2020 was a crushing year for hospital operators. The global pandemic, supply chain issues, an escalating level of cyber threats and even a domestic terror attack that took down critical application and telecommunications for one hospital's infrastructure. IT and telecommunications systems, these issues highlighted the need for better visibility and understanding of risk across the hospital and a strategic approach to prioritizing the use of often scarce resources to protect employees, patients and the organization’s financial stability.
Effective risk management for hospitals starts with top down support. from the governing board and executive management. The hospital cybersecurity teams, who are responsible for managing risk, must be able to communicate risk to the governing boards and executive management with clarity and in terms that enable effective decision making. Risk assessment methods based on qualitative analysis, such as verbal scales (high, medium, low) and colors (red, yellow, green) do not provide a basis for making critical risk related decisions. A report by McKinsey & Co on Cyber Risk Measurement and the Holistic Cybersecurity Approach  confirmed this challenge summarizing the situation from a board perspective, as follows:
“Most reporting fails to convey the implications of risk levels for business processes. Board members find these reports off-putting—poorly written and overloaded with acronyms and technical shorthand. They consequently struggle to get a sense of the overall risk status of the organization.”
“Corporate Information Security Officers and their teams often lack the business experience to speak in terms that the board can understand, defaulting to technical discussions.”
This sentiment is matched by that of the corporate security executives who are equally concerned.
Quantitative risk analysis can provide a way to bridge this critical gap because this approach associates a specific financial amount to each risk that has been identified, representing the potential cost to an organization if that risk actually occurs” . As a result, complex technical analyses in are presented in more familiar business terms that improve understanding of risk and their potential business impacts for to a hospital’s executive teams and boards.
WHAT IS OPEN FAIR™?
Open FAIR™ (Factor Analysis of Information Risk) is an industry-proven way to perform a quantitative risk analysis of potential losses arising from attacks on IT assets.
Open FAIR™ categorizes all the components of risk - threats, vulnerabilities, and consequences – – then models, quantifies, and rolls these up into a quantified risk based on the potential frequency of loss or damage and its magnitude. , The quantified risk uses state of the art estimation techniques coupled with and multivariate Monte Carlo simulations to provide a clearer understanding of potential risks. Open FAIR™ analysis develops the probabilities of loss for different scenarios that support more informed decision making for financial and strategic planning.
THE HISTORY OF OPEN FAIR™
FAIR was originally released to the public in 2006 and standardized by the Open Group [TR2] in 2014 developing the Risk Taxonomy Standard (O-RT). Until the Open Group standardized FAIR, the security community did not have a consistent way to approach risk quantification, and FAIR has become the international standard for the quantification of cyber security and operational risk. The FAIR body of knowledge (BOK) and approach aligns with existing security frameworks, such as NIST Cyber Security Framework (CSF - NIST 800-53), and International Standards Organizations (ISO) 27000.
SHOULD MY ORGANIZATION ADOPT AN OPEN FAIR™ BASED APPROACH?
- Quantitative risk assessment
- Improved financial and strategic decision making approach to cyber and enterprise risk
- Use of consistent terms and language for risk
- Structured analytical approach to risk measurement
- Improved communication on risks and their impact
HOW CAN MY ORGANIZATION IMPLEMENT OPEN FAIR
Organizations can implement Open FAIR™ in a modular fashion that complements and strengthens existing risk management processes.
AND HEALTHGUARD CAN HELP YOU GET STARTED…
Healthguard is an accredited Open FAIR trainer and offers the Open FAIR™ Risk Quantification Fundamentals course through HealthGuard University, so your organization can get trained.
Healthguard offers in-depth consultation and training to focus the use of FAIR techniques on your most pressing risk management concerns.
Healthguard delivers an industry leading, end to end cyber risk management solution, Decipher Risk™, specifically designed for hospitals that integrates and supports the Open FAIR™ risk quantification standard.
If you would like to have a conversation about how implementing Open FAIR™ can help your organization, then contact us here.
LEARNING MORE ABOUT OPEN FAIR™
Here are some resources to get you started with Open FAIR ™
- Risk Analysis (O-RA)
- Risk Taxonomy (O-RT), Version 2.0
- Introduction to Cyber Risk Quantification with Open FAIR™ (video)
- Get Open Fair™ Certified
Open FAIR™ is a trademark of The Open Group