The Basics on Measuring an I.T. Security Program
Measuring the effectiveness of an organization’s information security program isn’t a slam dunk, but the overall metric to know how well information is protected is easy, said security consultant Tom Walsh, president at Tom Walsh Consulting in Overland Park, Kan. “If you can’t pass a HIPAA security audit, then your program doesn’t measure up.”
Walsh spoke at a session at HIMSS13 in New Orleans during which Alain Bouit, information security officer at 19-hospital Adventist Health in Roseville, Calif., walked through the basics of measuring a security program.
There are three levels of measurement, he noted--Enterprise, Entity and Control--each illustrated with an example of the threat, policy and measure that can arise at that level:
* “Enterprise” covers organization-wide threats to compliance with the HIPAA security rule, supported by an ongoing policy of maintaining compliance. The measure for this is the number of high-risk items found during an annual audit, Bouit explained.
* “Entity” covers the threat of a disaster in a local data center, with a policy to maintain protection and test disaster recovery procedures. The measure includes taking an inventory of locally hosted apps, updating the recovery plan and results from the most recent recovery exercise.
* “Control” covers the threat of unauthorized access with a policy of encrypting devices storing protected health information. The measure is a monthly report of the number of laptops and other devices that are not encrypted.
At Adventist Health, the effectiveness of the various components of these measures is rated on a 0-5 scale. Because risk protection can be prioritized under HIPAA, a score of 3 on the protection of certain applications may well be an acceptable level of risk, since higher-priority threats dictate where the greater resources go.