1
A Model for HIPPA Security Policy Deployment
Can the cost of HIPAA security compliance be quantified?
Introduction
This research examines the issues related to the cost of compliance for the HIPAA security regulation.
The cost to comply, while relevant to any organization affected by this ruling, was slightly neglected by
the legislature as the rule was being drafted. Quite simply, the rule provides no insight into the costs
associated with complying with its statutes. This leads the authors to focus on several questions
concerning this issue. First, is there a method for quantifying the risk of not being compliant with the
HIPAA security rule, and is there a way to indicate what risk a health organization inherits by ignoring
their responsibilities to this rule? Second, based on the quantified risk for a specific organization, is there
any method, model, or equation that can be utilized to calculate a reasonable IT security budget
earmarked for this effort? Finally, given a budget, is there a model or procedure for dispersing this
monetary resource in the most effective and constructive manner? These questions provide the context
from which the authors approached this paper. It is divided into three parts. The first part provides a
concise introduction to the HIPAA security rule. The second part introduces a model for estimating the
cost of not properly complying with the HIPAA security rule. The third part discusses our Policy
Deployment Model for Minimum HIPPA Security.
Part I - The HIPAA Final Security Rule
The Health Insurance Portability and Accountability Act (HIPAA), passed in 1996 by the Senate and
House of Representatives, charged the Department of Health and Human Services (HHS) with the
implementation and enforcement of its measures.1 The purpose, as originally drafted, had four primary
objectives: To assure health insurance portability by eliminating job lock due to pre-existing medical
conditions; to reduce healthcare fraud and abuse; to enforce standards for health information; and finally,
to guarantee security and privacy of health information. 2
As articulated by Blue Cross Blue Shield:
Brian Lemoine. “HIPAA compliance cost may exceed Y2K,” Triangle Business Journal In Depth: Health 13 March
2000, 18 Nov. 2003 <http://www.bizjournals.com/triangle/stories/2000/03/13/focus6.html>.
2 45 CFR Part 160 and Subparts A and E of Part 164
1
2
“The Health Insurance Portability and Accountability Act of 1996 is intended to reduce the costs and
administrative burdens of health care by making possible the standardized, electronic transmission of
many administrative and financial transactions that are currently carried out manually on paper.” 3
Because the scope of the HIPAA rules are so broad and comprehensive, the focus of this paper is limited
to the final security rule, published by the Department of Health and Human Services on February 20 th,
2003. The final security rule mandates that all covered entities provide confidentiality, integrity, and
availability of all electronic protected health information (EPHI) that is collected, maintained, used, or
transmitted. 4 A covered entity is defined as a health plan, a healthcare clearinghouse, or a healthcare
provider that stores or transmits EPHI.5
The security rules were written to adhere to three basic tenets. Each tenet focuses on providing a
regulatory architecture that can be applied to entities of any size. The regulation must be comprehensive,
scalable, and technology neutral. 6 To achieve these three principals, the rule was written more as a set
of generally enforceable guidelines, intended to require each covered entity to interpret how this rule
should apply to their own best security controls.
Because of its tone, these general statutes lack a level of granularity, which would help guide
organizations on how to implement them. Each security standard is broken down into required and
addressable implementation specifications. Covered entities must implement required specifications and
have a choice to implement the addressable specifications.7 “The entity must decide whether a given
addressable implementation specification is a reasonable and appropriate security measure to apply
within its particular security framework.”8
The regulation declares four actions that a covered entity may take for addressing the implementation
specifications: (1) implement one or more of the addressable implementation specifications; (2)
implement one or more alternative security measures; (3) implement a combination of both; or (4) not
implement either an addressable implementation specification or an alternative security measure. 9
The focus of this paper addresses how to determine, based off of risk, how much in resources should be
spent, to comply with these rules. The nature of the rule requires that each covered entity acknowledge
3
EDI Glossary. BlueCross BlueShield of Kansas. 9 Nov. 2003
<http://wwww.bcbsk.com/prviders/edi/edi_glossary.htm>.
4 45 CFR Part 164 Introduction
5 45 CFR Part 160.103
6 HIPAA Consensus Research Project. 27 March 2003. SANS Institute. 13 Oct. 2003
<http://www.sans.org/projects/hipaa.php>.
7 45 CFR Part 160. FR 8335
8 Id. at FR 8336
9 Id.
3
that the rules must be addressed, but leaves great freedom as to how to address them. This situation
calls for some type of decision matrix and risk analysis model that would help guide organizations on how
their particular entity should account for these rules from both a risk perspective and from a policy
deployment perspective. It is the intent of the authors to articulate that by combining both methods, an
organization is given a greater understanding of how they should act and spend money towards
compliance with these rules. The following sections provide two models, that when used together,
provide a clear way of addressing these problems.
Part II - A Model for Estimating the Cost of Non-Compliance of HIPAA Security
A major hindrance overshadowing the issue of network security, and more specifically HIPPA security, is
convincing executives that securing their networks is a prudent and necessary investment. A 1999
Information Security Magazine Survey indicates that 69% of respondents feel that the greatest obstacle
towards better network security lies with senior management.10 “One of the biggest challenges is getting
senior management to take the problem seriously, and to commit resources to it.” 11
More recently, executives have focused an increasing amount of attention on the issue due to recent
regulation. Another study encompassing 7,500 senior information technology executives, found that 62
percent of these companies will increase spending on security for 2003, compared to 50 percent in
2002.12 Roughly two-thirds of those polled said they adopted security measures to limit liability, and
almost half said it was to comply with regulations such as Sarbanes-Oxley and HIPAA.13 Legal and
regulatory requirements for data integrity/confidentiality and consumer privacy are seen as the most
compelling arguments for a strong security program.14 But even with this new found compliance, it seems
that few executives truly understand how their efforts, and dollars, will pay off.
Management cannot draw a clear connection between the dollars spent on securing and fortifying
networks, and the intrinsic return on this type of investment. Given that many executives focus undying
CBL 7 – The survey’s actual results state that only 14 percent of the respondents identify senior management as
the primary obstacle. The report indicates that 29 percent of respondents identify budget constrains as the primary
issues, 10 percent identify unclear responsibilities, eight percent state it is a result of lack of internal policies and yet
another eight percent attributed the problem to lack of centralized authority. The authors of this paper infer that all
four other issues are a direct result of senior management’s attitude towards information and network security at the
time and then can all be attributed to a senior management bottleneck.
11 “Some way to go Readers still doubtful over HIPAA rules.” SC Online Magazine March 2003. 20 Oct. 2003
<http://www.scmagazine.com/scmagazine.2003_03/special/02.html>.
HGL 10
12 Robert Lemos. “US execs go security spending crazy.” Silicon.com 30 Sept. 2003. 2 Nov. 2003
<http://www.silicon.com/software/security/0,39024655,10006206,00.htm>.
13 Id.
14 Andy Briney. “2001 Industry Survey.” Information Security Oct. 2001. 15 Oct. 2003
<http://infosecuritymag.techtarget.com/articles/october01-/images/survey.pdf>.
10
4
attention to the bottom line; their aversion to this type of investment is understandable. Network security
is viewed today, as fire sprinklers were viewed a century ago; a waste of money. In 1882, sprinklers were
considered to be as dubious an investment as information security is today. CEOs and CFOs want to
see quantifiable proof of their return on investment before they outlay any funds. 15 In some ways, their
argument is as sound as the one supporting network security.
However, the number of successful security breaches continues to rise.16 For example, the number of
verifiable worldwide hacker incidents for the month of January 2003 is about 20,000, which far exceeds
the previous record of 16,000 set in October of 2002. 17 According to the Computer Security Institute’s
Computer Crime and Security 2003 Survey, 80 percent of the respondents acknowledged financial losses
to computer breaches with each intrusion averaging in the millions of dollars. 18
Even with the potential for the tremendous financial losses illustrated in the previous paragraph, there is
still no complete model designed to suggest and justify how much money should be spent to help negate
these risks. “Lacking any way to translate such statistics into expenditures and losses per organization,
per computer, or per user, the true impact of these figures remains uncertain.” 19
In 1882, a man named George Parmalee set a Bolton, England, cotton factory on fire to help sell his
newly invented sprinkler system.20 His intention was to convince the factory owner that while the
probability of fires may be remote, the damage incurred from just one incident could be devastating; and
that any investment aimed at deterring such an event was well worth it. While the approach introduced in
this paper excludes the utilization of any combustible devices, some of the underlying concepts remain
similar to what George Parmalee tried in the late 1800s. This model intends to articulate what costs and
liability factors are presented to CIOs who do not take HIPAA compliance seriously. The authors call this
model, the “Cost of Non-Compliance HIPAA Security Model”. The specifics of this model are detailed
below.
Explanation of the Model
Scott Berinato. “Finally, a Real Return on Security Spending.” CIO Magazine 15 Feb. 2002. 2 Nov. 2003
<http://www.cio.com/archive/021502/security.html>.
16 The authors recognize that this statement is more of a generalization than anything, but the statistics that follow it
support its merit. However, the authors also recognize that a portion of the reported increase may simply be a result
of an increased rate of reported incidents and a more comprehensive use of the tools to actually detect these
breaches. With more tools being used, there should be more comprehensive results.
17 Bob Tedeschi. “Cybercrime, they just don't mention it.” The Age 30 Jan. 2003. 19 Oct. 2003
<http://www.theage.com.au/articles/2003/01/30/1043804447447.html>.
18 Id.
19 Rebecca Mercuri. “Analyzing Security Costs” Communications of the ACM Vol. 46, No. 6 June 2003: 15-18. 19
Oct. 2003 <http://www.notablesoftware.com/Papers/SecCost.html>.
20 Scott Berinato.
15
5
”Hand in hand with the increase in awareness of the need for computer security has come the need for a
method of quantifying the impact of potential threats on organizations.”
The underlying framework of this model is centered on a general risk analysis. Risk analysis is defined as:
The process of identifying security risks, determining their magnitude, and identifying areas needing
safeguards. It is a tool used as part of any risk management system and is synonymous with risk
assessment.21 The first major publication addressing the topic of risk analysis, 22 was the Federal
Information Processing Standards (FIPS) Publication Number 65.23 Published in August of 1979, the
FIPS Publication became the de facto standard from which all subsequently published Risk Assessment
methodologies are compared. The end results of the FIPS risk analysis model are annual loss exposure
values based on estimated costs and recognized potential losses. 24
Since the publication of the 1979 FIPS model, there have been various other approaches and models
designed to attack this issue from alternate angles. The FIPS model uses a quantitative approach, while
other, newer models, use a qualitative approach for ease of preparation and speed of execution. 25 It was
felt by some security experts that the quantitative approach was too complicated and time consuming to
implement on a mass scale, and sought out to find an easier approach to implement. This resulted in the
creation of several new qualitative approaches. The authors identify two of these methods. The first was
a replacement to the FIPS 65 publication, released in 2001, and titled “Risk Management Guide for
Information Technology Systems”. The second is the Facilitated Risk Analysis Process (FRAP).
The authors chose, for this paper, a model created by Rita C. Summers, which is based on the original
FIPS 65 framework. This model provides the underlying architecture for the cost model discussed in this
paper.26 Summers’ model proposes a simple four step method towards risk analysis. First, identify an
organization’s assets that could possibly be compromised by security breaches, and assign monetary
values to them. Second, identify the threats and the vulnerabilities faced by this organization. Third,
calculate the annual loss expectancy (ALE) for each threat. Finally, identify potential safeguards and
estimate how much each one would help reduce exposures.27
21
Glossary of Vulnerability Testing Terminology. 28 May 2002. University of Oulu. 19 Oct. 2003
<http://www.ee.oulu.fi/research/ouspg/sage/glossary/>.
22 See Will Ozier. “Issues in Quantitative Versus Qualitative Risk Analysis.” (Datapro 4 May 1999) 2. - First formal
recognition in the information technology environment was with the publication of the Federal Information Processing
Standard (FIPS) 31 titled, Automated Data Processing Physical Security and Risk Management
23 United States. National Bureau of Standards. Federal Information Processing Standards Publication. FIPS PUB
65. 1 Aug 1979.
24 Federal Information Processing Standards Publication 1.
25 Will Ozier 4.
26 Summer’s model is described in detail in his book: Secure Computing - Summers, Rita. C. Secure Computing.
New York. Mcgraw Hill, 1997.
27 Olivia Carter, Deb Frinke, Chris Ritter, and Huaqiang Wei. CSI 28th Annual Computer Security Conference,
October 29-31, 2001: Cost-Benefit Analysis for Network Intrusion Detection Systems. (University of Idaho: Center for
Secure and Dependable Software, 2001)
6
The Cost of Non-Compliance HIPAA Security Model uses the first three steps that Summers proposes as
its foundation, but replaces the fourth step with an alternate approach. Instead of analyzing how different
safeguards will help reduce exposure, the authors are interested in using this model for a different kind of
output. As the title suggests, the output provided by the fourth step of this model will articulate how much
could be lost by a particular organization, if investments are not made to help secure a given network for
HIPAA compliance. Therefore, this model’s final step quantifies the risk of doing nothing to influence
executives to spend the appropriate dollars towards this effort. The next several paragraphs will describe
each step in greater detail.
Step I - Identify Assets
“The Task of identifying assets that need to be protected is a less glamorous aspect of information
security. But unless we know these assets, their locations and value, how are we going to decide
the amount of time, effort or money that we should spend on securing the assets?” 28
The first step to identifying assets attempts to answer the question, “what are a given organization’s
critical assets?” In other words, which assets are critical and essential for the day to day operation of the
business and which help maintain the businesses long term viability? Once these assets are identified,
they then must be classified into distinct categories. This paper classifies all assets into one of five
categories; Network Assets; Software Assets; Equipment Assets; Data/Information; and Other. 29 The
organization’s identified tangible and intangible assets such as software, information, and personnel
would be placed into their appropriate categories.30 Appendix A provides a comprehensive diagram with
a hypothetical organization’s assets identified and classified into their respective categories. Once
identified, all assets then need to be assigned an estimate of their intrinsic value. “The value of an asset
consists of its intrinsic value and the near-term impacts and long-term consequences of its
compromise.”31
In reference to the scope of this model, it should be noted that a covered entity is only responsible for
those assets that are under their direct ownership. Other property that can be placed on the balance
sheet as assets, but are rented or obtained through some sort of partnership, such as any off premise
<http:///wwwcsif.cs.ucdavis.edu/~balepin/new_pubs/costbenefit.pdf>
28 Avinash Kadam - Published Network Magazine - December 2002
29 James Meritt. “A Method for Quantitative Risk Analysis.” 5 Oct 2003 <http://cswww.ncsl.nist.gov/nissc/1999/proceeding/papers/p28.pdf>.
30 Will Ozier
31 United States. National Institute of Standards and Technology. Generally Accepted Principles and Practices for
Securing Information Technology Systems. SP 800-14 (Sept.1996. comp. Barbara Guttman, and Marianne
Swanson) 19.
7
networks, or leased business machines, do not need to be included for this analysis. Finally, while
business partners whom the covered entity shares Personal Health Information (PHI) with, are not
included in this assessment, their compliance with the HIPAA standards is still mandatory. 32
Step II - Identify Threats and Vulnerabilities
Once the critical assets of a particular organization have been identified and values have been associated
to them, a comprehensive list of threats and vulnerabilities for each asset must be identified. A threat is
an entity or event with the potential to harm the system. Threats come in many forms, but typical ones
may be: simple or hidden errors, fraud, disgruntled employees, hackers, or viruses. 33 “Threats should be
identified and analyzed to determine the likelihood of their occurrence and their potential to harm
assets.”34 Table B.1 provides a more comprehensive list of threats.
Step III - Calculate Annualized Loss Expectancy
After the list of the threats and vulnerabilities has been compiled, the next step is the calculation of the
annual loss expectancy. The annualized loss expectancy equation is: 35
Figure 2.1
SLO  AV  EF
ALE =Annualized Loss Expectancy
ALE  SLO  ARO
ARO =Annualized Rate of Occurrence
ALE  AV  EF  ARO
AV =Asset Value
EF =Exposure Factor
SLO  Single Loss Exposure
“Exposure factor is the measure of damage, harm, or loss resulting from a threat or event usually
expressed as a percent (0%-100%).”36 Exposure factor is the value lost from the threat in relation to a
specific asset. Figure C.2 provides a comprehensive list of exposure factors. The annualized rate of
occurrence estimates how often a threat might be expected to occur, expressed on an annualized basis
3245
CFR 164.314 RF 8358
Generally Accepted Principles and Practices for Securing Information Technology Systems 19.
34 Id.
35 Will Ozier 2.
36 Id. at 3.
33
8
(e.g., a threat that is expected to occur once every ten years would have a threat frequency of one tenth
or 0.1).37
The best way to calculate the ALE, is to create four matrices in a spreadsheet. Each matrix will represent
one of the following: asset value, exposure factor, annualized rate of occurrence, or annualized loss
expectancy. Each matrix would include assets on the column headers and threats and vulnerabilities on
the row header. The intersection of the matrix would include asset value, exposure factor, annualized
rate of occurrence, or annualized loss expectancy. The ALE matrix would be the multiplication of the
asset value, the exposure factor, and the annualized rate of occurrence. An example of how these
matrices would be formatted is illustrated below in Figure 2.2. Appendix C contains a more
comprehensive example
Accidental Errors
Computer Virus
AV
Accidental Errors
Computer Virus
EF
Accidental Errors
Computer Virus
ARO
at
io
Accidental Errors
Computer Virus
tw
a
Eq re
ui
pm
en
Da
t
ta
n /In
fo
rm
=
Annualized
Loss
Expectancy
Data Integrity
Loss
So
f
X
Annualized Rate
of Occurrence
Data Integrity
Loss
So
ftw
a
Eq re
ui
pm
en
Da
t
ta
n /Inf
or
m
at
io
Asset Value
Data Integrity
Loss
tw
a
Eq re
ui
pm
en
Da
t
ta
n /In
fo
rm
at
io
X
So
f
So
f
Asset Value
Data Integrity
Loss
tw
a
Eq re
ui
pm
en
Da
t
ta
n /Inf
or
m
at
io
Figure 2.2
ALE
Step IV – Summarize Total ALE for Organization
This step calculates the total ALE for the covered entity and consists of a summation of all the
intersections in the ALE matrix. The output of the Cost of Non-compliance HIPAA Security Model is this
single number. This determines how much risk one is exposed to, expressed in monetary terms for not
being compliant to HIPAA Security.
The total ALE for an Organization would provide the business case needed to get executives to focus
more resources towards HIPAA security compliance. It was the intention of the authors to use this model,
in conjunction with a formula, to come up with specified monetary levels that a particular organization
should spend to avoid a certain degree of liability or potential loss. Essentially, based on the Cost of NonCompliance HIPAA Security Model, a consulting firm would be able to calculate potential losses for a
particular organization and using a formula, could calculate the budget needed to mitigate degrees of risk.
This formula would be able to provide the ROI on security investments that every organization has had to
do without. It would provide a direct correlation between the amount of money spent, and the level of risk
37
Id.
9
and liability assumed, providing each CIO or CSO with a justifiable budget that would provide the ROI that
CEOs and CFOs want to see.38 Given this budget, we adjust our focus towards the second model
introduced in this paper, which is able to take this figure and allocate each dollar et, most efficiently.
Part III - The Policy Deployment Model for Minimum HIPPA Security
The Policy Deployment Model for Minimum HIPAA Security consists of several interrelated management
concepts that will be discussed prior to the model itself. For ease of comprehension, each of the three
concepts will be contained within its own section. The first discusses the management concept of Hoshin
Kanri. The second articulates how Hoshin Kanri is modeled using matrices. Finally, the last section will
discuss the theory of closed loop planning, and its role within the Hoshin Kanri management concept.
Hoshin Kanri
Hoshin Kanri - also called Hoshin Planning - or just Hoshin, is a Management System best used for
determining the appropriate course of action for any given organization and its set of unique
circumstances. 39 It provides, “an extended period of time for the organization to focus its breakthrough
effort while continuously improving key business processes day to day.” 40 The importance of this type of
management system is that it focuses a series of short-term projects on long term goals. Using these
projects, Hoshin Planning aligns an organization with the goals that are identified as being most critical to
its success. Hoshin Planning uses Key Performance Indicators to measure progress towards the goal.41
Hoshin Planning has been applied in many Japanese companies such as Toyota, Honda and Mitsubishi.
US companies such as Hewlett Packard, Intel, and Proctor and Gamble have also implemented Hoshin
Planning.42
Matrices
A fully implemented Hoshin Planning model consists of many levels of matrices that drill down predefined goals into clearly defined tasks.43 The top or highest level matrix provides a general overview of
how far along an organization is in meeting its goals. This level defines goals and metrics that help
38
The authors fell short of providing this equation do to lack of time and real attainable data. Therefore this portion of
the paper is of a purely academic nature.
39 Michael Cowley, and Ellen Domb. Beyond Strategic Vision: (Effective Corporate Action with Hoshin Planning.
Newton: Butterworth-Heinemann, 1997) 4.
40 “Breakthrough Effort” is the process of focusing the resources of a given business towards one strategic, well
defined vision. It is a long term, clearly ingrained goal of an organization. See
David A. Kenyon. “Strategic Planning With the Hoshin Process.” Quality Digest Magazine 1997. 26 Oct. 2003
<http://www.qualitydigest.com/may97/html/hoshin.html>.
41 John Reh. “Key Performance Indicators (KPI).” About.com. 22 Oct. 2003
<http://management.about.com/cs/generalmanagement/a/keyperfindic.htm>.
42 “Catchball Processes.” Baldrigeplus.com 1999. 28 Oct 2003 <http://www.baldrigeplus.com/Exhibits/Exhibit%20%20Catchball%20processes.pdf>.
43 “Hoshin Kanri.“ Pdponline 2002. 9 Nov. 2003 < http://www.geocities.com/parthadeb/hosinkanri.html>.
10
identify when each individual goal or step has been met. Each subsequent level takes the metrics
specified in the model’s previous level, and makes them the new goals with a new set of metrics. In short,
the first level of the matrix can identify what the problem is and the current progress made in solving this
problem. The next level will indicate where, more specifically, the problem lies, and the last or lowest
level will pinpoint which group within the company, the problem belongs to.
Closed Loop Planning
Embedded within the Hoshin model, is a concept titled Closed Loop Planning and the PDCA cycle.
Closed Loop Planning is the lifecycle used to execute a Hoshin model. PDCA, diagramed in Figure 3.1,
is simply an acronym, which stands for Plan, Do, Check, Act. The purpose of the closed loop model is to
provide continuous improvement to an organization’s bottom line, and the business processes that
support it.
Figure 3.1 47
In theory, the Closed Loop Planning process is easily
understandable, and corresponds well with what has
already been explained in this section. Using the
goals defined through the Hoshin model, management
defines tasks or plans that help the organization meet
these goals. This process takes place in the “Plan”
stage of the PDCA cycle. The employees of the
organization then take these plans and implement
them in the “DO” stage. Next, management uses the
metrics defined in the Hoshin model and measures the
results of the tasks that were implemented against the stated goals. This is the “Check” phase. In the
“Act” stage, the results from the metrics are analyzed, and any unwanted consequence or shortcomings
from the executed plan are acted upon. Finally, the process comes full circle, and new tasks or plans are
defined, implemented, checked and acted upon in a continuous fashion; always improving the
organization and its business processes.
Four Issues Regarding HIPAA Security Addressed by This Model
“Without a proactive metric tracking process, you cannot quantify the incremental level of effort, or
incremental expense, involved in maintaining your organization's compliance with the HIPAA Privacy
Regulations. Having such a process allows you to measure and validate your ongoing compliance with
the regulation.”44
“Monitoring your Privacy Compliance.” HIPAAnotes Volume Three, June 2003. 1 Nov. 2003
<http://www.hipaadvisory.com/note/vol3/june03.htm>.
44
11
There are four issues regarding the implementation of the final HIPAA security rule that the authors wish
to identify and discuss.45 First, while the final rule provides general requirements or guidelines towards
compliance, it fails to clarify how these rules apply to specific organizations. 46 Second, the rule is lacking
specific metrics that help organizations visualize their effort towards compliance, or lack there of, for each
requirement. Third, the rules do nothing to address the prioritization of these requirements based on the
organization that is implementing them. Finally, the rules fail to quantify even the most basic of costs
associated with becoming compliant.
The Policy Deployment Model for Minimum HIPAA Security is uniquely designed to address these four
points. The model addresses the first point by defining the minimum requirements, using Hoshin
Planning, in an easily understandable format that can be observed and fully consumed at a moment’s
glance. To address the second point, the model then identifies metrics for each of the defined
requirements that provide data and information about key processes, outputs, and results critical to the
success of deploying any policy within an organization. 47 Through the use of Hoshin Planning, the model
solves the third issue, by prioritizing each of the defined requirements, based on their specific importance
to the organization. Finally, the model addresses the last issue by providing qualified estimates of the
implementation costs for each requirement. Each of these four points is discussed in more detail below.
Defining Minimum Requirements
Minimum security requirements are interpretations taken from the HIPAA security rules. Each requirement
is either a required implementation specification or an implied intent of the final rule that was not directly
translated into a required implementation specification. 48 This model takes these minimum security
requirements, and matches them to a series of best practices.
“Best practices represent proven
methodologies for consistently and effectively achieving a business objective.” 49
Defining Metrics
Essential to the deployment of any policy throughout an organization, is the ability to define and measure
key performance indicators (KPI) and non financial indicators (NFI).50 When implemented properly, KPIs
45
This list of problems is not all inclusive
Richard Marks, and Paul Smith. “Analysis and Comments On HHS’s Just-Released HIPAA Security Rules.” Davis
Wright Tremaine LLP 17 Feb. 2003. 3 Nov. 2003
<http://www.nacua.org/documents/DWT_Security_Rules_Initial_Analysis_021703.pdf>.
47 James Evans, and James Dean. Total Quality: Management, Organization, and Strategy. 3 Ed. (Harrisonburg:
South-Western 2003) 23.
48 An implied intent is a requirement that is specified within the rule, but was not actually indicated as a required
implementation specification. As an example, the final security rule has the implementation specification of training
as “addressable”, yet in the introduction, HHS regards training as a need for the rules.
49 “What are Best Practices?” Siebel Systems 2003. 5 Nov. 2003
<http://www.siebel.com/bestpractices/whatare.shtm>.
50 Key Performance Indicators, also known as KPI or Key Success Indicators (KSI), help an organization define and
measure progress toward organizational goals. They are quantifiable measurements, agreed to beforehand, that
reflect the critical success factors of an organization See
46
12
and NFIs possess the ability of keeping management up to the minute on how an organization is
progressing towards a specified goal. As Peter Drucker, a prolific writer on subjects relating to
management, stated in his famous quote, “If you can’t measure it, you can’t manage it”
51
A critical step
in the policy deployment process is deciding what metrics are going to be used to accurately asses the
progress towards compliance. If the wrong KPIs of NFIs are used, the perceived progress could be
misleading, and result in costly mistakes and errors. In some circumstances, poorly chosen KPIs or NFIs
lead organizations to grossly miss their identified goals. This point only reinforces that careful
consideration should be put towards defining the KPIs and NFIs used to measure performance. With this
in mind, the authors decided that the Policy Deployment Model for Minimum HIPPA Security would use
security metrics defined by the National Institute for Standards and Technology (NIST).
Deployment Prioritization of Minimum Requirements
As with any policy deployment model, an organization must develop strategies to reach their selected
goals. Strategies are organized by importance and supported by facts and data that is obtained from
careful research and study of the relevant technical and/or managerial disciplines. 52 This model extends
this principal in order to show which metrics, relating to a certain criteria, have the highest degree of
relevance. This allows an organization to appropriate funds towards compliance, based on the rating of
the metric’s importance for the implementation specification. Multiple metrics can be used to measure the
success of the compliance effort.
When one or more of the implementation specifications are non-compliant for multiple related metrics, an
organization needs to prioritize its efforts in resolving this issue. The priority is determined through the
perceived importance that each of the metrics has on reaching the compliance goal of the implementation
specification. Initially, this prioritization comes from within the organization and has no formalized
procedure specifying which metrics map most closely to the implementation specifications. 31 What this
means is that the first round of prioritization is carried out by individuals and their understanding of the
organization. Once these metrics are chosen, an analysis of variance (ANOVA) is used to measure the
relevance of each metric to the given implementation specification.53 ANOVA is used to uncover the main
John Reh.
“About Peter Drucker.“ The Business World According to Peter F. Drucker. 1 Nov. 2003. <http://www.peterdrucker.com/about.html>.
52 Cowley, Michael and Ellen Domb. Beyond Strategic Vision: Effective Corporate Action with Hoshin Planning.
Newton, MA. Copyright 1997.
53 Professor Jeffrey Luftig. Personal Interview. 3 Nov. 2003. Leeds School of Business – University of Colorado at
Boulder.
51
13
interaction effects of categorically independent variables 54 (called "factors") on an interval dependent
variable.55
Estimating cost of Implementation
“Different industry surveys indicate widely varying results pertaining to security costs vs. return on
investment (ROI).”56 While these surveys provide some cost guidance for HIPAA compliancy, the
majority of expenditures are based on the current problems that the organization faces, which leaves
them open to risk.57 The Policy Deployment Model for Minimum HIPAA Security Compliance uses
prioritization to measure the current problems in compliance faced by an organization, and then gives an
estimate for the associated costs in becoming compliant. In the event that an organization is not
compliant for a given HIPAA requirement, this model can be used to identify the problem by looking at the
metrics that are not meeting the target amount and then show an estimate of the costs that should be
spent in order to become compliant.
The Policy Deployment Model for Minimum HIPPA Security
The model uses three levels of matrices to create a compliancy plan. The breakthrough focus, based on
the minimum requirements of the security rules, represents compliance, and is defined in the matrix by
the column heading in level 1 depicted in Figure 3.1. The row headings for level one translates the
standards and required specifications into best practices that correlate to one or more column headings.
The row also defines metrics to measure the implementation performance of each row. The intersections
of the row and column headings are linked with a prioritization weight. In relation to the PDCA cycle,
these metrics are then used in the check phase, and are prioritized for budgeting and resource allocation
purposes. Level 2, depicted in Figure 3.2 links the requirements of the security rules to the clearly
defined tasks through the intermediary of best practices. Level 3, shown in Figure 3.3, identifies best
practices with even more granularity, and defines tasks more specifically, which again are quantified by
metrics and weights.
Figure 3.1 (Level 1)
54
Figure 3.2 (Level 2)
Figure 3.3 (Level 3)
Independent variables that have no relation to one another. Interval independent variables can predict the
dependent variables but dependent variables cannot be used to predict them.
55 Interval dependent variables are influenced by independent variables. Changing an independent variable that
corresponds to one of these will have an effect on it. (reword / get source) See “ANOVA.” Quantitative Research in
Public Administration. 21 Oct. 2003 <http://www2.chass.ncsu.edu/garson/pa765/anova.htm>.
56 “Security Budgeting.” HIPAAnotes Volume Three, August 2003. 21 Oct. 2003
<http://www.hipaadvisory.com/note/vol3/june03.htm>.
57 James Morrison. “From Strategic Planning to Strategic Thinking.” HORIZON Site 2003. 6 Nov. 2003
<http://horizon.unc.edu/projects/OTH/2-3.asp>.
14
Compliance Yes
3
Compliance Yes
2
100% Y
Mon An
90% Y
1
$50
0
2
$100
0
Yes
N
An
Y
3
$300
0
The model identifies the tasks required to meet compliance through these varying levels of granularity.
Level one looks at the entire problem from a birds eye view. Each subsequent level, focuses on one
small portion of the problem, until eventually the root cause is identified. For accountability, each task will
have a specified owner, who is responsible for its success. Costing starts at the lowest level, where each
specified task is given a cost estimate. Costs start at the bottom and are aggregated upwards because of
the nature of the model. Each task is defined most specifically at the lowest level, so it becomes clear as
to where money is spent by applying costs at this level. As the levels aggregates up, the total for all tasks
on the lower level is summarized for the more general tasks on the next higher level .
Conclusion
The authors’ original intent was to create a business case for compliance of the HIPAA security rule,
establish a security budget, and provide a way to optimize that budget’s allocation. The business case
would produce an input to establish a security budget. In turn the security budget would be inputted into
the policy deployment model for minimum HIPPA security. This task proved to be extraordinarily difficult
due to the infancy of the rule and the apparent drought of real world data.
The end result of this paper is two models of a much more academic and theoretical nature that the
authors believe will produce terrific results when given real data. The first model estimates costs incurred
by non-compliance. These costs would then theoretically be fed into an equation that’s output would
provide a budget to be put towards compliance towards the HIPAA security rule. Due to the lack of real
world data, this equation was not included in this paper. It was realized by the authors that in order to
formulate such an equation, several iterations of this model would have to be tested in real world
scenarios. This is a task that reaches outside the scope of this paper. The second model would then
Result
Hours of Labor
Total Labor Cost
Equipment Cost
Total Cost
3
Target
3
2
$300 $100
0
0
Metric
3
$150
0
Target
Frequency
Result
Metric
4
Clearly Defined Task 3
100% 100% Y
Ann
Ann
Ann
95% 100% Y
Clearly Defined Task 2
3
Compliance Yes
Compliance Yes
Yes
Level 3
Breakdown Best
Practice 1
Breakdown Best
Practice 2
Breakdown Best
Practice 3
Clearly Defined Task 1
4
Result
2
Target
Hours of Labor
Total Labor Cost
Equipment Cost
Total Cost
Metric
Target
Frequency
Result
Metric
Breakdown Best Practice 3
Level 2
Metric 1
Metric 2
Breakdown Best Practice 2
5
$250
0
Compliance Yes
Compliance Yes
Compliance Yes
Breakdown Best Practice 1
3
$300
0
Result
100% Yes
Ann
Ann
80% Yes
Target
4
2
Best Practice 2
Hours of Labor
Total Labor Cost
Equipment Cost
Total Cost
3
Best Practice 1
Best Practice
Metric
Target
Frequency
Result
Metric
Metric 2
Metric 1
Level 1
Security Rule 1
Security Rule 2
Security Rule 3
15
take this budget and prioritize the money using an intricate policy deployment model. The authors believe
the work set forth will provide valuable business data when applied to specific covered entities and their
real world situations.
16
Appendix A - Assets
Figure A.1 – Asset Overview58
Assets
Network/
telecommun
ications
Software
Equipment
Data/
information
Other
Figure A.2 – Network/telecommunications59
Network/
telecommun
ications
Modems
This category consists of
the various modems both
internal and external. Any
system used to connect
information systems to
communication lines is
contained within this
category
Figure A.3 – Software60
58
James Meritt 2-3. IBM
Id.
60
Id.
59
Routers
This category contains
those items of information
technology which are
identified as routers,
gateways, hubs or serve a
similar purpose.
Cabling
Other
This category includes
special purpose cabling
identified for the information
technology but does not
include that which is
installed as part of the
operating area (e.g. built
in).
This category includes
those items of
information technology that
are used for networking
and/or telecommunications
but do
not fit within other
designated categories. It
includes, but is not limited
to, specialpurpose
communication cards and
adapters.
17
Software
Operating
System
This is the programming,
which enables the
information
technology to operate. The
vendor along with the
hardware that it operates
provides it.
Examples are MVS, DOC,
UNIX, …
Figure A.4 – Equipment61
61
Id.
Applications
Other
This category contains
those items of software
which are directly
necessary for the business
operations of the
organization. It is usually
developed in-house or
under contract and does not
contain those items of
software directly necessary
for the operations of
systems within it.
This includes any
programming which is not
either identified as a
component of a system
Operating System or as one
of the primary applications.
Typical examples are
provided by third-party
vendors.
18
Equipment
Monitors
This category covers items
which are used to display
information from the various
units of information
technology. It contains, but
is not
limited to, stand-alone
computer monitors and
terminals.
Figure A.5 – Software62
62
Id.
Computers
This category includes all
information processing
equipment
maintained by the
organization. It contains,
but is not limited to, PCs,
front-end
processors, fileservers,
mainframe computers and
workstations.
Printers
This category contains
items of information
technology used to
impress information upon
paper. It includes things
such as a variety of printers
(varying
from dot matrix through
laserprinters) and plotters.
Other
This category contains
items of equipment not
covered by other
designated categories. It
contains, but obviously is
not limited to, such things
as memory
cards, disk drives, tape
units and power supplies.
19
Data/
information
System
This category includes that
information which is
maintained
for the operation of the
information system. It
includes, but is not limited
to, such things
as schedule information,
error logs, usage logs, and
similar logging data.
Figure A.6 – Other63
63
Id.
Business
This category includes that
information maintained for
the
business purposes of the
overall organization. The
system business
databases, for
example, would be included
in this category.
Other
This category includes all
information sources not
readily
identifiable as belonging in
one of the other two.
20
Other
Facilities
Supplies
This may be the entire
building itself and its
supplied services or
simply the table the system
is on. It depends, of course,
on the system being
analyzed.
This includes supplies for
the information system.
Included are such things as
spare parts, backup
components, repair kits,
paper, ... It does NOT
include supplies for non-IS
functions associated with
the business.
Documentat
ion
This is the documentation
associated with the
operation of the information
technology. It does NOT
include that documentation
which may be present for
non-IS purposes.
Personnel
These are the people which
work with the information
system in all capabilities. It
does not include manning
at the organization for nonIS duties. As a firstorder
estimate the sum of salaries
of all operating personnel
may be used, as long as
you remember that there
are non-tangible assets
such as experience and
loyalty which are not
necessarily appropriately
priced.
Appendix B – Exposure Factors
Table B.1 – Exposure Factors64
Threat
Data Integrity Loss
Accidental Errors
Computer Virus
Abuse of Access
Privileges by
Employees
Attempted
Unauthorized
System Access by
Outsider
Theft or Destruction
of Computing
Resource
64
Description
A realized, or perceived possible, alteration of the data and/or information
maintained by or consisting of the specified asset.
Improper use of information technology not due to malicious intent but
solely through mistaken incorrect use
A Program which spreads by attaching itself to "healthy" programs. After
infection, the program may perform a variety of non-desirable functions.
Employees are authorized by the Security
Policy of the organization and further narrowed by their job responsibilities
to perform a small selection of functions with the information system. This
category covers those acts which may be performed but which are not
authorized.
Non-employees or personnel not contracted to perform work with or on
the information system who are not appropriately authorized yet are
attempting, but not succeeding, in gaining access to the information
system.
A primary resource of the organization is the computing capability of its
information systems. This threat addresses the unauthorized use of this
resource and the destruction of this resource - through physical or other
means.
Threats not specific to HIPAA were removed from the list. See
James Meritt 4-5.
21
Destruction of Data
Abuse of Access
Privileges by Other
Authorized User
Successful
Unauthorized
System Access by
Outsider
Information held by an organization is not only that used by their business
applications, but includes that used by the systems to operate, manuals,
personal experience and other forms. This threat may destroy that
information, or simply prevent the organization from using it.
While an employee is authorized to perform - and indeed may be required
- to perform many actions using the information system, he or she limited
to what may be done through organizational policy, job restrictions and
technological controls. But an authorized user - whether an employee or
contractor - may attempt to perform operations which are denied them.
This covers non-employees and non-contractors using, and possibly
destroying, information system resources. "Hackers" fit within this threat
description.
22
Qualitative
Quantitative
Asset Value
Data Integrity Loss
Accidental Errors
Computer Virus
Abuse of Access Privileges by
Employees
N
et
w
ca ork
tio /te
ns le
: M co
od mm
N
et
em un
w
o
s i
ca rk
tio /te
ns le
: R co
ou mm
N
et
te u
w
rs ni
ca ork
tio /te
ns le
: C co
ab mm
N
et
lin u
w
g ni
ca ork
tio /te
ns le
: O co
th mm
So
er u
ftw
ni
Sy ar
st e:
em O
pe
ra
So
tin
g
ftw
ar
e:
Ap
pl
ic
at
So
io
ftw
ns
ar
e:
O
th
er
Eq
ui
pm
en
t:
M
on
Eq
ito
rs
ui
p
C m
om e
n
pu t:
te
rs
Eq
ui
pm
en
t:
Pr
in
te
Eq
rs
ui
pm
en
t:
O
th
er
D
at
a/
Sy inf
st orm
em
at
io
n:
D
at
a/
Bu In
si form
ne
ss ati
on
D
:
at
a/
O In
f
th o
er rm
at
io
n:
O
th
er
:F
ac
ilit
ie
s
O
th
er
:S
up
pl
ie
s
O
th
er
:D
oc
um
en
O
ta
th
tio
er
n
:P
er
so
nn
el
Bu
:
si
As nes
se s:
ts M
on
et
ar
y
Appendix C – Annualized Loss Expectancy Sample Spread Sheets
Figure C.1 – Asset Values
Attempted Unauthorized
System Access by Outsider
Theft or Destruction of
Computing Resource
Destruction of Data
Abuse of Access Privileges by
Other Authorized User
Successful Unauthorized
System Access by Outsider
Litigation
Future Loss of Business
Loss of licensee
Reputation
Accidental Information Sent to
Wrong Place
Table C.2 – Exposure Factors Values65
65
The values provided in the table are from a number of experts in the arena of information system security. See
James Meritt 11.
Qualitative
Quantitative
Exposure Impact
Coefficient (Value lost a
from threat)
Data Integrity Loss
Accidental Errors
Computer Virus
Abuse of Access Privileges by
Employees
Attempted Unauthorized
System Access by Outsider
Theft or Destruction of
Computing Resource
Destruction of Data
Abuse of Access Privileges by
Other Authorized User
Successful Unauthorized
System Access by Outsider
Litigation
Future Loss of Business
Loss of Licensee
Reputation
Accidental Information Sent to
Wrong Place
N
et
w
ca ork
tio /te
ns le
: M co
od mm
N
et
em un
w
o
s i
ca rk
tio /te
ns le
: R co
ou mm
N
et
te u
w
rs ni
ca ork
tio /te
ns le
: C co
ab mm
N
et
lin u
w
g ni
ca ork
tio /te
ns le
: O co
th mm
So
er u
ftw
ni
Sy ar
st e:
em O
pe
ra
So
tin
g
ftw
ar
e:
Ap
pl
ic
at
So
io
ftw
ns
ar
e:
O
th
er
Eq
ui
pm
en
t:
M
on
Eq
ito
rs
ui
p
C m
om e
n
pu t:
te
rs
Eq
ui
pm
en
t:
Pr
in
te
Eq
rs
ui
pm
en
t:
O
th
er
D
at
a/
Sy inf
st orm
em
at
io
n:
D
at
a/
Bu In
si form
ne
ss ati
on
D
:
at
a/
O In
f
th o
er rm
at
io
n:
O
th
er
:F
ac
ilit
ie
s
O
th
er
:S
up
pl
ie
s
O
th
er
:D
oc
um
en
O
ta
th
ti o
er
n
:P
er
so
nn
el
Bu
si
As nes
se s:
ts M
on
et
ar
y
23
0.00
0.10
0.30
0.10
0.10
0.10
0.00
0.30
0.00
0.00
0.20
0.00
0.00
0.10
0.80
0.00
0.40
0.30
0.00
0.10
0.20
0.00
0.10
0.00
0.00
0.70
0.50
0.00
0.10
0.05
0.00
0.20
0.30
0.97
0.50
0.95
0.70
0.50
0.30
0.70
0.50
0.60
0.00
0.50
0.00
0.00
0.10
0.00
0.00
0.11
0.00
0.00
0.10
0.00
0.10
0.20
0.50
0.30
0.20
0.20
0.20
0.00
0.40
0.10
0.10
0.30
0.50
0.30
0.10
0.08
0.10
0.30
0.20
0.10
0.50
0.00
1.00
0.30
1.00
0.00
0.20
0.10
0.10
1.00
0.30
1.00
0.10
0.07
0.00
0.00
1.00
0.00
1.00
0.10
1.00
0.00
1.00
0.00
1.00
0.00
1.00
0.00
1.00
0.00
1.00
0.00
1.00
0.00
1.00
0.00
1.00
0.00
0.02
1.00
0.40
1.00
0.30
1.00
0.20
0.00
0.20
0.00
0.20
0.00
0.00
0.00
0.00
0.00
0.00
0.00
0.00
0.00
0.00
0.00
0.00
0.00
0.00
0.30
0.30
0.30
0.00
0.30
0.00
0.30
0.10
0.20
0.50
0.20
0.60
0.60
0.20
0.10
0.80
0.15
0.30
0.70
1.00
0.80
0.30
0.20
0.10
0.30
Figure C.3 Annualized Rate of Occurrence
?
?
?
?
?
Qualitative
Quantitative
Annualized Loss
Expectancy
Data Integrity Loss
Accidental Errors
Computer Virus
Abuse of Access Privileges by
Employees
Attempted Unauthorized
System Access by Outsider
Theft or Destruction of
Computing Resource
Destruction of Data
Abuse of Access Privileges by
Other Authorized User
Successful Unauthorized
System Access by Outsider
Litigation
Future Loss of Business
Loss of licensee
Reputation
Accidental Information Sent to
Wrong Place
et
w
ca ork
tio /te
ns le
: M co
od mm
N
et
em un
w
o
s i
ca rk
tio /te
ns le
: R co
ou mm
N
et
te u
w
rs ni
ca ork
tio /te
ns le
: C co
ab mm
N
et
lin u
w
g ni
ca ork
tio /te
ns le
: O co
th mm
So
er u
ftw
ni
Sy ar
st e:
em O
pe
ra
So
tin
g
ftw
ar
e:
Ap
pl
ic
at
So
io
ftw
ns
ar
e:
O
th
er
Eq
ui
pm
en
t:
M
on
Eq
ito
rs
ui
p
C m
om e
n
pu t:
te
rs
Eq
ui
pm
en
t:
Pr
in
te
Eq
rs
ui
pm
en
t:
O
th
er
D
at
a/
Sy inf
st orm
em
at
io
n:
D
at
a/
Bu In
si form
ne
ss ati
on
D
:
at
a/
O In
f
th o
er rm
at
io
n:
O
th
er
:F
ac
ilit
ie
s
O
th
er
:S
up
pl
ie
s
O
th
er
:D
oc
um
en
O
ta
th
tio
er
n
:P
er
so
nn
el
Bu
:
si
As nes
se s:
ts M
on
et
ar
y
Quantitative
N
et
w
ca ork
tio /te
ns le
: M co
od mm
N
et
em un
w
o
s i
ca rk
tio /te
ns le
: R co
ou mm
N
et
te u
w
rs ni
ca ork
tio /te
ns le
: C co
ab mm
N
et
lin u
w
g ni
ca ork
tio /te
ns le
: O co
th mm
So
er u
ftw
ni
Sy ar
st e:
em O
pe
ra
So
tin
g
ftw
ar
e:
Ap
pl
ic
at
So
io
ftw
ns
ar
e:
O
th
er
Eq
ui
pm
en
t:
M
on
Eq
ito
rs
ui
p
C m
om e
n
pu t:
te
rs
Eq
ui
pm
en
t:
Pr
in
te
Eq
rs
ui
pm
en
t:
O
th
er
D
at
a/
Sy inf
st orm
em
at
io
n:
D
at
a/
Bu In
si form
ne
ss ati
on
D
:
at
a/
O In
f
th o
er rm
at
io
n:
O
th
er
:F
ac
ilit
ie
s
O
th
er
:S
up
pl
ie
s
O
th
er
:D
oc
um
en
O
ta
th
tio
er
n
:P
er
so
nn
el
Bu
:
si
As nes
se s:
ts M
on
et
ar
y
Annualized Rate of
Occurrence
Data Integrity Loss
Accidental Errors
Computer Virus
Abuse of Access Privileges by
Employees
N
Qualitative
24
Attempted Unauthorized
System Access by Outsider
Theft or Destruction of
Computing Resource
Destruction of Data
Abuse of Access Privileges by
Other Authorized User
Successful Unauthorized
System Access by Outsider
Litigation
Future Loss of Business
Loss of licensee
Reputation
Accidental Information Sent to
Wrong Place
Figure C.4 – Annual Loss Expectancy