Why Good Privacy Means Good Security

QuintilesIMS CPO Kimberly Gray on privacy, cybersecurity, and the power of empathy

When she joined QuintilesIMS as chief privacy officer, Kimberly Gray found herself at a new job seeking a new challenge, one on a global scale. As a pioneering chief privacy officer (CPO), a healthcare law attorney, and even a clinical assistant, Gray’s extensive résumé has provided her with the opportunity to approach both privacy and cybersecurity from a number of different vantage points. “Privacy is very subjective sometimes,” she says. “The ability to put yourself in the shoes of the individual is important.”

Gray credits working directly with patients as a clinical assistant early in her career as invaluable experience. “I think my perspective has always been a little bit different than a normal person who goes into healthcare law,” she says. After passing the bar and practicing law privately as a healthcare attorney, Gray went to work at Pennsylvania insurance company Highmark, where she literally defined her position as a privacy professional. The CPO position was created for her, and it came at just the right time. Shortly after settling in, HIPAA was enacted.

Kimberly Gray, chief privacy officer at QuintilesIMS

The landmark law changed Gray’s job overnight. “Suddenly, it was my job to get a big organization compliant with HIPAA,” she says. “I learned a whole different discipline that had nothing to do with law and just happened to be in the healthcare world.” Gray says it was a crash course in project management, a role she had not previously played. “I had seen things from the patient’s viewpoint, from the clinical side, from the provider’s view, from a legal perspective, and now at Highmark, I was seeing things from the insurance side of things,” she says. After creating a team to manage and adapt to the new law, Gray says the department worked so efficiently that she found herself looking for a new challenge.

Gray’s continued education and interest in information security landed her a role on the Health Information Trust Alliance (HITRUST), an advisory board made up of healthcare leaders working to develop a common security framework for the storage and sending of sensitive data. “I was the lone privacy officer in a sea of chief information security officers (CISOs),” Gray says. At HITRUST, Gray helped oversee a team that created deidentification standards sections for the framework and says that the alliance’s focus on cybersecurity, cyber-risk management, threat preparedness, and threat response have all provided her great perspective in her role at QuintilesIMS. “There’s a little bit of peer pressure, sitting on the board of an information security company with a bunch of CISOs, to be able to walk the walk,” Gray says. “And I think it makes me a much better privacy professional.” Gray has even begun presenting at cyberconferences on good cyberhygiene. This includes routine security scans, virus definition updating, and password protection, among other behavior, to maintain a healthy online presence.

“There’s a little bit of peer pressure, sitting on the board of an information security company with a bunch of CISOs, to be able to walk the walk.”

Gray’s role on HITRUST’s advisory board has also helped her communicate more constructively with her CISO colleagues. “While CPOs often come from legal or regulatory backgrounds, CISOs often come from more technical backgrounds,” Gray says. “Therefore, their way of looking at things often differs, and their language also differs.” This can sometimes create tension, and Gray says the interdependence between the two positions mandates good communication because good privacy requires good security.

Another contributor to that tension, Gray says, stems from CISOs scrambling to find funding for privacy protection that CPOs deem essential. “It sometimes seemed more like the CPO was telling the CISO what to do rather than asking,” she says.

The rise in high-level cybersecurity attacks and a developing awareness of cybersecurity have helped ease this strain, Gray says. Corporations are more readily realizing they need to invest in cybersecurity. “This means that the CISO doesn’t have as much trouble getting security budget dollars as he or she did just a few years ago,” Gray says.

The remainder of 2017 and the bulk of 2018 provides a number of interesting developments for Gray and her colleagues, a year she believes will be wildly busy and intellectually stimulating. The EU’s General Data Protection Regulation (GDPR) takes effect in May 2018. “Any time there is a new data protection law that organizations have to comply with, there’s a lot of work to be done,” Gray says. QuintilesIMS is also working to become certified to the European Union’s Binding Corporate Rules. Add a new American administration dealing with healthcare legislation and ever-changing international privacy laws (Japan and Latin America are changing their regulations at the moment), and Gray and her team seem to have a demanding year ahead.

As CPO, Gray says that overcoming some of the challenges of a global leadership position can be tricky. Practical considerations and the geographical constraints often mean she doesn’t ever actually physically meet the people she works with. “It’s difficult to develop those important personal relationships,” she says. But that is where her empathetic nature seems to thrive—in navigating problems with more than herself in mind.


EY Advisory believes a better working world means helping clients solve big, complex industry issues and capitalize on opportunities to grow, optimize, and protect their businesses.

A global mindset, diversity, and collaborative culture inspires EY consultants to ask better questions, create innovative answers, and realize long-lasting results.

The better the question. The better the answer. The better the world works.