Information Assurance Framework for Health Care Industry (IAF4HC)
Part II - The Background
Information Security is normally recognized with three parameters, namely
a) Confidentiality
b) Integrity
c) Availability
This is the CIA approach, which is used in the basic ISO 27001 approach.
The “Techno Legal Information Security” principle that Naavi has been suggesting extends the above three-pronged approach with two further parameters, Authentication and Non-Repudiation, and is recognized as an “Information Assurance” approach. With legal compliance comes an assurance of mitigation of the “Liability Risk”. Mitigation of “Liability Risk” arises both from the ability to defend against being held liable for a breach and from the ability to recover compensation for the breach from another party. Hence in this approach the end objective extends from DRP-BCP to DLS-OLS (DLS = Defensive Legal Shield and OLS = Offensive Legal Sword).
The COBIT approach is often associated with the term “Information Assurance” rather than Information Security. Considering the practical difficulties in implementing Information Security, Naavi has been advocating a “Three Dimensional” model which extends the “Techno Legal” approach further to include “Behavioral Science”. In this approach the importance of the “People factor” is recognized not merely through the need for awareness training but from the point of view of making people behave in a secure manner. Naavi has tried to codify these thoughts in the “Theory of Information Security” and the Indian Information Security Framework.
The “Theory of Information Security” is built around a “Pentagon Model” where implementation of Information Security in an organization is considered as bound by five aspects, namely
a) Awareness
b) Acceptance
c) Availability
d) Mandate
e) Inspiration
The theory postulates that, for achieving a satisfactory implementation of Information Security in an organization, the users should first be “Aware” of the threats, vulnerabilities and security aspects. However, mere “awareness” does not lead to implementation; the users also need to “accept” the need for security. This requires a change to be brought about in the minds of the users. In view of the “human” factor involved in this conversion, the term “Control” used in other frameworks is replaced by “Strategies” in this approach.
“Availability” refers to all aspects of security that are within the control of the organization, such as the placement of appropriate software tools necessary for information security.
“Mandate” recognizes not only the existence of external legal compulsions but also the strategic value of internal sanctions that support the legal impositions and security objectives. While “Availability” and “Awareness” are controlled by the organization, and “Mandate” is imposed by the law and can additionally be supported as a strategic internal policy, “Acceptance” and “Inspiration” are predominantly controlled by the users themselves. The organization can only facilitate “Acceptance” or “Inspiration” by appropriate strategies, but the user has the greater say in the end result.
Based on the above thoughts, Naavi presented the IISF 309
framework to provide the necessary guidance to the organization
for implementation of Information Security.

The IISF 309 was an attempt to zero in on the responsibilities of different parts of an organization towards achieving the Information Assurance objectives. In version 5 of the framework, 25 different steps have been identified. These include top management decisions and policy formulations as well as requirements to be fulfilled by the different departments such as HR, IT or General Administration. Detailed specifications have also been drawn up for each of the 25 steps, to be implemented at three different levels of implementation. While working on the IISF framework, which was based on the TISM, certain suggestions have also been made for the purpose of “measurability”, similar to the CMMI model of identifying the level of maturity capability reached in an organization at a point of time and how it can be monitored over a period of time. It may be said that these suggestions are subject to a need for further refinement through research at both the academic and industry level.
In the light of this background, Naavi looked at the
requirements of the Health Care industry in India and the
outcome has been the industry specific suggested framework
“IAF4HC”.
IAF4HC is an “Information Assurance Framework” specifically designed to meet the requirements of the Indian Health Care industry, such as hospitals. Companies engaged in medical transcription or insurance billing, or providing other services to US clients, already have the mandatory framework of HIPAA-HITECH.
While the HIPAA-HITECH framework is a good framework for adoption by any Health Care or other company, it was felt that there was a need to provide a compliance path with gradual implementation of security measures, rather than providing one large framework such as HIPAA-HITECH and simply determining whether a company is “Compliant” or “Non Compliant”.
Though we say that “Security is as strong as the weakest link” and there are no “half measures”, in practice no organization can jump to the highest level of information security in one step. Auditors are therefore frequently confronted with the question of whether the suggested framework is commensurate with the nature and size of the organization's activity. In the absence of proper guidance to break compliance into smaller achievable steps, auditors were forced to compromise on their reports, stating that certain controls were considered “Not Necessary”. This involved a subjective assessment, often under unavoidable pressure from the management. While some auditors stood their ground and dubbed a client “Non Compliant” for reasons they considered reasonable and fair, the management felt that the auditor was needlessly rigid in his approach.
While a rigid approach of the auditor is acceptable in the
case of a “Mandatory Audit” conducted by a regulatory agency,
when a progressive management initiates an audit as an
improvement measure of its own volition, the rigidity of the
auditor could be considered misplaced and dysfunctional.
Naavi has been an advocate of “Self Regulation” and hence, even where an ITA 2008 compliance audit has not been mandatory, he has strongly favoured such an audit as good corporate governance. However, many managements feel that they are not “Big Enough” for an ISO 27001, COBIT or ITA 2008 audit and hence end up doing nothing at all towards security. Similarly, the Indian health care industry at present may not be ready for a full HIPAA implementation and hence is not considering any structured approach to information assurance.
Instead of just lamenting the non-compliance, Naavi therefore felt the need to put in place a suggestion which can be implemented by most organizations that would like to achieve acceptable levels of Information Assurance in smaller steps. The feeling of having achieved “Level 1” or “Level 2” would act as a motivation for organizations to start an information assurance program which they would otherwise not begin at all. This approach, which is generally referred to as IAF4MI (Information Assurance Framework for Modular Implementation), is referred to as IAF4HC as a health care industry specific framework.
Though the approach originated in the light of the felt need of the Health Care industry in India, it is Naavi’s considered opinion that the approach may also be found suitable for other organizations that are honestly trying to achieve greater levels of information assurance competence but are not ready to take a single large leap to a “satisfactory zone of safety”. IAF4MI/IAF4HC tries to achieve this objective of “Satisfactory information assurance through small doses” rather than attempting an overdose which may be rejected by the system altogether.
Breaking “Satisfactory Information Assurance” into achievable sub-goals, and the manner in which this classification is made in the framework, is considered the USP of this framework. The end result of achieving, say, all levels of assurance under IAF4MI may be the same as, or should be better than, a faithful implementation of assurance under COBIT, HIPAA or ISO 27001. But IAF4MI is designed to assist a voluntary compliance program better than the other formats.
Let’s look deeper into the concept of Information Assurance
through modular implementation in the next part of the article.
Naavi
November 18, 2012
[PS: Naavi's approach to IA is broader than the usually recognized definition of IA. Hence Naavi has decided to use the term "Total Information Assurance" in place of Information Assurance in all his discussions. As a result the acronyms will also be changed from IA to TIA wherever applicable in all references in future... Naavi... 19th November 2012]