Impact of Security Culture on Security Compliance in Healthcare in the USA: Results from a National...

Posted: 11-Nov-2014

Description

This presentation shares results from a national study of CIOs and CISOs in US healthcare to point out the importance of a balanced information assurance strategy composed of technology, policy, and people. The Health Insurance Portability and Accountability Act (HIPAA) became law in 1996 with security and privacy requirements. The administrative safeguards of HIPAA require policies and the management of people. Information assurance requires three controls: technology, policy, and people. The National Institute of Standards and Technology (NIST) Document 800-66, which provides guidance for HIPAA, does not address people controls and does not map well to an accepted information assurance model. Data on breaches in healthcare show that 80-90% of breaches are caused by insiders. This study shows that people management within the organization continues to be important for an enterprise security strategy.

Transcript of Impact of Security Culture on Security Compliance in Healthcare in the USA: Results from a National...

  • 1. Impact of Security Culture on Security Compliance in Healthcare in the USA: Results from a National Study Mansur Hasib, D.Sc., CISSP, PMP, CPHIMS November 2013
  • 2. Personal Introduction: Public, private and education sector experience; Lived in many states and travelled through all 50 states of the USA; 25+ years' experience managing IT; 12 years as CIO in healthcare and biotechnology; Doctor of Science in Information Assurance, 2013; Adjunct Faculty, Carnegie Mellon and UMBC
  • 3. Agenda: Information Assurance in Healthcare; Key Terms; Identify the Problem being Examined; Overarching Question; What Others Have Found; Purpose and Methodology; Results of My Study; My Key Findings; Key Recommendations; Contributions Made by This Research Study; Questions
  • 4. Information Assurance Model 2001 Note. Adapted from A Model for Information Assurance: An Integrated Approach, by W. V. Maconachy, C. D. Schou, D. Ragsdale, and D. Welch, 2001, June. Paper presented at the 2001 IEEE Workshop on Information Assurance and Security, United States Military Academy, West Point, New York: New York.
  • 5. Key Terms: Information Security Culture: Shared Organizational Values Related to Information Security; Information Security Compliance: Information Security Behavior in Accordance with Organizational Policies; People Controls: Managing People for Purposes of Information Assurance
  • 6. Health Insurance Portability and Accountability Act - 1996 Note. Adapted from An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (NIST Special Publication 800-66, rev. 1), by United States Department of Commerce, National Institute of Standards and Technology, 2008, p. 2.
  • 7. HIPAA Security Rule 2003: Requires Information Assurance Controls (Technology, Policy, and People); Administrative Safeguards Require the Management of People for Information Assurance
  • 8. NIST Publication 800-66: National Institute of Standards and Technology Provides Compliance Standards for Federal Law; 800-66 for HIPAA Focuses on Policy and Process; 800-66 Ignores the Management of People
  • 9. Business Problem In 2012, sixteen years after the enactment of HIPAA, over 80% of the security breaches in US healthcare are attributable to behaviors of people within the organization (HIMSS Analytics, 2008, 2010, 2012; Ponemon Institute, 2009). Compliance with NIST 800-66 will not solve this problem because people controls are ignored by this standard.
  • 10. Overarching Question Can healthcare information security executives achieve higher levels of security compliant behavior in their organizations by implementing an information security culture?
  • 11. What Others Found: People are the Weakest Link; People Have a Behavior Choice; Technology or Policy Alone Does not Govern Behavior; Culture Influences Behavior; Management Engagement is Required for Implementing Culture; Management Needs to Obtain Buy-In from People
  • 12. Compliance Factors: Organizational Level for Security Governance; CIO Role and Reporting Level; Executive Management Engagement; Benevolent Management; Employee Empowerment; Policy Enforcement; Monitoring; Information Security Culture; Human Firewall
  • 13. Purpose: The purpose of this study was to examine the relationship between the level of implementation of a security culture and the level of security compliance behavior in US healthcare organizations. Brady (2010) had examined the relationship in US and Canadian academic medical centers using a 61-item validated survey instrument. Brady's survey respondent pool and geographic locations were too broad: HIPAA is a US federal law and does not apply in Canada. The literature also shows that culture and compliance policy are impacted by senior leadership. The new HITECH laws and the ACA are not applicable to Canada either.
  • 14. Specific Research Questions 1. To what extent is a security culture implemented in the healthcare sector? 2. To what extent is security compliant behavior exhibited in the healthcare sector? 3. To what extent does implementation of a security culture impact security compliant behavior?
  • 15. Hypotheses H1: The level of implementation of a security culture in the healthcare sector will be low. H2: The level of security compliance behavior in the healthcare sector will be low. H3: Implementation of a security culture will be positively related to the level of security compliance behavior in the healthcare sector. The corresponding null hypothesis statistically tested was: H30: There is no relationship between the level of implementation of a security culture and the level of security compliance behavior in the healthcare sector.
  • 16. Variables and Scope: This study has two main variables. Dependent Variable: Level of Security Compliance Behavior. Independent Variable: Level of Security Culture. This study was limited to CIOs and CISOs or equivalent senior roles within the USA. The study was broadened to include all types of healthcare providers.
  • 17. Measures and Survey Instrument: Brady (2010) Validated Measures Used with Permission to Measure the two Main Variables: Dependent Variable: Level of Security Compliance Behavior; Independent Variable: Level of Security Culture. Demographics: Size of Organization, Role of Respondent, Reporting Relationship, % of Security Incidents Attributed to Insiders, % of Budget Spent on Security, Existence of and Plans for CISO Role. Survey Instrument Used Brady (2010) Measures with Permission.
  • 18. Data Collection: Survey sent to 124 CIOs and CISOs in healthcare known to me. NH-ISAC sent out additional invitations to 2,347 CIOs and CISOs. 67 responses received: 40 from CIOs and CISOs known to me, 27 possibly from the NH-ISAC pool. Response rate of 2.7% overall; rate of 32% from the personal pool. Sample size error rate is 4% for a population of unknown size.
  • 19. Logistics of Data Collection: CIOs, CISOs and Equivalent Executives in US Healthcare; National Survey Limited to 26 Questions and Under 10 Minutes to Respond; Six Demographics and 20 Brady Questions; Ten Measures for Security Culture, Cronbach's Alpha .9; Ten Measures for Security Behavior, Cronbach's Alpha .9; Personal Appeal to CIO, CISO Contacts and NH-ISAC
  • 20. Size of Organization
  • 21. Role of the Respondent
  • 22. Reporting Relationships Other CEO CISO CIO Administrator Total 20 12 6 7 45 44% CIOs CFO 27% 13% 16% 1 0 17 4 5% 0% 77% 18% 22 67
  • 23. Presence of Chief Information Security Officer Role
  • 24. Insider Incidents
        RANGE     FREQUENCY   PROPORTION
        0-19%     14          22%
        20-39%    18          29%
        40-59%    4           6%
        60-79%    5           8%
        80-99%    8           13%
        100%      14          22%
        N=63                  100%
        78% Reported Insider Incidents; 49% of Respondents Reported 40-100% Insider Incidents
  • 25. Level of Security Culture: Moderately High Level of Security Culture, 37.75
  • 26. Level of Security Compliant Behavior: High Level of Security Compliant Behavior, 41.69
  • 27. Pearson's R Correlation: Influence of Security Culture on Security Compliance, p < .001, R = .516
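The two statistics the preceding slides rest on, Cronbach's alpha for each multi-item scale (slide 19) and Pearson's R between the summed culture and behavior scores (slide 27), are simple enough to reproduce directly. The block below is an added example and is not the study's own code or data: it assumes each scale is a set of Likert items scored 1 to 5, that every respondent answers every item, and that a respondent's scale score is the sum of their item scores; the respondent rows are constructed, with four items per scale instead of the study's ten, and the p-value is left to a t table or a statistics library because the block computes only R and its t statistic.

```python
"""Scale reliability and culture/compliance correlation, as in the study.

Added example (not the study's own code or data). Assumptions: each scale
is a set of Likert items scored 1..5, every respondent answers every item,
and a respondent's scale score is the sum of their item scores. The
response rows below are CONSTRUCTED to illustrate the computation.
"""
import math
from statistics import mean, variance

# Constructed respondent rows: one list of item scores per respondent.
# Four items per scale here; the study used ten.
CULTURE_ITEMS = [
    [5, 4, 5, 4], [4, 4, 3, 4], [2, 3, 2, 3], [5, 5, 4, 5],
    [3, 3, 3, 2], [1, 2, 2, 1], [4, 3, 4, 4], [2, 2, 3, 2],
]
BEHAVIOR_ITEMS = [
    [5, 5, 4, 4], [4, 3, 4, 4], [3, 2, 3, 2], [5, 4, 5, 5],
    [3, 3, 2, 3], [2, 1, 2, 2], [4, 4, 3, 4], [2, 3, 2, 2],
]


def scale_scores(responses):
    """Sum each respondent's item scores into one scale score."""
    return [sum(row) for row in responses]


def cronbach_alpha(responses):
    """Cronbach's alpha: k/(k-1) * (1 - sum(item variances) / variance(total)).

    Values near 1 mean the items measure one construct consistently
    (the slides report .9 for both ten-item scales).
    """
    k = len(responses[0])
    if k < 2:
        raise ValueError("alpha needs at least two items")
    if any(len(row) != k for row in responses):
        raise ValueError("every respondent must answer every item")
    item_vars = [variance([row[j] for row in responses]) for j in range(k)]
    total_var = variance(scale_scores(responses))
    if total_var == 0:
        raise ValueError("no variance in total scores; alpha is undefined")
    return (k / (k - 1)) * (1 - sum(item_vars) / total_var)


def pearson_r(x, y):
    """Pearson product-moment correlation between two equal-length samples."""
    if len(x) != len(y) or len(x) < 3:
        raise ValueError("need two equal-length samples of at least 3 values")
    mx, my = mean(x), mean(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        raise ValueError("a constant sample has no correlation")
    return sxy / math.sqrt(sxx * syy)


def t_statistic(r, n):
    """t = r * sqrt((n-2) / (1-r^2)) with n-2 degrees of freedom, for testing
    H0: no correlation. Look the value up in a t table (or use a stats
    library) to get the two-tailed p-value the slide quotes as p < .001."""
    if abs(r) >= 1:
        return math.inf
    return r * math.sqrt((n - 2) / (1 - r * r))


def run_analysis(culture, behavior):
    """Reliability of each scale, mean scale scores, and the culture/behavior correlation."""
    c_scores, b_scores = scale_scores(culture), scale_scores(behavior)
    r = pearson_r(c_scores, b_scores)
    return {
        "n": len(c_scores),
        "alpha_culture": cronbach_alpha(culture),
        "alpha_behavior": cronbach_alpha(behavior),
        "mean_culture": mean(c_scores),
        "mean_behavior": mean(b_scores),
        "r": r,
        "t": t_statistic(r, len(c_scores)),
    }


if __name__ == "__main__":
    for key, value in run_analysis(CULTURE_ITEMS, BEHAVIOR_ITEMS).items():
        text = f"{value:.3f}" if isinstance(value, float) else str(value)
        print(f"{key:>15}: {text}")
```

Because the constructed rows answer both scales almost identically, the correlation comes out far stronger than the study's R = .516; swapping in real survey rows (ten items per scale, 1..5 each) gives scale scores on the same 10 to 50 range as the 37.75 and 41.69 on slides 25 and 26.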
  • 28. Key Findings: Brady Set of Measures are Excellent and Applicable Broadly; Moderately High Level of Security Culture, 37.75; High Level of Security Behavior, 41.69; Statistically Significant (p < .001) Correlation Between Culture and Behavior; 52% of CIOs Report to CEOs, 48% Report to CFO and Others; Smaller Organizations Tend Not to Have CISOs; 78% of Respondents Report Insider Breaches; Personal Connection Critical to Obtain Responses from this Elusive