Impact of Security Culture on Security Compliance in Healthcare in the USA: Results from a National Study

This presentation shares results from a national study of CIOs and CISOs in US healthcare to point out the importance of a balanced information assurance strategy composed of technology, policy, and people. The Health Insurance Portability and Accountability Act (HIPAA) became law in 1996 with security and privacy requirements. The administrative safeguards of HIPAA require policies and the management of people. Information assurance requires three controls: technology, policy, and people. The National Institute of Standards and Technology (NIST) document 800-66, which provides guidance for HIPAA, does not address people controls and does not map well to an accepted information assurance model. Data on breaches in healthcare show that 80-90% of breaches are caused by insiders. This study shows that people management within the organization continues to be important for an enterprise security strategy.

Published in: Business, Technology
Impact of Security Culture on Security Compliance in Healthcare in the USA: Results from a National Study

  1. Impact of Security Culture on Security Compliance in Healthcare in the USA: Results from a National Study
     Mansur Hasib, D.Sc., CISSP, PMP, CPHIMS
     November 2013
  2. Personal Introduction
     • Public, private and education sector experiences
     • Lived in many states and travelled through all 50 states of the USA
     • 25+ years experience managing IT
     • 12 years as CIO in healthcare and biotechnology
     • Doctor of Science in Information Assurance – 2013
     • Adjunct Faculty – Carnegie Mellon and UMBC
  3. Agenda
     • Information Assurance in Healthcare
     • Key Terms
     • Identify the Problem being Examined
     • Overarching Question
     • What Others Have Found
     • Purpose and Methodology
     • Results of My Study
     • My Key Findings
     • Key Recommendations
     • Contributions Made by This Research Study
     • Questions
  4. Information Assurance Model 2001
     Note. Adapted from “A Model for Information Assurance: An Integrated Approach,” by W. V. Maconachy, C. D. Schou, D. Ragsdale, and D. Welch, 2001, June. Paper presented at the 2001 IEEE Workshop on Information Assurance and Security, United States Military Academy, West Point, New York.
  5. Key Terms
     • Information Security Culture – Shared Organizational Values Related to Information Security
     • Information Security Compliance – Information Security Behavior in Accordance with Organizational Policies
     • People Controls – Managing People for Purposes of Information Assurance
  6. Health Insurance Portability and Accountability Act - 1996
     Note. Adapted from “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (NIST Special Publication 800-66, rev. 1),” by United States Department of Commerce, National Institute of Standards and Technology, 2008, p. 2.
  7. HIPAA Security Rule 2003
     • Requires Information Assurance Controls – Technology, Policy, and People
     • Administrative Safeguards – Requires the Management of People for Information Assurance
  8. NIST Publication 800-66
     • National Institute of Standards and Technology
     • Provides Compliance Standards for Federal Law
     • 800-66 for HIPAA Focuses on Policy and Process
     • 800-66 Ignores the Management of People
  9. Business Problem
     • In 2012, sixteen years after the enactment of HIPAA, over 80% of the security breaches in US healthcare are attributable to behaviors of people within the organization (HIMSS Analytics, 2008, 2010, 2012; Ponemon Institute, 2009).
     • Compliance with NIST 800-66 will not solve this problem because people controls are ignored by this standard.
  10. Overarching Question
     Can healthcare information security executives achieve higher levels of security compliant behavior in their organizations by implementing an information security culture?
  11. What Others Found
     • People are the Weakest Link
     • People Have a Behavior Choice
     • Technology or Policy Alone Does not Govern Behavior
     • Culture Influences Behavior
     • Management Engagement is Required for Implementing Culture
     • Management Needs to Obtain Buy In from People
  12. Compliance Factors
     • Organizational Level for Security Governance
     • CIO Role and Reporting Level
     • Executive Management Engagement
     • Benevolent Management
     • Employee Empowerment
     • Policy Enforcement
     • Monitoring
     • Information Security Culture
     • Human Firewall
  13. Purpose
     The purpose of this study was to examine the relationship between the level of implementation of a security culture and the level of security compliance behavior in US healthcare organizations. Brady (2010) had examined the relationship in US and Canadian Academic Medical Centers using a 61-item validated survey instrument. Brady’s survey respondent pool and geographic locations were too broad. HIPAA is a US federal law and does not apply in Canada. Literature also shows that culture and compliance policy are impacted by senior leadership. The new HITECH laws and the ACA are not applicable to Canada either.
  14. Specific Research Questions
     1. To what extent is a security culture implemented in the healthcare sector?
     2. To what extent is security compliant behavior exhibited in the healthcare sector?
     3. To what extent does implementation of a security culture impact security compliant behavior?
  15. Hypotheses
     • H1: The level of implementation of a security culture in the healthcare sector will be low.
     • H2: The level of security compliance behavior in the healthcare sector will be low.
     • H3: Implementation of a security culture will be positively related to the level of security compliance behavior in the healthcare sector.
     • The corresponding null hypothesis statistically tested was:
     • H3₀: There is no relationship between the level of implementation of a security culture and the level of security compliance behavior in the healthcare sector.
  16. Variables and Scope
     • This study has two main variables:
       • Dependent Variable – Level of Security Compliance Behavior
       • Independent Variable – Level of Security Culture
     • This study was limited to CIOs and CISOs or equivalent senior roles within the USA. The study was broadened to include all types of healthcare providers.
  17. Measures and Survey Instrument
     • Brady (2010) Validated Measures Used with Permission to Measure two Main Variables:
       • Dependent Variable – Level of Security Compliance Behavior
       • Independent Variable – Level of Security Culture
     • Demographics: Size of Organization, Role of Respondent, Reporting Relationship, % of Security Incidents Attributed to Insiders, % of Budget Spent on Security, Existence and Plans for CISO Role
     • Survey Instrument Used Brady (2010) Measures with Permission
  18. Data Collection
     • Survey sent to 124 CIOs and CISOs in healthcare known to me.
     • NH-ISAC sent out additional invitations to 2,347 CIOs and CISOs.
     • 67 responses received. 40 from CIOs and CISOs known to me. 27 possibly from NH-ISAC pool.
     • Response rate of 2.7% overall. Rate of 32% from personal pool.
     • Sample size error rate is 4% for an unknown size population.
  19. Logistics of Data Collection
     • CIOs, CISOs and Equivalent Executives in US Healthcare
     • National Survey
     • Limited to 26 Questions and Under 10 Minutes to Respond
     • Six Demographics and 20 Brady Questions
     • Ten Measures for Security Culture – Cronbach’s Alpha .9
     • Ten Measures for Security Behavior – Cronbach’s Alpha .9
     • Personal Appeal to CIO, CISO Contacts and NH-ISAC
  20. Size of Organization
  21. Role of the Respondent
  22. Reporting Relationships (rows are the respondent’s role, columns are whom they report to)
     CIOs (N=45):  CEO 20 (44%)   CFO 12 (27%)   Other 6 (13%)   Administrator 7 (16%)
     CISOs (N=22): CEO 1 (5%)     CFO 0 (0%)     CIO 17 (77%)    Administrator 4 (18%)
     Total respondents: 67
  23. Presence of Chief Information Security Officer Role
  24. Insider Incidents
     RANGE     FREQUENCY   PROPORTION
     0-19%        14          22%
     20-39%       18          29%
     40-59%        4           6%
     60-79%        5           8%
     80-99%        8          13%
     100%         14          22%
     N=63                    100%
     78% Reported Insider Incidents
     49% of Respondents Reported 40-100% Insider Incidents
  25. Level of Security Culture
     Moderately High Level of Security Culture – 37.75
  26. Level of Security Compliant Behavior
     High Level of Security Compliant Behavior – 41.69
  27. Pearson’s R Correlation
     Influence of Security Culture on Security Compliance
     p < .001, R=.516
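The significance reported on the correlation slide can be checked from the two numbers it gives. The calculation below is an added worked example, not part of the original presentation; it assumes the correlation was computed over all N = 67 survey responses (the insider-incident table reports N = 63, so the exact N for this statistic is an assumption) and applies the standard t-test for a Pearson correlation coefficient.

$$
t \;=\; r\sqrt{\frac{n-2}{1-r^{2}}}
\;=\; 0.516\sqrt{\frac{67-2}{1-0.516^{2}}}
\;=\; 0.516\sqrt{\frac{65}{0.7337}}
\;\approx\; 0.516 \times 9.41
\;\approx\; 4.86
$$

With $df = n - 2 = 65$, the two-tailed critical value of $t$ at $\alpha = .001$ is about $3.45$, so $t \approx 4.86$ places $p$ well below $.001$, which is what the slide states. The conclusion does not depend on the assumed sample size: with $N = 63$ ($df = 61$) the same formula gives $t \approx 4.70$ against a critical value of about $3.46$. The effect size is $r^{2} = 0.516^{2} \approx 0.27$, so roughly 27% of the variance in the security-compliance score is shared with the security-culture score; the remaining variance is what the slides’ other compliance factors (reporting level, management engagement, enforcement, monitoring) would have to explain.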
  28. Key Findings
     • Brady Set of Measures are Excellent and Applicable Broadly
     • Moderately High Level of Security Culture – 37.75
     • High Level of Security Behavior – 41.69
     • Statistically Significant p < .001 Correlation Between Culture and Behavior
     • 52% CIOs Report to CEOs. 48% Report to CFO and Others
     • Smaller Organizations Tend Not to Have CISOs
     • 78% Respondents Report Insider Breaches
     • Personal Connection Critical to Obtain Responses from this Elusive Respondent Pool
  29. Key Recommendation
     • Focus on People Controls
       – People Controls are Cheaper than Technical Controls
       – People Controls Govern Security Behavior
       – People Controls Become Stronger Over Time
       – People Controls Target a Major Source of Breaches
  30. Additional Recommendations
     • Focus on IT Strategy Rather Than Cost (48% Report to CFO?)
     • Focus on Risk Management not Compliance
     • Modify NIST 800-66 – Base on Maconachy et al.
     • Replace HIPAA – Base on Maconachy et al.
     • Stop Marketing Buzzwords Like Cybersecurity – Promote Information Assurance as a Holistic Discipline which Balances Technology, Policy, and People Controls for Mission Driven Organizational Strategy Powered by IT
  31. Contributions
     • Applies a Well Established IA Model to Problem
     • Provides Outline for People Controls Framework
     • Strengthens Validity for Brady Measures – Applies Broadly
     • Provides Understanding of the Level of Security Culture
     • Provides Understanding of the Level of Security Compliance
     • Demonstrates a Strong Relationship between Culture and Compliance
     • Highlights the Importance of People Controls
  32. References
     Hasib, M. (2013). Impact of Security Culture on Security Compliance in Healthcare in the USA. Laurel, MD: Capitol College.
     Cited in the references for the new healthcare security and privacy certification from ISC2.
     MansurHasib@gmail.com
     Copyright Mansur Hasib 2013. This work is the intellectual property of the author. With proper author attribution, anyone may share and use material from this presentation for non-commercial, educational purposes provided this copyright statement is on the reproduced materials. For other use, written permission from the author is required.
