
How hospitals can financially measure the risk of cybersecurity attacks

The value proposition is making sure everyone is using the same process for cyber risk quantification.

Susan Morse, Executive Editor

From left: Jack Lewin, Chris Bowen, Tracy Griffin and Michael Meis take part in Cyber Risk Quantification in Healthcare during the HIMSS Healthcare Cybersecurity Forum in Boston this week.

Photo: Mike Miliard, HITN

BOSTON – The question that arises when the topic of risk quantification comes up in healthcare is, "How much is it going to cost me?" said Jack Lewin, speaking during the HIMSS Healthcare Security Forum in Boston.

"How do we value the healthcare data we're trying to protect here?" asked Lewin, founder and principal of consultant Lewin & Associates.

Chief information security officers and other experts taking part in "Cyber Risk Quantification in Healthcare" indicated there is no definitive answer.

Hospitals and other healthcare entities are the only organizations able to make multimillion-dollar investments in which no ROI is shown and the benefits are unclear outside of the security team, said Michael Meis, associate chief information security officer for the University of Kansas Health System.

Security is believed to be either secure or not, Meis said.

"Really, it's a sliding scale," he said.

One way to measure the cost is to look at values of patient information on the dark web, Meis said.

"It's something tangible to say, this is how we came up with this [number]," he said.

Fines levied on other organizations for cybersecurity breaches can also be used to associate a monetary value with risk, said Chris Bowen, founder and CISO for ClearDATA.

"The reality is, we've got a lot of data out there: OCR [Office of Civil Rights] fines; also a lot of lawsuits, settlements over the last 7 to 8 years," Bowen said.

Providers and some payers will try to limit the amount of liability in a contract, Bowen said.

Risk quantification enables cybersecurity teams to communicate risk – in financial terms – to healthcare leadership.

The value proposition is making sure everyone is using the same risk process for cyber risk quantification, Meis said.

Tracy Griffin, director of information security risk and assurance, Bon Secours, Mercy Health, said risk quantification needs to be a financial conversation, but in patient terms, a breach needs to be data- and outcome-driven.

Patient data can be more than at risk for fraud. Today's privacy climate after the Supreme Court decision on Roe v. Wade and the Dobbs ruling is similar to what happened in the 1980s during the wave of HIV infections, according to Lewin.

After the Roe decision, he said, "Data has more implications than being discovered."

This also holds true for mental health data, he said.

"The patient," Griffin said, "has a right to know their medical record, their ID is secure."

Twitter: @SusanJMorse
Email the writer: SMorse@himss.org