SOURCE Seattle 2011 - Eric Cowperthwaite

1. I Volunteered To Do This? Eric Cowperthwaite Providence Health & Services SOURCE Seattle, June 16, 2011

2. About Providence 27 hospitals located in 5 states Over 160 other facilities, including Physician clinics, long term care, laboratories, billing & debt collection A health plan with over 400,000 members A liberal arts university, private high school, several daycares $8 billion in annual revenue and $9 billion in assets $500 million in annual community benefit 7200 acute and long term care beds More than 7 million primary care and acute outpatient visits Tier 2 PCI Merchant with more than 2 million annual transactions 40,000 end points (PC, laptop, tablet) and 5,000 servers Among the 5 largest Catholic Healthcare Systems in the nation Patient records on approx 10 million people on the west coast

3. Tapes, laptops and viruses … Oh My Jan 1, 2006 – tapes containing data on more than 380,000 patients are stolen. Tapes are not encrypted Feb, 2006 – 3 laptops containing data on more than 1,000 patients are stolen. Laptops are not encrypted Mar, 2006 – a hospital goes to “downtime procedures” due to malware infections in 80% of PC’s and laptops. A/V software is 2 versions old and signatures out of date. Feb – Apr, 2006 – EDS SPPS conducts gap analysis, forensics, etc. and recommends to the Board the institution of a formal Information Security program, including hiring a security executive May 15, 2006 – Eric Cowperthwaite’s first day at Providence Jun – Sep, 2006 - HHS is onsite, investigating Providence actions and interviewing employees.

4. Reflecting on being a CSO in a Crisis I was approached 3 times, third time a friend told me they were serious The Board and senior execs were serious Middle management viewed the crisis as a drain on budget and resources Going from crisis to sustained maturity is a 3 to 5 year journey Make darn sure that your soon to be new employer wants to solve their problem, even if they don’t know what it is yet Security staff has to be absolutely top notch, in both terms of hard and soft skills You have to be prepared for a lot of hard knocks and dynamically changing your plans and programs to adapt to reality

5. Worst Imaginable Environment Every business unit is responsible for it’s own IT – 10 CIOs 80% of my employees are professionals, I have 40,000 college degrees to deal with Financial accountability is decentralized Healthcare is used to delivering locally Everything is viewed as negotiable

6. Understanding the Business Failing to understand the needs of the business means a new CSO will lead them through the remainder of the crisis Lower healthcare costs Healthcare costs rising faster than inflation National political debate Massive pressure to “transform” healthcare Increased Quality Improve outcomes Reduce infections, injuries and mortality in hospitals Standardize healthcare so everyone gets the same quality of care Community Benefit – continuing to provide for the poor & vulnerable Managing operating expenses – Good stewardship of our resources

7. What Did We Do? Established a formal Information Security program, with visibility all the way to the Board of Directors Created an executive position to lead that program, i.e. the CSO Reviewed and analyzed policy and standards Established a security controls framework Joint Commission for Accreditation of Healthcare Organizations PCI DSS HIPAA Security & Privacy Rules National Institute of Standards & Technology ISO 27001:2 Implemented new and improved security controls, for example: All at rest data encrypted on devices that are mobile (tapes, laptops, phones, etc) Data loss prevention Co-sourced security management controls (i.e. SIEM, firewalls, IDS/IPS)

8. What Did Our Regulators Do? HHS received multiple complaints that we had violated the Privacy and Security rules Class Action lawsuit filed in Oregon All lawsuits were dismissed, including appeals by the plaintiffs We were very transparent with the OR & WA Attorney Generals No AG found that Providence had caused harm or broken state laws HHS and Providence signed a Resolution Agreement on 7/15/08 3 years, established specific control and reporting requirements No FTC Consent Decree Providence CISO established as Agreement Monitor $100,000 administrative fee Providence did not admit to a violation of HIPAA or other law or regulation

9. Building Security Sustainability We started with Multiple point solutions Too many vendors Too much cost and not enough controls Managed by security Principles Fit for purpose Managed by appropriate IT operations organizations Reduce the number of vendors to manage Select vendors with suites or broad product offerings Reduce cost, both product acquisition and operations Governance vs. Operations Separate GRC, ITSec, InfoSec functions

10. Next: Enterprise Risk Management Today we are building Enterprise Risk Management All security operations is managed within appropriate parts of the business Technical security controls are delivered by the CIO, not the CISO Line of business delivers administrative controls, education, awareness The CISO delivers Governance, Risk Management & Compliance Chief Risk Officer is independent of the business operations Reports to the Chair of the Board’s Audit Committee CISO, CPO, Insurance, Internal Audit, Compliance all report to the CRO We started this path about 9 months ago Already we are seeing far higher business engagement

11. That’s The End Questions? I’ll answer the ones I can