Keynote: I Volunteered To Do This?
Eric Cowperthwaite, Providence Health & Services
SOURCE Seattle, June 16, 2011

Transcript of Keynote

Page 1: Keynote

Enterprise Risk Management Services

I Volunteered To Do This?
Eric Cowperthwaite
Providence Health & Services
SOURCE Seattle, June 16, 2011

Page 2: Keynote

About Providence

• 27 hospitals located in 5 states
• Over 160 other facilities, including
  – Physician clinics, long term care, laboratories, billing & debt collection
  – A health plan with over 400,000 members
  – A liberal arts university, private high school, several daycares
• $8 billion in annual revenue and $9 billion in assets
• $500 million in annual community benefit
• 7,200 acute and long term care beds
• More than 7 million primary care and acute outpatient visits
• Tier 2 PCI Merchant with more than 2 million annual transactions
• 40,000 end points (PC, laptop, tablet) and 5,000 servers
• Among the 5 largest Catholic Healthcare Systems in the nation
• Patient records on approximately 10 million people on the west coast

Page 3: Keynote

Tapes, laptops and viruses … Oh My

• Jan 1, 2006 – tapes containing data on more than 380,000 patients are stolen. Tapes are not encrypted
• Feb, 2006 – 3 laptops containing data on more than 1,000 patients are stolen. Laptops are not encrypted
• Mar, 2006 – a hospital goes to “downtime procedures” due to malware infections in 80% of PCs and laptops. A/V software is 2 versions old and signatures out of date
• Feb – Apr, 2006 – EDS SPPS conducts gap analysis, forensics, etc. and recommends to the Board the institution of a formal Information Security program, including hiring a security executive
• May 15, 2006 – Eric Cowperthwaite’s first day at Providence
• Jun – Sep, 2006 – HHS is onsite, investigating Providence actions and interviewing employees

Page 4: Keynote

Reflecting on being a CSO in a Crisis

• I was approached 3 times; the third time a friend told me they were serious
• The Board and senior execs were serious
• Middle management viewed the crisis as a drain on budget and resources
• Going from crisis to sustained maturity is a 3 to 5 year journey
• Make darn sure that your soon to be new employer wants to solve their problem, even if they don’t know what it is yet
• Security staff has to be absolutely top notch, in terms of both hard and soft skills
• You have to be prepared for a lot of hard knocks and for dynamically changing your plans and programs to adapt to reality

Page 5: Keynote

Worst Imaginable Environment

• Every business unit is responsible for its own IT – 10 CIOs
• 80% of my employees are professionals; I have 40,000 college degrees to deal with
• Financial accountability is decentralized
• Healthcare is used to delivering locally
• Everything is viewed as negotiable

Page 6: Keynote

Understanding the Business

• Failing to understand the needs of the business means a new CSO will lead them through the remainder of the crisis
• Lower healthcare costs
  – Healthcare costs rising faster than inflation
  – National political debate
  – Massive pressure to “transform” healthcare
• Increased Quality
  – Improve outcomes
  – Reduce infections, injuries and mortality in hospitals
  – Standardize healthcare so everyone gets the same quality of care
• Community Benefit – continuing to provide for the poor & vulnerable
• Managing operating expenses – good stewardship of our resources

Page 7: Keynote

What Did We Do?

• Established a formal Information Security program, with visibility all the way to the Board of Directors
• Created an executive position to lead that program, i.e. the CSO
• Reviewed and analyzed policy and standards
• Established a security controls framework
  – Joint Commission for Accreditation of Healthcare Organizations
  – PCI DSS
  – HIPAA Security & Privacy Rules
  – National Institute of Standards & Technology
  – ISO 27001:2
• Implemented new and improved security controls, for example:
  – All at-rest data encrypted on devices that are mobile (tapes, laptops, phones, etc.)
  – Data loss prevention
  – Co-sourced security management controls (i.e. SIEM, firewalls, IDS/IPS)

Page 8: Keynote

What Did Our Regulators Do?

• HHS received multiple complaints that we had violated the Privacy and Security rules
• Class Action lawsuit filed in Oregon
• All lawsuits were dismissed, including appeals by the plaintiffs
• We were very transparent with the OR & WA Attorneys General
• No AG found that Providence had caused harm or broken state laws
• HHS and Providence signed a Resolution Agreement on 7/15/08
  – 3 years, established specific control and reporting requirements
  – No FTC Consent Decree
  – Providence CISO established as Agreement Monitor
  – $100,000 administrative fee
  – Providence did not admit to a violation of HIPAA or other law or regulation

Page 9: Keynote

Building Security Sustainability

• We started with
  – Multiple point solutions
  – Too many vendors
  – Too much cost and not enough controls
  – Managed by security
• Principles
  – Fit for purpose
  – Managed by appropriate IT operations organizations
  – Reduce the number of vendors to manage
  – Select vendors with suites or broad product offerings
  – Reduce cost, both product acquisition and operations
• Governance vs. Operations
  – Separate GRC, ITSec, InfoSec functions

Page 10: Keynote

Next: Enterprise Risk Management

• Today we are building Enterprise Risk Management
  – All security operations are managed within appropriate parts of the business
  – Technical security controls are delivered by the CIO, not the CISO
  – Line of business delivers administrative controls, education, awareness
  – The CISO delivers Governance, Risk Management & Compliance
• Chief Risk Officer is independent of the business operations
  – Reports to the Chair of the Board’s Audit Committee
  – CISO, CPO, Insurance, Internal Audit, Compliance all report to the CRO
  – We started this path about 9 months ago
  – Already we are seeing far higher business engagement

Page 11: Keynote

That’s The End

• Questions?
• I’ll answer the ones I can