Enhancing HITRUST Risk Assessments for Healthcare with Cyber Risk Quantification (CRQ)

December 8, 2020  Jack Freund

At this year’s HITRUST Annual Conference, RiskLens partnered with Highmark Health to present on an integrated approach to implementing HITRUST CSF, the security framework for the healthcare industry, with cyber risk quantification (CRQ), using the FAIR model.

Regardless of the framework in use, FAIR enables analysts to enhance and sharpen their risk analyses with specifics that provide the ability to add economic impact to organizational assessments and provide a defensible, rigorous risk report.

The HITRUST presentation began with the challenges that Highmark risk analysts faced presenting top risks to the organization. They wanted to improve their risk communication and sidestep common biases and pitfalls associated with qualitative risk assessments—including conflating risk and vulnerabilities and displaying risk with stoplight charts—when other organizational disciplines were using financial risk metrics.

Highmark implemented the RiskLens platform to provide quantitative risk scenario analysis. These scenarios can be associated with IT assets (applications, servers, databases, etc.), project consultations (changes to existing applications and infrastructure), and issue management.

This approach has enabled Highmark to have a clear and standardized language for communicating about risk as well as creating a clearly defensible risk analysis using economic impact as the common denominator.

CRQ produced several wins in addition to clear communication and rigorous analyses, namely finding risk and control options that reduce security investment and advising internal clients about risk avoidance opportunities.

Using the RiskLens CRQ platform, Highmark ran a Top Risks analysis based on annual loss exposure, and now tracks those risks on an ongoing basis (as in this anonymized example):





Highmark can also run ROI analyses to compare mitigation alternatives (also anonymized here):







This level of visibility into risk aligns well with the requirements for HITRUST compliance, including specific stipulations calling for clearly stated levels of acceptable risk and risk tolerance thresholds as well as the incorporation of internal incident histories in the risk analysis process.

The RiskLens platform, built on FAIR, is tailor-made to accommodate these kinds of requests by asking the firm to evaluate frequency of attack and loss values that are best informed by internal as well as external data, and to define risk appetite thresholds for its Loss Exceedance Curve reporting.

Meeting HITRUST CSF Requirements at Highmark with RiskLens' FAIR Cyber Risk Quantification

Level 1 Implementation Requirements

  • HITRUST requires risk acceptance and tolerance thresholds defined for each category of risk; RiskLens provides clear financial ranges for risk-based actions.

Level 2 Implementation Requirements

  • HITRUST specifies that likelihood and magnitude of harm should be included in the risk assessment process, including actual case impact scenarios. RiskLens has explicit variables to represent harm and leverages histories and experience in calculation.

Level FFIEC IS Implementation Requirements

  • The standard calls for threat modeling as part of risk assessment to identify and quantify risks. RiskLens uses quantifiable threat variables.

Level GDPR Implementation Requirements - Control Reference 03.B - Performing Risk Assessments

  • Highmark and many other RiskLens clients have run risk analyses around GDPR to assess their top risks associated with data privacy and the effectiveness of risk mitigation initiatives (read a case study).


The full presentation by Highmark Cyber Risk Team Manager, Jason Martin and RiskLens Director, Risk Science, Jack Freund, PhD is available here.