SOURCE Seattle 2011 - Eric Cowperthwaite

  1. I Volunteered To Do This?
     Eric Cowperthwaite
     Providence Health & Services
     SOURCE Seattle, June 16, 2011

  2. About Providence
     • 27 hospitals located in 5 states
     • Over 160 other facilities, including physician clinics, long-term care, laboratories, billing & debt collection
     • A health plan with over 400,000 members
     • A liberal arts university, private high school, several daycares
     • $8 billion in annual revenue and $9 billion in assets
     • $500 million in annual community benefit
     • 7,200 acute and long-term care beds
     • More than 7 million primary care and acute outpatient visits
     • Tier 2 PCI merchant with more than 2 million annual transactions
     • 40,000 end points (PC, laptop, tablet) and 5,000 servers
     • Among the 5 largest Catholic healthcare systems in the nation
     • Patient records on approx. 10 million people on the west coast

  3. Tapes, Laptops and Viruses … Oh My
     • Jan 1, 2006 – tapes containing data on more than 380,000 patients are stolen. The tapes are not encrypted.
     • Feb 2006 – 3 laptops containing data on more than 1,000 patients are stolen. The laptops are not encrypted.
     • Mar 2006 – a hospital goes to “downtime procedures” due to malware infections in 80% of PCs and laptops. A/V software is 2 versions old and signatures are out of date.
     • Feb – Apr 2006 – EDS SPPS conducts gap analysis, forensics, etc. and recommends to the Board the institution of a formal Information Security program, including hiring a security executive
     • May 15, 2006 – Eric Cowperthwaite’s first day at Providence
     • Jun – Sep 2006 – HHS is onsite, investigating Providence’s actions and interviewing employees

  4. Reflecting on Being a CSO in a Crisis
     • I was approached 3 times; the third time a friend told me they were serious
     • The Board and senior execs were serious
     • Middle management viewed the crisis as a drain on budget and resources
     • Going from crisis to sustained maturity is a 3- to 5-year journey
     • Make darn sure that your soon-to-be new employer wants to solve their problem, even if they don’t know what it is yet
     • Security staff has to be absolutely top notch, in terms of both hard and soft skills
     • You have to be prepared for a lot of hard knocks and for dynamically changing your plans and programs to adapt to reality

  5. Worst Imaginable Environment
     • Every business unit is responsible for its own IT – 10 CIOs
     • 80% of my employees are professionals; I have 40,000 college degrees to deal with
     • Financial accountability is decentralized
     • Healthcare is used to delivering locally
     • Everything is viewed as negotiable

  6. Understanding the Business
     • Failing to understand the needs of the business means a new CSO will lead them through the remainder of the crisis
     • Lower healthcare costs
       - Healthcare costs are rising faster than inflation
       - National political debate
       - Massive pressure to “transform” healthcare
     • Increased quality
       - Improve outcomes
       - Reduce infections, injuries and mortality in hospitals
       - Standardize healthcare so everyone gets the same quality of care
     • Community benefit – continuing to provide for the poor & vulnerable
     • Managing operating expenses – good stewardship of our resources

  7. What Did We Do?
     • Established a formal Information Security program, with visibility all the way to the Board of Directors
     • Created an executive position to lead that program, i.e. the CSO
     • Reviewed and analyzed policy and standards
     • Established a security controls framework, drawing on:
       - Joint Commission for Accreditation of Healthcare Organizations
       - PCI DSS
       - HIPAA Security & Privacy Rules
       - National Institute of Standards & Technology
       - ISO 27001:2
     • Implemented new and improved security controls, for example:
       - All data at rest encrypted on mobile devices (tapes, laptops, phones, etc.)
       - Data loss prevention
       - Co-sourced security management controls (i.e. SIEM, firewalls, IDS/IPS)

  8. What Did Our Regulators Do?
     • HHS received multiple complaints that we had violated the Privacy and Security Rules
     • Class action lawsuit filed in Oregon
       - All lawsuits were dismissed, including appeals by the plaintiffs
     • We were very transparent with the OR & WA Attorneys General
       - No AG found that Providence had caused harm or broken state laws
     • HHS and Providence signed a Resolution Agreement on 7/15/08
       - 3 years; established specific control and reporting requirements
       - No FTC Consent Decree
       - Providence CISO established as Agreement Monitor
       - $100,000 administrative fee
       - Providence did not admit to a violation of HIPAA or any other law or regulation

  9. Building Security Sustainability
     • We started with
       - Multiple point solutions
       - Too many vendors
       - Too much cost and not enough controls
       - Managed by security
     • Principles
       - Fit for purpose
       - Managed by the appropriate IT operations organizations
       - Reduce the number of vendors to manage
       - Select vendors with suites or broad product offerings
       - Reduce cost, both product acquisition and operations
       - Governance vs. operations
       - Separate GRC, ITSec and InfoSec functions

  10. Next: Enterprise Risk Management
     • Today we are building Enterprise Risk Management
     • All security operations are managed within the appropriate parts of the business
       - Technical security controls are delivered by the CIO, not the CISO
       - Lines of business deliver administrative controls, education and awareness
       - The CISO delivers Governance, Risk Management & Compliance
     • The Chief Risk Officer is independent of business operations
       - Reports to the Chair of the Board’s Audit Committee
       - CISO, CPO, Insurance, Internal Audit and Compliance all report to the CRO
     • We started down this path about 9 months ago
     • Already we are seeing far higher business engagement

  11. That’s The End
     • Questions?
     • I’ll answer the ones I can