Impact of Security Culture on Security Compliance in Healthcare in the USA: Results from a National Study
Mansur Hasib, D.Sc., CISSP, PMP, CPHIMS
November 2013

Description

This presentation shares results from a national study of CIOs and CISOs in US healthcare to point out the importance of a balanced information assurance strategy composed of technology, policy, and people. The Health Insurance Portability and Accountability Act (HIPAA) became law in 1996 with security and privacy requirements. The administrative safeguards of HIPAA require policies and the management of people. Information assurance requires three controls: technology, policy, and people. The National Institute of Standards and Technology (NIST) Document 800-66, which provides guidance for HIPAA, does not address people controls and does not map well to an accepted information assurance model. Data on breaches in healthcare show that 80-90% of breaches are caused by insiders. This study shows that people management within the organization continues to be important for an enterprise security strategy.

Transcript of Impact of Security Culture on Security Compliance in Healthcare in the USA: Results from a National...

Page 1: Impact of Security Culture on Security Compliance in Healthcare in the USA: Results from a National Study

Impact of Security Culture on Security Compliance in Healthcare in the USA: Results from a National Study

Mansur Hasib, D.Sc., CISSP, PMP, CPHIMS

November 2013

Page 2

Personal Introduction

• Public, private and education sector experiences
• Lived in many states and travelled through all 50 states of the USA
• 25+ years experience managing IT
• 12 years as CIO in healthcare and biotechnology
• Doctor of Science in Information Assurance – 2013
• Adjunct Faculty – Carnegie Mellon and UMBC

Page 3

Agenda

• Information Assurance in Healthcare
• Key Terms
• Identify the Problem being Examined
• Overarching Question
• What Others Have Found
• Purpose and Methodology
• Results of My Study
• My Key Findings
• Key Recommendations
• Contributions Made by This Research Study
• Questions

Page 4

Information Assurance Model – 2001

Note. Adapted from “A Model for Information Assurance: An Integrated Approach,” by W. V. Maconachy, C. D. Schou, D. Ragsdale, and D. Welch, 2001, June. Paper presented at the 2001 IEEE Workshop on Information Assurance and Security, United States Military Academy, West Point, New York: New York.

Page 5

Key Terms

• Information Security Culture – Shared Organizational Values Related to Information Security
• Information Security Compliance – Information Security Behavior in Accordance with Organizational Policies
• People Controls – Managing People for Purposes of Information Assurance

Page 6

Health Insurance Portability and Accountability Act – 1996

Note. Adapted from “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (NIST Special Publication 800-66, rev. 1),” by United States Department of Commerce, National Institute of Standards and Technology, 2008, p. 2.

Page 7

HIPAA Security Rule 2003

• Requires Information Assurance Controls – Technology, Policy, and People
• Administrative Safeguards – Requires the Management of People for Information Assurance

Page 8

NIST Publication 800-66

• National Institute of Standards and Technology
• Provides Compliance Standards for Federal Law
• 800-66 for HIPAA Focuses on Policy and Process
• 800-66 Ignores the Management of People

Page 9

Business Problem

• In 2012, sixteen years after the enactment of HIPAA, over 80% of the security breaches in US healthcare are attributable to behaviors of people within the organization (HIMSS Analytics, 2008, 2010, 2012; Ponemon Institute, 2009).
• Compliance with NIST 800-66 will not solve this problem because people controls are ignored by this standard.

Page 10

Overarching Question

Can healthcare information security executives achieve higher levels of security compliant behavior in their organizations by implementing an information security culture?

Page 11

What Others Found

• People are the Weakest Link
• People Have a Behavior Choice
• Technology or Policy Alone Does not Govern Behavior
• Culture Influences Behavior
• Management Engagement is Required for Implementing Culture
• Management Needs to Obtain Buy In from People

Page 12

Compliance Factors

• Organizational Level for Security Governance
• CIO Role and Reporting Level
• Executive Management Engagement
• Benevolent Management
• Employee Empowerment
• Policy Enforcement
• Monitoring
• Information Security Culture
• Human Firewall

Page 13

Purpose

The purpose of this study was to examine the relationship between the level of implementation of a security culture and the level of security compliance behavior in US healthcare organizations. Brady (2010) had examined the relationship in USA and Canadian Academic Medical Centers using a 61-item validated survey instrument. Brady’s survey respondent pool and geographic locations were too broad. HIPAA is a US federal law and does not apply in Canada. Literature also shows that culture and compliance policy are impacted by senior leadership. The new HITECH laws and the ACA are not applicable to Canada either.

Page 14

Specific Research Questions

1. To what extent is a security culture implemented in the healthcare sector?
2. To what extent is security compliant behavior exhibited in the healthcare sector?
3. To what extent does implementation of a security culture impact security compliant behavior?

Page 15

Hypotheses

• H1: The level of implementation of a security culture in the healthcare sector will be low.
• H2: The level of security compliance behavior in the healthcare sector will be low.
• H3: Implementation of a security culture will be positively related to the level of security compliance behavior in the healthcare sector.
• The corresponding null hypothesis statistically tested was:
• H3₀: There is no relationship between the level of implementation of a security culture and the level of security compliance behavior in the healthcare sector.

Page 16

Variables and Scope

• This study has two main variables:
• Dependent Variable – Level of Security Compliance Behavior
• Independent Variable – Level of Security Culture
• This study was limited to CIOs and CISOs or equivalent senior roles within the USA. The study was broadened to include all types of healthcare providers.

Page 17

Measures and Survey Instrument

• Brady (2010) Validated Measures Used with Permission to Measure two Main Variables:
• Dependent Variable – Level of Security Compliance Behavior
• Independent Variable – Level of Security Culture

Demographics:

• Size of Organization, Role of Respondent, Reporting Relationship, % of Security Incidents Attributed to Insiders, % of Budget Spent on Security, Existence and Plans for CISO Role
• Survey Instrument Used Brady (2010) Measures with Permission

Page 18

Data Collection

• Survey sent to 124 CIOs and CISOs in healthcare known to me.
• NH-ISAC sent out additional invitations to 2,347 CIOs and CISOs.
• 67 responses received. 40 from CIOs and CISOs known to me. 27 possibly from NH-ISAC pool.
• Response rate of 2.7% overall. Rate of 32% from personal pool.
• Sample size error rate is 4% for an unknown size population.

Page 19

Logistics of Data Collection

• CIOs, CISOs and Equivalent Executives in US Healthcare
• National Survey
• Limited to 26 Questions and Under 10 Minutes to Respond
• Six Demographics and 20 Brady Questions
• Ten Measures for Security Culture – Cronbach’s Alpha .9
• Ten Measures for Security Behavior – Cronbach’s Alpha .9
• Personal Appeal to CIO, CISO Contacts and NH-ISAC

Page 20

Size of Organization

Page 21

Role of the Respondent

Page 22

Reporting Relationships

Role     CEO        CFO        CIO        Other Administrator   Total
CIOs     20 (44%)   12 (27%)   6 (13%)    7 (16%)               45
CISOs    1 (5%)     0 (0%)     17 (77%)   4 (18%)               22
Total                                                           67

Page 23

Presence of Chief Information Security Officer Role

Page 24

Insider Incidents

Range     Frequency   Proportion
0-19%     14          22%
20-39%    18          29%
40-59%    4           6%
60-79%    5           8%
80-99%    8           13%
100%      14          22%
N=63                  100%

78% Reported Insider Incidents

49% Respondents Reported 40-100% Insider Incidents

Page 25

Level of Security Culture

Moderately High Level of Security Culture – 37.75

Page 26

Level of Security Compliant Behavior

High Level of Security Compliant Behavior – 41.69

Page 27

Pearson’s R Correlation

p < .001, R=.516

Influence of Security Culture on Security Compliance
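The statistics the deck reports on Pages 19 and 27 (Cronbach’s alpha for each ten-item measure, and Pearson’s R between the two scale scores) can be reproduced from raw survey responses with a few lines of arithmetic. The block below is an added example, not the study’s own code or data: the six respondents, the ten-item layout and the 1–5 response scale are all constructed assumptions, and the scale scores it computes are therefore not comparable to the study’s 37.75 and 41.69.

```python
"""Scale reliability (Cronbach's alpha) and correlation (Pearson's r)
for two survey measures, computed from constructed example responses."""
import math
from statistics import mean, pvariance

# Constructed data (assumption, not the study's responses): 6 hypothetical
# respondents, each answering 10 items per measure on a 1-5 agreement scale.
CULTURE = [
    [4, 4, 5, 4, 4, 5, 4, 4, 5, 4],
    [2, 3, 2, 2, 3, 2, 2, 3, 2, 2],
    [5, 5, 5, 4, 5, 5, 5, 4, 5, 5],
    [3, 3, 4, 3, 3, 3, 4, 3, 3, 3],
    [4, 3, 4, 4, 4, 3, 4, 4, 4, 3],
    [2, 2, 2, 3, 2, 2, 2, 3, 2, 2],
]
BEHAVIOR = [
    [4, 5, 4, 4, 5, 4, 4, 5, 4, 4],
    [3, 2, 3, 3, 2, 3, 3, 2, 3, 3],
    [5, 5, 5, 5, 4, 5, 5, 5, 4, 5],
    [3, 4, 3, 3, 4, 3, 3, 4, 3, 3],
    [4, 4, 4, 3, 4, 4, 4, 3, 4, 4],
    [2, 3, 2, 2, 3, 2, 2, 3, 2, 2],
]


def totals(item_scores):
    """Sum each respondent's item scores into one scale score (10-50 here)."""
    return [sum(resp) for resp in item_scores]


def cronbach_alpha(item_scores):
    """Internal-consistency reliability of a k-item scale.
    alpha = k/(k-1) * (1 - sum(item variances) / variance(scale totals)).
    Population variance is used throughout; the ratio is the same either way."""
    k = len(item_scores[0])
    item_vars = [pvariance([resp[i] for resp in item_scores]) for i in range(k)]
    total_var = pvariance(totals(item_scores))
    return k / (k - 1) * (1 - sum(item_vars) / total_var)


def pearson_r(xs, ys):
    """Pearson product-moment correlation between two equal-length series."""
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy)


def t_statistic(r, n):
    """t value for testing r against zero; its p-value comes from the
    t distribution with n-2 degrees of freedom (not computed here)."""
    return r * math.sqrt((n - 2) / (1 - r * r))


def analyze(culture=CULTURE, behavior=BEHAVIOR):
    """Reliability of each measure, mean scale scores, and their correlation."""
    n = len(culture)
    c, b = totals(culture), totals(behavior)
    r = pearson_r(c, b)
    return {
        "n": n,
        "culture_alpha": cronbach_alpha(culture),
        "behavior_alpha": cronbach_alpha(behavior),
        "culture_mean": mean(c),
        "behavior_mean": mean(b),
        "r": r,
        "t": t_statistic(r, n),
    }


if __name__ == "__main__":
    for name, value in analyze().items():
        print(f"{name}: {value:.3f}")
```

With real survey exports the two lists would be built from one row per respondent; `cronbach_alpha` is what the deck’s “Cronbach’s Alpha .9” summarizes for each ten-item block, and `pearson_r` on the two total columns is the R=.516 figure. The null hypothesis H3₀ is rejected when the t value from `t_statistic` is unlikely under a t distribution with n-2 degrees of freedom, which is where the reported p < .001 comes from.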

Page 28

Key Findings

• Brady Set of Measures are Excellent and Applicable Broadly
• Moderately High Level of Security Culture – 37.75
• High Level of Security Behavior – 41.69
• Statistically Significant p < .001 Correlation Between Culture and Behavior
• 52% CIOs Report to CEOs. 48% Report to CFO and Others
• Smaller Organizations Tend Not to Have CISOs
• 78% Respondents Report Insider Breaches
• Personal Connection Critical to Obtain Responses from this Elusive Respondent Pool

Page 29

Key Recommendation

• Focus on People Controls
  – People Controls are Cheaper than Technical Controls
  – People Controls Govern Security Behavior
  – People Controls Become Stronger Over Time
  – People Controls Target a Major Source of Breaches

Page 30

Additional Recommendations

• Focus on IT Strategy Rather Than Cost (48% Report to CFO?)
• Focus on Risk Management not Compliance
• Modify NIST 800-66 – Base on Maconachy et al.
• Replace HIPAA – Base on Maconachy et al.
• Stop Marketing Buzzwords Like Cybersecurity – Promote Information Assurance as Holistic Discipline which Balances Technology, Policy, and People Controls for Mission Driven Organizational Strategy Powered by IT

Page 31

Contributions

• Applies a Well Established IA Model to Problem
• Provides Outline for People Controls Framework
• Strengthens Validity for Brady Measures – Applies Broadly
• Provides Understanding of the Level of Security Culture
• Provides Understanding of the Level of Security Compliance
• Demonstrates a Strong Relationship between Culture and Compliance
• Highlights the Importance of People Controls

Page 32

[email protected]

Hasib, M. (2013). Impact of Security Culture on Security Compliance in Healthcare in the USA, Laurel, MD: Capitol College.

Cited in the references for new healthcare security and privacy certification from ISC2

References

Copyright Mansur Hasib 2013. This work is the intellectual property of the author. With proper author attribution, anyone may share and use material from this presentation for non-commercial, educational purposes provided this copyright statement is on the reproduced materials. For other use, written permission from the author is required.