In October 2020, three US agencies joined forces to issue a stark warning to hospitals and health care providers: Ransomware attacks are on the rise—and institutions need to take immediate action to protect themselves.
According to the report, co-authored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (HHS), ransomware attacks, service disruptions and data theft have all increased substantially in the sector since 2019, and the COVID-19 pandemic has only escalated the problem.1
Starkly stated, cybercriminals see life sciences and health care organisations not only as a source of significant revenue, but also as treasure troves of sensitive data. To counter these threats, the time has come for the industry to up its cybersecurity game.
Part of the challenge is that many life sciences and health care institutions currently evaluate cyber risk through qualitative assessment and unvalidated opinion. That approach is both imprecise and ill-suited to today's advanced cyber threats.
To move up the maturity ladder, CISOs must be able to prioritise and address the areas of greatest risk, secure employee and patient data, and clearly identify the enterprise systems and standards required to get the job done. This requires robust cyber risk analytics and reporting. To make more informed decisions and set enterprise-level goals, CISOs need visual cyber risk reports and dashboards that are as credible, defensible and actionable as financial statements.
To get line of sight into their most pressing risk areas and blind spots, today’s organisations are consequently turning to more advanced analytical solutions.
Rather than simply identifying high-impact, high-risk areas, these approaches go a step further: they use near-real-time data to produce actionable insight into specific scenarios. For instance, while a traditional approach to cyber risk management might flag a high risk of reputational damage, a data-insights approach could indicate which application contributes to that risk and which steps would mitigate it. At its most granular, it could show that adopting a particular hardened server configuration reduces the quantified risk by X%.
In fact, this level of reporting could:
This capacity can allow life sciences and health care organisations to aggregate, normalise and enrich their data inputs. It attaches risk to specific areas of the organisation—for example, a certain product line or hospital—and can help institutions and organisations improve their risk posture by making better investment decisions that align with their cybersecurity strategy. Taken to its logical conclusion, it can empower:
While enhancing your cyber risk analytics and reporting is a critical milestone for life sciences and health care organisations, it is in some ways only the first step. Once the foundation is in place to actively manage cyber risks through data insights, and to drive the actions that help you reach your KPIs, it becomes possible to use that data to advance your organisation even further.
For instance, once you have sufficient insight into the financial implications of your business decisions, you can determine where to allocate your next dollar to see a better return. You can better define your risk appetite and more accurately assess the level of investment risk you are willing to accept. And depending on your level of maturity, you can gain visibility into hidden risks and execute risk-intelligent responses, which could involve bolstering your controls, allocating additional resources, or transferring residual risk through a cyber insurance policy (insurance does not reduce the likelihood or size of an incident, only who pays for part of it).
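The "reduce risk by X%" and "where to allocate your next dollar" reasoning above, worked through as an added example that is not part of the article or of Deloitte's tooling: a small Monte Carlo cyber risk quantification in Python (standard library only). It models one scenario, ransomware on a hospital EHR system, with a Poisson event frequency and a lognormal per-event loss, then scores candidate controls by annualised loss expectancy (ALE) reduction, net benefit and loss avoided per dollar spent, and checks a loss-exceedance threshold as a risk-appetite test. The scenario, the three controls (including treating cyber insurance as a simple fractional loss reduction, ignoring deductibles and limits) and every number are constructed assumptions for illustration, not data from the article; the frequency-times-severity structure is the common FAIR-style convention, which the article does not name.

```python
"""Monte Carlo cyber risk quantification for one ransomware scenario.

Added example; not code from the article or from Deloitte. All scenario
parameters and control effects are constructed illustrations, not data.
"""
import math
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: float   # expected number of loss events per year (Poisson mean)
    loss_low: float          # 5th percentile of the loss from one event
    loss_high: float         # 95th percentile of the loss from one event


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    freq_reduction: float = 0.0   # fraction of events the control prevents
    loss_reduction: float = 0.0   # fraction by which it cuts the loss of each event


def _poisson(rng, lam):
    # Knuth's method; adequate for the small event rates typical of loss scenarios
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def _lognormal_params(low, high):
    # Treat (low, high) as a 90% confidence interval of a lognormal loss
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * 1.645)
    return mu, sigma


def simulate(scenario, control=None, years=50_000, seed=7):
    """Return one simulated annual loss per year, with or without a control."""
    # Same seed for every run so differences come from the control, not the dice;
    # a pure loss_reduction control therefore scales the baseline years exactly.
    rng = random.Random(seed)
    ctrl = control or Control("none", 0.0)
    lam = scenario.events_per_year * (1 - ctrl.freq_reduction)
    mu, sigma = _lognormal_params(scenario.loss_low, scenario.loss_high)
    losses = []
    for _ in range(years):
        total = 0.0
        for _ in range(_poisson(rng, lam)):
            total += rng.lognormvariate(mu, sigma) * (1 - ctrl.loss_reduction)
        losses.append(total)
    return losses


def ale(losses):
    """Annualised loss expectancy: mean simulated annual loss."""
    return mean(losses)


def exceedance_probability(losses, threshold):
    """Share of simulated years whose loss exceeds a tolerance (risk-appetite check)."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def rank_controls(scenario, controls, **kw):
    """Score each control against the uncontrolled baseline; best value per dollar first."""
    base = ale(simulate(scenario, **kw))
    rows = []
    for c in controls:
        saved = base - ale(simulate(scenario, c, **kw))
        rows.append({
            "control": c.name,
            "ale_reduction_pct": 100 * saved / base,       # the article's "reduce risk by X%"
            "net_benefit": saved - c.annual_cost,
            "reduction_per_dollar": saved / c.annual_cost,  # where the next dollar goes
        })
    return sorted(rows, key=lambda r: r["reduction_per_dollar"], reverse=True)


# Constructed scenario and controls (hypothetical figures, for illustration only)
EHR_RANSOMWARE = Scenario("ransomware on hospital EHR", events_per_year=0.4,
                          loss_low=250_000, loss_high=5_000_000)
CONTROLS = [
    Control("offline immutable backups", annual_cost=150_000, loss_reduction=0.6),
    Control("phishing-resistant MFA", annual_cost=200_000, freq_reduction=0.5),
    # Simplified transfer: real policies carry deductibles, limits and exclusions
    Control("cyber insurance", annual_cost=120_000, loss_reduction=0.4),
]

if __name__ == "__main__":
    base = simulate(EHR_RANSOMWARE)
    print(f"baseline ALE ${ale(base):,.0f}; "
          f"P(annual loss > $2M) = {exceedance_probability(base, 2_000_000):.1%}")
    for r in rank_controls(EHR_RANSOMWARE, CONTROLS):
        print(f"{r['control']:28} ALE -{r['ale_reduction_pct']:.0f}%  "
              f"net ${r['net_benefit']:,.0f}  ${r['reduction_per_dollar']:.2f} saved per $1")
```

Two things the numbers make visible that the prose only asserts: a control that shrinks impact (backups) and one that shrinks likelihood (MFA) can be compared on the same dollar scale, and the exceedance probability, not the average, is what a stated risk appetite ("no more than a 5% chance of losing over $2M in a year") actually constrains.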
Moving from advanced analytics and reporting towards cyber risk quantification should allow organisations to do more than shore up their defences against bad actors. It should also position an industry under pressure to enhance data security, better protect people’s privacy and make investment decisions aligned with strategic priorities.
1. Cybersecurity and Infrastructure Security Agency, FBI and HHS, Ransomware Activity Targeting the Healthcare and Public Health Sector, October 2020.
Carlos Amaya | US Cyber Principal
carlamaya@deloitte.com
Ajay Arora | US Senior Manager
ajarora@deloitte.com