Research Article

Operational shock: A method for estimating cyber security incident costs for large Australian healthcare providers

Published online: 26 Dec 2023
 

ABSTRACT

This paper introduces a novel cyber incident cost estimation methodology, applicable to large Australian healthcare providers. A review demonstrates the poor utility of current risk estimation approaches, and the vulnerability of healthcare networks is evaluated using Leibniz’s law of indiscernibles and Evans’ theory of vague objects. Finally, a quantitative cost calculation method is proposed, merging temporal and impact variables with service data from the Australian Institute of Health and Welfare (AIHW).

This research demonstrates that existing attempts to measure cyber incident risk produce vague results. This is evidenced by 929 Australian healthcare data breaches recorded over 5 years, an AU$0.6bn annual national risk exposure, and low levels of healthcare cyber maturity across three states. The likelihood of data breaches is reported as 99.4%, with known ICT vulnerabilities exceeding 207,000. After logically concluding that healthcare networks are fundamentally insecure, an ‘operational shock’ calculation method is modelled against the AIHW data to illustrate realistic cyber incident costs. This returns an exposure across Australia’s acute care hospital network of AU$148.1m from a single incident that takes one week to resolve. Given this quantum, risk transfer using cyber insurance and improved agency cyber risk programs are required to mitigate significant financial risks.

Acknowledgments

None declared.

Consent statement

This research uses publicly available and de-identified organisational data, so patient consent is not a requirement.

Contributorship

MD researched literature and created the first draft. All authors reviewed and edited the manuscript and approved the final version.

Disclosure statement

No potential conflict of interest was reported by the authors.

Ethical approval

The PhD this paper is a component of has received ethics approval from Edith Cowan University, Australia ref: 2020–01418 – DART.

Notes

1. Across multiple standards and methodologies there is no consistency in defining sources of cyber risk – so this paper uses the ‘cyber-AIDD’ acronym to accommodate all four possibilities, unless a specific example or calculation details an individual component.

2. Tables sourced from AIHW files †Health-expenditure-Australia-2021–2022 and ‡Hospital-resources-tables-2021–22.

Additional information

Funding

None of the authors received financial support for the research or publication of this article.
