Set up metrics to evaluate your security programs.
HIM Connection, January 16, 2007
The good news: you have a robust security program in place that is well-supported by management, well-maintained, and successful so far. The bad news: you have no idea how well the individual aspects of your program are performing. Setting up a good security metrics program is vital to measuring how well your security efforts under HIPAA are really working and to figuring out where they need improvement.
Use goals to get started
A security metric is a measurement of whether a security program is meeting a specific security goal, and how efficient and effective it is in doing so. In general, a metric tracks performance and helps management make decisions to improve performance. You can use a security metric to determine whether the organization is properly implementing security policy, whether security services work as intended, and what your organization's security problems are.
A good place to start is by forming a committee of senior management from all major aspects of the organization and the information technology staff, along with compliance officials. This committee will set the overall priorities and goals for your security program. Then you can design metrics to measure those priorities. These goals can change over time as your security needs evolve.
Focus on more than just HIPAA
One reason for establishing a security metrics program is to ensure that you are complying with HIPAA and other security-related regulations. Documenting your security metrics program and using it to improve your security program can help your organization avoid fines, lawsuits, and other penalties.
However, setting the bar at regulatory compliance might not be high enough to adequately secure your organization. A good place to start is Information Technology-Security Techniques-Code of Practice for Information Security Management (commonly referred to as "ISO/IEC 17799"), a broad-based information security standard published by the International Organization for Standardization. Also consider any other federal or state regulations that might apply, such as the Sarbanes-Oxley Act. It's important to set a security goal for the organization that represents an attempt to achieve industry-defined best practices, in addition to meeting regulatory requirements.
Focus on your weaknesses. Identify your organization's most vulnerable areas and design metrics to measure performance in these areas. This approach can help you assess how serious the problems are and help bring management on board to support the required fix.
Create metrics with four tips
Once the areas of performance that you want to measure have been defined, you must get down to the details and ensure that you're creating meaningful metrics that will really improve your organization's decision-making. Keep the following four aspects in mind:
- Metrics should provide specific, quantifiable information. Your metrics must deal with measurable entities (e.g., the percentage of employees who complete annual security training, the number of intrusions that breach your security software, etc.) so you can measure performance over time and avoid subjectivity.
- You must be able to collect the data necessary to calculate metrics. Metrics that force you to go to absurd lengths for data collection, or for which you simply cannot collect data, are useless.
- Metrics should be based on ongoing, repeated processes that you can track over time. Creating a metric based on a single, one-time event is not useful to your organization over the long term. Base your metrics on continuous challenges to your organization's security.
- Metrics should give relevant and meaningful guidance. Your goal is to truly measure performance, not to collect reams of data to make a program look good. For example, a metric that counts the number of hours security staff spend performing a particular function might not assess whether that effort is effective. A better measure might be to examine how well your security systems repel viruses or other threats.
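To make the four aspects concrete, here is a small metrics calculator written for this page as an added example; it is not code from the article or from HCPro. It defines each metric as a quantifiable percentage with a stated target, computes it per reporting quarter so the trend is visible, and marks a quarter as "no data" when the underlying records were not collected, which is the collectability problem the second tip warns about. The metric names, the 90% and 95% targets, and all training and malware records are constructed for illustration.

```python
"""Added example (not from the HIM Connection article): a small security-metrics
calculator showing quantifiable values, a check that the data was actually
collected, repetition per reporting period, and a target that turns the number
into guidance. All records and targets below are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data: one row per employee per quarter for security-training
# completion (quarter, employee_id, completed).
TRAINING = [
    ("2007Q1", "e01", True), ("2007Q1", "e02", True),
    ("2007Q1", "e03", False), ("2007Q1", "e04", False),
    ("2007Q2", "e01", True), ("2007Q2", "e02", True),
    ("2007Q2", "e03", True), ("2007Q2", "e04", True),
    # 2007Q3: no completion export was collected, so the metric cannot be computed
]

# Constructed sample data: one row per malware detection (quarter, blocked).
MALWARE_EVENTS = [
    ("2007Q1", True), ("2007Q1", True), ("2007Q1", False), ("2007Q1", True),
    ("2007Q2", True), ("2007Q2", True), ("2007Q2", True), ("2007Q2", True), ("2007Q2", False),
    ("2007Q3", True), ("2007Q3", True),
]


@dataclass
class Metric:
    name: str
    target_pct: float                          # goal set by the metrics committee
    compute: Callable[[str], Optional[float]]  # None means the data was not collected


def training_completion_pct(quarter: str) -> Optional[float]:
    """Percentage of employees who completed security training in the quarter."""
    rows = [completed for q, _, completed in TRAINING if q == quarter]
    if not rows:
        return None  # nothing collected for this period
    return 100.0 * sum(rows) / len(rows)


def malware_blocked_pct(quarter: str) -> Optional[float]:
    """Percentage of malware detections that were blocked before execution."""
    rows = [blocked for q, blocked in MALWARE_EVENTS if q == quarter]
    if not rows:
        return None
    return 100.0 * sum(rows) / len(rows)


# Hypothetical metric definitions and targets, chosen for this example only.
METRICS = [
    Metric("Annual security training completed", 90.0, training_completion_pct),
    Metric("Malware detections blocked before execution", 95.0, malware_blocked_pct),
]


def evaluate(metric: Metric, quarters) -> dict:
    """Return {quarter: (value, status)} with status 'met', 'below target' or 'no data'."""
    out = {}
    for q in quarters:
        value = metric.compute(q)
        if value is None:
            out[q] = (None, "no data")
        else:
            status = "met" if value >= metric.target_pct else "below target"
            out[q] = (round(value, 1), status)
    return out


def report(quarters=("2007Q1", "2007Q2", "2007Q3")) -> dict:
    """Evaluate every defined metric across the reporting periods."""
    return {m.name: evaluate(m, quarters) for m in METRICS}


if __name__ == "__main__":
    for name, series in report().items():
        print(name)
        for q, (value, status) in series.items():
            shown = "n/a" if value is None else f"{value:5.1f}%"
            print(f"  {q}: {shown}  {status}")
```

Running the block prints one line per metric per quarter. The "no data" status for training in 2007Q3 is deliberate: a period with no collected records is reported as a collection gap rather than silently scored as zero or omitted, so the committee sees both the performance trend and whether the metric is still collectable.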
Editor's note: The above article was adapted from the newsletter Briefings on HIPAA. For more information or to order, call 877/727-1728 or go to www.hcmarketplace.com/prod-162.html.