2020 and 2021 have proven to be crushing years for hospital operators - the continued global pandemic, supply chain issues, an escalating level of cyber threats, and even a domestic terror attack that took down critical applications and telecommunications for one hospital's infrastructure. For IT and telecommunications systems, these issues highlighted the need for better visibility and understanding of risk across the hospital, and for a strategic approach to prioritizing the use of often scarce resources to protect employees, patients, and the organization's financial stability.
Effective risk management for hospitals starts with top-down support from the governing board and executive management. Hospital cybersecurity teams, who are responsible for managing risk, must be able to communicate that risk to the governing board and executive management with clarity and in terms that enable effective decision making. Risk assessment methods based on qualitative analysis, such as verbal scales (high, medium, low) and colors (red, yellow, green), do not provide a tangible basis for making critical risk-related decisions. A report by McKinsey & Co. on Cyber Risk Measurement and the Holistic Cybersecurity Approach confirmed this challenge, summarizing the situation from a board perspective as follows:
“Most reporting fails to convey the implications of risk levels for business processes. Board members find these reports off-putting—poorly written and overloaded with acronyms and technical shorthand. They consequently struggle to get a sense of the overall risk status of the organization. Corporate Information Security Officers and their teams often lack the business experience to speak in terms that the board can understand, defaulting to technical discussions.”
This sentiment is matched by that of corporate security executives, who recognize the need to frame their recommendations in terms that clearly resonate with the C-suite.
Quantitative risk analysis provides a unique way to bridge this critical gap. Here's why: the quantitative approach associates a specific dollar value with each identified risk, clearly capturing the potential cost to the organization if that risk becomes reality. Complex technical analyses are thereby presented in familiar business terms, making risk and its potential business impact easily understood by a hospital's executive teams and boards.
WHAT IS OPEN FAIR™?
Open FAIR™ (Factor Analysis of Information Risk) is an industry-proven way to perform a quantitative risk analysis of potential losses arising from attacks on IT assets.
Open FAIR™ categorizes all the components of risk - threats, vulnerabilities, and consequences - then models, quantifies, and rolls these up into a quantified risk analysis based on the potential frequency of loss or damage and its magnitude. The quantified risk model uses state-of-the-art estimation techniques coupled with multivariate Monte Carlo simulations to provide a clearer understanding of potential risks. Open FAIR™ analysis develops the probabilities of loss for different scenarios in a way that supports more informed decision-making for financial and strategic planning.
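To make the "frequency times magnitude" idea and the role of the Monte Carlo simulation concrete, here is an added example in Python. It is not code from HealthGuard, DecipherRisk™ or The Open Group, and it implements a deliberately reduced form of the Open FAIR™ taxonomy: three calibrated estimates (threat event frequency, vulnerability, loss magnitude), each given as a (minimum, most likely, maximum) triple and sampled from a PERT distribution, with loss event frequency taken as their product and the number of loss events per simulated year drawn from a Poisson distribution. The scenario figures are constructed for illustration only, and the choice of PERT and Poisson sampling is an assumption of this example rather than a requirement of the standard.

```python
"""Simplified Open FAIR-style Monte Carlo risk quantification (added example).

Reduced model of the Open FAIR taxonomy:
  Threat Event Frequency (TEF)   attempts against the asset per year
  Vulnerability                  probability that an attempt becomes a loss event
  Loss Event Frequency (LEF)     TEF * Vulnerability
  Loss Magnitude (LM)            dollars lost per loss event
Each simulated year draws the number of loss events from a Poisson
distribution with mean LEF and sums one LM draw per event.  Contact
frequency, threat capability versus resistance strength, and secondary
loss are left out on purpose.
"""
import math
import random
import statistics

# Constructed scenario: unplanned loss of availability of a clinical
# application.  The numbers are illustrative, not estimates for any hospital.
SCENARIO = {
    "tef": (0.5, 2.0, 6.0),                          # attempts per year
    "vuln": (0.10, 0.30, 0.60),                      # P(attempt becomes a loss event)
    "loss_magnitude": (50_000, 250_000, 2_000_000),  # dollars per loss event
}


def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw from a (modified) PERT distribution built on a beta distribution.

    lam=4 gives the classic PERT shape whose mean is (low + 4*mode + high) / 6.
    """
    if not low <= mode <= high:
        raise ValueError("estimate must satisfy low <= mode <= high")
    if high == low:
        return float(low)
    alpha = 1.0 + lam * (mode - low) / (high - low)
    beta = 1.0 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def poisson_sample(rng, mean):
    """Knuth's algorithm: number of events in one period given the mean rate."""
    limit = math.exp(-mean)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_loss(scenario, iterations=10_000, seed=42):
    """Return one total annual loss (dollars) per simulated year."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    losses = []
    for _ in range(iterations):
        tef = pert_sample(rng, *scenario["tef"])
        vuln = pert_sample(rng, *scenario["vuln"])
        lef = tef * vuln                       # expected loss events this year
        n_events = poisson_sample(rng, lef)    # realized loss events this year
        total = sum(pert_sample(rng, *scenario["loss_magnitude"])
                    for _ in range(n_events))
        losses.append(total)
    return losses


def summarize(losses, tolerance):
    """Condense the simulated years into the figures a board would ask for."""
    ordered = sorted(losses)
    n = len(ordered)

    def pct(p):
        return ordered[min(n - 1, int(p * n))]

    return {
        "mean_annual_loss": statistics.fmean(ordered),   # annualized loss expectancy
        "median": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        "max": ordered[-1],
        "p_no_loss": sum(1 for x in ordered if x == 0.0) / n,
        # share of simulated years whose loss exceeds the stated risk tolerance
        "p_exceeds_tolerance": sum(1 for x in ordered if x > tolerance) / n,
    }


if __name__ == "__main__":
    result = summarize(simulate_annual_loss(SCENARIO), tolerance=1_000_000)
    for key, value in result.items():
        print(f"{key:>20}: {value:,.2f}")
```

The output is a loss distribution rather than a single number: the mean is the annualized loss expectancy used for budgeting, while the 90th and 95th percentiles and the probability of exceeding a tolerance threshold are what let a board compare a control investment against the tail losses it is meant to cut. Swapping a calibrated estimate (for example, lowering the vulnerability triple after a control is deployed) and re-running shows the change in dollar terms.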
THE HISTORY OF OPEN FAIR™
FAIR was originally released to the public in 2006 and standardized by the Open Group [TR2] in 2014 through the development of the Risk Taxonomy Standard (O-RT). Until the Open Group standardized FAIR, the security community did not have a consistent way to approach risk quantification; FAIR has since become the international standard for the quantification of cyber security and operational risk. The FAIR body of knowledge (BOK) and approach align with existing security frameworks, such as the NIST Cyber Security Framework (CSF - NIST 800-53) and the International Organization for Standardization (ISO) 27000 series.
SHOULD MY ORGANIZATION ADOPT AN OPEN FAIR™ BASED APPROACH?
An Open FAIR™ based approach delivers:
- Quantitative risk assessment
- Improved financial and strategic decision-making approach to cyber and enterprise risk
- Use of consistent terms and language for risk
- Structured analytical approach to risk measurement
- Improved communication on risks and their impact
HOW CAN MY ORGANIZATION IMPLEMENT OPEN FAIR™?
Organizations can implement Open FAIR™ in a modular fashion that complements and strengthens existing risk management processes.
HEALTHGUARD CAN HELP YOU GET STARTED.
Healthguard is one of only three accredited Open FAIR™ trainers - and the only one with a healthcare focus. Our HealthGuard University offers a range of Open FAIR™ training courses to get you and your team off the ground.
We also offer in-depth consultation and training to focus the use of FAIR techniques on your most pressing risk management concerns.
Healthguard delivers an industry-leading, end-to-end cyber risk management solution, DecipherRisk™, specifically designed for hospitals. DecipherRisk™ integrates and supports the Open FAIR™ risk quantification standard.
If you would like to have a conversation about how implementing Open FAIR™ can help your organization, then contact us here.
LEARNING MORE ABOUT OPEN FAIR™
Here are some resources to get you started with Open FAIR™:
- Risk Analysis (O-RA)
- Risk Taxonomy (O-RT), Version 2.0
- Introduction to Cyber Risk Quantification with Open FAIR™ (video)
- Get Open Fair™ Certified
Open FAIR™ is a trademark of The Open Group