The old adage, "You can't manage what you don't measure," still applies, and even more so today, with healthcare organizations facing a number of external and internal security challenges.

Externally, breach announcements seem to make the weekly news cycle, bringing information security issues to the forefront of public awareness. Federal regulations designed to protect patient information are now being actively enforced. Technology and the electronic health record continue to grow and become more deeply integrated into the delivery of healthcare.

Internally, the job of providing security is complicated by a variety of pressures, including the difficulty of managing competing priorities with limited resources, such as conducting incident investigations vs. implementing encryption on mobile devices.

As a result, healthcare organizations struggle to identify meaningful metrics that demonstrate progress is being made toward a more secure environment. Even organizations with relatively mature metrics programs are looking to improve their process and level of automation. These efforts often come about because management asks one seemingly simple question: How secure are we?

To answer this question, as well as set goals, meet performance expectations and improve overall security execution, healthcare organizations need to find and use strategic metrics and measurements.

In general, metrics and measurements are a necessity in business and the key to achieving important objectives. Security is no exception.

Metrics are used to predict risk and measure performance. Although the goals for tracking metrics are often the same, the ways in which healthcare organizations develop and utilize metrics can vary since different approaches can be taken to measure the effectiveness and maturity of their information security programs. For example, operational security metrics such as the number of intrusion attempts or anomalies detected can be reviewed in a weekly operations meeting, while technical and compliance metrics such as the percentage of devices without updated anti-virus software or encryption can be reported to governance committees on a monthly or quarterly basis.

Certain security metrics can also be rolled up and presented to senior management, the CEO and the board.

Within the information security program, you should identify units of measurement and tie them to the processes being measured so that they reflect your progress, such as the percentage of servers with the latest patches installed. The same approach applies to the processes and elements of the security program itself, such as the percentage of employees who have completed initial information security awareness training.

This allows performance measurement to span the entire security life cycle, including the security management and risk-related processes.

Although measuring different security processes and activities in isolation can be useful, a more important aspect of performance is measuring the relationships between different processes and recognizing how they align with your overall security strategy to form a defense-in-depth.

As your security metrics mature, key risk indicators (KRIs) and key performance indicators (KPIs) should be established by leveraging data gathered from various sources and then represented in spreadsheets, dashboards and custom tools built on industry-recognized frameworks. A metric designated as a KRI is generally used in efforts to predict and prevent. In contrast, a KPI is used to review and correct. In other words, KRIs are used to look into the future and KPIs are used to look at the past.

Existing data can reveal process breakdowns that need to be fixed before that data can be used as a reported metric. Which metrics to use to evaluate the effectiveness of security programs should be considered carefully, since the wrong metric could motivate behavior that is not directed toward the information security program goals and objectives. Also, keep in mind that metrics typically don’t tell the whole story and cannot replace common sense and logical thought.
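As an added illustration (not code from the original article), the script below computes two of the metrics named above from a constructed asset inventory, labels one a KPI (server patch coverage, looking back) and one a KRI (unencrypted laptops against a threshold, looking forward), and applies the data-quality caveat: it reconciles the inventory against a constructed endpoint-protection console export and marks console-derived metrics as not reportable while assets are missing. The inventory, console export and 10 percent KRI threshold are all assumed sample values.

```python
# Constructed sample data, not from the article. A real program would pull
# these from the CMDB, patch-management and AV/encryption consoles.
INVENTORY = [
    {"id": "srv-01", "type": "server", "patched": True},
    {"id": "srv-02", "type": "server", "patched": False},
    {"id": "srv-03", "type": "server", "patched": True},
    {"id": "lap-01", "type": "laptop", "encrypted": True},
    {"id": "lap-02", "type": "laptop", "encrypted": False},
    {"id": "lap-03", "type": "laptop", "encrypted": True},
    {"id": "lap-04", "type": "laptop", "encrypted": True},
]
# Asset IDs the endpoint-protection console reports on; lap-03/lap-04 are absent.
AV_CONSOLE = {"srv-01", "srv-02", "srv-03", "lap-01", "lap-02"}


def pct(num, den):
    """Percentage rounded to one decimal; None when there is nothing to measure."""
    return round(100.0 * num / den, 1) if den else None


def patch_coverage(inventory):
    """KPI: share of servers carrying the latest patches (looks at the past)."""
    servers = [a for a in inventory if a["type"] == "server"]
    return pct(sum(a["patched"] for a in servers), len(servers))


def unencrypted_mobile(inventory):
    """KRI input: share of laptops without encryption (predicts exposure)."""
    laptops = [a for a in inventory if a["type"] == "laptop"]
    return pct(sum(not a["encrypted"] for a in laptops), len(laptops))


def av_reconciliation(inventory, console_ids):
    """Process-breakdown check: console-based metrics are only meaningful when
    the console sees every inventoried asset, so list what it is missing."""
    missing = sorted(a["id"] for a in inventory if a["id"] not in console_ids)
    return {"reportable": not missing, "missing_from_console": missing}


def build_report(inventory, console_ids, kri_unencrypted_max=10.0):
    """Roll the metrics up into one dictionary suitable for a dashboard row."""
    unenc = unencrypted_mobile(inventory)
    return {
        "kpi_server_patch_pct": patch_coverage(inventory),
        "kri_unencrypted_laptop_pct": unenc,
        "kri_breached": unenc is not None and unenc > kri_unencrypted_max,
        "av_console": av_reconciliation(inventory, console_ids),
    }


if __name__ == "__main__":
    print(build_report(INVENTORY, AV_CONSOLE))
```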

So, in order to make themselves truly more secure, healthcare organizations:

* Need to build more formal metrics programs in order to better understand how well their information security programs are performing and whether security is improving.

* Need to establish a culture and process of continuous improvement in managing the effectiveness of their information security programs. One area of improvement is creating or expanding risk assessment efforts as a way of ensuring that the organization’s strategic needs are being met.

* Need to maintain or expand programs for the tactical discovery of vulnerabilities in the information security infrastructure. To reach a best-practice level of maturity, risk and vulnerability assessments should be supplemented with a baseline and repeated measurement of security spending, workload and service-level metrics.

* Finally, they need to employ metrics and measurement to illustrate and justify resources in support of their information security program and implement security improvements. Metrics and measurement can provide management with an objective viewpoint and a basis for sound decision making. They can offer clear, actionable information that allows healthcare organizations to analyze how and when incidents, audit findings and risk elements deviate from policies, standards and assessments.

The bottom line is that, by establishing metrics, healthcare organizations can anticipate future risk and opportunities for improvement, as well as measure performance against information security program goals.

Originally published by Health Data Management.