Jeremy Walczak – Independent Health

Jeremy Walczak says the brakes on a car aren’t just for stopping, they’re for letting you accelerate with confidence. His philosophy regarding information security isn’t so different—strong security measures don’t just protect, they let a company aggressively pursue its goals, he says.

Walczak is the mechanic tuning up the brakes on Buffalo, New York-based Independent Health, a not-for-profit health plan that brings affordable healthcare to around 400,000 members in the eight counties of western New York.

Originally a security architect when he began at Independent Health in 2010, Walczak is now Chief Information Security Officer (CISO). He points out that healthcare has traditionally been slow to adopt state-of-the-art security measures, but he believes that trend has changed and wants to make Independent Health an example.

He’s adapting security measures from other sectors like manufacturing and financial services, to the world of healthcare, protecting Independent Health and its clients, as well as promoting a more trusting relationship between them.

Shrinking the scope of risk

Walczak says it makes sense that the healthcare industry was behind the eight ball on information security for a long time. After all, hackers were said to be after credit card numbers, not medical records.

He adds that the signing of the Affordable Care Act as well as the growth of online insurance distributors, have encouraged consumers to make more online credit card transactions for healthcare.

More pervasive and dangerous is growing Medicare and Medicaid fraud. Walczak says hackers can steal social security numbers and siphon money through the Medicare system. What’s more, Medicare fraud takes longer to discover and shut down than credit card fraud.

A social security number is much more difficult to replace than a credit card, he points out.

To protect Independent Health’s members, Walczak is working toward reducing the frequency with which patient data is accessed by the company’s departments, minimizing the opportunity for the data to be intercepted or misdirected.

It’s an idea he took from his prior experience in manufacturing and financial services, which protect sensitive data by only transmitting them when absolutely necessary and using fake data for all other tests and internal reviews.

Similarly, Walczak proposes using dummy data rather than the real thing when, for example, the quality assurance or development team needs to use data to test their systems.

“The fewer places you process sensitive information, the more you reduce the footprint that you have to secure,” he says.

Digital defensive linemen

In addition to shrinking the scope of data use, Walczak does a lot of what he calls “blocking and tackling”—that is, foundational security measures that prevent attackers from reaching member information in the first place.

Walczak says these measures, which encompass everything from encrypting systems to improving IT architecture, act like guardrails for the big vehicle that is Independent Health. With strong security processes in place, the company can roll out new applications or tech solutions for its members without worrying about hidden vulnerabilities.

One tool to help set up the guardrail is called Rsam.

It is a governance, risk and compliance management platform that Independent Health uses to generate web-based assessment questionnaires. The questionnaires are sent to third-party vendors and help Independent Health detect gaps in their partners’ information security.

Based on information collected from the questionnaire, Rsam issues each vendor a risk score, which helps Independent Health see which gaps present the biggest risks and what fixes will remedy those risks most efficiently. The platform also lets Independent Health’s Information Security team track all vendor assessments from a single window and helps the team manage those assessments through notifications, reminders and a tracking function.

“We have to do that level of due diligence,” Walczak says, adding that they incorporate the information they glean into their negotiations on contract terms.

The information Walczak’s team collects from its questionnaires is also useful for triaging potential sources of risk. Walczak’s team identifies these potential vulnerabilities and then tracks efforts to remediate or manage the risk.

By streamlining this process, it’s easier for the company to learn where their key security risks reside, what security tools or processes to invest in and how to build the case necessary to procure funds to buy them.

Many small turns of the screw

Independent Health uses dozens of systems with hundreds of privileged users logging in and out, making it important to have a single tool that will keep track of administrator and other privileged usernames and passwords to ensure they don’t fall into the wrong hands.

“We are ramping up our ability to safeguard the keys to the kingdom,” Walczak says. He explains that every time a new system or piece of software is introduced, new accounts and passwords are created, generating a dizzying amount of permissions that need to be monitored.

Walczak says this issue is prevalent in healthcare organizations, which don’t typically use central enterprise resource planning (ERP) systems like manufacturing or retail companies.

He compares the mission of building and maintaining an effective cybersecurity practice to hanging a door.

“If you tighten one screw too tightly the door will be crooked. Instead you make several smaller turns on many screws to keep it aligned.”

In the future, he says he wants to focus on longer-term, strategic initiatives for information security and build processes that will help other departments and executives mitigate their own risk instead of relying solely on his team. Put another way, he’s not just tuning up the brakes on the car, he’s showing his colleagues how to do it for themselves.