Cyber Risk Strategy
Healthcare organization mitigates significant cyber risks with cyber risk strategy
Strategic Challenge
A healthcare organization had experienced a prior cyber intrusion and discovered that their existing risk mitigation strategy needed to be enhanced and redefined. Otherwise, they would be ill-prepared to respond effectively to the next intrusion or data breach, risking exposure of their PHI and other sensitive data. With the support of the board, the CEO engaged us to help.
Outcomes Achieved
Risk Reduction: non-ransomware intrusion detection and response time improved from multiple days to hours
Cost Savings: 10% savings on IT and Cyber operational expenses
Service Quality: moved from no quality measurements or focus to an intentional NPS score of 40+
Background & Context
Healthcare organizations are seeking to focus on patient care and service delivery quality. Information Technology (IT) and ever-changing cyber risks are a critical part of that patient-care and service delivery equation. Our client, a healthcare organization, was keenly aware of this critical role and as such prioritized cyber security as part of their strategic plan.
Although the institution had previously implemented what they believed were sufficient cyber risk controls and a strategy that included prevention, detection and response capabilities, they experienced a close call (a significant intrusion incident) that prompted a review and evaluation of the existing strategy and capabilities.
Fortunately, the intrusion didn’t compromise patient health records. After the incident, the organization engaged us to help answer some key questions, including:
How do we detect cyber intrusions proactively?
How do we know if we have the right solutions and strategy in place?
Where are our significant risk areas?
What should our future cyber security strategy look like given our growth trajectory?
How will our cloud migration and adoption change our risk profile?
Cyber Risk Strategy
To provide meaningful answers to these questions, we completed a comprehensive assessment and analysis of the functional areas, critical assets, digital services and operations processes including interviews with third-party service providers.
This assessment yielded some material gaps that were previously unknown to the client. Some of the gaps discovered were in the areas of asset management, cloud adoption/migration, cyber governance, threat/vulnerability management, data protection, cyber and user awareness training.
We developed a strategy with specific recommendations to help close these gaps in order of priority and in accordance with the organization's risk profile and business objectives. In essence, we helped them develop a good cyber risk strategy that strengthened their current and future security posture.
Our engagement was extended to include the execution of critical elements of the strategy recommendations, such as the sourcing, comparative evaluation and selection of a best-fit service provider for them. We also delivered additional cyber risk services such as cyber learning clinics, penetration testing, architecture reviews and contract reviews.
The execution produced significant outcomes. First, improved recovery time from cyber incidents, which minimized disruptions in patient care and service delivery. Second, increased value from new cyber capabilities at a lower cost than in previous years: our client clearly got more value for less money. Lastly, a positive employee/user experience that sustained productivity gains from cloud services with enhanced security. The new strategy did not cripple employee productivity by making employees jump through hoops to get their work done; instead, it enhanced their experience.
“We’re very glad that you’re here. We’re getting way more value than we expected”
Success Factors
Our client was successful in achieving their desired business outcomes because of a few critical factors. Their role in the success of the cyber risk strategy and its associated business outcomes was significant, and these were the critical success factors that informed that role:
CEO active role
Prioritizing proactive engagement
Establishing/securing board support
Modeling cyber-priority behaviors and culture for the rest of the organization
Learning about cyber risks
Customer Impact
Operational Resilience
Improved recovery time from weeks/days to hours
Actionable Awareness
Cyber Learning Clinics comments from client employees
Understand the options available to you
Establish/determine what level of cyber insurance is required