The Challenge
Ransomware has become an all-too-common attack vector for hospitals and other healthcare institutions, so leadership wanted to get ahead of the threat. Beyond response costs, lost employee productivity and lost revenue, they had a real fear for patient safety. To take one example of the many "disruptionware" incidents aimed at healthcare: in the 2017 "WannaCry" attack on the British National Health Service, thousands of hospital appointments and operations were cancelled and five emergency rooms had to turn away patients. Senior management wanted to understand how much risk they faced from ransomware and how much they stood to lose in an attack, including secondary impacts such as regulatory fines and lawsuits.
To answer these questions, the organization needed to communicate risk in the financial terms that business stakeholders understand best. The security and risk team set out to produce those numbers so that the organization could decide between implementing stronger controls and accepting the current level of risk.
The Solution
With the help of the RiskLens Professional Services team, the healthcare organization's analysts used the RiskLens Platform to define an appropriate scenario for quantifying the risk of concern. The platform builds out workshop questions from the scope of work so that analysts can answer the big question in financial terms: "How much risk do we have?" The RiskLens Platform is based on the industry standard model for quantifying risk, Factor Analysis of Information Risk (FAIR™).
The team began by focusing the analysis on the amount of risk associated with an outage of the EHR (Electronic Health Record) system caused by a ransomware attack from a cyber criminal. The analysts used the high-level scoping capability within RiskLens to determine quickly which data points the analysis actually required, reducing their workload by cutting research into data that would not ultimately support quantifying the risk.
The analysis collected data through structured workshop questions on key risk and control factors, including the historical number of ransomware attempts, phishing email click rates and the reduction in those rates after a previous security awareness training program, the controls in place to prevent a ransomware attack, and the number of employees using the EHR system.
On the loss side, the organization gathered data on how quickly it could get the system back online and how much damage it could expect during the outage. The analyst team also considered the possibility of civil lawsuits if the outage were to harm patients.
Over a three-day period, the team met with business management to settle which data should go into the analysis describing, in financial terms, the effect of the ransomware-driven outage of the EHR system.
The estimates that feed a risk calculation inevitably carry some uncertainty. Rather than entering single point values, the analysts entered every input as a range (a distribution), so the analysis carries that uncertainty through to the result instead of hiding it.
The table below illustrates the overall loss exposure for the scenario: the range of probable outcomes (how often the event could occur) on the left, and the probable loss that could materialize for each event on the right.
The Risk Treatment Analysis capability of RiskLens allows comparison analyses to be performed rapidly. In this scenario, the analysts used it to run several comparison assessments against the existing baseline, modeling the risk if network segmentation or threat intelligence software were implemented. These comparison reports gave the organization tangible data on which to base a decision: the results showed that both improvements were worth the investment and, by putting an ROI on each, helped the organization prioritize the two projects alongside other factors.
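As an added illustration (this is not RiskLens platform code, and the numbers are not the organization's data), the following Python script shows the kind of FAIR-style Monte Carlo calculation behind a result like the one described above. Each input is a min/most-likely/max range sampled as a PERT distribution; loss event frequency is threat event frequency multiplied by vulnerability; annual loss is summed over the simulated events (primary outage cost plus the secondary cost of a possible lawsuit); and two hypothetical treatments, network segmentation that shortens the outage and threat intelligence that lowers the vulnerability, are compared against the baseline on annualized loss reduction and ROI. All scenario values, control costs and names are assumptions chosen for illustration.

```python
"""FAIR-style Monte Carlo for a ransomware-driven EHR outage.

Added illustration: this is not RiskLens code and the numbers below are
assumed, not the organization's data. Every input is a (min, most likely,
max) range sampled as a PERT distribution.
"""
import math
import random
from dataclasses import dataclass, replace
from statistics import mean


def pert(rng, lo, mode, hi, scale=4.0):
    """Sample a PERT distribution: a Beta fitted to a min/most-likely/max estimate."""
    if hi == lo:
        return lo
    a = 1 + scale * (mode - lo) / (hi - lo)
    b = 1 + scale * (hi - mode) / (hi - lo)
    return lo + (hi - lo) * rng.betavariate(a, b)


def poisson(rng, lam):
    """Number of events in one year given an expected rate lam (Knuth's method)."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


@dataclass
class Scenario:
    name: str
    tef: tuple            # ransomware threat events per year reaching the hospital
    vulnerability: tuple  # probability a threat event becomes a loss event (0..1)
    outage_hours: tuple   # time to get the EHR system back online
    cost_per_hour: tuple  # response, lost productivity and lost revenue, USD/hour
    p_lawsuit: tuple      # probability an outage leads to a patient-harm lawsuit
    lawsuit_cost: tuple   # secondary loss if a suit is filed, USD
    annual_cost: float = 0.0  # yearly cost of the control (0 for the baseline)


def simulate(scn, iterations=5000, seed=1):
    """Return the distribution of annual loss (USD) for one scenario."""
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        # FAIR: loss event frequency = threat event frequency * vulnerability
        lef = pert(rng, *scn.tef) * pert(rng, *scn.vulnerability)
        total = 0.0
        for _ in range(poisson(rng, lef)):
            primary = pert(rng, *scn.outage_hours) * pert(rng, *scn.cost_per_hour)
            secondary = 0.0
            if rng.random() < pert(rng, *scn.p_lawsuit):
                secondary = pert(rng, *scn.lawsuit_cost)
            total += primary + secondary
        losses.append(total)
    losses.sort()
    q = lambda p: losses[min(int(p * iterations), iterations - 1)]
    return {"min": losses[0], "p10": q(0.10), "mean": mean(losses),
            "p90": q(0.90), "max": losses[-1]}


def compare(baseline, treatment, **kw):
    """Annualized loss reduction and ROI of a treatment versus the baseline."""
    base, treat = simulate(baseline, **kw), simulate(treatment, **kw)
    reduction = base["mean"] - treat["mean"]
    roi = ((reduction - treatment.annual_cost) / treatment.annual_cost
           if treatment.annual_cost else math.inf)
    return {"baseline_ale": base["mean"], "treated_ale": treat["mean"],
            "reduction": reduction, "roi": roi}


# Hypothetical baseline: current controls, no segmentation, no threat intel feed.
BASELINE = Scenario("baseline", tef=(2, 6, 15), vulnerability=(0.05, 0.15, 0.40),
                    outage_hours=(24, 72, 240), cost_per_hour=(20_000, 50_000, 120_000),
                    p_lawsuit=(0.02, 0.10, 0.30),
                    lawsuit_cost=(250_000, 1_000_000, 5_000_000))
# Segmentation contains the blast radius, so restoration is assumed to be faster.
SEGMENTATION = replace(BASELINE, name="network segmentation",
                       outage_hours=(8, 24, 72), annual_cost=400_000)
# Threat intelligence blocks more attempts early, lowering the vulnerability.
THREAT_INTEL = replace(BASELINE, name="threat intelligence",
                       vulnerability=(0.03, 0.08, 0.25), annual_cost=150_000)

if __name__ == "__main__":
    for scn in (BASELINE, SEGMENTATION, THREAT_INTEL):
        s = simulate(scn)
        print(f"{scn.name:22s} p10 ${s['p10']:>12,.0f}  mean ${s['mean']:>12,.0f}  p90 ${s['p90']:>12,.0f}")
    for t in (SEGMENTATION, THREAT_INTEL):
        c = compare(BASELINE, t)
        print(f"{t.name:22s} ALE reduction ${c['reduction']:,.0f}  ROI {c['roi']:.1f}x")
```

Both treatments are compared against the baseline with the same random seed, so the difference in annualized loss expectancy reflects the control change rather than sampling noise. Because many simulated years contain no loss event at all, the 10th percentile of the baseline sits at zero while the mean is in the millions; that spread, rather than a single number, is what the distribution-based approach is meant to surface.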