The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a central concern of US organizations that are in any way involved with the creation, access, processing or storage of sensitive confidential health records – electronic protected health information (ePHI). The Security and Privacy Rules are a particular point of focus since violation of those guidelines often leads to federal fines and settlements; those parameters are covered under Title II of HIPAA.
A newer piece of healthcare legislation is the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009. The first act is typically discussed in terms of concern with security and privacy of health records, while the second is generally described as increasing the implementation of digital health records and technologies. However, Subtitle D of HITECH is specifically focused on issues of security and privacy of electronic health data; it achieves this end by modifying and elaborating on those parameters within HIPAA. Essentially, if an organization is HITECH-compliant, that means that they are compliant with the most recent HIPAA security and privacy stipulations contained within the 2013 Omnibus Rule.
HITECH gives professionals a chance to work with an access governance model so that they can better control who does and does not get access to information – particularly for any systems that contain ePHI. When companies do implement some of the lessons they can glean from HITECH into the structure of their organizations, they will see that it costs them less to operate and that they are better able to create more efficient workflow to manage access risk. Both this reduction in the cost of operation and the streamlining of workflow improve the security of the organization while boosting its value.
To consider that specific notion of value from a security system, it helps to look at the return on security investment (ROSI) of a HIPAA compliant system – and we can use the analogy of soccer.
ROI and ROSI—Like Offense and Defense
Return on investment (ROI) and return on security investment (ROSI) initially seem to be almost identical concepts. However, you can start to understand what makes them dissimilar when you think about how you arrive at an ROI figure: add up the gains, subtract the cost and divide the difference by the cost. Immediately it’s clear that formula will not work: you will not typically profit from adding security measures. Instead of focusing on gain, the intent of the ROSI concept is to limit your losses and help your organization’s value from that perspective. For that reason, rather than thinking in terms of gain and scoring goals as you would with a soccer team, think in terms of not letting the other team score.
You can figure out how much value is being achieved with your security controls by performing a quantitative risk assessment, as noted by the European Union Agency for Network and Information Security (ENISA). In order to come up with your ROSI number, you need to first look at other data: the ARO, SLEs, ALE and mALE.
The single loss expectancy (SLE) denotes the total cost of a single security incident. The annual rate of occurrence (ARO) is the probability that the incident will take place during a single year. The annual loss expectancy (ALE) is the complete loss from security incidents throughout the year. Finally, the modified ALE (mALE) is the ALE, plus whatever losses are avoided through adoption of the security mechanism – as expressed by the mitigation ratio (the percent of threats the solution is able to counter).
To get the ROSI itself, you want to multiply the ALE by the mitigation ratio (producing the mALE), and then subtract the cost of the security apparatus. Divide that total by the cost of the security plan. The end result is the return on security investment.
In other words, you will get the ROSI figure by adding up your loss reduction numbers, subtracting how much you spent on the security mechanism to achieve that loss reduction, and then dividing by the amount you spent on the protective system. You want the number to be higher for ROI, but you want it to be lower for ROSI.
Problems with ROSI
What exactly is the loss reduction, though? By subtracting the annual loss expectancy once the security system is implemented from the annual loss expectancy prior to its adoption, you get the loss reduction. The issue is that the second figure is not easy to measure accurately, with confidence. The figure often has more to do with suggestions made within individual projections and broader polling than it does with real objective measurement.
Pete Lindstrom has said that what must be involved when looking at any solution is effectively a “gut check,” asking oneself point-blank if the amount spent on security achieves a loss reduction that justifies the cost.
As you can see, ROSI can be problematic when it is taken too seriously as an absolute. For greater accuracy when determining value of security, it helps to think about how security can be considered – different perspectives and factors when attempting to accurately apply a value to it, as indicated by Steven J. Ross, CISA, CISSP, MBCP. First, there is the notion of a threshold condition for adequacy of security solutions, without which a business could not be sold because protections do not meet standards of “adequacy.” A higher degree of security would be sufficiency – based on an independent metric that goes beyond the needs of adequacy. Intellectual property should be factored into any estimation of the worth of security solutions, since that asset is being protected. Plus, security should be considered in terms of facilitating sales, since security solutions will often lead to greater revenue.
In the context of healthcare, you want to consider how precious the ePHI is. Because of the various costs related to compliance and general data protection, expenses incurred in a healthcare data breach are diverse, ranging from forensics to breach notifications to lawsuits to lost revenue to lost brand value to post-breach cleanup – and that doesn't even include the federal fine. By implementing industry standards such as those of ISACA, you can systematize your controls and auditing, resulting in security that you and your clients can trust – and that really is holding true as a valuable data defense.
Author’s note: Adnan Raja is the Vice President of Marketing at Atlantic.Net. During his tenure, Atlantic.Net has grown from having a primarily regional presence to garnering and developing attention nationwide and internationally.