Abstract
This research provides a maturity model for information security for healthcare organizations in the United States. Healthcare organizations are faced with increasing threats to the security of their information systems. The maturity model identifies specific performance metrics, with relative importance measures, that can be used to enhance information security at healthcare organizations, allowing them to focus scarce resources on mitigating the most important information security threat vectors. This generalizable, hierarchical decision model uses both qualitative and quantitative metrics based on objective goals. This model may be used as a baseline by which to measure individual organizational performance, to measure performance against other organizations, or to monitor changes in the information security environment over time.
Information security incidents cause significant harm, both financial and reputational, to individuals and organizations across the globe. The cybersecurity threat is pervasive and continues to grow at an alarming rate. This harm is heightened in healthcare organizations because human lives may also be at risk in the event of an information security incident. Healthcare organizations have also become a popular target for cybercriminals because of the rich trove of personal information entrusted to them. Existing information system security frameworks are complicated, difficult and time-intensive to administer and monitor, and rarely provide the relative importance of key performance metrics. Understanding the most important levers for improving information security by introducing a generalizable model can help close a gap in the existing literature.
Using a comprehensive literature review, objectives, goals, and outputs were identified and linked together in a four-level hierarchical decision model (HDM). At level 1, the purpose of the HDM is to determine the degree to which the organization meets the mission of providing a secure information security environment by evaluating a broad set of metrics. Level 2 specifies five objectives, based on industry- and domain-relevant research, for the promotion of a secure information security environment. Level 3 identifies twenty-two goals with associated measurable outputs, characterized by desirability functions, to create level 4. A structured model is developed using these linked concepts with the help of subject matter experts to validate the content and construct of the model. The model is further tested by measuring for inconsistency and disagreement.
Using case studies, actual industry data are used to demonstrate how the model calculates a score to create a performance measure for each case study organization. Results are discussed to illustrate how the case study sites might increase their performance in future assessments against the model.
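The scoring mechanics described above (level 2 objectives with relative importance weights, level 3 goals weighted within each objective, level 4 measured outputs mapped to desirability values, and a single aggregate performance score) can be illustrated with a small worked example. The code below is an added illustration and is not the dissertation's model or data: the objective and goal names, the weights, the desirability curves and the measurements are all constructed placeholders, and the real model's five objectives and twenty-two goals are not reproduced. It also adds a "gap" ranking, which is one way to read the abstract's point about directing scarce resources to the metrics that cost the most score.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Desirability = Callable[[float], float]


def piecewise_linear(points: List[Tuple[float, float]]) -> Desirability:
    """Build a desirability function from (output, desirability) breakpoints.

    Outputs are clamped to the first/last breakpoint, desirability is in [0, 1].
    """
    xs = [p[0] for p in points]
    if xs != sorted(xs):
        raise ValueError("breakpoints must be sorted by output value")

    def f(x: float) -> float:
        if x <= points[0][0]:
            return points[0][1]
        if x >= points[-1][0]:
            return points[-1][1]
        for (x0, y0), (x1, y1) in zip(points, points[1:]):
            if x0 <= x <= x1:
                return y0 + (y1 - y0) * (x - x0) / (x1 - x0)
        raise AssertionError("unreachable: x is inside the breakpoint range")

    return f


@dataclass
class Goal:
    name: str                # level 3 goal; its name is also the measurement key
    weight: float            # relative importance within the parent objective
    desirability: Desirability  # level 4 output -> desirability in [0, 1]


@dataclass
class Objective:
    name: str                # level 2 objective
    weight: float            # relative importance toward the level 1 mission
    goals: List[Goal]


def _check_normalized(weights: List[float], label: str) -> None:
    # HDM weights at each level are relative importances that sum to 1.
    if any(w < 0 for w in weights) or abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError(f"weights under '{label}' must be non-negative and sum to 1")


def score(model: List[Objective], measurements: Dict[str, float]) -> float:
    """Aggregate a 0-100 performance score: sum over objectives and goals of
    objective weight * goal weight * desirability(measured output)."""
    _check_normalized([o.weight for o in model], "mission")
    total = 0.0
    for obj in model:
        _check_normalized([g.weight for g in obj.goals], obj.name)
        for g in obj.goals:
            total += obj.weight * g.weight * g.desirability(measurements[g.name])
    return total * 100.0


def largest_gaps(model: List[Objective], measurements: Dict[str, float]) -> List[Tuple[str, float]]:
    """Rank goals by the score (0-100 scale) lost versus the ideal state,
    i.e. where improvement would raise the aggregate score the most."""
    gaps = []
    for obj in model:
        for g in obj.goals:
            lost = obj.weight * g.weight * (1.0 - g.desirability(measurements[g.name]))
            gaps.append((g.name, lost * 100.0))
    return sorted(gaps, key=lambda item: item[1], reverse=True)


# Constructed placeholder hierarchy (NOT the dissertation's objectives or goals).
CONSTRUCTED_MODEL = [
    Objective("Access control", 0.6, [
        Goal("mfa_coverage_pct", 0.7, piecewise_linear([(0, 0.0), (50, 0.4), (100, 1.0)])),
        Goal("stale_accounts_pct", 0.3, piecewise_linear([(0, 1.0), (10, 0.5), (30, 0.0)])),
    ]),
    Objective("Patch management", 0.4, [
        Goal("critical_patch_days", 1.0, piecewise_linear([(0, 1.0), (14, 0.8), (60, 0.0)])),
    ]),
]

# Constructed sample measurements for one hypothetical organization.
CONSTRUCTED_MEASUREMENTS = {
    "mfa_coverage_pct": 80.0,     # 80% of accounts enrolled in MFA
    "stale_accounts_pct": 5.0,    # 5% of accounts unused for 90+ days
    "critical_patch_days": 30.0,  # mean days to apply critical patches
}

if __name__ == "__main__":
    print(f"score: {score(CONSTRUCTED_MODEL, CONSTRUCTED_MEASUREMENTS):.2f} / 100")
    for name, lost in largest_gaps(CONSTRUCTED_MODEL, CONSTRUCTED_MEASUREMENTS):
        print(f"  {name:<22} score lost vs ideal: {lost:.2f}")
```

Running the same `score` function against a second organization's measurements, or against the same organization's measurements a year later, gives the cross-organization and over-time comparisons the abstract describes; the gap ranking shows which measured output is furthest from its ideal after weighting, which is the resource-allocation question the model is built to answer.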
This research project contributes to the field by introducing a generalizable model and measurement system that compares information security performance in healthcare organizations to an ideal state. Healthcare organizations provide critical resources to millions every day and must remain operational despite information security threats. Understanding where healthcare organizations can best direct their limited resources to support the stability of their information systems is essential to the leaders of these organizations.