
Jun 03 2026
Security

How Health Systems Can Prioritize Healthcare Cybersecurity Risks With SPARQ

To better position their cybersecurity posture, healthcare organizations need to assess and quantify their risks.

Headlines about the latest data breach affecting a healthcare organization have unfortunately become a norm in the industry. Healthcare is also a regular target for ransomware attacks.

It’s clear why cybersecurity is top of mind for healthcare leaders across the country, but security teams often struggle with communicating needs that align with business objectives. They’re focused on solving for technical gaps (such as a lack of identity and access management or immutable backups), but nontechnical leaders can’t always connect how those gaps may put the entire organization at risk. 

Instead, security leaders need to translate their needs by quantifying risks into financial terms that make sense to nontechnical executives. Assessing security investments in this way helps organizations prioritize which risks to address, justify spending and reallocate funding as needed. 

CDW’s Security Program Assessment and Risk Quantification (SPARQ) offering can guide organizations through this process, especially as ongoing merger-and-acquisition activity and new compliance expectations complicate healthcare cybersecurity strategies.


How SPARQ Helps Healthcare Organizations Quantify Cyber Risk 

SPARQ includes a platform solution that leverages artificial intelligence and provides real-time updates on an organization’s quantified risk assessment. That makes the assessment an ongoing process rather than a one-time event, which can help organizations develop a more mature cybersecurity program.

From a storytelling point of view, it's the opposite of a compliance checkbox. Rather than having outside insurers or surveys inform an organization’s risk assessment, we take an inside-out look to discover what makes the most difference for an organization’s unique situation, what aspects will buy down the most risk and which areas will be the best place to invest. 

After the assessment, organizations won’t have to stumble through the 24 findings to know what they should tackle first. With SPARQ, each risk is assigned a dollar value, so the conversation can start with, “This particular project costs $200,000, but it buys down $9 million for a year’s worth of risk.” That then pushes into discussions about where organizations can invest to buy down the most risk, or move the needle for capital versus operational expenditures, or help the CFO hit an earnings target. It allows security teams to speak in the language of business. 


Traditionally, CISOs have not been great at communicating the same way the CEO or CFO talks to the board. With SPARQ, they can start to use that dollars-and-cents framing to say, “These are the risks, and these are the trade-offs, and this is the investment mix that we want to make.” 

In the past, as security leaders, we’ve walked into board rooms to try to express what our metrics look like, what our vulnerabilities look like, what those risk scores look like, and it doesn't easily translate for executives. Now, by assigning monetary values to those risks, CISOs can better prioritize the challenges they’re trying to solve.

So, You’ve Quantified Your Cybersecurity Risks. What’s Next? 

When an organization has identified and quantified its vulnerabilities and can say it has $20 million or $100 million or however much worth of risk, then comes the question: What to do about it? 

There are generally four options: 

  1. The organization can avoid the risk by doing nothing, but that’s a nonstarter. 
  2. It can accept the risk and eventually parse through its risk appetite. 
  3. It can transfer the risk to another entity, such as cyber insurance. 
  4. It can mitigate the risk with controls. 

SPARQ helps organizations decide what the right mix of options 2, 3 and 4 would be. How much risk should transfer to cyber insurance? How many dollars will the organization get back in risk reduction for what it’s spending? It’s a more focused approach to IT spending that lets leaders say, “OK, this is how much we want to transfer to insurance, and this is how much we're going to mitigate and spend on controls.”


Enhancing Healthcare Data Security With Continuous Risk Management 

SPARQ is a great starting or refresh point for organizations as they try to improve their zero-trust security architecture and mature in their identity and access management. The best way to reliably support these initiatives would be to shift funding around for them; to do that, organizations need to buy down risk to focus on the things that can help drive maturity. This step is especially critical in healthcare, where funding streams can be volatile and subject to legislative change. 

Similarly, this approach to quantifying cyber risk will be helpful as organizations adopt more AI solutions. AI risk can be quantified like any other risk, allowing organizations to create a roadmap toward AI remediations as well — particularly useful as the industry keeps an eye on further developments with Mythos.


As AI advances for malicious actors as well as defenders, continuous threat and exposure management becomes imperative for organizations. One of the key tenets of CTEM aligns with prioritization: What vulnerabilities do we prioritize? How do we prioritize which patches we should push? All of those feeds can map against key risk indicators, which we can use to also create business intelligence and value. Risk quantification ties closely to CTEM. 

Ultimately, organizations must focus on the most critical vulnerabilities, prioritize them and then tie them to what's most important for operational and financial health. Don’t get bogged down with just filling in the gaps in your cybersecurity program. Home in on understanding your overall risk so that your future projects don’t pose security concerns down the line.

This article is part of HealthTech’s MonITor blog series.
