Security Enterprise Architecture for Healthcare
Wednesday, 11 August 2004
Security Enterprise Architecture for Healthcare (SEAFH), by Tom Tuduc. Published in the ISSA Journal, August 2004 issue.

Security Enterprise Architecture for Healthcare (SEAFH)

By Tom Tuduc

1. Introduction

To comply with HIPAA and to provide the best services under limited resources and time, healthcare organizations often have to make decisions that involve conflicting objectives. For example, what is the ROI of an identity management system that requires significant staff time and resources to integrate with directory servers and domain authentication systems, when a simpler single sign-on solution is sufficient in the short term? Another example is determining whether 20 percent more data availability is equivalent to 5 percent less data integrity. How should healthcare organizations perform due diligence, risk and quantitative ROI assessments, and create policies, processes, and best practices? This paper employs a framework and methodology that draw from IT best practices and that will help all healthcare organizations.

2. SEAFH – An Overview

Security threats are moving targets that security strategies must consider. New technology and security vulnerabilities limit the effectiveness of any strategy. A particular strategy may become obsolete by the time it is implemented. To be in the best position to deal with security and HIPAA compliance, organizations must consider three concepts:

  1. Uncertainties & Risk Management
  2. Enterprise Architecture
  3. Balanced Score Card

Until recently, the cost of computing and the lack of tools have inhibited methodologies and processes for integrating these three bodies of knowledge into information security for the healthcare industry. HIPAA deals with the confidentiality, integrity, and availability of protected health information. HIPAA also brings information risk management to the same level of compliance as infection control, ethical practices, and billing fraud/abuse. In addition, legal advisors recommend that security be treated at the CXO level in an organization (Tunitas).

The following sections give an overview of the three mentioned bodies of knowledge and how they play out in healthcare security.

Uncertainties & Risk Management

Uncertainties are ubiquitous in security tools, their effectiveness, and security ROI. Security technologies including behavior-based intrusion detection systems, statistical-based intrusion detection systems and spam filters (Graham) are based on quantitative analysis such as Bayesian probability and statistics. The next wave of security technology, intrusion prevention systems, will rely even more heavily on quantitative analysis and Bayesian probability. For example, unknown intruders with unknown signatures require various expert judgments in infrastructure technologies including networking and voice over IP, as well as in industry-specific applications and systems. "Trustworthy Refinement through Intrusion-Aware Design" is an example of a next-generation project using Bayesian nets and influence diagrams at Carnegie Mellon's Software Engineering Institute (Ellison).

On the business side, quantitative security ROI and quantitative risk management are gaining visibility as security regulations come into effect. For example, Bank One employs probability trees to model the rate at which systems get hacked and the factors preceding a successful attack (School). Likewise, Deutsche Bank deploys an information security risk metrics system using ROI, risk indicators, cost avoidance and cost reduction (Duliba).

In calculating ROI, quantitative analysis is an effective tool for vendor selection. Other quantitative analyses include policy analysis, policy portfolio, risk assessment, and risk analysis. ROI calculations address questions such as:

1) For what size of organization, and how, should access control be used?

2) How complex must an organization, its processes, and its computing entities become before it is cost-prohibitive to maintain and monitor the access control rules?

3) When should one use access control, i.e. the surveillance of personnel, and when accountability, i.e. the surveillance of data (Geer)?

4) What is the optimal number of internal and external vulnerability scans per year, given that scanning means lost productivity in addition to direct costs?

In security ROI and budgeting it is often believed that the lack of a serious breach in the previous fiscal year means security has been over-budgeted. Here a risk management framework can give technical security personnel a financial yardstick for much-needed security budgets.

Where there are no security statistics for every piece of hardware, appliance and software, organizations employing quantitative analysis should start with general statistics (CSI/FBI Computer Crime and Security Survey, http://www.securitystats.com/, @stakes.com) and collect their own data by monitoring all traffic and employing honeypots.

Enterprise Architecture (EA)

EA is the knowledge of the current state of the organization. In business process management, this is the AS-IS state of the organization in terms of its assets, processes, personnel, data, and other computing entities. Knowing the AS-IS state enables organizations to identify possible TO-BE architectures.

In dealing with the AS-IS and TO-BE architectures, organizations can employ Enterprise Architecture (EA) documents to make the transition painless. To reduce unauthorized access to data and comply with HIPAA while enabling doctors to access patient data in every exam room, Northwestern Memorial Physicians Group's new architecture employs PC blades. These PC blades are centrally located in a back room while minimal user interfaces are in the exam rooms. In addition, doctors wear a radio-frequency identification tag that activates the terminals when they enter the room. In this example, the patients get the same services (customer functions) while some computing entities and processes were changed. An EA document can show the difference between the two architectures and which uncertainty was reduced or eliminated. EA is the map of the computing entities and processes of an organization.

Balanced Scorecard (BSC)

BSC is a method for measuring progress and managing milestones. Taking concepts from Six Sigma, Total Quality Management, and Continuous Quality Management, BSC provides clear connections of cause and effect in business performance. Viewing information security from a quality perspective puts security policies, assessment, prevention, and monitoring right in the BSC crosshairs.

Examples of healthcare organizations employing BSC include Aurora Health Care - Wisconsin's largest private employer, Hutchinson Area Health Care, Ontario Hospital, and the American Red Cross. Hundreds of other healthcare organizations are using BSC to improve clinical care and hospital management.

3. SEAFH - A Closer Look

SEAFH is a methodology that optimizes resources to produce the best security strategy for healthcare including healthcare IT security ROI, and IT security processes. SEAFH consists of the following main components:

  1. Dashboard
  2. Score card – Performance Key Indicator (PKI)
  3. Enterprise Architecture (EA)
  4. Risk Management Reference Framework (RMRF)
  5. Common Vulnerabilities & Exposures (CVE)
  6. HIPAA security rules
  7. Security Standards and Controls

While EA models the flow and components of security information, RMRF models the uncertainties of the information as well as the uncertain relationships between the information, e.g. the probability of a port-scan attack, or the probability of applications opening and closing ports.

Complexity is the main enemy of security. SEAFH transforms complexity into manageable components and processes. First, SEAFH models all entities. Entities include hardware, software, processes, and personnel. The modeling creates standardized views such as the data view, process view, personnel view, geographical view, and time view. More specialized views, using any particular combination of data, process, personnel, location, and time, are called Aspects.

The SEAFH framework is shown in Figures 1a and 1b. While each component is taken from a separate body of knowledge and can be modeled in parallel, the EA component is often the first component to be modeled, in order to give a comprehensive view of all involved entities of an organization. Figure 2 shows a snapshot of an Aspect modeled using Analytica (Lumina), a risk modeling tool.

While SEAFH incorporates industry best practices to provide a framework, security controls are provided by standards and regulations including the HIPAA security rules, the NIST SP 800 series, ISO 17799, and Common Criteria. The Balanced Score Card and Risk Management Framework components enable ROI planning and monitoring of improvement in security processes.

The following sections give a closer look into some of the components of this methodology.

Enterprise Architecture (EA) Documents

This consists of:

1) Tangible assets: hardware, software, equipment, appliances, networks, devices.

2) Intangible assets including data, automated processes, and non-automated processes (processes are examples of the "hows").

3) Strategic assets: people, business strategies, business rules, corporate risk and goals.

An EA document can be a few pages or hundreds of pages depending on the depth and complexity of the organization. In either case, it provides the six dimensional views: what, how, where, who, when, and why (Figure 3). These views can be used for analysis, e.g. whether to implement access control, data surveillance, behavior-based intrusion detection, patch management, or forensics.


Risk Management Reference Framework (RMRF)

RMRF consists of risk analysis, both qualitative and quantitative, risk mitigation, risk monitoring, and risk communication (Figures 4 & 5). Primary risk analysis techniques include Monte Carlo simulation and decision analysis/influence diagrams; secondary techniques include game theory and systems theory. Security system behavior can be simulated using Monte Carlo, while the best decisions can be obtained using expected utility, value of information and control, etc. (Tuduc).

ROI is defined as the ratio of savings to cost. Costs include time, human and computing resources. Savings include cost avoidance and cost reduction (Hall 1998).

RMRF maps enterprise entities (who, what, when, where, why, and how) to each security vulnerability and threat. Each of the asset entities can have attributes such as Exposure Factor, Single Loss Expectancy, Annualized Rate of Occurrence, and Annualized Loss Expectancy (as defined by Shon Harris in CISSP…)

RMRF can employ the Balanced Score Card component that shows risk indexes of Aspects at any given time with respect to up-to-date threats. Risk calculations such as trends, forecasts, and mitigation for Aspects can include tangible, intangible, and strategic assets.
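A worked example of the RMRF quantities named in this section (SLE, ARO and ALE per asset, ROI as the ratio of savings to cost, a Monte Carlo run over uncertain inputs, and ranking Aspects by a risk index), added here as illustration and not taken from the paper. The Aspects, dollar figures and the exam-room control are constructed, loosely following the PC-blade/RFID change described in the EA section.

```python
import random
from dataclasses import dataclass

@dataclass
class Aspect:
    """An RMRF Aspect: a set of related entities with risk attributes attached."""
    name: str
    asset_value: float      # replacement value of the entities, in dollars
    exposure_factor: float  # fraction of asset value lost in one incident (0..1)
    aro: float              # Annualized Rate of Occurrence, incidents per year

def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x Exposure Factor."""
    return asset_value * exposure_factor

def annualized_loss_expectancy(asset_value, exposure_factor, aro):
    """ALE = SLE x ARO."""
    return single_loss_expectancy(asset_value, exposure_factor) * aro

def roi(savings, cost):
    """ROI as the paper defines it: ratio of savings to cost."""
    return savings / cost

def control_roi(aspect, aro_after, annual_control_cost):
    """Savings of a control = ALE avoided; cost = annual cost of the control."""
    ale_before = annualized_loss_expectancy(aspect.asset_value, aspect.exposure_factor, aspect.aro)
    ale_after = annualized_loss_expectancy(aspect.asset_value, aspect.exposure_factor, aro_after)
    return roi(ale_before - ale_after, annual_control_cost)

def monte_carlo_ale(aspect, ef_sd, aro_sd, trials=10000, seed=1):
    """Mean ALE when EF and ARO are uncertain (normal, clipped to valid ranges)."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        ef = min(1.0, max(0.0, rng.gauss(aspect.exposure_factor, ef_sd)))
        aro = max(0.0, rng.gauss(aspect.aro, aro_sd))
        total += annualized_loss_expectancy(aspect.asset_value, ef, aro)
    return total / trials

def rank_by_risk_index(aspects):
    """Risk index used for ranking: the point-estimate ALE, highest first."""
    return sorted(aspects, key=lambda a: annualized_loss_expectancy(
        a.asset_value, a.exposure_factor, a.aro), reverse=True)

# Constructed sample Aspects (illustrative figures, not from the paper).
EXAM_ROOMS = Aspect("exam-room terminals", 200_000, 0.25, 0.5)
BILLING = Aspect("billing database", 500_000, 0.10, 0.2)

if __name__ == "__main__":
    # Moving terminals to back-room PC blades with RFID activation cuts ARO 0.5 -> 0.1
    print(control_roi(EXAM_ROOMS, aro_after=0.1, annual_control_cost=10_000))  # 2.0
    print([a.name for a in rank_by_risk_index([EXAM_ROOMS, BILLING])])
```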

Aspects

RMRF can be superimposed on top of IT security processes and EA documents as a guide to producing documents and reports. RMRF uses Aspects as the means for user interfaces and risk ranking. RMRF provides a methodology to analyze, mitigate, and manage known, unknown, and unknowable security vulnerabilities and threats by ranking Aspects by a risk index. Aspects are inputs to the RMRF and comprise unique sets of related objects/entities describing specific functions. For example, the accounting functions of a company have sets of objects/data/personnel uniquely describing those functions.

Balanced Score Card (BSC)

The balanced scorecard is a management and measurement system that enables organizations to articulate their goals and strategy and map them to processes and indicators (Balancedscorecard.org). Healthcare performance applications are numerous (Visumhealthcare.com).

A typical BSC implementation includes four perspectives:

  1. Financial Value
  2. Business Process & Operation
  3. Customer View Points
  4. Continuous Improvement

Security failure can be viewed as quality failure and can be measured and controlled using BSC. A BSC adaptation for security contains four similar perspectives. Here the Financial Value perspective articulates the business value of security initiatives, e.g. how security applications enable business strategies (Giga Information Group, Chief Security Officer Online).

Conclusion

By piecing together industry best practices, HIPAA regulations and industry-standard control procedures, healthcare organizations can effectively manage the complexity of enterprise security issues, assessments, policies, monitoring, and communication. By employing a reference framework, organizations can reuse the bodies of knowledge available in Enterprise Architecture, Risk and Decision Analysis, and Balanced Score Cards. This reuse and integration is the key to bringing order to a chaotic world of security threats, vulnerabilities, and exploits.

References

  • Arveson, Paul. "The Convergence of Strategy, Performance and Enterprise Architecture in the US Federal Government". http://www.balancedscorecard.org/bscit/prm.html
  • Duliba, Katherine. "Information Security Risk Metrics: How to Quantitatively Assess Applications". Deutsche Bank. RSA Conference, 2/24/2004, San Francisco, CA.
  • Ellison, R. J., and Moore, A. P. 2003. "TRIAD - Trustworthy Refinement through Intrusion-Aware Design". Technical Report CMU/SEI-2003-TR-002, ESC-TR-2003-002. CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University. http://www.cert.org/archive/pdf/triad.pdf
  • Geer, Dan. "The Shrinking Perimeter: Making the Case for Data-Level Risk Management". http://www.verdasys.com/download/download.php?file=ShrinkPerim.pdf
  • Lumina Decision Systems. "Influence Diagrams". http://www.lumina.com/software/influencediagrams.html
  • Robinson, Brian. "Enterprise architecture modeling emerges as key tool for improving readiness". http://www.fcw.com/supplements/homeland/2003/sup4/hom-arch-12-01-03.asp
  • School, Albert. "Information Security Threat Modeling: A risk based approach". Bank One Corporation. RSA Conference, 2/24/2004, San Francisco, CA.
  • Tuduc, Tom. "Homeland Security Quantitative Risk Analysis". ISSA Journal, January 2004 issue.
  • Tuduc, Tom. "Security Architecture Risk Reference Framework". http://www.webarches.com/EASecurityRiskManagement.htm
  • Tunitas Group. "HIPAA Security Rule". http://www.tunitas.com/presentations/HIPAA_Security_UCSF.pdf
  • Visumhealthcare. "What is Balanced Scorecard - Health Care Performance Management". http://www.visumhealthcare.com/index1.php?info=hpm_bc_bs
