By: Saket Modi, Co-Founder and CEO at Safe Security
For more than a decade, healthcare has been the sector hit hardest by data breaches. The average cost of a healthcare data breach rose to $9.23 million in 2021 from $7.13 million the previous year, a 29.5% increase. The impact of cyberattacks on healthcare is not limited to finances, regulation and reputation: they have a direct consequence on lives. An Alabama resident alleged negligent homicide in the death of her infant after a ransomware attack locked the hospital's systems for eight days, leaving its fetal monitors inaccessible. Tampering with CT or MRI scans could likewise lead to the wrong procedure or surgery, an incomplete diagnosis, or degraded emergency and urgent care.
In this situation the healthcare sector needs to improve its cyber risk management quickly, and that is possible only if it moves away from the traditional reactive, point-in-time approach to cybersecurity and adopts a predictive, measurable one instead. A proactive strategy means knowing the organization's breach-likelihood in real time and the financial impact a breach would have on it.
The NotPetya attack happened five years ago. Has much changed in the healthcare sector since then? The cost of ransomware alone has grown by 1094% since 2015. There are three key areas where this sector still falls short:
Financial services organizations predict the likelihood of a loan being repaid from the applicant's financial history, previous loans, salary or income, and credit score. OTT platforms use predictive analytics and algorithms to improve their recommendations. The medical fraternity, too, relies on prediction models to improve diagnostics, identify risk groups and improve patient care. Why not apply the same analytical approach to predicting the probability of a breach, rather than detecting cyberattacks after they happen and reacting to them? Predictive models such as Bayesian networks make this possible.
Enterprise cyber risk is the product of the probability of a breach and its business consequence. That probability is the organization's breach-likelihood, and it can be calculated at the most granular level: the breach-likelihood of each medical device in every room, of employee threats department by department, of vendors and suppliers of equipment and pharmaceuticals, of the Electronic Medical Records directory in the cloud and of the security posture of each cloud asset; the possibilities are endless. Each such prediction leaves the organization better prepared to mitigate breaches. Once it knows what to expect, it can focus on fixing what really matters rather than on ad-hoc activities that add only a sense of security rather than real security.
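To make the two ideas above concrete (a Bayesian network producing a per-asset breach-likelihood, and risk as likelihood times business consequence), here is a small worked example in Python. It is an added illustration, not Safe Security's model or any code from the original article. The network structure, its conditional probability tables, the asset inventory and the impact figures are all constructed assumptions chosen so the arithmetic is easy to check; the function names are the author's own. Inference is exact enumeration over the Boolean nodes, which is fine for a few nodes per asset and is not meant to scale to a real estate of thousands of devices.

```python
"""Breach-likelihood per hospital asset with a tiny Bayesian network.

Added illustration, not Safe Security's model. The network, its conditional
probability tables and the sample assets are all constructed assumptions.
"""
from itertools import product

# Each node is Boolean. A node maps to (parents, cpt); cpt maps a tuple of
# parent values (in the listed parent order) to P(node = True).
# Every probability here is assumed for illustration, not measured.
NETWORK = {
    "exposed":     ((), {(): 0.30}),          # reachable beyond its clinical VLAN
    "unpatched":   ((), {(): 0.50}),          # known vulnerability left unpatched
    "compromised": (("exposed", "unpatched"), {
        (True, True):   0.40,
        (True, False):  0.08,
        (False, True):  0.05,
        (False, False): 0.01,
    }),
}


def joint_probability(assignment, network=NETWORK):
    """P(full assignment) = product over nodes of P(node = value | parents)."""
    p = 1.0
    for node, (parents, cpt) in network.items():
        p_true = cpt[tuple(assignment[parent] for parent in parents)]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p


def probability(query, evidence, network=NETWORK):
    """P(query = True | evidence), by enumerating every full assignment."""
    nodes = list(network)
    matching = consistent = 0.0
    for values in product((False, True), repeat=len(nodes)):
        assignment = dict(zip(nodes, values))
        if any(assignment[node] != value for node, value in evidence.items()):
            continue                       # contradicts what the scanner observed
        p = joint_probability(assignment, network)
        consistent += p
        if assignment[query]:
            matching += p
    return matching / consistent


def breach_likelihood(evidence, network=NETWORK):
    """Breach-likelihood of one asset given whatever is known about it.

    Unknown nodes (not in evidence) are marginalised over their priors."""
    return probability("compromised", evidence, network)


def expected_loss(evidence, impact_usd, network=NETWORK):
    """Cyber risk = breach-likelihood x business consequence (USD)."""
    return breach_likelihood(evidence, network) * impact_usd


def patch_benefit(evidence, impact_usd, network=NETWORK):
    """Expected-loss reduction if this asset's known vulnerability were patched."""
    patched = dict(evidence, unpatched=False)
    return (expected_loss(evidence, impact_usd, network)
            - expected_loss(patched, impact_usd, network))


def prioritize(assets, network=NETWORK):
    """Rank assets by expected loss, not by likelihood alone."""
    ranked = []
    for name, evidence, impact_usd in assets:
        ranked.append({
            "asset": name,
            "likelihood": breach_likelihood(evidence, network),
            "expected_loss": expected_loss(evidence, impact_usd, network),
            "patch_benefit": patch_benefit(evidence, impact_usd, network),
        })
    return sorted(ranked, key=lambda row: row["expected_loss"], reverse=True)


# Constructed sample inventory: (asset, scanner/CMDB evidence, impact in USD).
# Evidence is partial on purpose: nothing is known about the VPN gateway.
SAMPLE_ASSETS = [
    ("MRI console, radiology",  {"exposed": True, "unpatched": True},  4_000_000),
    ("Fetal monitor, L&D ward", {"unpatched": True},                   3_000_000),
    ("EMR bucket, cloud",       {"exposed": True, "unpatched": False}, 9_000_000),
    ("Vendor VPN gateway",      {},                                      500_000),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_ASSETS):
        print(f"{row['asset']:<24} P(breach)={row['likelihood']:.3f} "
              f"expected loss=${row['expected_loss']:>10,.0f} "
              f"patch saves=${row['patch_benefit']:>10,.0f}")
```

With these assumed numbers the EMR bucket has the lowest breach-likelihood of the four assets (0.08) but the second-highest expected loss, because its consequence is so large, while the fetal monitor ranks above it on likelihood alone. That is the point of the product: a score that orders remediation by what a breach would actually cost, and, via the patch-benefit column, by how much a given fix buys.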
Breach-likelihood can be a gamechanger for the healthcare sector, providing the visibility that is missing today. Just as doctors arrive at a diagnosis by carrying out due diligence, sifting actual symptoms from noise and aggregating all relevant information in a central record, cyber risk quantification separates signal from noise.
As healthcare organizations build out their cybersecurity infrastructure, they need to remember that every security service, product and process in their cyber risk ecosystem has to communicate with the others. Where tens of security tools each perform well in isolation but together fail to produce a comprehensive, prioritized picture, breach-likelihood can provide the single score that drives cybersecurity strategy.