Q&A

Providence Health CSO on Recovering From HIPAA Violations

Eric Cowperthwaite, CSO of Seattle-based Providence Health & Services, opens up about the organization's efforts to bounce back from HIPAA violations.

By Bill Brenner, Senior Editor

Page 2

Which vendors have you brought in to help with the security improvements?
Cowperthwaite: I don't want to specifically say which vendors are related to the HHS complaints. I can tell you which vendors we've engaged in the last few months as part of the security program.

OK ...
Cowperthwaite: There are four fairly significant vendors we brought in: EDS was engaged to help us develop the current security strategy we're working from. They helped us build a three-year strategic plan and an overarching security strategy. Verizon Business Services is our managed security services provider. They manage and monitor all of our firewalls and intrusion prevention systems. We feel these are commodity items and we would rather source that to a services provider than try to maintain a security operations staff that has to run 24-7. We reduced expenses and got consistent operation around these devices.

GuardianEdge Technologies provides all of our endpoint and mobile device encryption capabilities for laptops, thumb drives, removable CDs, DVDs, removable USB hard drives, all those sorts of things; and six months ago we entered into a relationship with Symantec over the Vontu data loss prevention tools.

This is all part of the long-term strategic plan we're working from to first address the low-hanging-fruit security issues and work toward continuous improvements.

Are there any changes you made on the cultural side to address the problems that were there? For example, are there any new policies related to how employees may or may not handle e-mails?
Cowperthwaite: Communication, training and awareness are a significant component of our strategy. In the past we had these things but didn't feel they were as robust as we wanted them to be. I've always had a good relationship with our communications department. That's been the case since I got here in May 2006. They've really helped me to strengthen communication with employees. Employees also go through mandatory training called "Security and Your Job," which focuses on how they individually can take action to improve security, and we have an awareness component where we visit different locations and help people address specific concerns, like how to defend against phishing.

Talk a bit about the level of support you've had from upper management. Has it been adequate?
Cowperthwaite: I can tell you that the interest, support and awareness at the most senior levels are definitely there, at least since the day I arrived [in 2006]. I have regular one-on-one meetings with the CEO and members of the executive council that report to him, and I work closely with general counsel, the chief risk officer, etc. It really makes a difference.
