Keynote

I Volunteered To Do This?
Eric Cowperthwaite
Providence Health & Services
SOURCE Seattle, June 16, 2011

About Providence
27 hospitals located in 5 states
Over 160 other facilities, including
Physician clinics, long term care, laboratories, billing & debt collection
A health plan with over 400,000 members
A liberal arts university, private high school, several daycares
$8 billion in annual revenue and $9 billion in assets
$500 million in annual community benefit
7200 acute and long term care beds
More than 7 million primary care and acute outpatient visits
Tier 2 PCI Merchant with more than 2 million annual transactions
40,000 end points (PC, laptop, tablet) and 5,000 servers
Among the 5 largest Catholic Healthcare Systems in the nation
Patient records on approx 10 million people on the west coast

Tapes, laptops and viruses … Oh My
Jan 1, 2006 – tapes containing data on more than 380,000 patients are stolen. Tapes are not encrypted
Feb, 2006 – 3 laptops containing data on more than 1,000 patients are stolen. Laptops are not encrypted
Mar, 2006 – a hospital goes to “downtime procedures” due to malware infections in 80% of PC’s and laptops. A/V software is 2 versions old and signatures out of date.
Feb – Apr, 2006 – EDS SPPS conducts gap analysis, forensics, etc. and recommends to the Board the institution of a formal Information Security program, including hiring a security executive
May 15, 2006 – Eric Cowperthwaite’s first day at Providence
Jun – Sep, 2006 - HHS is onsite, investigating Providence actions and interviewing employees.

Reflecting on being a CSO in a Crisis
I was approached 3 times, third time a friend told me they were serious
The Board and senior execs were serious
Middle management viewed the crisis as a drain on budget and resources
Going from crisis to sustained maturity is a 3 to 5 year journey
Make darn sure that your soon to be new employer wants to solve their problem, even if they don’t know what it is yet
Security staff has to be absolutely top notch, in both terms of hard and soft skills
You have to be prepared for a lot of hard knocks and dynamically changing your plans and programs to adapt to reality

Worst Imaginable Environment
Every business unit is responsible for it’s own IT – 10 CIOs
80% of my employees are professionals, I have 40,000 college degrees to deal with
Financial accountability is decentralized
Healthcare is used to delivering locally
Everything is viewed as negotiable

Understanding the Business
Failing to understand the needs of the business means a new CSO will lead them through the remainder of the crisis
Lower healthcare costs
Healthcare costs rising faster than inflation
National political debate
Massive pressure to “transform” healthcare
Increased Quality
Improve outcomes
Reduce infections, injuries and mortality in hospitals
Standardize healthcare so everyone gets the same quality of care
Community Benefit – continuing to provide for the poor & vulnerable
Managing operating expenses – Good stewardship of our resources

What Did We Do?
Established a formal Information Security program, with visibility all the way to the Board of Directors
Created an executive position to lead that program, i.e. the CSO
Reviewed and analyzed policy and standards
Established a security controls framework
Joint Commission for Accreditation of Healthcare Organizations
PCI DSS
HIPAA Security & Privacy Rules
National Institute of Standards & Technology
ISO 27001:2
Implemented new and improved security controls, for example:
All at rest data encrypted on devices that are mobile (tapes, laptops, phones, etc)
Data loss prevention
Co-sourced security management controls (i.e. SIEM, firewalls, IDS/IPS)

What Did Our Regulators Do?
HHS received multiple complaints that we had violated the Privacy and Security rules
Class Action lawsuit filed in Oregon
All lawsuits were dismissed, including appeals by the plaintiffs
We were very transparent with the OR & WA Attorney Generals
No AG found that Providence had caused harm or broken state laws
HHS and Providence signed a Resolution Agreement on 7/15/08
3 years, established specific control and reporting requirements
No FTC Consent Decree
Providence CISO established as Agreement Monitor
$100,000 administrative fee
Providence did not admit to a violation of HIPAA or other law or regulation

Building Security Sustainability
We started with
Multiple point solutions
Too many vendors
Too much cost and not enough controls
Managed by security
Principles
Fit for purpose
Managed by appropriate IT operations organizations
Reduce the number of vendors to manage
Select vendors with suites or broad product offerings
Reduce cost, both product acquisition and operations
Governance vs. Operations
Separate GRC, ITSec, InfoSec functions

Next: Enterprise Risk Management
Today we are building Enterprise Risk Management
All security operations is managed within appropriate parts of the business
Technical security controls are delivered by the CIO, not the CISO
Line of business delivers administrative controls, education, awareness
The CISO delivers Governance, Risk Management & Compliance
Chief Risk Officer is independent of the business operations
Reports to the Chair of the Board’s Audit Committee
CISO, CPO, Insurance, Internal Audit, Compliance all report to the CRO
We started this path about 9 months ago
Already we are seeing far higher business engagement

That’s The End
Questions?
I’ll answer the ones I can

Keynote

by SOURCE Conference

Accessibility

Categories

Upload Details

Usage Rights

Statistics

Keynote Presentation Transcript

Keynote

by SOURCE Conference

Accessibility

Categories

Upload Details

Usage Rights

Statistics

Keynote Presentation Transcript

Let LinkedIn power your SlideShare experience

Let LinkedIn power your SlideShare experience

Customize SlideShare content based on your interests

Keep up to date when your LinkedIn contacts post on SlideShare