even consider this.
Fortunately, today’s risk management technology can streamline the processes you and your teams are using for your day-to-day risk operations and automate the risk quantification capabilities needed to guide, communicate, and make better decisions and investments about risk.
In doing so, time is spent being strategic about risk management instead of fumbling through spreadsheets to justify a decision or explain a gap that has put your hospital at risk.
For more about how hospitals can get started with risk quantification, take a look at “What is Open FAIR™?: A Healthcare Perspective.”
HealthGuard is the only risk management solution provider solely focused on healthcare. With our Open FAIR™ Risk Quantification DecipherRisk tool, we are on a mission to change the way hospitals talk about and make decisions about risk to protect their patients and financial investments.