
Getting Personal with a Privacy Expert

Bridging Innovation Interview: Cathy Petrozzino

Cathy Petrozzino is a long-time contributor to the cybersecurity and privacy communities both inside and outside of MITRE. A subject matter expert in privacy and Artificial Intelligence ethics, she navigates complex discussions surrounding policy and best practices, and coaches startups, particularly those in healthcare, that are trying to enter an extremely regulated market. She strives to be a privacy and security catalyst, breaking down barriers to entry. Originally from Maryland, Cathy continues to bring her independent perspective and positive energy to the Boston community and beyond.

What is your Educational/Professional Background?

I graduated from Johns Hopkins and received my master’s from Northeastern. I moved to the Boston area and started working in Privacy when I was at John Hancock. The Health Insurance Portability and Accountability Act (HIPAA) rolled out, and we needed to understand what it meant to the company. I was responsible for understanding what “Privacy” meant for Hancock’s IT systems. It was a great opportunity to work with diverse people from different business and product areas, legal, and security. I really enjoyed it.

I’ve been at MITRE for 20 years in total. I became involved with Privacy work, ethics in big data and AI analytics, and cybersecurity. I’ve mainly been in Privacy, supporting internal MITRE Privacy Operations and external stakeholder efforts.

Can you describe some of your work at MITRE?

An impactful project was with the Food and Drug Administration (FDA), focusing on medical device cybersecurity as they became concerned about the associated risks. I worked with a fantastic MITRE team to conduct a stakeholder analysis, with around 150 interviews with diverse organizations (medical device manufacturers, large and small; Health Delivery Organizations, large and small; and associations), and it was fascinating. Later, I began to look at big data analytics and ethics, publishing a paper on ethical considerations and the AI life cycle. I have been doing more in the area of Privacy and Ethics in Artificial Intelligence and have also co-authored a paper for MITRE’s Center for Data-Driven Policy.

MITRE has been growing its work with healthcare and Protected Health Information (PHI). The work is coming faster and more furious. Trying to keep on top of it can be challenging.

Internal to MITRE, we are protecting MITRE’s own Personally Identifiable Information (PII), including that of employees. It’s not just about reputation or about what we have to do. It’s about respecting individuals whose information we are entrusted to safeguard from unauthorized access.

How did this lead to working with Bridging Innovation?

At our campus outside Boston, there are a few of us who are known for our work in Privacy. Our company started to become more involved with the MassChallenge Boston accelerator program, and they needed someone who could support from a Privacy perspective. A lot of startups are looking to break into the healthcare space, and sometimes you have to have a frank conversation about HIPAA, for example. You have to say to them, “that’s nice, but it is going to be challenging when it comes to convincing these institutions to work with you in sharing their PHI.” We help these startups understand the nuances, and how even one single data field can have HIPAA impacts. I also help startups whose very success relies on trust, and where privacy fits in. Privacy is all about trust between those individuals whose information you have and your organization. It’s a relationship between the individual and the organization. My skillset allows me to fill a niche need.

That’s got to be hard: seeing a great startup, and then asking them to tap the brakes to consider the requisite compliance?

It’s not only “what are the compliance considerations” (although that is very key). It’s helping them know how that has played out in the community. When we worked on the stakeholder study for FDA, we met with medical device suppliers and users. Users are on the front lines. That gave me more insight about thinking beyond compliance. A startup can be “compliant”, but still face hesitation from big organizations to share sensitive healthcare information with them.

Seems that goes back to the trust concept you spoke about?

This sounds callous, but there is a little calculation: Is it worth it to that organization (big company) to share their most sensitive information with you? What is the payoff? What do they get out of sharing that data? That’s part of the risk calculation. I try to help startups consider alternative partners – local hospitals for example – or working with synthetic data. I try to help startups know there are other options.

As an example of how we try to help startups, I was part of a MITRE team that supported a larger collaborative effort to standardize a Privacy risk questionnaire that startups could provide to hospitals, making their jobs easier. That can make a big difference to a startup, in terms of not having to spend so many resources answering essentially the same question in ten different ways for ten different hospitals.

So beyond coaching startups, you are identifying innovative solutions to position them for success?

We want to position them for success. I don’t want to speak about privacy and be the factor that dooms them. If they aren’t successful, it should be for other reasons beyond Privacy. You have to explain that there is a lot of latitude, but they need to make a convincing case that they know what they are talking about.

I love doing this. It’s very interesting. It’s energizing to me. I ended up this last year volunteering to read applications to the MassChallenge Boston Accelerator, and rate which ones look promising and which ones don’t. You see the most interesting concepts and ideas, and I think “wow”, to be that open-minded! They haven’t stumbled across those things that can constrain their creativity. It’s very cool. It’s very interesting, presented in a fearless way.

I don’t want – in any way – to subtract any enthusiasm and passion from what they do. I want to help them: “Here’s a challenge, and here’s an approach”.

One of the things that MITRE really brings to the table is our independence. I can be an independent voice for the startups. I won’t recommend one vendor over the other.

It’s an “SME Coach”. It’s a certain expertise. Coaches don’t really tell you what to do; they help you think through the process.

© 2021 The MITRE Corporation. All rights reserved. Approved for Public Release; Distribution Unlimited. Case Number 20-02581-23
