HIPAA, Healthcare and Security Leadership: Double Dose

As we noted in our premiere issue (see "Let's Talk," September 2002), building solid relationships with other key executives can be a make-or-break business for CSOs. This month we take an in-depth look at one such alliance between a CSO and an executive counterpart. Our goal is to explore the personal interactions, political realities and thought processes that help the practice of security succeed.

From time to time in future issues, we will look across the org chart to profile CSO relationships with other important executive partners (including the CEO, the CFO, and the vice presidents of marketing, sales and manufacturing). But we thought it made sense to begin this series with what, in many enterprises, is the most crucial interaction of all: the relationship between the CSO and the CIO. We turned to Dallas-based Baylor Health Care Systems, one of the nation's leading health-care institutions. Robert Pickton is senior vice president and CIO, and Dan Meacham is the security information officer. Pickton, who's been with Baylor since 1995, is a 17-year veteran of health-care IT. Meacham reports to Pickton and is a former security consultant with KPMG.

We asked them about the major issues that define their relationship. Though the two clearly get along well and share a strong commitment to security excellence, their conversation also reveals the sort of tension we suspect will surface within many organizations, especially at this relatively early moment in the evolution of security as a strategic enterprise activity. In a wide-ranging conversation with Staff Writer Simone Kaplan, Pickton and Meacham discussed security architecture, spending issues and the dynamics of their relationship, among other things.

CSO: How does security fit into the overall IT structure at Baylor?

Robert Pickton: Basically, it's one of several direct reports in my organization. At the executive level, I have the vice presidents of technology, applications support and data management who report to me. Then I have direct reports for customer service support, security, financial support, communications and administration. We have a lot of different departments here, and my direct reports oversee operations in each department so it's a little more centralized.

Dan Meacham: I report to Bob, and I oversee security in each of Baylor's departments. That means I work with Bob to design our security architecture. Then I take the security requirements to each of the departments and help them understand what needs to be done, get their buy-in and make sure the employees comply with the policy.

Pickton: Until Dan came on board two years ago, I kept running up against people in each department who wanted to take separate, unique approaches to internal security. Everyone had their own version of what our security architecture needed to look like, and it was just too disorganized and inefficient to oversee so many varied policies. So I created the position of security information officer in order to have one person who oversees and defines a single security strategy, policy and analysis.

CSO: What's your day-to-day working relationship like?

Pickton: Dan and I have a weekly meeting that lasts about an hour. Dan prepares an agenda and a write-up of the topics he wants to discuss with me. In the meetings, we always discuss our enterprise security architecture and how the various departments are handling their security responsibilities. We talk about HIPAA [the Health Insurance Portability and Accountability Act] a lot and also about business continuity, disaster recovery and follow up on action items from our last meeting. I try to leave some time at the end for us to do some creative strategic thinking.

When it comes to talking to the board, I do it. We have several boards, and I usually end up reporting to as many as 13 meetings each fiscal year. When I do my six-month IT update, I include progress on security and other key projects, but it's usually just so they know we continue to invest in security and that we continue to make progress toward our vision of the security architecture.

CSO: So how are security resources meted out?

Pickton: In terms of resources, I intentionally keep Dan without a staff. I want security projects to be owned by the departments, and I don't want competing strategy. So we have one security policy, but how the departments adopt it and interpret it for their particular applications varies and is overseen by the department heads. I don't want them throwing the responsibility to Dan to do it all. There have been times when he's needed some contract support, but overall he monitors the departments' progress on projects, and the best way for him to do that is to keep him lean and mean. That way he can influence and educate rather than keep order and control, though we don't get hung up on roles and titles as much as we do on getting the work done.

Meacham: Bob and I rarely have disagreements, but we do have a difference of opinion when it comes to resourcing. There have definitely been projects where a team would have been a big help. I'd love to have a staff, but given our structure that may not be appropriate. Bob wants all the accountability to lie with the departments. That's a challenge because here I come saying, "We have to be secure, and here's how we're going to do it, but it's coming out of your budget and your resources." That makes follow-up and compliance very difficult.

CSO: How did you two come up with Baylor's security architecture and strategy?

Meacham: Well, when it comes to process I drew a lot on my experiences at KPMG, where I helped other companies organize their security structures. Our infrastructure is built around contingency planning, incident response, access control and systems standards. Every machine and system that any department or doctor at Baylor purchases has to meet our security standards before it can be added to the network. We also look very closely at gap analysis, and by that I mean the three traditional gaps between knowledge, technology and compliance. We want business to drive the technology, not the other way around. We measure best practices, and they drive our technology decisions.

When I came to Baylor, Bob and I created a security-capabilities model that looks at cause and effect from the points of view of leadership, policies, management and information assets. We do quarterly risk assessments. As a health-care entity, we pay close attention to privacy and confidentiality, information integrity and availability, and accountability of systems, data and information. That's our infrastructure's backbone.

Pickton: Security isn't static; it's a process, and you have to establish a path by which you will build any program. You have to measure needs and risks constantly as new technologies come out. Three years ago, we never would have discussed wireless security; it just wasn't an issue. But today we have to know exactly how it works because we deploy nearly 500 BlackBerrys in our hospitals. We constantly test our strategies and challenge our assumptions.

CSO: What's your process for determining spending levels on security?

Pickton: Security isn't a separate budget item, and I don't think about it as a bucket unto itself. Every nickel we invest in hardware, software or our general technology direction includes the cost of compliance with our security architecture. Every dollar we spend contributes to furthering the security architecture. We do have a security/HIPAA/contingency planning amount that I target for our five-year budget horizon, but I couldn't break it down into a percentage because I've never thought about it that way.

Meacham: Let me give an example. The money that we might allocate for a new system includes what it would cost for that system to be brought up to our security standards. The departments that handle the actual applications are the ones to break their budget down into intrusion detection, antispam filters, antivirus software and so on. For us, that's infrastructure, not security. We don't say 20 percent of the IT budget is dedicated to security. We say, "Here are the costs of a project, and security is a requirement of the deliverables."

CSO: What are some of the biggest challenges you're facing right now?

Meacham: Dealing with vendors and ASPs [application service providers]. As a health-care entity, we have very particular needs, and most vendors with over-the-counter software can't give us what we need. They say they don't have to comply with HIPAA because they're not a health-care provider or a health-care system; they feel they can be lax on the security end of things. When we request particular security customizations, the vendors say they don't have to do what we want because they aren't subject to HIPAA. But we are, and we need to be secure! Even if they wanted to make the changes, a lot of vendors don't have the resources to make the customizations, and then we have to look at other ways to handle security for that application, like using another product for encryption or auditing.

With ASPs, the challenge lies in their lack of focus on contingency and reliability. They're great about confidentiality, but we also have to make sure our information is accurate and always available. All the ASPs rely heavily on the Internet, which isn't very reliable. Nimda caused us to lose our connection for almost a day. In some cases we've had to force them to install dial-out lines and batch processing for reliability. The ASPs told us we were the only company to request that, and we were like, "And? That's an issue?" I mean, if we were a bank, would it be any different? We have patient information, and we have to respect that like a bank respects your money.

Our RFPs are modeled on the National Institute of Standards and Technology special publication 800-18, which is a systems security guideline published in 1998. It requires the recipient to document all security controls in the purview of their product. By putting that in the RFP, we can precertify potential systems to see if they meet our needs.

CSO: Baylor has a chief medical information officer (CMIO). How do you work with him, and how does he fit into the security picture? Do you interact with any physical security authority?

Meacham: Our CMIO works more with the physicians and medical devices in the labs that are affected by HIPAA. Donna Powers is our acting privacy and HIPAA officer. She's a senior vice president at Baylor Medical Center. We meet as needed but at least once a month and sometimes more often to discuss security around HIPAA. We get into privacy-related issues when we need to.

On the physical side, I interact regularly with the Baylor department of public safety. We're involved with them in Infragard (see "Safety in Numbers," Page 52), and the police chief is in charge of response for our chapter. I meet with them almost every other week. They report to the police chief, not to me, but we have a partnership. So if they have infosec questions, they come to me, or I go to them. If something happens on the computer that we need to investigate or an incident occurs that we see as threatening, we bring in the police. They have the established relationship with local and federal law enforcement. They're trained to do information forensics, so if a situation were to arise, I'd rather have them handle it from a liability standpoint than someone with whom I'm not familiar.

CSO: Security seems tightly connected to IT at Baylor. Do you see it moving out on its own anytime soon?

Pickton: No, not with us. So much of what we do in health care is about systems and data collection that it really makes more sense for security to be within the IT organization. I need security right where it is. I created the security job description. Dan is my direct report. I went looking for the role.

Meacham: Moving security away from IT wouldn't make a lot of sense at Baylor. What I do is really in line with IT. But I do think the security executive position is evolving at other corporations. When I was at KPMG, we were concerned about where security and internal audit interacted and whether they should report to the same person. But health care is a totally different beast, and other health-care organizations are positioning security like we are. In this industry, security is perceived as law enforcement, not information security, so for a CSO to take hold in this industry, I think he'd really need to have a foothold in both physical and IT security. In the next five to 12 years, I think we'll see more CSO positions at the corporate level, and they may incorporate compliance and risk management.

Copyright © 2002 IDG Communications, Inc.
