An approach for developing comparative security metrics for healthcare organizations

Information sharing among different healthcare organizations is critical for efficient and cost effective healthcare service delivery. Isolated information systems need to be interconnected to ensure information exchange. Interconnectivity increases exposure to risk of damage, loss and fraud. Security and privacy of patients' information are concerns of all healthcare organizations. These concerns hinder the willingness to share data across different organizations. An objective assessment of organizational security posture is required in order to build trust among interconnected systems. Security metrics are a collection of several measurements taken at different points in time, compared against baselines and interpreted to reveal an understanding. They provide insight, improve performance and accountability, and can reveal the overall security posture of organization. The current security assessment practices focus either on measuring security programme effectiveness, auditing or assessment of individual information systems components like networks and software. These practices are not sufficient to reveal the overall security posture of organization. Also, their assessment results are not meaningfully comparable among different organizations. In this paper we propose an approach for developing security metrics to be used for assessing security posture of healthcare organizations. The metrics for this approach shall not be tailored to any specific organization to ensure comparable results.