How One Healthcare Organization Stopped Chasing Fear and Started Building Defensible Security with DoCRA
The Reality Check
This is the story of how a spreadsheet nearly cost a healthcare institution its reputation—and how a standards-based, technology-driven solution helped restore trust and resilience.
The real wake-up call wasn’t triggered by an actual data breach but by a shift in perspective, from an “if we get breached” point of view to a new reality of “when we get breached.”
Under that reality, a board member asked, “Can we say we did everything we could to protect this healthcare organization?”
It seemed like a reasonable question, yet even the CISO didn’t have a confident answer.
The lack of confidence wasn’t due to a lack of investment or people. Quite the contrary. The security team routinely put out fires and met compliance checklists. Yet they still felt exposed, because no one had ever taken the time to step back and ask:
Are we doing the right things for our business, and not just security for security’s sake?
The Turning Point
A phishing attack resulted in a minor breach of email accounts. The attack was contained quickly with minimal damage.
Yet everyone still felt rattled, not because of what happened, but because they all knew they had just avoided something much worse. That’s when the inevitable question came:
“How do we know we’re protecting what matters, in a way that’s actually defendable?”
Enter DoCRA: A New Way to Think About Security
That’s when the CISO of the healthcare institution brought in DoCRA—the Duty of Care Risk Analysis.
Not another technical framework. Not just another compliance standard. DoCRA helped them answer the real question:
What’s a “reasonable” level of protection – for us, our partners, and our customers – that won’t break the business at the same time?
How It Changed Everything
- Risk decisions are no longer made in isolation. Security decisions are now made with the business in mind, because everyone – IT, legal, compliance, and leadership – has a seat at the table.
- Security efforts are now focused on what matters most. Not every threat got the same attention—only those that truly impacted the mission.
- They could now explain the “why.” Every control, every decision, could be tied back to risk. No more “we did it because the audit said so.”
- The organization is prepared for the inevitable. They stopped pretending breaches wouldn’t happen. They plan for them—with clarity and accountability.
The Results
- Leadership Now Actively Involved – because they finally understand the risk in business terms.
- Security Is Now Seen as a Supportive Business Partner – not a roadblock.
- Incident Response Got Smarter – no scrambling, just clear decisions backed by a well-documented risk framework.
- They Could Sleep Better at Night – knowing they have a reasonable, responsible, and defensible program.
Final Thought
You can’t stop every cyber-attack. Don’t think you can.
What you can do is create a security program that protects your organization and stands up to scrutiny when the worst happens, on the day we all fear.
That’s what this healthcare org did. They stopped guessing.
They stopped overcompensating.
They started making informed, fair, and defensible choices—with DoCRA.
About DoCRA
The Duty of Care Risk Analysis Standard provides principles and practices for evaluating cybersecurity risk in a way that balances harm to others with burdens on the organization. It is used by regulators, legal teams, and risk professionals to ensure risk decisions are fair, consistent, and defensible.
Learn more at: https://docra.org
About Reasonable Risk
Reasonable Risk is a SaaS platform that automates the DoCRA Standard to help organizations make defensible cybersecurity risk decisions—clearly, collaboratively, and continuously. With contextual risk scoring, dynamic dashboards, and full audit trails, Reasonable Risk turns cyber risk into business intelligence.
Visit: https://reasonablerisk.com