Impact of Security Culture on Security Compliance in Healthcare in the USA: Results from a National...
Impact of Security Culture on Security Compliance in Healthcare in the USA: Results from a National Study
Mansur Hasib, D.Sc., CISSP, PMP, CPHIMS
November 2013
Personal Introduction
• Public, private and education sector experiences
• Lived in many states and travelled through all 50 states of the USA
• 25+ years' experience managing IT
• 12 years as CIO in healthcare and biotechnology
• Doctor of Science in Information Assurance – 2013
• Adjunct Faculty – Carnegie Mellon and UMBC
Agenda
• Information Assurance in Healthcare
• Key Terms
• Identify the Problem being Examined
• Overarching Question
• What Others Have Found
• Purpose and Methodology
• Results of My Study
• My Key Findings
• Key Recommendations
• Contributions Made by This Research Study
• Questions
Information Assurance Model - 2001
Note. Adapted from “A Model for Information Assurance: An Integrated Approach,” by W. V. Maconachy, C. D. Schou, D. Ragsdale, and D. Welch, June 2001. Paper presented at the 2001 IEEE Workshop on Information Assurance and Security, United States Military Academy, West Point, New York.
Key Terms
• Information Security Culture – Shared Organizational Values Related to Information Security
• Information Security Compliance – Information Security Behavior in Accordance with Organizational Policies
• People Controls – Managing People for Purposes of Information Assurance
Health Insurance Portability and Accountability Act - 1996
Note. Adapted from “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (NIST Special Publication 800-66, rev. 1),” by United States Department of Commerce, National Institute of Standards and Technology, 2008, p. 2.
HIPAA Security Rule 2003
• Requires Information Assurance Controls – Technology, Policy, and People
• Administrative Safeguards – Requires the Management of People for Information Assurance
NIST Publication 800-66
• National Institute of Standards and Technology
• Provides Compliance Standards for Federal Law
• 800-66 for HIPAA Focuses on Policy and Process
• 800-66 Ignores the Management of People
Business Problem
• In 2012, sixteen years after the enactment of HIPAA, over 80% of the security breaches in US healthcare are attributable to behaviors of people within the organization (HIMSS Analytics, 2008, 2010, 2012; Ponemon Institute, 2009).
• Compliance with NIST 800-66 will not solve this problem because people controls are ignored by this standard.
Overarching Question
Can healthcare information security executives achieve higher levels of security compliant behavior in their organizations by implementing an information security culture?
What Others Found
• People are the Weakest Link
• People Have a Behavior Choice
• Technology or Policy Alone Does not Govern Behavior
• Culture Influences Behavior
• Management Engagement is Required for Implementing Culture
• Management Needs to Obtain Buy In from People
Compliance Factors
• Organizational Level for Security Governance
• CIO Role and Reporting Level
• Executive Management Engagement
• Benevolent Management
• Employee Empowerment
• Policy Enforcement
• Monitoring
• Information Security Culture
• Human Firewall
Purpose
The purpose of this study was to examine the relationship between the level of implementation of a security culture and the level of security compliance behavior in US healthcare organizations. Brady (2010) had examined the relationship in USA and Canadian Academic Medical Centers using a 61-item validated survey instrument. Brady’s survey respondent pool and geographic locations were too broad: HIPAA is a US federal law and does not apply in Canada, and the new HITECH laws and the ACA are not applicable to Canada either. Literature also shows that culture and compliance policy are impacted by senior leadership.
Specific Research Questions
1. To what extent is a security culture implemented in the healthcare sector?
2. To what extent is security compliant behavior exhibited in the healthcare sector?
3. To what extent does implementation of a security culture impact security compliant behavior?
Hypotheses
• H1: The level of implementation of a security culture in the healthcare sector will be low.
• H2: The level of security compliance behavior in the healthcare sector will be low.
• H3: Implementation of a security culture will be positively related to the level of security compliance behavior in the healthcare sector.
• The corresponding null hypothesis statistically tested was:
• H3₀: There is no relationship between the level of implementation of a security culture and the level of security compliance behavior in the healthcare sector.
Variables and Scope
• This study has two main variables:
• Dependent Variable – Level of Security Compliance Behavior
• Independent Variable – Level of Security Culture
• This study was limited to CIOs and CISOs or equivalent senior roles within the USA. The study was broadened to include all types of healthcare providers.
Measures and Survey Instrument
• Brady (2010) Validated Measures Used with Permission to Measure two Main Variables:
• Dependent Variable – Level of Security Compliance Behavior
• Independent Variable – Level of Security Culture
Demographics:
• Size of Organization, Role of Respondent, Reporting Relationship, % of Security Incidents Attributed to Insiders, % of Budget Spent on Security, Existence and Plans for CISO Role
• Survey Instrument Used Brady (2010) Measures with Permission
Data Collection
• Survey sent to 124 CIOs and CISOs in healthcare known to me.
• NH-ISAC sent out additional invitations to 2,347 CIOs and CISOs.
• 67 responses received. 40 from CIOs and CISOs known to me. 27 possibly from NH-ISAC pool.
• Response rate of 2.7% overall. Rate of 32% from personal pool.
• Sample size error rate is 4% for an unknown size population.
Logistics of Data Collection
• CIOs, CISOs and Equivalent Executives in US Healthcare
• National Survey
• Limited to 26 Questions and Under 10 Minutes to Respond
• Six Demographics and 20 Brady Questions
• Ten Measures for Security Culture – Cronbach’s Alpha .9
• Ten Measures for Security Behavior – Cronbach’s Alpha .9
• Personal Appeal to CIO, CISO Contacts and NH-ISAC
Size of Organization
Role of the Respondent
Reporting Relationships
Role     CEO         CFO         CIO         Other Administrator   Total
CIOs     20 (44%)    12 (27%)    6 (13%)     7 (16%)               45
CISOs    1 (5%)      0 (0%)      17 (77%)    4 (18%)               22
Total                                                              67
Presence of Chief Information Security Officer Role
Insider Incidents
RANGE     FREQUENCY   PROPORTION
0-19%     14          22%
20-39%    18          29%
40-59%    4           6%
60-79%    5           8%
80-99%    8           13%
100%      14          22%
N=63                  100%
78% Reported Insider Incidents
49% Respondents Reported 40-100% Insider Incidents
Level of Security Culture
Moderately High Level of Security Culture – 37.75
Level of Security Compliant Behavior
High Level of Security Compliant Behavior – 41.69
Pearson’s R Correlation
p < .001, R=.516
Influence of Security Culture on Security Compliance
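As an added illustration, not part of the original presentation or of Brady's instrument, the following computes the two statistics quoted on these slides: Cronbach's alpha for a multi-item Likert scale (the slides report .9 for each ten-item scale) and Pearson's r between the summed culture and behavior scores (the slides report R=.516). The four-item scales and the six respondents' answers are constructed sample data, not study data.

```python
from math import sqrt

# Constructed sample (not study data): six respondents answering four
# security-culture items and four security-behavior items on a 1-5 Likert
# scale. The study used ten items per scale; the arithmetic is identical.
CULTURE = [
    [5, 4, 5, 4], [2, 2, 3, 2], [4, 4, 4, 5],
    [3, 2, 3, 3], [5, 5, 4, 5], [1, 2, 1, 2],
]
BEHAVIOR = [
    [4, 5, 4, 4], [3, 2, 2, 3], [4, 4, 5, 4],
    [2, 3, 3, 2], [5, 4, 5, 5], [2, 1, 2, 1],
]


def _mean(xs):
    return sum(xs) / len(xs)


def _sample_var(xs):
    # Sample variance with the n-1 denominator.
    m = _mean(xs)
    return sum((x - m) ** 2 for x in xs) / (len(xs) - 1)


def scale_scores(responses):
    """Sum each respondent's item answers into one scale score."""
    return [sum(row) for row in responses]


def cronbach_alpha(responses):
    """Internal consistency: k/(k-1) * (1 - sum(item variances) / var(total score))."""
    k = len(responses[0])
    item_vars = [_sample_var([row[i] for row in responses]) for i in range(k)]
    return k / (k - 1) * (1 - sum(item_vars) / _sample_var(scale_scores(responses)))


def pearson_r(xs, ys):
    """Pearson correlation between two equal-length lists of scale scores."""
    mx, my = _mean(xs), _mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return cov / sqrt(sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys))


def analyze(culture, behavior):
    """Reliability of each scale plus the culture-behavior correlation."""
    return {
        "alpha_culture": cronbach_alpha(culture),
        "alpha_behavior": cronbach_alpha(behavior),
        "r": pearson_r(scale_scores(culture), scale_scores(behavior)),
    }


if __name__ == "__main__":
    print(analyze(CULTURE, BEHAVIOR))
```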
Key Findings
• Brady Set of Measures are Excellent and Applicable Broadly
• Moderately High Level of Security Culture – 37.75
• High Level of Security Behavior – 41.69
• Statistically Significant p < .001 Correlation Between Culture and Behavior
• 52% CIOs Report to CEOs. 48% Report to CFO and Others
• Smaller Organizations Tend Not to Have CISOs
• 78% Respondents Report Insider Breaches
• Personal Connection Critical to Obtain Responses from this Elusive Respondent Pool
Key Recommendation
• Focus on People Controls
– People Controls are Cheaper than Technical Controls
– People Controls Govern Security Behavior
– People Controls Become Stronger Over Time
– People Controls Target a Major Source of Breaches
Additional Recommendations
• Focus on IT Strategy Rather Than Cost (48% Report to CFO?)
• Focus on Risk Management not Compliance
• Modify NIST 800-66 -- Base on Maconachy et al.
• Replace HIPAA -- Base on Maconachy et al.
• Stop Marketing Buzzwords Like Cybersecurity – Promote Information Assurance as Holistic Discipline which Balances Technology, Policy, and People Controls for Mission Driven Organizational Strategy Powered by IT
Contributions
• Applies a Well Established IA Model to Problem
• Provides Outline for People Controls Framework
• Strengthens Validity for Brady Measures – Applies Broadly
• Provides Understanding of the Level of Security Culture
• Provides Understanding of the Level of Security Compliance
• Demonstrates a Strong Relationship between Culture and Compliance
• Highlights the Importance of People Controls
Hasib, M. (2013). Impact of Security Culture on Security Compliance in Healthcare in the USA. Laurel, MD: Capitol College.
Cited in the references for the new healthcare security and privacy certification from ISC2
References
Copyright Mansur Hasib 2013. This work is the intellectual property of the author. With proper author attribution, anyone may share and use material from this presentation for non-commercial, educational purposes provided this copyright statement is on the reproduced materials. For other use, written permission from the author is required.