Health IT Compliance, Data Security Risk Management and Regulations
Hi everyone! Welcome to this podcast from Cambridge Healthtech Institute for the 2015 Bio-IT World Conference & Expo, which runs April 21-23 in Boston, Massachusetts. I’m Ann Nguyen, one of the Associate Conference Producers for this event.
Today, we’re chatting with Dave Peterson, Executive Director of Vendor & Third Party Assurance, National IT Compliance at Kaiser Permanente Information Technology. He’ll be a panelist during the closing panel, Achieving Much-Needed Innovation while Hurdling the Barriers of Stringent Regulation, during a shared session that includes the Cloud Computing, Data Security, IT Infrastructure – Hardware and Software Development conference tracks.
Dave, thank you for joining us. Can you describe how you ended up at Kaiser Permanente, your activities there and the resources you have now for carrying them out?
I began my career at Kaiser in 1996 as a systems programmer after leaving the financial services industry to pursue a new career in the IT field. As a lifelong Kaiser member myself and a father of two fourth-generation Kaiser members of the health plan, I specifically sought out a position here because of my interest in the health IT efforts I was experiencing myself, and the opportunity to work for an organization that has had such a direct impact on the lives of myself and my family.
I looked at it then, and I still do today, as an incredibly exciting and personally rewarding experience to work in an organization that delivers your babies, cares for your parents and facilitates your health and well-being every day. That’s really a neat, unique opportunity.
Over my 18 years with Kaiser, I’ve actually served in a number of different roles surrounding the support and implementation of information technology. After seven years in an IT compliance leadership role, which I’m still in today over various operational and controls-based remediation activities, there was this interesting convergence with my background and the critical need to understand and manage Kaiser’s vendor-related data privacy and security risks.
Consequently, I was given another unique opportunity just in about the past year to lead the establishment of a major vendor risk management program to do just that. That program is now heading into its second year of a five-year effort to build and implement the people process and technology platform for evaluating, integrating and managing data privacy and security risks throughout the various stages of the vendor life cycle, KPY.
In my job title, you see the Third Party Assurance reference. What that refers to is actually managing the flipside of that vendor risk management coin, where Kaiser Permanente actually is the vendor to the various employer groups who have our interest in purchasing our health insurance products. In this way, we’re driving the Kaiser organization to implement and maintain data privacy and security controls that actually stand up to the scrutiny of our own customers through the use of independent evaluations of our controls, such as SSAE 16 reports, ISSA, etc.
It’s a really unique role in terms of having both sides of that coin. There are really exciting times for me and I’m lucky to have, frankly, a great team of people working for me who support all of our efforts on these fronts.
What would you say are the main regulatory hurdles that are offsetting the otherwise rapid pace of technological innovation in the life sciences?
Yeah. Interesting question. And it might be controversial but really, from my data privacy and security risk point of view, I’m frankly not sure there are enough “hurdles” to offset the incredible pace of technology innovation we’re seeing in the industry.
Of course, we all have massive amounts of regulation that we have to deal with. The FDA for medical devices, HIPAA for the use of protected health information or PHI and the PCI Data Security Standards over credit card transactions, etc., which really makes compliance a mindboggling proposition, I know, for technology innovators.
But really, when I sit back and think about it, are these things actually getting in the way of innovation? Frankly, Ann, I just don’t see it. To the contrary, the volume of new innovation projects we’re seeing, at least at Kaiser, particularly things like medical device integration, cloud service-related projects, etc. – the volume is really quite staggering. Industry research is telling us that more than 40% of healthcare organizations are already using public cloud services. We should really be expecting something like a 43% increase in healthcare outsourcing by 2018.
These services, in terms of cloud services and so forth, are really making technology implementation easier and easier for life sciences innovators, which is a fantastic thing from a capability advancement point of view and extremely exciting. What worries me, frankly, is whether regulatory compliance and data privacy and security risk are really on the radar relative to those innovations or really understood in the context of the actual implementations.
Looking at our industry data, the project volume we’re seeing within Kaiser or, really, if you walk the floor at health IT-focused conferences like HIMSS or Bio-IT World, I just did not see that life sciences innovation is really being stifled per se by regulation. Not that it needs to be, but we should definitely be thinking about compliance risk, data privacy and security risk as we undertake these innovations, in my opinion.
You make some great points. What solutions might someone in your position need or be able to spearhead to balance patient privacy and IT compliance with the advancement of biological research in healthcare?
Yeah. Balance is really a great word choice for that question because that balance is going to come from recognizing that IT innovation is not the extensive drawn-out and highly governed activity it used to be within organizations. Information technology, to my earlier point, it has really become a fast, cheap and simple commodity to secure through services like cloud. Our thinking about risk management governance really needs to evolve accordingly. When I say our, I’m talking about the industry.
First of two thoughts that I have about that question is I think that we really need to win the hearts and minds of technology innovators and the consumers of those innovations to truly believe that privacy and security risks are real and something to be concerned about. Even in the face of seemingly daily reports that we see about new data breaches, I think our tendency as humans is we somehow disconnect ourselves from the cause-and-effect relationship brought about from the actual innovation work itself.
To that end, when I get pushback, say, from our vendors, relative to the control requirements that we introduce to them, I’ll frequently ask the team members or even the vendors themselves, whether they would personally be comfortable with their own data or, say, their child’s data being included in a proof of concept or a pilot project.
In other words, we’re really trying to get them to connect at a personal level to say do they really know where and how their data is being stored or accessed with these various implementations, say for example, and particularly with cloud providers. If you don’t know or if those innovators don’t know, they absolutely should before they move forward with anything involving patient data privacy and security and confidential information.
In essence, each of us needs to take personal accountability for data privacy and security risks and govern our desired innovation efforts in a way that brings that balance together.
The second thing I believe we need to do is establish and expect that service-based report standards on the sufficiency of controls and compliance for service providers who handle sensitive data. What that really means is we need to really think about what tools are being put out there to help understand the risk. Yes, many of us are commissioning and sharing our own ISSA reports, our SOC reports and other independent auto reports to really address that need and be able to proactively share with consumers of the technology the status of our controls.
But anybody who has ever reviewed these reports at a level of detail knows that the scope of coverage, the reporting period, the evaluation principles can and do vary widely. The recipients of those reports frequently view this as oftentimes a check-the-box kind of exercise for lots of different reasons, when in fact a service provider being able to just "produce" the report means almost nothing due to the lack of framework upon which the reports are scoped.
Yeah, there are standards that are usually being followed by the governing bodies over these reports like the AICPA, etc. But within those standards, there’s a tremendous amount of flexibility that the service organization has with the content that’s actually being produced.
In essence, we believe at Kaiser that consistent and transparent reporting on controls effectiveness really will enable a safe and secure path to rapid innovation and research, but at the same, afford that balance that’s needed to be able to manage risk. To that end and along with others in our industry, we’re starting to look at opportunities to influence the AICPA, the International Standards Organization and other industry bodies to adapt those standards to enable consistent reporting on scope of process and controls coverage.
In effect, when you get one of those reports, it can truly be a trusted source for a check-the-box type of review rather than having to do a deep dive.
Thank you so much for offering a very clear perspective and a number of good insights today. We look forward to hearing more from you at the event later this spring.
Excellent. Thanks for the opportunity.
That was Dave Peterson of Kaiser Permanente. He’ll be joining the closing panel discussion at the upcoming Bio-IT World Conference & Expo taking place April 21-23 in Boston. If you’d like to hear him in person, go to www.bio-itworldexpo.com for registration information and enter the keycode "Podcast".
I’m Ann Nguyen. Thank you for listening.