It’s not breaking news that the healthcare industry is becoming more regulated in an effort to protect patient information and improve care. Based on recent conversations I’ve had with auditors, the two largest sources of difficulty in achieving regulatory compliance are:

1. Comprehensively cataloging and documenting the extensive information security control measures necessitated by complex healthcare environments; and

2. Producing the assurance or evidence needed to confirm the controls are working correctly and effectively.

As a result, healthcare CISOs are increasingly focusing on the use of information security frameworks to help achieve regulatory compliance and answer increasing business demands for low-cost, reliable information security management. However, framework adoption is still limited throughout the healthcare industry.

One reason for the low adoption rates is that many healthcare organizations are too busy firefighting the results of their immature processes to spend time improving them. Yet it is clear from research that some organizations have significantly improved their security maturity and regulatory compliance through judicious adoption of a framework. The result has been more reliable controls, processes and services, and better support for transformational change and regulatory compliance. But choosing which information security framework will work best in your organization isn’t as simple as it seems. The following case study illustrates one hospital’s process for selecting the framework best suited to its needs.

Information Security Framework Adoption Case Study

There are some early leaders here. One Eastern U.S. hospital, which we’ll refer to as Hospital X, operates multiple facilities in various locations. Its information security program resembled that of many other hospitals in that it was missing the "enterprise" part. Hospital X had developed an information security policy and a set of security technologies and practices. However, it did not have a comprehensive information security program encompassing all of its facilities enterprise-wide. HIPAA was an organizational priority, but compliance lagged far behind management’s expectations.

Hospital X was typical in that it had diverse departments and services with autonomous operations and business processes. There were common information security controls and requirements in place, but also unique information security needs and expectations in some areas. It was generally perceived that protecting information was the overall responsibility of the Information Security and IT departments. As a result, clinical, ancillary and business departments were resolving their unique information security issues independently of one another, with little documentation or central coordination.


The impetus to devise a comprehensive information security framework derived from a review of how the enterprise would comply with security controls and requirements such as those identified in the HIPAA Security Rule and the PCI Data Security Standard. Hospital X's governance body, the Information Security Committee, therefore directed the Information Security Manager to develop and implement a framework that would meet the needs of all departments enterprise-wide as well as applicable security laws, regulations and standards. The objective of this effort was to establish an enterprise-wide information security framework that met both common and disparate business requirements. This framework would have to support flexible implementation, as needed in autonomous departments, while maintaining accountability to information security controls and requirements.


A project team was designated to coordinate the effort and act as the focal point for activities among the departments and the Information Security Committee. The project team was staffed with participants from the Information Security Office and other departments that had risk management as part of their mission. The project team’s goals were to:

* Identify industry-recognized information security frameworks,

* Determine what frameworks were employed by hospitals of similar size, and

* Recommend to the Information Security Committee a framework best suited for the organization.

The project team hired a security consultant to assist in its efforts and provide a broad perspective on the frameworks used by other hospitals throughout the country. Although a variety of frameworks were identified, the Risk Management Framework from the National Institute of Standards and Technology (NIST) caught the project team's attention. It provided a comprehensive framework for information security policy and practice, and it is backed by a whole family of detailed NIST publications that can support an enterprise-wide information security program. The NIST framework was flexible enough to meet the needs of the organization as a whole as well as those of individual departments. The NIST documentation is publicly available at no cost and aligns with regulatory requirements such as those contained in the HIPAA Security Rule.

HIPAA compliance was an organizational priority, and the Department of Health and Human Services (HHS) has issued publications that state, “although only Federal agencies are required to follow guidelines set by NIST, the guidelines represent the industry standard for good business practices with respect to standards for securing e-PHI” and “covered entities may use any of the NIST documents to the extent that they provide relevant guidance to that organization’s implementation activities.” These references are not intended to imply recommendation or endorsement by HHS. However, they gave the project team confidence that HHS was familiar with NIST and would support its use, which could benefit the organization during an Office for Civil Rights audit.


The project team presented its findings to the Information Security Committee and recommended NIST as the enterprise-wide framework. The Information Security Committee approved the recommendation, which provided the executive sponsorship necessary to help ensure buy-in and a successful implementation. Hospital X's information security team then developed an enterprise-wide framework and the associated implementation documentation and tools based on NIST. During this period, the information security team hired a security consulting firm to independently conduct a gap assessment to determine policy and practice implementation priorities.

The Information Security Committee also approved a measure that required departments to complete and submit an information security framework compliance plan, based on the recommendations from the gap assessment.

Hospital X now has a standards-based information security framework that provides flexibility for implementation within its departments, as well as accountability to regulatory requirements and standards. Most impressive is that, for the first time, there is one security policy, one framework and one baseline set of security requirements throughout the enterprise.

Critical Success Factors

From the beginning, the information security framework initiative received senior management support. Hospital X's choice of framework was well-known, industry-recognized and comprehensive. The project team took advantage of the lessons learned from other organizations. The Information Security Office acted as the communications and advisory center for complying with the framework, thereby ensuring coordination between departments and the Information Security Committee. A reasonable, phased implementation approach was established that began with an updated policy, followed by a gap assessment and ultimately security controls and requirements implementation.

The Information Security Committee saw opportunities to address common needs across the enterprise while coordinating with departments' efforts to determine their level of compliance with the new information security framework. For example, the committee took the common need for information security awareness training and met it centrally by implementing an enterprise-wide information security awareness program. The first phase is an introductory course that standardizes baseline awareness of information security. Subsequent phases include a module specific to the security policy and another on security risk assessment and management. In addition, the Information Security Office can now offer services that make sense to departments, such as policy gap analysis, because these services fall within the context of an established and understood framework. In many respects, this effort broke down barriers among the departments. For example, the Radiology Department is integrating information security into its operating plan, with the business manager acting as the department's information security manager.


Integrating and managing information security enterprise-wide, especially in larger healthcare organizations, is a challenge that requires the formalization of an information security framework. Such a framework establishes a structure of resources and principles with which a prioritized list of projects, tasks and activities can be managed. Effective information security management requires an integrated approach that makes security part of the core fabric of business processes and a key component of the organizational culture. This means infusing the key components of security (policy, process, behavior and technology) across all the dimensions of the enterprise. As healthcare organizations strive to become more aligned with security controls and requirements as well as achieve or maintain regulatory compliance, they will increasingly adopt an information security framework based on flexible policy management, a process-centric approach, realignment of roles and responsibilities, and adaptive security architectures to bring consistency and integration to information security management.

All Health Data Management content is archived after seven days.