Occupation: chief information security officer, Providence Health & Services
Personal: Married, four children
College: B.S., computer engineering, California State University-Sacramento
Something of a perfect storm for privacy and security is converging in the health care industry. As part of last year's Patient Protection and Affordable Care Act, companies are now required to digitize their medical records, but with this push come greater threats and challenges.
Eric Cowperthwaite, the chief information security officer of Providence Health & Services, which employs 54,000 people in Washington, Oregon, California, Alaska and Montana, is facing these challenges proactively.
Providence, which operates 214 physician clinics, 27 hospitals, a health plan and many other services, has cut a model for other Catholic health care organizations in protecting patients' information from an increasing number of breaches.
This was born out of necessity: in 2008, Providence was the first organization to enter into a resolution agreement with Health & Human Services (HHS) to resolve allegations of violating the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules. Cowperthwaite, 44, has overseen the successful implementation of that agreement.
“They have the most mature program that I'm aware of in health care delivery,” says Gartner analyst Paul Proctor. “Eric has a program that rivals those in financial services.”
The federal government and business side of the industry, Cowperthwaite says, are “pushing us down the road of 100 percent electronic records. All patient information has to be in accessible, open systems.” These systems “will be a one-stop shopping center for all the information you could want about a single person.”
However, confidential information – personal and financial in nature – is incredibly valuable for those who want to steal it. Breaches cost the health care industry $6 billion a year, according to the Ponemon Institute, and the majority of those intrusions currently come from insiders. At the same time, HIPAA and 2009's Health Information Technology for Economic and Clinical Health Act, or HITECH Act, levy heavy fines for the loss of patients' information.
At Providence, protection of that data begins with recognition and emphasis. By design, Cowperthwaite reports to the chief risk officer instead of the chief investment officer. He believes he's the only one among his peers at Catholic health organizations who does this.
“I think it's a recognition that information security is a critical function of the business,” he says. “It's not just an IT issue, but it touches the whole business.”
Providence did not have much of a security program to speak of before Eric, Gartner's Proctor says. “They brought Eric in to build that program up.”
What began with six employees not well versed in information security has become a staff of 19 who report to Cowperthwaite directly, and another 33 people assigned in a matrix role. He is the single point of contact from the security side to those managing the electronic medical record rollout, with multiple teams of auditors, managers and privacy and compliance staff asking questions about access controls and complying with federal regulations.
Cowperthwaite has set the first line of defense for Providence with its employees. All of them must undergo privacy, security and compliance training every year. Cowperthwaite also customizes training for different business units. If, for example, his staff notices emails being sent that contain confidential information, they will educate that particular unit rather than send a company-wide email blast.
A leading area of focus for Providence has been with its employees in the field. As a Catholic entity, home care and hospice are significant parts of the mission. The laptops and mobile devices being used hold vital patient information.
Cowperthwaite has established several policies to mitigate potential threats: Employees are required to activate security controls and keep their computers within sight, the amount of data on them is limited to that day alone, and they are shut down while in transit and cable-locked in employees' trunks. Above all, employees are made aware of why all these safeguards matter.
These measures stand out in light of Providence's previous slip-up. According to published reports, HHS investigated the company after it fielded more than 30 complaints from people whose information was compromised after unencrypted laptops, optical disks and backup tapes went missing, having been left unattended between September 2005 and March 2006. In all, 386,000 patients were exposed to potential identity fraud.
Providence agreed to settle the allegations for $100,000, and successfully implemented a systems improvement plan. Cowperthwaite says the organization had already decided to make significant changes to its security program before the deal. He says HHS recently notified them that they have met all of their mandates.
“I'm proud that we are the first organization to come out of that in a really good way,” he says. “We went above and beyond what they required of us.”
For Cowperthwaite, this has been the validation of an unlikely path. He joined the U.S. Army out of high school and his 10-year service included deployment in operations Desert Shield and Desert Storm. In 1996 he enrolled at California State University, Sacramento to study computer engineering. He graduated two years later and went to work for Medi-Cal, the state of California's Title XIX Medicaid Insurance program. Information security came onto his radar gradually over the years. “I call myself the accidental security guy.”
When Providence called, he foresaw challenges in health care information security that have come to fruition and still animate his work.
“I knew that the explosive growth in the storing of patient information, and needing to do it as effectively and efficiently as possible without expanding costs, would make for a dramatic and innovative field to be in,” he says.
– Ryan Goldberg
Top 5 influential IT security thinkers
From the December 2011 issue of SCMagazine