At this year’s HITRUST Annual Conference, RiskLens partnered with Highmark Health to present on an integrated approach to implementing HITRUST CSF, the security framework for the healthcare industry, with cyber risk quantification (CRQ), using the FAIR model.
Regardless of the framework in use, FAIR lets analysts sharpen their risk analyses with specifics that add economic impact to organizational assessments and support a defensible, rigorous risk report.
The HITRUST presentation began with the challenges that Highmark risk analysts faced presenting top risks to the organization. They wanted to improve their risk communication and sidestep common biases and pitfalls associated with qualitative risk assessments—including conflating risk and vulnerabilities and displaying risk with stoplight charts—when other organizational disciplines were using financial risk metrics.
Highmark implemented the RiskLens platform to provide quantitative risk scenario analysis. These scenarios can be associated with IT assets (applications, servers, databases, etc.), project consultations (changes to existing applications and infrastructure), and issue management.
This approach has given Highmark a clear, standardized language for communicating about risk, as well as a clearly defensible risk analysis that uses economic impact as the common denominator.
CRQ produced several wins in addition to clear communication and rigorous analyses, namely finding risk and control options that reduce security investment and advising internal clients about risk avoidance opportunities.
Using the RiskLens CRQ platform, Highmark ran a Top Risks analysis based on annual loss exposure, and now tracks those risks on an ongoing basis (as in this anonymized example):
Highmark can also run ROI analyses to compare mitigation alternatives (also anonymized here):
This level of visibility into risk aligns well with the requirements for HITRUST compliance, including specific stipulations calling for clearly stated levels of acceptable risk and risk tolerance thresholds as well as the incorporation of internal incident histories in the risk analysis process.
The RiskLens platform, built on FAIR, is tailor-made to accommodate these kinds of requirements: it asks the firm to estimate attack frequency and loss values that are best informed by internal as well as external data, and to define risk appetite thresholds for its Loss Exceedance Curve reporting.
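As an added illustration (not RiskLens or Highmark code), the following Python script is a minimal FAIR-style Monte Carlo: it samples loss event frequency and loss magnitude from constructed min/most-likely/max estimates, computes annual loss exposure, reads loss-exceedance probabilities against a risk appetite threshold, and compares a mitigation's ROI. The scenario values, the triangular distributions and the control cost are assumptions, not figures from the presentation.

```python
# Added example, not RiskLens/Highmark code: a minimal FAIR-style Monte Carlo that
# turns calibrated frequency and loss-magnitude ranges into annual loss exposure,
# loss-exceedance probabilities for a risk appetite threshold, and a mitigation ROI.
import random
from statistics import mean


def simulate_annual_losses(freq, loss, trials=10_000, seed=7):
    """freq and loss are (min, most_likely, max) triples, the calibrated
    estimates FAIR asks an analyst to supply. Triangular sampling is an
    assumption here; FAIR tooling commonly uses PERT-style distributions."""
    rng = random.Random(seed)
    yearly = []
    for _ in range(trials):
        # Loss event frequency: number of loss events in one simulated year
        events = round(rng.triangular(freq[0], freq[2], freq[1]))
        # Loss magnitude: one sampled loss per event, summed for the year
        yearly.append(sum(rng.triangular(loss[0], loss[2], loss[1]) for _ in range(events)))
    return yearly


def annual_loss_exposure(yearly):
    """Expected (mean) annual loss: the figure a Top Risks ranking sorts on."""
    return mean(yearly)


def loss_exceedance(yearly, threshold):
    """Probability that a year's loss exceeds `threshold`: one point on the LEC."""
    return sum(1 for y in yearly if y > threshold) / len(yearly)


def within_appetite(yearly, threshold, max_probability):
    """Risk appetite test: exceeding `threshold` no more often than `max_probability`."""
    return loss_exceedance(yearly, threshold) <= max_probability


def mitigation_roi(baseline, mitigated, annual_control_cost):
    """ROI of a control: expected-loss reduction net of its cost, per dollar spent."""
    benefit = annual_loss_exposure(baseline) - annual_loss_exposure(mitigated)
    return (benefit - annual_control_cost) / annual_control_cost


# Constructed scenario: unauthorized disclosure of records from one clinical application.
BASELINE = simulate_annual_losses(freq=(2, 4, 6), loss=(10_000, 50_000, 100_000))
# Same scenario after a control that roughly halves loss event frequency (assumed).
MITIGATED = simulate_annual_losses(freq=(1, 2, 3), loss=(10_000, 50_000, 100_000))

if __name__ == "__main__":
    print(f"ALE baseline:  ${annual_loss_exposure(BASELINE):,.0f}")
    print(f"ALE mitigated: ${annual_loss_exposure(MITIGATED):,.0f}")
    print(f"P(loss > $300k) baseline: {loss_exceedance(BASELINE, 300_000):.3f}")
    print(f"Within appetite (<=1% chance of >$500k)? {within_appetite(BASELINE, 500_000, 0.01)}")
    print(f"ROI of $30k/yr control: {mitigation_roi(BASELINE, MITIGATED, 30_000):.2f}")
```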
Meeting HITRUST CSF Requirements at Highmark with RiskLens' FAIR Cyber Risk Quantification
Level 1 Implementation Requirements
Level 2 Implementation Requirements
Level FFIEC IS Implementation Requirements
Level GDPR Implementation Requirements - Control Reference 03.B - Performing Risk Assessments
The full presentation by Highmark Cyber Risk Team Manager Jason Martin and RiskLens Director of Risk Science Jack Freund, PhD, is available here.