Wednesday, May 20, 2009

MIT CIO forum

Academic keynote

Moderator: Mr. Gary Beach, Publisher Emeritus, CIO Magazine

Prof. Erik Brynjolfsson, Schussel Professor of Management and Director, MIT Center for Digital Business (CDB). Book coming out: Wired for Innovation: How Information Technology is Reshaping the Economy, MIT Press (October 2009, in press).

Prof. Thomas Malone, Patrick J. McGovern Professor of Management and Director, MIT Center for Collective Intelligence (CCI)

Dr. Jeanne Ross, Director, Center for Information Systems Research (CISR). Has a book coming out: IT Savvy. The realist in the group: "don't see cloud computing as a game-changer for big companies where the challenge is still cleaning up the complex environment that has developed over the years. It facilitates small and new companies getting into business/computing."

Erik- how to guarantee getting you fired - run a control group ...

CIO Keynote Panel: CIO Leadership and the Bottom Line

Moderator: Prof. Erik Brynjolfsson, Director, Center for Digital Business at MIT

Mr. Bob Greenberg, General Manager, Information Technology Optimization, IBM

RADM Elizabeth Hight, Rear Admiral, Vice Director of the Defense Information Systems Agency (DISA). She helps lead a worldwide organization of more than 6,600 military and civilian personnel responsible for planning, developing, and providing interoperable, global net-centric solutions that serve the needs of the President, Secretary of Defense, Joint Chiefs of Staff, the combatant commanders, and other Department of Defense (DoD) components. "What is most important to the people I work with is whether we accomplish the mission."

DoD "deploys mobile wifi to satellite communications to tactical structure. It's a long way from your dad running wire down the mountain."

"We have been working closely with Melissa (Hathaway) for the last 18 months since the president (Bush) launched the cybersecurity initiative." Expects focus on privacy of govt employee data.

"DoD is able to offer SaaS/cloud services on government intranet to other government agencies."

"I can't imagine an IT project that takes >3 months. If it does, I haven't modularized it enough." #pmp

On client data sitting in the cloud: "It just won't happen. Trust me," for privacy and security reasons. Hight agrees, although she identifies herself and her organization as cloud computing providers; she considers their security superior to that of the government agencies to which she provides data.

Connected Healthcare Systems

Governance, Risk and Compliance
Moderator: Dr. George Westerman, Research Scientist Center for Information Systems Research (CISR)
Ms. Karen Kotowski, SVP and CIO, SALLIE MAE, INC.
Dr. David Blaszkowsky, Director, Office of Interactive Disclosure US Securities and Exchange Commission
Mr. Shawn Banerji, Managing Director, Global Technology Sector, Russell Reynolds Associates
Mr. J. Kent Crawford, Founder and Chief Executive Officer, PM Solutions
Mr. Scott Mitchell, Chairman and CEO, Open Compliance and Ethics Group

Enterprise 2.0
Moderator: Prof. Andrew McAfee, Visiting Associate Professor, Center for Digital Business at MIT
Mr. Marco Pacelli, CEO, Clickfox
Mr. Sid Probstein, CTO, Attivio
Mr. Raheel Retiwalla, CTO, Monitor Analytics and Clearway Technology Partners
Mr. Geoffrey Oblak, General Partner, Ascent Venture Partners

Anna Convery, CMO, Clickfox

Prof. Glen L. Urban, David Austin Professor of Marketing, Dean Emeritus, MIT Sloan School of Management, Chairman, MIT Center for Digital Business

Keynote Panel: Cloud Computing

Moderator: Mr. Brian Watson, Editor in Chief, CIO Insight
Mr. Ron Markezich, Corporate VP, Microsoft Online
Mr. Ed Bugnion, VP, Cisco
Mr. Emil Sayegh, GM, Mosso, Rackspace Cloud
Mr. Bill Rogers, Chief Information Officer and VP of Information Technology, Goss International

Wednesday, May 13, 2009

Hearings on Major Revision of Expansive Massachusetts Data Privacy Law today on Beacon Hill

by Sarah Cortes

Public comment was received today on Beacon Hill on a major draft revision to Massachusetts Data Privacy Law, Senate Bill 173. House Chairman Theodore Speliotis, pictured left, Senate Chairman Michael Morrissey, below, and a half dozen elected state officials presided this morning over a hearing on dozens of privacy, identity theft and credit card laws and related amendments, including SB 173.

About a dozen representatives of industry organizations plus one IT security professional testified at today’s hearing, unanimously supporting the bill, which revises MGL 93H, Massachusetts’ Data Privacy Law. The amendment makes four revisions:
  • The most significant change defers to existing federal law where applicable. HIPAA and Sarbanes-Oxley cover most enterprises. This takes a considerable burden off firms handling data records and reduces complexity.
  • Another major revision reverses the provisions that would dictate specific technical tools or methods, such as encryption. The revised law would steer clear of any such specific requirements.
  • Small firms will find relief in the third change, which requires separate standards for them.
  • The fourth change allows firms to take action against employees who violate the security policy.

“As a major technology state, we need to get this right,” observed Anne Doherty Johnson, Executive Director, New England Council, TechAmerica, which represents about 1,500 member firms. “The current regulations exceeded the intent of the legislature and are very problematic for the reasons outlined. TechAmerica believes this legislation will correct those and is a huge step in the right direction.” Doherty, who testified today as she has in hearings on the bill over the last several months, echoed the opening statement by Chairman Morrissey. Morrissey, pictured left, stated that the hearing marked a crossroads between the approach up to the present, where the legislature expanded the scope and jurisdiction of the law beyond the borders of Massachusetts and beyond its original intent, and a possible future approach by incoming undersecretary of the Office of Consumer Affairs and Business Regulation, Barbara Anthony. (See related story.)

Bradley A. MacDougall, Associate Vice President of Government Affairs for Associated Industries of Massachusetts (AIM), also testified. AIM is the state’s largest nonprofit, nonpartisan association of Massachusetts’ employers with more than 6,500 members who employ nearly one out of every five workers in Massachusetts. MacDougall captured the essence of sentiment expressed during three hours of testimony by approximately a dozen industry representatives:
“Data protection is a top priority for Associated Industries of Massachusetts (AIM) and our members who will continue to pursue the development of reasonable data privacy regulations in Massachusetts. The delay, in the general effective date of May 1, 2009 to January 1, 2010, does not resolve the substantive issues within the current rules that impose high costs and prescribe specific technology solutions. Massachusetts cannot afford additional unreasonable regulations on employers working to protect jobs and prevent layoffs while competing in a global economy. Senate Bill 173 would provide a necessary solution in the absence of regulatory rule changes. The legislation would ensure that clear guidelines for the development of identity theft regulations be utilized to provide consistency for those entities already regulated under Federal law and further provide businesses with greater flexibility to strategically invest their limited operational and IT resources.”

MacDougall, AIM and a broad coalition of industry groups representing technology, banking, retailers and mutual funds, among others, have been instrumental in deconstructing and analyzing the proposed legislation, explaining it to the public, raising awareness of the proposed law, and advising the legislature and Administration on issues of concern, since the TJ Maxx data breach set in motion the chain of events resulting in today’s hearing.

copyright 2009 Sarah Cortes

Ranch Kimball and John Halamka at HBS

by Sarah Cortes

Another early morning at the sunny and elegant Spangler Center at Harvard Business School finds over 100 leaders of industry preparing for a double feature from two health care movers and shakers. First on the program is the well-known Ranch Kimball, President and CEO of Joslin Diabetes Center and former Secretary of Economic Development under Governor Mitt Romney. As if Kimball weren't enough, John Halamka, pictured left playing the Japanese flute, will be speaking. CIO of Harvard Medical School, among many other roles, posts and responsibilities, this high-profile medical technologist is one of the most sought-after thinkers and speakers in the world of health information technology ("HIT"). Although it is unclear at first why these two are double-billed, it soon becomes apparent.

Kimball runs through a deck of slides with dizzying speed and stunning clarity of message. Russ Vandenpool, a board member of HBSAB, the sponsor of the event, summed it up: "Kimball takes a page directly from Michael Porter's book on competition by applying focus on quality and defect reduction to health care delivery." Although only at Joslin since 2007, Kimball explains he has retooled the center based on lessons from Toyota's famous revolution - focusing on quality of care delivery up front to significantly reduce cost and improve patient quality of life over time. Kimball shows us how tuning and focusing on eight specific service delivery points with patients early on reduces the need for dialysis and surgery later. Some pretty clear slides prove this, he explains, where the purple Joslin cost bar is clearly shorter than the green cost bar for all other providers, as everyone can plainly see for the microsecond it flashes on the screen. It's just long enough to make the point effectively. Complete economy of Kimball's message and our time.

Next up is Halamka, whom we have looked forward to since becoming acquainted with his well-regarded daily blog, "Life as a Healthcare CIO." On this topic, electronic health records ("EHR") and electronic medical records ("EMR") are core concepts. Halamka apprises us of how BIDMC coordinates with Joslin by sharing medical records, a technical feat in the world of health care, we come to understand. According to Kimball, pictured right, Joslin went to all-EMR seven years ago and was, he believes, the first Harvard hospital to do so. The disarming interchange between Kimball and Halamka informs us how closely these two coordinate professionally. An insight into a human success factor behind technical coordination?

Halamka's part of the program soon conveys how far from simple his world of medical computing is. Halamka's slides reflect a close watch on the Washington pulse, including a HIT Policy Committee, a HIT Standards Committee, and "Regional HIT extension centers." The first of these, the HIT Policy Committee, is apparently focused on "meaningful use" of electronic records, an elusive concept on which Capitol Hill is still wandering in the wilderness. $19 billion in federal funds lie in the balance, it seems, available to spend and waiting for consensus on the best way to spend it. Only 2% of hospitals, we learn from Halamka, are currently on-line with EHR, and these funds are intended to encourage and allow the rest to get there as soon as possible. The government has announced it will divide the $19 billion among doctors, providing each with $44,000 to go into electronic records in 2011. Doctors can qualify for reimbursement if they show "meaningful use," whatever that is. As best as anyone can tell, this relates in some way to certification of the electronic method and software that doctors select against some technical standard. Guidance from HHS is expected to be available by the end of the year.

Because state law pre-empts HIPAA, Halamka notes there are, in effect, "50 privacy policies," in the sense that the patchwork of individual state policies effectively prevents information-sharing, quite apart from technical challenges. "Privacy has been protected differently in each locality," notes Halamka.

He hopes policymakers can do away with the current system whereby, after seeing a patient, the doctor calls a phone number on the patient's insurance card and "gets to argue with a high-school educated triage clerk about the appropriate diagnosis." Halamka's cynical humor conveys a deep-seated frustration with the current system, coexisting curiously along with what seems like good-natured optimism that we nevertheless can and should improve health care.

Halamka flashes a detailed slide on the data interoperability capability for all providers in Massachusetts, called the "MA-Share Appliance." Apparently this is open-source software, "built on a common messaging gateway," by which health care providers can communicate with each other to improve the quality of patient care delivery.

He shares that he was the fourth human to have his genome mapped as a way of illustrating the rapid way the cost of such sequencing is coming down, from $350 million for the first human (which might include all sunk costs to that date. Or the special carrying case), to $100 million for the second, $100,000 for the third, and his cost only $10,000 for genome sequencing.

Halamka also shares that his annual budget is $30 million, which is 1.8% of revenue, always an interesting data point for IT professionals.

Kimball, scheduled tightly, rushes off apologetically after Q&A, while Halamka lingers graciously a few minutes after the meeting ends as a crowd surrounds him, eager for every word with this oft-quoted, pace-setting CIO.

copyright 2009 Sarah Cortes

Tuesday, May 12, 2009

Testimony of Sarah Cortes before Massachusetts Senate on Massachusetts Data Privacy and Security Laws

Testimony of InmanTechnologyIT of Massachusetts
Sarah Cortes, PMP, CISA, President
Before Chairman Michael W. Morrissey, Chairman Theodore C. Speliotis and Members of the Joint Committee on Consumer Protection and Professional Licensure in Support of S. 173, an Act Ensuring the Privacy of Certain Data

My name is Sarah Cortes and I am a technology professional in Massachusetts. Among other services, I follow and advise clients regarding the development of rules for the protection of personal information for residents of the Commonwealth, as well as laws and regulations with federal and other state jurisdictions and internationally. I also write extensively about security, privacy, surveillance, and technology. I wish to express my appreciation to the Administration for extending the general effective date of May 1, 2009 to January 1, 2010. As a security professional, I support S. 173, which would improve upon M.G.L. 93H. However, I remain concerned about wide-ranging rules which present significant enforcement challenges and could lead to widespread noncompliance, rendering a setback for overall compliance efforts. I urge the Administration to review rules and regulations in comparison with federal and other states laws, policies and regulations, and to revise them to ensure consistency and enforceability.
I support S. 173 because it:
  • Remains consistent with Federal law and regulations.
  • Avoids technology-specific requirements that will quickly render it obsolete.
  • Facilitates for organizations the enforcement of their data security policies on employees who willfully violate data protection rules, regulations and policies.
  • Protecting personal information is a necessary activity and in the interest of the public, including consumers, businesses, and other organizations. The development of a reasonable public policy is vital for our economy.
As a data security practitioner, I see my clients continually struggle with the complex nature of technology and operational implications. These clients include:
  • Fortune 500 financial services, biotech and technology firms headquartered in Massachusetts, who operate in all 50 states as well as internationally
  • Colleges and universities located in Massachusetts but with associated overseas institutions
  • Small web design and social media service delivery firms operating in multiple states
  • Medium-sized training and certification delivery businesses based in Massachusetts but operating in multiple states
  • Medium-sized non-profit organizations operating in multiple states
  • Small non-profit organizations operating only in Massachusetts but with donors residing in many states
The jurisdiction and scope of the Massachusetts law, “persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts,” presents issues as well. From a technical standpoint, the difficulty of continually sifting large databases that change minute-by-minute leads to many possibilities, including:
  • A database that contained no in-scope data and was not subject to regulations, could add a Massachusetts data record and fall in scope within minutes. Detecting the presence of Massachusetts residents in databases from minute-to-minute presents technical challenges and expenditure of resources.
  • Due to failover and disaster recovery technology as well as cloud computing, third party firms engaged in a primary business of storing data for third party clients or providing computing services for such clients could find in-scope data of Massachusetts residents on their servers or storage devices due to a failover or split-second transfer of data. These firms, not previously subject to data privacy laws, could suddenly find themselves subject in this fashion.
Due to these and many other scenarios, I can testify that the Massachusetts data privacy laws and regulations, as written, essentially could extend far beyond Massachusetts to include many organizations who do little or no business with Massachusetts residents. This is because firms will need to invest time and resources to develop the ability to ensure to themselves and outside auditors and examining bodies that, from minute to minute, they remain exempt.
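The two scenarios above (a store that falls into scope the minute one Massachusetts record arrives, and a replica that inherits in-scope data on failover) can be watched for mechanically. The following is an added example, mine and not part of the testimony: a small scope monitor that records the moment each data store crosses into or out of scope. The in-scope test is a simplified assumption (Massachusetts resident plus one sensitive element), not the statutory definition, and the host names and records are constructed.

```python
"""Scope-drift monitor for the "record appears, store falls into scope" scenario.
Assumption (simplified, not the statutory text): a record is in scope when it
belongs to a Massachusetts resident AND carries a sensitive element."""
from dataclasses import dataclass, field
from datetime import datetime

SENSITIVE = {"ssn", "account", "drivers_license"}  # assumed sensitive elements


def in_scope(record: dict) -> bool:
    """Simplified test: MA resident with at least one sensitive element present."""
    return record.get("state") == "MA" and any(record.get(k) for k in SENSITIVE)


@dataclass
class ScopeMonitor:
    stores: dict = field(default_factory=dict)       # host -> list of records
    transitions: list = field(default_factory=list)  # (timestamp, host, "IN"/"OUT")

    def _status(self, host: str) -> bool:
        return any(in_scope(r) for r in self.stores.get(host, []))

    def _apply(self, ts: datetime, host: str, change) -> None:
        """Run a change against one host and log it if scope status flipped."""
        before = self._status(host)
        change()
        after = self._status(host)
        if before != after:
            self.transitions.append((ts, host, "IN" if after else "OUT"))

    def insert(self, ts: datetime, host: str, record: dict) -> None:
        self._apply(ts, host, lambda: self.stores.setdefault(host, []).append(record))

    def delete(self, ts: datetime, host: str, predicate) -> None:
        def change():
            self.stores[host] = [r for r in self.stores.get(host, []) if not predicate(r)]
        self._apply(ts, host, change)

    def failover(self, ts: datetime, primary: str, replica: str) -> None:
        """Replica receives a copy of the primary's rows (the split-second transfer)."""
        rows = list(self.stores.get(primary, []))
        self._apply(ts, replica, lambda: self.stores.setdefault(replica, []).extend(rows))


def demo() -> list:
    """Constructed timeline: hosts 'db1' and 'dr-host', fictitious records."""
    m = ScopeMonitor()
    t = datetime.fromisoformat
    m.insert(t("2009-05-12T09:00:00"), "db1", {"name": "A. Doe", "state": "NH", "ssn": "000-00-0000"})
    m.insert(t("2009-05-12T09:03:00"), "db1", {"name": "B. Roe", "state": "MA", "email": "b@example.com"})
    m.insert(t("2009-05-12T09:05:00"), "db1", {"name": "C. Poe", "state": "MA", "account": "4111-0000"})
    m.failover(t("2009-05-12T09:06:00"), "db1", "dr-host")   # replica now holds C. Poe
    m.delete(t("2009-05-12T09:30:00"), "db1", lambda r: r["name"] == "C. Poe")
    return m.transitions  # db1 IN at 09:05, dr-host IN at 09:06, db1 OUT at 09:30


if __name__ == "__main__":
    for ts, host, direction in demo():
        print(f"{ts.isoformat()} {host}: {direction}")
```

Note that dr-host never leaves scope: deleting the record on the primary does nothing for the copy the replica received, which is the point of the second scenario.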

I advise clients in a number of technology areas, including:
  • Complex Application Development/Implementation, like large projects with over 100 technical staff implementing, for example, trading systems
  • IT Security/Privacy/ Risk/Audit management, performing risk assessments and managing large security implementation projects
  • Data Center Operations Management, including vulnerability scanning but also day-to-day operations
  • Disaster Recovery/High Availability, reviewing infrastructure and network architecture and advising on restructuring for resilience; and
  • Technology Program/Project Management.

In educating and advising my clients about Massachusetts Data Privacy laws, about which there continues to be widespread lack of awareness and understanding, I find a general view emerging. This view holds that the regulations are so far-reaching, yet vague, that they are unenforceable and organizations need not fear enforcement. I do not endorse this view, and have written many papers and articles urging and explaining compliance, including an article that appears today on a national media outlet, TechTarget, understanding-the-risk-of-penalties-for-violating-data-privacy-laws/, that warns against a dismissive view, and references numerous successful enforcement actions of state and federal data privacy laws.

Nevertheless, the fact remains today that enforcement of the many state and federal privacy laws remains costly and difficult at best, with limited success.

In closing, Massachusetts will ultimately best protect its residents by analyzing similar state and federal laws, ensuring consistency where possible, and “going beyond, where no man has dared to go,” only as a conscious step with a clear enforcement plan.
Thank you for your time. I wish to state that on behalf of data security professionals in this state, we stand ready to assist in adopting rules that are effective in achieving the Legislature’s goals. Thank you for the opportunity to provide comments and I would be happy to provide additional information.

Sarah Cortes, PMP, CISA
