Risk assessment and planning

Risk planning must be done in advance. By the time a risk materializes, it will be too late to react. Unlike external threats, however, your level of cybersecurity risk is something a suitable plan lets you minimize.

Risk assessment is the first step: discovering which cybersecurity risks are present and the impact they could have on your patients, your personnel, and your organization and its assets. We work with you to catalog each risk, taking possible security vulnerabilities or flaws into account when evaluating the likelihood and extent of loss or damage.

The plan we make with you then determines the most appropriate risk management strategy, given a choice of avoiding the risk, transferring it, mitigating it, or accepting it. For example, the risk of an attacker taking control of a life safety system could be mitigated by making sure that the system is always running the latest, most secure versions of software and firmware. The risk of unauthorized remote control of a medical device could be avoided by switching the remote control function off, or mitigated by protecting access to that function through strong passwords or other types of reliable authentication.