[3-J-2-05] A quantitative risk evaluation method against cybersecurity threats for Japanese medical institutions
Cyber security, Risk management, Hospital information system, Medical institutions
[Purpose]
Cyberattacks in healthcare institutions have increased rapidly, and healthcare institutions require appropriate security implementations. A risk assessment method is required to prioritize risks based on their severity. This research developed a quantitative risk assessment method applicable to medical information systems’ cybersecurity risk.
[Methods]
We developed a new risk assessment method that takes asset value into account for risk quantification. Risk is calculated from Asset value, Impact of risk, and Likelihood. Asset value is calculated from four perspectives: Business continuity, Operational management, Human resource management, and Patient wellness. Confidentiality, Availability, and Integrity are used to evaluate Impact. Likelihood is evaluated from the probability that the risk will occur. The conventional risk matrix method and the proposed method were compared using an example based on a document for electronic medical record systems in Japan.
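The abstract names the inputs of the score (four asset-value perspectives, C/I/A impact, likelihood) but not the formula or rating scales. The following is an added illustration, not the paper's own method: it instantiates the structure with assumed 0–3 ratings for each perspective and CIA component, an assumed product formula, and an assumed 5x5 risk matrix, to show how two risks that collapse to the same matrix level can still be separated once asset value enters the calculation. All numeric scales, the sample assets, and the band thresholds are constructed for the example.

```python
"""Assumed instantiation of an asset-weighted risk score (illustration only).

The paper describes Risk as a function of Asset value, Impact and Likelihood;
the formula, scales and the 0-368 range are not reproduced here. Every rating
scale and the product formula below are assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AssetValue:
    """Four perspectives named in the abstract, each rated 0-3 (assumed scale)."""
    business_continuity: int
    operational_management: int
    human_resource_management: int
    patient_wellness: int

    def score(self) -> int:
        parts = (self.business_continuity, self.operational_management,
                 self.human_resource_management, self.patient_wellness)
        if any(not 0 <= p <= 3 for p in parts):
            raise ValueError("each perspective must be rated 0-3")
        return sum(parts)  # 0..12 under the assumed scale


@dataclass(frozen=True)
class Impact:
    """Confidentiality / Integrity / Availability, each rated 0-3 (assumed scale)."""
    confidentiality: int
    integrity: int
    availability: int

    def score(self) -> int:
        parts = (self.confidentiality, self.integrity, self.availability)
        if any(not 0 <= p <= 3 for p in parts):
            raise ValueError("each CIA component must be rated 0-3")
        return sum(parts)  # 0..9 under the assumed scale


def risk_matrix_level(impact_level: int, likelihood_level: int) -> int:
    """Conventional 5x5 risk matrix: impact 1-5 x likelihood 1-5 -> priority 1-5.

    The band thresholds on the product are assumed; real matrices differ.
    Asset value plays no role here, which is the limitation the paper addresses.
    """
    if not (1 <= impact_level <= 5 and 1 <= likelihood_level <= 5):
        raise ValueError("matrix inputs are rated 1-5")
    p = impact_level * likelihood_level
    for threshold, level in ((2, 1), (5, 2), (10, 3), (16, 4)):
        if p <= threshold:
            return level
    return 5


def proposed_score(asset: AssetValue, impact: Impact, likelihood: int) -> int:
    """Assumed formula: asset score x impact score x likelihood (1-5)."""
    if not 1 <= likelihood <= 5:
        raise ValueError("likelihood is rated 1-5")
    return asset.score() * impact.score() * likelihood  # 0..540 under these scales


def compare(risks: dict) -> dict:
    """Return {name: (matrix_level, proposed_score)} for a set of rated risks."""
    return {
        name: (risk_matrix_level(r["impact_level"], r["likelihood"]),
               proposed_score(r["asset"], r["impact"], r["likelihood"]))
        for name, r in risks.items()
    }


# Constructed sample: an EMR database server and a visitor kiosk, both rated
# low impact / low likelihood by the analyst so the matrix places them at level 1.
SAMPLE_RISKS = {
    "emr_db_unpatched": {
        "asset": AssetValue(3, 3, 2, 3),   # central to care, operations and patients
        "impact": Impact(1, 1, 1),
        "impact_level": 1,
        "likelihood": 2,
    },
    "lobby_kiosk_unpatched": {
        "asset": AssetValue(1, 0, 0, 0),   # minor business-continuity value only
        "impact": Impact(1, 1, 0),
        "impact_level": 1,
        "likelihood": 2,
    },
}

if __name__ == "__main__":
    for name, (level, score) in compare(SAMPLE_RISKS).items():
        print(f"{name:24s} matrix={level}  proposed={score}")
```

Under these assumed scales both sample risks sit at matrix level 1, while the asset-weighted score separates the EMR server (66) from the kiosk (4); the absolute range differs from the paper's 0–368 because the scales here are illustrative.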
[Results]
Risks were prioritized on a scale of 1–5 using the risk matrix method. The proposed method evaluated risks on a scale of 0 to 368. Risks that were evaluated as 1 using the risk matrix method were evaluated at 28–112 using the proposed method.
[Conclusion]
The proposed method makes it possible to evaluate risk quantitatively by taking asset values into account, and to evaluate risk with higher precision than conventional methods.
[Ethical Considerations]
This research is related to cybersecurity risks and does not constitute life science or medical research involving human subjects.
