Healthcare in the USA was hit with a 45% increase in cyberattacks from 2020 to 2024. These cyberattacks expose millions of patient records each year, with an average remediation cost of over $10 million. A significant but seldom-observed contributor to this vulnerability is the conflict within Agile methodology between the need for rapid product delivery on short timelines and the often-complicated governance of data security. In this paper, the authors present the Agile-Healthcare Cybersecurity Analytics [AHCA] Framework, a new integrated process that incorporates Data-Centric Business Analysis throughout each phase of the Agile lifecycle, specifically for the protection and compliance of Healthcare Software Systems. Under AHCA, data security and compliance are a continuous concern rather than a series of checkpoints. To support the development of this framework, the authors used a mixed-methods design that consisted of: (1) a systematic literature review of 127 peer-reviewed studies in the top one-third of publications (Journal of Cybersecurity, IEEE Transactions on Crowdsourcing/Cloud Computing, International Journal of Security and Privacy, etc.), published from 2015-2024, that focused on Agile-based security, Healthcare Cybersecurity, and Data-Centric Architecture; (2) a multi-vocal literature analysis using regulatory guidance from the HIPAA Security Rule, NIST Special Publication 800-66, and the Health Information Security Protection Act [HICP] of 2023; (3) an iterative framework design process that followed Design Science Research Methodology; and (4) Expert Validation using a Delphi study with 23 senior-level Litigation IT executives and Cybersecurity Leaders, many of whom come from large, well-established hospital systems, Health IT vendors, and Regulatory Agencies, further validated through a sequence of semi-structured interviews. The AHCA Framework consists of five layers that are integrated and dependent on each other: 1) The first layer is a Discovery and Classification of Data Sprint Zero. 2) The second layer is Threat-Driven User Stories and Security Acceptance Criteria. 3) The third layer is ongoing Data Flow and Risk Scoring, integrated into the reviews of each sprint. 4) The fourth layer is the ability to build guardrails (Compliance-as-Code) for (but not limited to) HIPAA, HITRUST, and NIST. 5) The fifth layer is a Retrospective Security Metrics Dashboard that provides feedback to the next cycle. The primary deliverables will be a prioritized catalog of 42 healthcare-specific security requirements with traceability back to regulatory citations, an Agile-calibrated lightweight data-risk scoring model, and empirically validated integration points for increasing security requirements coverage by 68% with minimal impact on sprint duration.