Security Metrics for e-Healthcare Information Systems: A Domain Specific Metrics Approach

Information sharing among different healthcare organizations is critical for efficient and cost effective healthcare service delivery. Healthcare organisations with information systems need to be interconnected to ensure information exchange. Interconnectivity increases exposure to risk of damage, loss and fraud. Security and privacy of patients’ information are concerns of all healthcare organizations. These concerns hinder the willingness to share data across different organizations. An objective assessment of organisational security posture is required in order to build trust and confidence among different entities in the eHealthcare ecosystem. Security metrics are a collection of several measurements taken at different points in time, compared against baseline and interpreted to reveal an understanding. Metrics provides insight, improve visibility and accountability, and can reveal the overall security posture of organisation. The current security assessment practices focus either on measuring security programme effectiveness, auditing or assessment of individual information systems components like networks and software. There are discrepancies in the way security is given meaning and quantified in several other approaches. These discrepancies affect their adoption as programmes to derive trustworthy measurable results. Several security assessment practices not sufficiently address measuring the overall security posture of an organization. For those that do, their assessment results are not meaningfully comparable among different organisations. In this paper we present an analysis of selected approaches, identifying their bias, and propose an approach for developing security metrics to be used for assessing security posture of healthcare organizations. The metrics for this approach shall not be tailored to any specific organisation to ensure comparable results.