
Set up metrics to evaluate your security programs.

HIM-HIPAA Insider, January 16, 2007

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!


The good news: you have a robust security program in place that is well supported by management, well maintained, and successful so far. The bad news: you have no idea how well the individual parts of your program are performing. Setting up a good security metrics program is vital to measuring how well your security efforts under HIPAA are really working and to finding where they need improvement.

Use goals to get started
A security metric is a measurement of whether a security program is meeting a specific security goal, and how efficient and effective it is in doing so. In general, a metric tracks performance and helps management make decisions to improve performance. You can use a security metric to determine whether the organization is properly implementing security policy, whether security services work as intended, and what your organization's security problems are.

A good place to start is by forming a committee of senior management from all major aspects of the organization and the information technology staff, along with compliance officials. This committee will set the overall priorities and goals for your security program. Then you can design metrics to measure those priorities. These goals can change over time as your security needs evolve.

Focus on more than just HIPAA
One reason for establishing a security metrics program is to ensure that you are complying with HIPAA and other security-related regulations. Documenting your security metrics program and using it to improve your security program can help your organization avoid fines, lawsuits, and other penalties.

However, setting the bar at regulatory compliance might not be high enough to adequately secure your organization. A good place to start is Information Technology-Security Techniques-Code of Practice for Information Security Management (commonly referred to as "ISO/IEC 17799"), a broad-based information security standard published by the International Organization for Standardization. Also consider any other federal or state regulations that might apply, such as the Sarbanes-Oxley Act. It's important to set a security goal for the organization that represents an attempt to achieve industry-defined best practices, in addition to meeting regulatory requirements.

Focus on your weaknesses. Identify your organization's most vulnerable areas and design metrics to measure performance in these areas.

This approach can help you assess how serious the problems are and help bring management on board to support the required fix.

Create metrics with four tips
Once the areas of performance that you want to measure have been defined, you must get down to the details and ensure that you're creating meaningful metrics that will really improve your organization's decision-making. Keep the following four aspects in mind:

  1. Metrics should provide specific, quantifiable information. Your metrics must deal with measurable entities (e.g., the percentage of employees who complete annual security training, the number of intrusions that breach your security software, etc.) so you can measure performance over time and avoid subjectivity.

  2. You must be able to collect the data necessary to calculate metrics. Metrics that force you to go to absurd lengths for data collection, or for which you simply cannot collect data, are useless.

  3. Metrics should be based on ongoing, repeated processes that you can track over time. Creating a metric based on a single, one-time event is not useful to your organization over the long term. Base your metrics on continuous challenges to your organization's security.

  4. Metrics should give relevant and meaningful guidance. Your goal is to truly measure performance, not to collect reams of data to make a program look good. For example, a metric that counts the number of hours security staff spend performing a particular function might not assess whether that effort is effective. A better measure might be to examine how well your security systems repel viruses or other threats.
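As an added illustration of the four tips (not from the original article), the following Python example tracks one quantifiable metric named in tip 1, the percentage of workforce members who completed annual security training, over repeated reporting periods and compares each period against a goal. The record format, the period labels, the 85% goal and the sample data are all constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class MetricResult:
    period: str
    value: float      # measured value for the period, as a percentage
    meets_goal: bool  # whether the committee's goal was reached

def training_completion_rate(records):
    """Percentage of workforce members who completed annual security training.
    Each record is a constructed dict {"user": str, "completed": bool}.
    An empty period is an error: a metric with no collectable data is useless (tip 2)."""
    if not records:
        raise ValueError("no training records collected for this period")
    completed = sum(1 for r in records if r["completed"])
    return 100.0 * completed / len(records)

def evaluate_metric(periods, goal_pct):
    """Compute the metric for every reporting period (tip 3: repeated process)
    and compare each value against the goal set by the committee (tip 4)."""
    results = []
    for period, records in periods.items():
        value = training_completion_rate(records)
        results.append(MetricResult(period, round(value, 1), value >= goal_pct))
    return results

def trend(results):
    """Direction of change between the first and last measured period."""
    if len(results) < 2:
        return "insufficient history"
    delta = results[-1].value - results[0].value
    return "improving" if delta > 0 else "declining" if delta < 0 else "flat"

# Constructed sample data: three quarterly collections of training records.
def make_period(n_users, n_completed):
    return [{"user": f"u{i}", "completed": i < n_completed} for i in range(n_users)]

SAMPLE_PERIODS = {"2006-Q2": make_period(10, 7),
                  "2006-Q3": make_period(10, 8),
                  "2006-Q4": make_period(10, 9)}
GOAL_PCT = 85.0  # constructed goal: at least 85% of the workforce trained each period

if __name__ == "__main__":
    results = evaluate_metric(SAMPLE_PERIODS, GOAL_PCT)
    for r in results:
        print(f"{r.period}: {r.value:.1f}% ({'meets goal' if r.meets_goal else 'below goal'})")
    print("trend:", trend(results))
```

With the sample data, the first two quarters fall below the goal and the third meets it, and the trend reads "improving".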


Editor's note: The above article was adapted from the newsletter Briefings on HIPAA. For more information or to order, call 877/727-1728 or go to
