Providence Health CSO on Recovering From HIPAA Violations

Providence Health & Services has the uncomfortable distinction of being the first organization penalized for violating the privacy section of the federal Health Insurance Portability and Accountability Act (HIPAA).

The Seattle-based organization, which operates a health plan and several hospitals, recently agreed to fork over $100,000 and make good on a systems improvement plan as part of a deal with the U.S. Department of Health & Human Services (HHS) to settle allegations it lost laptops and electronic backup programs with individually identifiable health information in 2005 and 2006.

According to published reports, HHS investigated Providence Health after it fielded more than 30 complaints from those whose information was compromised when unencrypted laptops, optical disks and backup tapes went missing after being left unattended between September 2005 and March 2006. In all, 386,000 patients were exposed to potential identity fraud.

In this Q&A, Providence Health CSO Eric Cowperthwaite (who was hired in 2006) explains the steps the organization has taken to ensure such a security lapse doesn’t happen again.

CSO: Let’s start with a description, from your perspective, of what happened.

Eric Cowperthwaite: There’s a fair amount of information publically available, but other than that we’re being pretty cautious about what we’re willing to talk about [due to ongoing legal issues].

Do you feel the agreement with HHS is fair toward Providence Health?

Cowperthwaite: The agreement includes a corrective action plan that, in my opinion, recognizes that we have an ongoing security program that has been focused on improving and strengthening our security capabilities and our ability to protect patient information. The fact that HHS didn’t require us to have third-party oversight as we developed and implemented the plan is significant. With agreements like this you often see that sort of oversight included. I think it shows that HHS recognizes our focus to improve security.

What are the main problems your action plan seeks to address?

Cowperthwaite: Areas of significant risk include the mobility of data, the data access internal employees have and making sure it is appropriate based on their role, and having the ability to detect and react to an incident in a timely manner. These are among the main components of the corrective action plan.

Let’s look at this from the patient’s perspective. When they use your online system, is there anything they will notice in the user experience that’s a direct result of the security improvements you’ve put in place?

Cowperthwaite: There is no change to the user experience. The changes are really behind the scenes. In our security program one thing you see is the need to know who has access to health information and whether they should have that access. We have to know who has access to the patient’s data. If there’s an improper use of data it’s our responsibility to determine how it happened so it doesn’t happen in the future.

Which vendors have you brought in to help with the security improvements?

Cowperthwaite: I don’t want to specifically say which vendors are related to the HHS complaints. I can tell you which vendors we’ve engaged in the last few months as part of the security program.

OK …EDS was engaged to help us develop the current security strategy we’re working from. They helped us build a three-year strategic plan and an overarching security strategy. Verizon Business Services is our managed security services provider. They manage and monitor all of our firewalls and intrusion prevention systems. We feel these are commodity items and we would rather source that to a services provider than try to maintain a security operations staff that has to run 24-7. We reduced expenses and got consistent operation around these devices.

Cowperthwaite: There are four fairly significant vendors we brought in:

GuardianEdge Technologies provides all of our endpoint and mobile device encryption capabilities for laptops, thumb drives, removable CDs, DVDs, removable USB hard drives, all those sorts of things; and six months ago we entered into a relationship with Symantec over the Vontu data loss prevention tools.

This is all part of the long-term strategic plan we’re working from to first address the low-hanging-fruit security issues and work toward continuous improvements.

Are there any changes you made on the cultural side to address the problems that were there? For example, are there any new policies related to how employees may or may not handle e-mails?phishing.

Cowperthwaite: Communication, training and awareness is a significant component of our strategy. In the past we had these things but didn’t feel they were as robust as we wanted them to be. I’ve always had a good relationship with our communications department. That’s been the case since I got here in May 2006. They’ve really helped me to strengthen communication with employees. Employees also go through mandatory training called “Security and Your Job,” which focuses on how they individually can take action to improve security, and we have an awareness component where we visit different locations and help people address specific concerns, like how to defend against

Talk a bit about the level of support you’ve had from upper management. Has it been adequate?

Cowperthwaite: I can tell you that the interest, support and awareness at the most senior levels are definitely there, at least since the day I arrived [in 2006]. I have regular one-on-one meetings with the CEO and members of the executive council that report to him, and I work closely with general counsel, the chief risk officer, etc. It really makes a difference.

Give an example of the difference that is made.

Cowperthwaite: A good example is when you have a new significant risk to the company, the theft of and malicious use of data, for instance. Having support from the senior execs means you can elevate the visibility of that risk to the appropriate level without being stuck in the position where you have to bring it to a mid-level manager who can’t do anything about it anyway.

If you are the CSO of an organization and a regulatory agency comes along and tells you the company is out of compliance, what is the right or wrong way to respond?

Cowperthwaite: If a regulatory agency shows up on your doorstep and suggests you are out of compliance with HIPAA, PCI or some other item, treat it like any other security incident. You should automatically activate your crisis management team, which should include general counsel, human relations, public affairs, etc. Typically the agency serves you with a formal letter or subpoena, depending on the scenario. That represents a crisis for the company.

You then need to determine whether the complaints are right or wrong. Ether way you need to go into a response mode and be prepared, in conjunction with your attorneys, to work with the regulators and not fight them. Unless you have something really bad, like with Enron, the regulators are not setting out to do you in. Your best bet is to be as cooperative as possible so you don’t have to resort to court action.