Operational shock: A method for estimating cyber security incident costs for large Australian healthcare providers

Abstract

ABSTRACT This paper introduces a novel cyber incident cost estimation methodology, applicable to large Australian healthcare providers. A review demonstrates the poor utility of current risk estimation approaches and the vulnerability of healthcare networks is evaluated using Leibniz’s law of indiscernibles, and Evans’ theory of vague objects. Finally, a quantitative cost calculation method is proposed, merging temporal and impact variables with service data from the Australian Institute of Health and Welfare. This research demonstrates that existing attempts to measure cyber incident risk produces vague results. This is evidenced by 929 Australian healthcare data breaches recorded over 5 years, a AU$0.6bn annual national risk exposure, and low levels of healthcare cyber maturity across three states. The likelihood of data breaches is reported as 99.4%, with known ICT vulnerabilities exceeding 207,000. After logically concluding that healthcare networks are fundamentally insecure, an ‘operational shock’ calculation method is modelled against the AIHW data, to illustrate realistic cyber incident costs. This returns an exposure across Australia’s acute care hospital network of AU$148.1 m from a single incident that takes 1 week to resolve. In considering this quantum, risk transfer options using cyber insurance and improved agency cyber risk programs are required to mitigate significant financial risks.