A mature information security program must have repeatable processes, buy-in from top executives and broad adoption across the enterprise, and must be forged at the organization's highest levels, as part of an enterprise risk management strategy.
Sometimes it takes a crisis to make that happen, especially at large organizations where decision making is decentralized. Just ask Eric Cowperthwaite, chief information security officer (CISO) at Seattle-based Providence Health & Services, a $7 billion Catholic healthcare system with 27 hospitals and 50,000 employees.
On New Year's Eve 2005, Providence suffered a security breach that led to the first major corrective action under the Health Insurance Portability and Accountability Act's (HIPAA) Privacy and Security Rules. Tapes containing medical data on 386,000 people were stolen from an employee's vehicle. The data was not encrypted. It was discovered that employees routinely transported backup tapes and stored them in their homes for disaster recovery purposes to save the expense of a storage facility. Making matters worse, Cowperthwaite said, the data in question belonged to home and hospice care patients.
Just as Providence was recovering from the bad publicity, several unencrypted laptops from the system's Everett, Wash., operations were stolen, again containing data on home and hospice care patients. The organization was reeling.
"This is huge news and it is before the VA," said Cowperthwaite, referring to the infamous Veterans Affairs data security breach in May 2006.
Building a mature information security program with repeatable processes and effective governance would take two years and, according to court filings, some $20 million.
"That is a big deal. A lot of corporate resources were focused on security for a long time," said Cowperthwaite, who outlined the journey at Gartner Inc.'s recent security summit in National Harbor, Md. "The result is a much more comprehensive governance of risk."
Security program fragmented across business units
In some respects, the problem with information security at Providence was tied to the hospital mission at the core of the system's widely distributed operations: that decisions need to be made closest to the point of patient care.
"What was happening was that decisions about security were also being made at each of those [then] 26 hospitals, 26 different ways, not in a centralized fashion," said Cowperthwaite, who was recruited to rehabilitate security operations after the incidents. "Nobody was really accountable for security in the organization."
Hewlett-Packard Co.'s EDS consulting unit, brought in to assess the security program, found 186 different and often contradictory security policies practiced by the business units in the five states where Providence operates. The information security program that did exist consisted of five IT employees "buried deep" in the IT organization, working for a first-line manager with limited security experience.
"The only time they ever got executive visibility was when they screamed and yelled about password policy because HIPAA demanded it. They managed to get the CEO to sign it and promptly alienated all the business units when they tried to implement a strong password policy with no notice," he said.
Sensible security measures tended to backfire because of the draconian approach and narrow perspective. IT implemented Websense Inc.'s URL filtering -- a good idea, Cowperthwaite said, except it filtered out stuff needed by the 20,000 nonemployee physicians who use the hospitals and are the health system's primary source of revenue.
"Security had been narrowly defined by the company as only complying with HIPAA, not about securing the information of the company," Cowperthwaite said. The information security program's maturity rated at between a 0 and 1.
From bottom-up management to risk-based security
Another issue loomed in January 2006, making it imperative to get a handle information security: the merger between Providence Health and Providence Services, a $3 billion and $4 billion organization, respectively. At this point, information security had attention at the highest echelon of the system, including the board of directors. Based on recommendations from EDS, the organization agreed that the 186 policies needed to be replaced by a single security framework that nonetheless took into account the complexity of the organization, Cowperthwaite said. One person needed to head the process and be held accountable -- namely, him.
"It was a very reactive process for quite a while," he recalled.
Indeed, given the failed security-by-fiat methods of the past, Cowperthwaite's team spent 18 months "socializing the program," gaining agreement from each of the 26 hospital administrators on the policies and where to spend money operationally, from firewalls to intrusion prevention.
Staff increases sixfold
Security staff was increased from five people to 32 in six months. Senior security people and risks analysts were not easy to find. Even people who billed themselves as risk analysts tended to be "old security guys" who were experts at spotting a vulnerability and how to fix it but not schooled in identifying business risk and communicating that to the business.
Cowperthwaite's team adopted the ISO 27001 and 27002standards. But given Providence's many regulatory requirements, the program also factored in rules from HIPAA and the National Institute of Standards and Technology, as well as Payment Card Industry Data Security Standard requirements. Then the team gave it a name: the Providence Security Framework.
The framework allowed Cowperthwaite's team to develop a comprehensive security policy and in turn a security process catalog, where procedures such as risk assessments adhere to a template to ensure the organization is measuring risk in the same way no matter where it's done or who does it.
Searching for the right governance model
Finding the right governance structure for the Providence Security Framework proved to be a major challenge. It took three attempts and nearly two years to forge a structure that reflected the system's business strategy. Business involvement and a common risk vocabulary turned out to be crucial.
The first attempt -- strongly not recommended by Cowperthwaite -- put the CISO and the corporate executive counsel in charge of security. Though better than before, the approach did not engage the hospital administrators and was discarded after a year. An Information Security Council stocked with representatives from each of the business units and the usual cadre of risk experts -- legal counsel, quality managers, etc. -- worked better.
"But we were still talking security language at that point, not risk. The business still wasn't getting what we were talking about," he said. "It was all security mumbo jumbo, so that melted down."
Making security part of ERM
Ultimately, Cowperthwaite joined Providence's enterprise risk management committee, a group that includes representatives from every business unit and vertical function, from human resources to security. "We all define our risk in a common language and format," Cowperthwaite said. The committee determines which risks need to be monitored more closely, which should be referred to the board of directors and so on.
Another change that helped was merging IT and information systems strategic planning, which had functioned separately in the past. Going forward, Cowperthwaite is automating manual security processes and mapping them to a governance, risk and compliance (GRC) tool that gives business units visibility and input into the processes.
Risk-based approach touted by many
Not surprisingly, the journey from crisis to security by Providence, a Gartner client, reflects much of the advice prescribed by Gartner security analyst Paul Proctor on how to sell your information security program to the business.
I have been in organizations where my main focus was to meet compliance, nothing more, nothing less. People who are doing security for compliance purposes are putting their organizations at risk.
Candy Alexander, CISO, Long Term Care Partners LLC
But Cowperthwaite's risk-based approach to security and his belief that security compliance must be baked into an enterprise's strategic risk management is hardly confined to Gartner, as SearchCompliance.com discovered in extensive interviews with CISOs earlier this year on the topic.
"You need to do information security not to meet compliance but to protect the business. There is a huge difference between those two methodologies," Candy Alexander, CISO at Long Term Care Partners LLC, said. The New Hampshire insurance company formed in 2002 to provide long-term care insurance and administer medical benefits for federal employees.
Like Cowperthwaite, Alexander's risk management strategy focuses on numerous regulations: the Federal Information Security Management Act of 2002, the data privacy laws enacted by 44 states and HIPAA. However, the big three mandates inform -- but don't drive -- her organization's security strategy.
"I have been in organizations where my main focus was to meet compliance, nothing more, nothing less. People who are doing security for compliance purposes are putting their organizations at risk," Alexander said. Regulations, she added, should be the baseline.
Likewise, Carole Switzer, president of the nonprofit Open Compliance & Ethics Group, has long pointed out the need to break down risk management silos and find a common risk language to improve security and compliance. Especially problematic is the lack of communication between GRC and IT professionals.
"It is not that they don't try to talk to one another; they just speak different languages," Switzer said.
In March, Providence finalized the first-ever Resolution Agreement with the Department of Health and Human Services, stipulating that the health system's security polices comply with HHS rules and be subject to review for three years. Providence is required to report employee security violations by name and outcome and file annual reports on compliance efforts. In Cowperthwaite's view, the agreement, which took seven months of negotiating to gain approval, is validation of his hard-fought security program.
"It's a huge deal," he said, and in any case not as bad as the CVS Caremark Corp. resolution agreement, which includes a Federal Trade Commission consent order that will run for 20 years. But that's another story.
Let us know what you think about the story; email Linda Tucci, Senior News Writer.