As chief technology officer at the Department of Veterans Affairs, Peter Levin is responsible for the cybersecurity of the largest medical system in the United States and the second largest federal agency.
His job involves helping to facilitate and secure the flow of personal health information among the VA employees at hundreds of hospitals, clinics and offices nationwide, and making that information available electronically to the 21.9 million veterans and their families who depend on the VA for their medical care. Medical professionals and veterans are increasingly seeking to access that information via mobile devices, which raises new concerns about privacy.
Appropriately, Levin has come to think about cybersecurity and mobility in a biological sense, with a focus on minimizing the threat of an intruding pathogen.
“You want to surround the threat that you know is going to get in, just like your body knows it will be infected someday, it just doesn’t know when and it doesn’t know how,” he said. “But it has, over millennia, developed an extraordinarily effective response to disease. It’s a biological example, but it’s a metaphor that translates well to electronic threats in the context of network security.”
This article originally appeared in the latest edition of CGI Initiative for Collaborative Government’s Leadership journal.
He has a less-than-conventional vision for creating a mobile, agile VA while ensuring the security of millions of personal records in the cloud and in telemedicine.
“My vision is not that we’re going to be perfectly secure,” he said with characteristic honesty. Instead, he is working to defend against scalable breaches using a “configurable, nuanced, rapid response that’s triggered by the detection of intrusion.”
That realistic viewpoint is behind the VA’s groundbreaking effort to securely add smart phones and tablet PCs to its network. In October 2011, the department issued a request for information for vendors to help build a national mobile device management (MDM) system that would allow at least 10,000 and as many as 100,000 mobile devices running iOS, Android and Windows operating systems to securely connect to the VA’s network – the largest such deployment in the federal government.
MDMs manage and protect information from a central location, which VA officials said will be in the cloud for their system. The devices will be managed remotely and provide encryption and reporting capabilities so VA officials can keep track of the devices while enforcing the department’s security, management and other policies. The MDM system will also allow iOS devices to connect to a VA app store where users can download applications.
Security Through Openness
As the VA and the veterans it serves expand their use of mobile devices, Levin applies an unexpected twist to secure the software and data they access: He is a vocal advocate of open-source technology development and the open sharing of health data. That perspective is grounded in the knowledge that security breaches happen in large numbers on a daily basis. The VA is particularly vigilant about the issue, given the 2006 breach in which 26.5 million personal records were compromised when a laptop computer was stolen from a contractor’s home. The incident led to a re-examination of cybersecurity policies governmentwide and to the VA sending Congress monthly updates on its security efforts.
As a result, VA officials including Secretary Eric Shinseki and Deputy Secretary W. Scott Gould have undertaken a big push to shore up the agency’s information technology system in recent years. Part of that effort involved naming Levin CTO and senior adviser to Shinseki in May 2009 and increasing his influence, as well as that of Chief Information Officer Roger Baker, who is responsible for the agency’s operational IT requirements.
Those moves have borne results. In September, Levin was justifiably proud that President Barack Obama had publicly referred to three breakthroughs in which Levin had played a key leadership role: the Blue Button program, which gives veterans access to their health information and allows them to share it with doctors outside the VA; the progress being made on processing a backlog of claims, some dating to the Vietnam War, via an innovation competition; and definitive steps toward the long-standing goal of creating a single electronic health record (EHR) for military service members to be shared between the Department of Defense and the VA.
Still, Levin knows that plenty of work remains. For example, the VA is enabling the 134,000 medical professionals who work at 152 VA hospitals to securely access patient records using mobile devices and cloud-based applications through a groundbreaking initiative Levin led: a platform for improving veterans’ EHRs called the Open Source Electronic Health Record Agent. The system’s underlying principle is in keeping with what Levin said is a key tenet of his approach to cybersecurity: Open-source development offers the fastest, safest and most transparent way to accelerate progress.
“The reason you do open source is because you level the playing field,” he said. “You make it completely transparent, and you make it so anyone can participate. Those three factors, combined with a standards-based, openly architected, modular system, will keep you on the cutting edge.”
Public Servant, Private-Sector Mentality
Levin relishes the challenge of balancing openness and security. After all, he has built a career on doing the unexpected. The Washington, D.C., native didn’t have much interest in school until he realized he was better at math than he thought. He went on to study electrical and computer engineering at Carnegie Mellon University, conduct post-doctoral research at the Technical University of Munich, and eventually become associate dean for research at Boston University’s College of Engineering. Today, he is a consulting professor of aeronautical and astronautical engineering at Stanford University.
Along the way, he spent many years as a successful tech entrepreneur in the private sector, including the semiconductor industry, which lies at the heart of all computerized technology.
Levin has never taken the easy road. At Carnegie Mellon, he wrote a simulation program for electromagnetic field theory, which, for most people, is the least enjoyable part of an engineering curriculum, he said.
“So, of course, that’s what I wanted to do,” Levin said. “The thing that nobody wanted to do is what I absolutely had to do.”
That drive paid off. Working in collaboration with Professor Jim Hoburg, Levin wrote a program that attracted the attention of Hans Steinbigler, a pioneer in the field of simulation programming. Steinbigler invited Levin to do his post-doctoral research in Germany.
After completing his studies, he went into private industry, where he was founding chief executive officer of the cybersecurity software company DAFCA Inc. and executive director of Astaro, an Internet security company based in Karlsruhe, Germany. Shortly before joining the VA, he co-founded and led an award-winning semiconductor software design company and was a partner in a venture capital firm based in Dusseldorf, Germany.
It was serendipity that brought Levin to the VA. In 2008, he escorted a close friend who was receiving an award at the White House and met James Peake, then VA secretary, in the Green Room.
“I asked a question about the lack of telemedical services offered,” Levin said. “It happened to be on my mind.”
Shortly after Obama won the presidential election, Levin got a call from Peake asking to meet with him. After learning everything he could about telemedicine and distilling it into a few PowerPoint slides, Levin went to the VA headquarters in downtown Washington, D.C., for the first time.
“I had to look it up on a map,” Levin said. “I had no clue where it was. I had never served in uniform. What do I know about health care delivery? I’m a semiconductor guy.”
The opportunity Peake offered was one Levin couldn’t pass up.
“You can imagine my grandmother’s small apartment in Forest Hills, with the gold-framed iconic picture of Franklin Roosevelt,” Levin said. “Math and science were an expedient way to education, to make money. But I still believe that the best thing you can do is care for the public interest.”
That lifelong affinity for politics and government has found expression in the CTO position, where Levin guides improvements in veterans’ health and benefit services “by promoting a deeply collaborative culture, renovating business processes and leading the development of new technology platforms,” he said.
Going for the Layups
Levin arrived at the VA in June 2009 with a strategy for establishing leadership early on. In close cooperation with the secretary, deputy secretary, chief of staff and CIO, Levin decided to go after the “layups.” Inspired by the strategy Peter Sims outlines in his book “Little Bets: How Breakthrough Ideas Emerge from Small Discoveries,” Levin wanted to build momentum for transformational change by systematically taking small, exploratory steps and being open to new ideas along the way.
“He wrote down my playbook,” Levin said of Sims. “It’s exactly what I did and still do – not try to boil the ocean or solve every problem in the first two weeks.”
Levin said his first layup was not in an area his bosses expected. “For personal reasons, I was keenly focused on suicide prevention,” Levin said, referring to the fact that he lost many family members to the Holocaust and knows that survivors and their descendants have high rates of suicide, divorce and mental illness. “For me, that was a place where a morally transcendent problem met personal interest, met the opportunity to actually do something meaningful and worthwhile quickly.”
He proposed augmenting the Veterans Crisis Line with an anonymous online chat service for veterans who didn’t feel comfortable talking on the telephone. One month later, the service was a reality.
“With Roger Baker’s help, we got that stood up quickly, and today we have had more than 3,000 interventions,” Levin said. “It’s hard to say how many would have led to tragedy, but I bet it’s more than one. In my faith tradition, if you save one, you save the world.”
Acute Need for Data
After that, Levin turned to what he describes as an “almost trivial project called Blue Button” – a Web-based feature that allows patients to download and share their health information with health care providers, caregivers and others they trust. Blue Button is a collaborative effort with the Department of Health and Human Services’ Centers for Medicare and Medicaid Services, DOD and the Markle Foundation, a private, not-for-profit philanthropic organization.
Many colleagues advised Levin against confronting layers of bureaucracy and red tape to unify data from different platforms in a single, accessible, user-friendly format. But Levin feels strongly that veterans should be able to access their data, and he said he won approval from the secretary to “just try to drill a hole through the fortress.”
Levin told Shinseki he’d have 20,000 to 25,000 users within a year. “He looked at me kind of sternly and said, ‘That’s a big number. Just make sure you hit it,’” Levin recalled. Blue Button had 25,000 users within six weeks.
Since launching in October 2010, the system has attracted more than 500,000 users and has been adopted by major health insurance companies such as Aetna and UnitedHealth Group. Still, Levin insists that Blue Button is merely a good platform that “a freshman at any junior college could have come up with.”
Others view it less modestly. At a recent Consumer Health IT Summit sponsored by the Department of Health and Human Services, Dr. Donald Berwick, administrator of the Centers for Medicare and Medicaid Services, called Blue Button “iconic and magical.”
“What the success of Blue Button really is indicative of is not the overall quality or insight of the program,” Levin said. “It’s the absolute, acute need of people to get access to their data, and that’s why you’re seeing it run like this.”
The program is revolutionizing the approach that has been in place since 2004 when HHS’ Office of the National Coordinator for Health IT proposed a national infrastructure that would let health providers share information.
The office’s model is “institution to institution or provider to provider, and Blue Button shows up frankly as an idea that nobody thought of,” Levin said. “What about the voice of the patient? What about the patient’s access to data? What we’re discovering to our delight is that patients want to be involved.”
Blue Button downloads health information in a simple text file or enhanced PDF that can be read, printed or saved on any computer. Implementing it raised several security concerns, however. Because thousands of veterans would be downloading their personal health data via mobile devices, Levin used encryption technology to protect the data as it moves between VA’s secure MyHealtheVet system and other data assets. That way, any breach that might occur would at least be containable.
Levin acknowledges that favoring transparency comes with risks. “There were folks who were nervous about it, and there are still plenty of them,” he said. “They’re jittery for a reason, but that was the choice we made.”
It came down to a fundamental policy choice. “Are you going to give them the information that they asked for, even if there’s a cybersecurity risk, which you can train them to remediate or at least to lessen?” he asked. “Or are you not going to give them the info and tell someone who carried a gun in your name, who shot bullets to defend your liberty, that you are not going to have access to your information because we don’t think you’re smart enough to keep it private?”
The argument proved compelling, Levin said.
“More Eyes, More Brains, More Secure”
As recently as three years ago, the VA did not have a Facebook page or a Twitter account for keeping in touch with its constituency. Today, the department’s Facebook page is one of the most popular in the federal government, with more than 143,000 friends. Levin often reads the comments to keep tabs on how people perceive his work.
In one case, intuition told him that a veteran was in trouble, and he decided to reach out to the man from his private e-mail account. The man replied, and the two have become close correspondents.
“To make a long story short, we write to each other very often, and I rely on him for a lot of things, not the least of which is to tell me what’s really going on,” Levin said. “How does a Vietnam-era veteran see the things that I think are so transformational, so earth-shaking and important that I interrupted my career, moved my family, and maniacally, obsessively devoted myself to the care of veterans?”
Looking forward, he plans to forge ahead with his open-source plans, although he says the term “open source” is misleading.
“It implies that because the code is exposed, you’re inherently more vulnerable to hackers exploiting something that you haven’t discovered yourself. And what is scientifically known, well-studied, quantified and stress-tested is that exactly the opposite is true. Proprietary systems are the ones that are inherently more vulnerable because if you think that there aren’t people who are trying to break into those systems just as much, you’re wrong.”
Levin sees open-source development as an important way to anticipate and defend against the unexpected in the ever-evolving mobile frontier. “Open source has the added advantage that you’ve got a lot of people looking at it at the same time,” he said. “It really is a blunt-instrument argument: more eyes, more brains, more secure.”