A view from the Center

Deloitte's Life Sciences & Health Care Blog

Better protecting your crown jewels from cyber attack

The health care industry is going through a period of cyber-awakening. Reports of data security breaches are growing, and with this growth comes the increasing cost of cyberattacks throughout the industry. And while many organizations are implementing improved defensive measures, the health care industry is still undergoing a surge in data breaches, security incidents, and cyberattacks.

Fear of a cyberattack is like a ticking time bomb in the minds of many business leaders, who worry that their hospital or health plan will be next in the headlines. And these headlines are largely shaped by what companies are required to publicly report, such as the theft of personal health information (PHI).

But what really happens in the aftermath of a cyber crisis? In all but the rarest cases, organizations that have suffered an attack are careful not to disclose the details and even shy away from talking publicly about the impacts – and the costs certainly tend to be underestimated. Largely in the shadows of a breach are the less discussed or understood impacts, such as brand damage, loss of customers, or a negative effect on future cyber insurability.

Being prepared starts with a clear picture of what could happen. Anticipating the financial impact in advance of a breach can help leaders map out what the greatest impacts to the company might be – to understand the full financial impact, and particularly those impacts that matter most.

To get this clear picture, Deloitte Advisory brought together its Cyber Risk, Forensics and Investigation, and Valuation teams to model these impacts, not just in terms of cost, but also duration.

First, we modeled a likely cyberattack scenario – this model is customized to a specific health company’s attributes and other unique factors such as revenue, size, and number of customers.

Second, once we had applied the most likely attack scenario to the specific company, we used accepted financial valuation methods to identify how the organization would be impacted post-breach – both the direct costs commonly associated with cyber breaches and the more far-reaching, intangible costs.

What we learned from this modeling approach is that the cost of a single cyber incident, depending on the company, industry and breadth of attack, can stretch into the billions over a number of years.

And what are the benefits of this approach? If an organization can achieve some level of fidelity on the true cost of a breach, then the company can understand its total risk exposure with eyes wide open. It can get a realistic picture of the likely impact of a cyberattack and use that picture to better direct cyber risk program investments.

One way to better balance these investments is through the lens of Deloitte Advisory’s Secure.Vigilant.Resilient.™ framework. This framework is designed to help organizations establish balanced programs to:

  • secure what can and should be secured;
  • improve the ability to identify and predict malicious activity; and
  • improve preparedness, and response and recovery capabilities when a cyber incident or crisis occurs.

By applying the framework above, combined with better awareness of the potential business impacts through modeling, leaders can transform their organization’s level of readiness and improve their ability to achieve full business recovery when a cyberattack happens. The purpose, really, is to help executives better guide cyber risk investment decisions to mitigate potential impacts, and to lead their organizations to succeed in an increasingly hostile cyber threat environment.

Author bio

John Gelinne is a Director in Cyber Risk Services for Deloitte Advisory in the U.S. and is part of the Resilient practice that helps clients prepare for, respond to, and recover from cyber incidents. John joined Deloitte after retiring from the U.S. Navy following 30 years of service. John is responsible for cyber incident response, cyber war gaming, and building technical resilience that allows organizations to rapidly adapt and respond to dynamic changes, disruptions, or threats.