Threat and Risk Assessment for a leading health service provider
Case Study
About Our Client
Overview
Our client is a leading Australian health service provider. They operate in over 100 locations, providing services to one million Australians through 250 health practitioners, and have a revenue of more than $250 million.
The Challenge
Our client’s focus to provide world-leading healthcare services to all Australians is being achieved through strategic acquisitions, partnerships, and organic growth. It is their primary priority to preserve their reputation, client trust, patient data confidentiality and to ensure the continuity of their exceptional services.
Challenging this, is a need to understand their cyber security and privacy risk profile across all crown jewel data assets, business arrangements, and healthcare centres while ensuring their new compliance obligations with the Security of Critical Infrastructure (SOCI) Act.
This requires identification and understanding of their key risks across critical assets so they can prioritise the monitoring of key risks and their largest reputational and financial threats. This builds the foundation for an actionable roadmap for remediation activities.
Our allied health client has a range of crown jewel data assets that need cyber protection, including:
- Patient data.
- Practitioner data.
- Employee data.
- Security data.
- Credit card data.
- Financial payments.
- Unstructured data.
To support their strategy, they need a targeted and objective approach to cyber security planning.
Avocado Services provided
- IT security threat and risk (TRA) assessments across all key systems for the previous three years.
- Development of the remediation roadmap.
- Business continuity and disaster recovery planning.
- Identity and Access Management advisory.
Sector
Allied Health
”Preserving patient and practitioner trust; safeguarding confidential information entrusted to their care, and securing uninterrupted client services are paramount to achieving our client’s business strategy. Knowing their cyber security and privacy risk profile across all crown jewel assets and more recently, complying with the Security of Critical Infrastructure (SOCI) Act significantly supports these goals. Avocado has helped our Allied Health client understand and remediate their largest reputational and financial threats.
The Approach
Given the organisational complexity, encompassing various business arrangements, systems architectures, applications, and medical devices, Avocado conducted a Threat and Risk assessment (TRA). This assessment aimed to define the approach and gain a clearer understanding of the organisation’s risks and potential consequences.
This allowed for a prioritised approach, considering cyber controls that are known to have the most impact on the organisation’s crown jewel assets. It ensured risk exposure were assessed against the probable cyber threat vectors faced by the organisation, resulting in a comprehensive strategy to address this exposure.
Significantly, our cyber consultants:
- Leveraged our deep domain knowledge and specialised understanding of their existing cyber security controls.
- Maintained a year-to-year understanding of the global cyber security threat and loss environment for the in-scope health services.
- Utilised the FAIR model – an internationally recognised industry standard model. This allowed us to calculate tangible financial losses that could occur if potential cyber threats against the company were to occur, , enabling a more robust discussion with the board in their understanding and impact of their information management risks.
- Avocado determined the key controls that were most effective in reducing potential losses within the organisational risk appetite.
A risk-buydown matrix was creates to demonstrate efficient risk remediations. Avocado successfully:
- Identified the cyber risk scenarios that the organisations crown jewel assets could be exposed to through internal and external threat actors;
- Through the Threat, Risk and Control (TRC) modelling, we calculated the inherent risk exposure for each scenario and the scenarios that presented a medium, high, or extremely risk severity impact and;
- Highlighted current risk exposure for each of the scenarios based on their cyber security control environment.
Avocado supported the client in the most efficient way to target remediation activity for risk buy-down. Our tailored support for the client focused on identifying key threats to specific crown jewel assets and determining their critical controls that required mitigation through a strategy and roadmap combining the existing IT strategy and desired cyber maturity uplift.
The Outcome
By conducting a threat and risk assessment we offered a targeted and objective approach to cybersecurity planning, which aligned with the organisation’s unique risks, control environment, and risk appetite.
Providing our client with an actionable roadmap that was financially justifiable helped align their IT and cyber roadmaps together for more efficient allocation of resources.
By framing our clients’ risk in financial terms, we empowered business decisions. This created enhanced communication between stakeholders and leadership so the Board could understand how risk decisions directly impact the organisation in the future.
Overall, our client now has a better understanding of their threat and control landscape. Avocado has helped minimise potential damage to client trust, confidentiality of patient data, and ensured continuity of their exceptional services.
Today, we continue to effectively address their cyber gaps with a comprehensive cybersecurity strategy. This includes cyber advisory services associated with delivering the roadmap; providing ongoing security assessments including third-party due diligence, and improving organisational resilience.
If you want to gain a clearer understanding of your risks with a clear remediation strategy and experts to get you there, contact Avocado today.
