A CIO finds a way to protect sensitive data and pave the way for BYOD

Pat Smith, CIO of Our Kids, devises a way to protect sensitive data while paving the way for mobile devices and a network of care providers.

CIOs still mired in the logistics of launching a bring your own device (BYOD) program should consult Pat Smith. Not only was she able to implement a successful BYOD program, she did so while protecting the information of the organization's key customers -- abused, neglected and abandoned children. It is this drive to use IT to improve lives that made Smith the SearchCIO-Midmarket 2013 IT Leadership Award winner in the category of customer experience.

Getting there wasn't exactly easy for Smith, CIO at Our Kids of Miami-Dade and Monroe Inc. As a provider of child welfare services to Florida's Miami-Dade and Monroe counties, the nonprofit Our Kids deals with highly personal and sensitive information. To create a technology environment that provided more people more access to data in more places, Smith first had to build up the organization's information architecture and break down an archaic model of how the foster care, adoption and child welfare systems operated.

"The old paradigm was that the case worker would go out and dig through all of the systems to find what they could about a child or a family," Smith said. Her vision was to streamline that relationship by bringing the information to case workers, as well as providing access across a vast network of care providers whenever they needed it. And of course she needed to do this without undermining the organization's mission to protect sensitive data.

The project entailed three major tasks for Smith's IT team: They had to connect data together from disparate sources, build an infrastructure that would keep highly sensitive data safe and secure, and convince those who generated the data that sharing information was a good idea.

"Most people in charge of these systems -- good people concerned about privacy laws -- don't always understand the foster care system," Smith said. "I sometimes have to go back to the statutes, go line by line and point out where it says we are the legal guardian and have access to that [information]."

Putting a SonicWall around personally identifiable information

The child welfare system deals in some of society's most sensitive information, from Social Security numbers and birth certificates to records from medical and mental healthcare providers. So keeping such personally identifiable information (PII) under lock and key might seem like the correct course of action. Doing so, however, also creates data silos and layers of bureaucracy for case workers and care providers that can ultimately be a deterrent -- rather than a service -- to at-risk children, according to Smith.

Fortunately, Smith was accustomed to working with highly sensitive data. For more than 20 years, she helped run IT departments in both the banking and pharmaceutical industries, and she brought that experience to the Our Kids table. When it came to the appropriate infrastructure, Smith and her team built a VPN to the network and eventually decided to secure those pathways with a class of products from SonicWall Inc., later acquired by Dell Inc.

Not only does SonicWall provide network security, but it also enables Our Kids to create different levels of access to the database, effectively controlling who sees what, she said. That means Smith can provide granular data on any of the 3,500 children in Our Kids' care to the appropriate user. Security, though, is not just about which users can access what information within the system; it also pertains to information users can access outside of the Our Kids system. To that end, the technology Smith implemented can actually differentiate between accessing Facebook to keep in touch with runaways, an acceptable practice, versus accessing Facebook games, a security risk. With the proper controls in place, the new system helped Our Kids expand the number of users who access the system five-fold, from 200 to more than 1,000, Smith said. Network utilization increased by 30%.

A BYOD policy that comes with a stipend

Smith also needed to align this new approach to information sharing with the trend toward BYOD. While BlackBerrys are standard issue for employees who require access away from the office, Smith was seeing an uptick in requests from case workers and other care providers to connect their personal mobile devices to the network. The increase was significant enough to prompt Smith to create a BYOD policy that still allowed the organization to protect PII. The upshot was a policy that offers a monthly stipend, commensurate with what Our Kids pays out to BlackBerry users, in return for the organization retaining some control over the personal device.

"Employees get this allowance once they sign off on the new policy, which states that we have the right to wipe the entire device if there is inappropriate use or loss or theft," she told The Mobile Enterprise just last year. "I can't stress how important this is. There are also criteria under which we will perform a partial device wipe. For example, when somebody leaves the company, we'll just remove company data and applications."

An IT leader given to 'soul searching'

Asked to describe her approach to IT, Smith said she is probably not "a typical IT" person. "I didn't come up through the ranks of hardware or software coding," she said. "I approach this from a business solutions perspective."

"Not a typical IT person" is not an exaggeration. An economics major in college, Smith went on to earn a master's in library science before having a successful career in corporate IT. She made the jump from corporate America to a small nonprofit after doing "some soul searching" and deciding she needed "to do something more meaningful."

"I really love IT, and I was spending a lot of my time in budget and strategy management meetings," she said. "I wanted to get my hands back on the technology again."

Her timing couldn't have been better: Florida's child welfare system was struggling even after the state decided to privatize the system in 2003. Just a few years before that, Miami-Dade County came under scrutiny after a foster care child went missing for more than a year before the system became aware of her disappearance. Her caretaker was later accused of murdering the child.

"The week I started, the governor started a movement because of the death of so many children in foster care. He said, 'Why can we track our packages around the world, but not our children?'" recalled Smith. "The real reason I was recruited and brought in was to solve that problem."

She did come up with a solution. Today, case workers are required to make in-person visits every 30 days, and they can now use a smartphone to snap the child's photo, which is stamped with location information, the date and time of visit, and can be uploaded directly to the state system, she said. And she's come up with other solutions since then, which, she said, have been embraced by the Our Kids community. "I've spent a lot of my time here brokering agreements to get access to those records and to combine them together so that my case workers have all of that information at their fingertips," said Smith, who joined Our Kids five years ago. "We've painstakingly worked with them to show them we're going to protect their data, keep it confidential and that we have a shared interest in helping them."

The painstaking effort can be traced in part to Smith's strong belief that when a child enters the system, the entire community -- legal, medical, educational, social -- has a role to play. For CIO Smith, that list includes IT.

"We don't want to be on the front page of a newspaper because another child has died," she said. "We need a technology solution to solve this problem."

Let us know what you think of the story; email Nicole Laskowski, senior news writer, or follow her on Twitter at @TT_Nicole.

This was first published in July 2013
