Maturity and Metrics in Health Organizations Information Systems

Alberto Carneiro
DOI: 10.4018/978-1-4666-3990-4.ch049

Abstract

This chapter discusses the issues and choices that researchers and technicians should consider when adapting maturity models to healthcare organizations' needs. It discusses the practical utilization of maturity models, including different manners of exploring a model’s usefulness. For a more complete understanding of maturity models and their applicability, the selection of criteria and processes of measurement, called metrics, is briefly reviewed in terms of indicators and daily procedures. Finally, some issues of management information systems security are briefly addressed, along with a note on measuring security assessment.
Chapter Preview

1. Information Systems Maturity Models: Dimensions And Conceptualization

1.1. Is Maturity an Easy Concept?

Applied to the field of information systems, the concept of a model is not easy to explain because of the complexity of the information involved and the diversity of uses that these systems may have in the service of healthcare organizations, in particular in support of medical decision-making processes.

Many organizations are using several methods and techniques to examine and improve their current maturity level of Information Technology (IT). Although IT evaluation studies based on IT maturity stages have been conducted widely, the stages theory has not been confirmed through statistical testing. IT evaluation activities can present managerial implications to an enterprise by determining where it stands within the stages theory. The results of some studies tend to indicate the meanings and the opportunity of newly defined five stages of IT maturity: initiation, recognition, diffusion, control, and integration (Leem et al., 2008; Davis, 1992; King & Kraemer, 1984).

Information Systems (IS) and consequent advances have always been essential elements for organizations' functioning and development, but nowadays the characteristics, the differentiation and the overload of data, technical information and equipment demand that IS assets be managed in an explicit and intelligent way, moving towards maturity levels. A maturity model is a structured set of elements of any nature that has the characteristics of processes, practices, procedures, and protocols. This set is arranged by levels of specific subsets of elements that an organization must have to achieve a certain maturity level.

Before gaining organizational value from operational users, managers need to know what their level of maturity is in a given situation, who produces solid and mature information, and how it can be maturely used. Information Systems Maturity also integrates a set of processes to locate, evaluate, obtain, and share information throughout the organization. The process maturity framework is incremental, but maturity requires a long-term commitment.

Health data is one of the most vital, strategic assets hospitals and other healthcare organizations possess. They depend on this complex set of different data to develop adequate services, make critical strategic decisions, protect property rights, push marketing initiatives, manage projects, process transactions, attract potential clients, and generate revenues. Large amounts of critical data are created, and patients' hospital records are compiled, automatically or manually, and stored in the records department for retrieval whenever needed.

It has not always been easy to describe what “good recordkeeping” looks like. Yet, this question gains in importance as regulators, shareholders, and customers are increasingly concerned about the business practices of organizations. Some recordkeeping principles would be needed in order to guide records management professionals in designing comprehensive and effective records management programs. These principles can help multi-national organizations to establish consistent practices across a variety of business units.

An important question can be posed: how can a maturity model be used? A model of this kind can help the health organization to evaluate its recordkeeping programs and the practical procedures that are used daily. A detailed account of the practices of the health organization enables players to make an initial analysis of the maturity of information management. But it is important to note that the maturity model represents an initial assessment. A requirement for greater efficiency and a more thorough analysis of organizational policies and practices may be needed.

The maturity model will be more useful to decision makers who want to achieve maximum benefit from the implementation of policies for information management. The effectiveness of the control of information requires ongoing attention. But to begin, healthcare organizations can take the following steps:

  • Identify gaps between current practices and the organization's desired level of system maturity;

  • Assess the risk(s) for the organization, taking into account the gap analysis;

  • Determine whether additional information and analysis are required;

  • Develop priorities and assign responsibility for program development.

Issues in Information Systems: In a strictly logistical cooperation, information systems do not present a priori any particular difficulties when they do not affect data subject to special protection. However, in the case of cooperation on a medical-technical activity, the strong link between the activity and the support of the patient involves the use, management, or sharing of personal medical information, which is subject to secrecy. Let us imagine a set of institutions cooperating in medical biology, with a focus on the sharing of activities and technical means, namely applications for processing biological data and its storage. In this context, this cooperative group will manage all medical data from different patients, and each of these establishments may have access to such data even from a distance.

Cooperation on the medical and technical activities eventually becomes an exercise in style: its developers have to successfully combine the practical constraints of partnership and retain the efficiency of the proposed pooling, while seeking, sometimes unsuccessfully, to comply with increasingly complex social regulations. Morality invites stakeholders to refrain from engaging in cooperation on activities related to health care without first having:

  • A preliminary identification of the organizational constraints: information systems, procurement, personnel management, patient journey;

  • A clear vision of the legal risks incurred: the application of complex regulations does not always take into consideration the logic of cooperation;

  • And a certain amount of pragmatism.

Key Terms in this Chapter

Security Assessment: Its objective is to give the organization a fundamental understanding of its security posture as a whole in a set of key areas; an in-depth security assessment may be regarded as a comprehensive study of the security of an organization, including an examination of all policies, procedures, hardware and software configurations, users, workstations, servers, Websites and mail servers; it is a comprehensive analysis of an organization’s network computing systems with an emphasis on security and the organization's compliance with relevant standards and controls.

Maturity Level: A maturity level is a well-defined evolutionary plateau that establishes a level of capacity for improving workforce capability; each maturity level specifies certain characteristics for processes, with higher maturity levels having more advanced characteristics, and is a step towards achieving a mature process, providing a set of goals which, when satisfied, places an organization at the next level of maturity. It also specifies the path that a process follows in moving from an immature, ad hoc process to a highly mature process.

Security Indicator: A value that is obtained by comparing data (or attributes according to ISO-27004) logically related, concerning the behavior of an activity, process or control, within a specified time; a key indicator, that, when taken into account, may be predictive of the overall security posture of an organization (these critical indicators are derived from criteria based on factors like a single point of failure, operational vs. administrative, human factor related). The indicators are guided by security rules, regulations, and standards.

Metrics: Quantifiable measurements of some aspect of a system or enterprise; set of criteria and processes of measurement; tools designed to facilitate decision making and improve performance and accountability through collection, analysis, and reporting of relevant performance-related data. Measurement makes it possible to identify areas for improvement and track the improvement processes. The purpose of measuring performance is to monitor the status of measured activities and facilitate improvement in those activities by applying corrective actions, based on observed measurements.

Security Metrics: Set of precepts and rules necessary for a real way to measure the security level of an organization; security metrics involve the application of a method of measurement to one or more entities of a system that possess an assessable security property to obtain a measured value. From an organizational perspective, security measures and metrics should enable an organization to gauge how well it is meeting its security objectives.

Indicator: It is a simple measure that indicates what is happening in a given situation; it is a specific piece of information that measures all or part of the condition, experience or behavior that is the desired state of well-being or outcome.

Maturity Model: It may be defined from three points of view (operational, process, and decisional) using “alerts” (predefined malfunctioning identified with standard checklists and overstep indicators) and is associated with correction or enhancement actions; it describes the development of an entity over time and has the following properties: an entity’s development is simplified and described with a limited number of maturity levels, levels are ordered sequentially and characterized by certain requirements that the entity must achieve, and the entity progresses from one level to the next without skipping any level. The model identifies various organizational issues in IS implementation and development and highlights the priorities requiring managerial attention at different stages of growth.
