Mark Eggleston says his entry into the CISO realm is a little more atypical than that of others. “I didn’t necessarily come from the network group. I didn’t necessarily come up from IT. I kind of came up from compliance. I tell people I’ve had three careers and this current career is the keeper,” he says.

Eggleston graduated from college in the early 1990s with a bachelor’s degree in psychology. It was a time of economic recession, and professional jobs were hard to come by. So, he took a full-time job swinging a hammer for the construction company he had worked for during school breaks. He used his carpentry skills to help build houses and do remodeling projects, working his way up to lead work crews and manage subcontractors.

Working outside on a cold winter day, Eggleston realized he didn’t want to stay in construction. He decided to go back to school to get his master’s degree in clinical social work. Upon graduation with the advanced degree, he started what he calls his second career. “I got a job in the mental health field and eventually worked my way up to be a psychotherapist. I specialized in serving kids with medical diagnoses combined with mental issues,” says Eggleston. “It was a fascinating, really cool place to work. My job was incredibly, intrinsically fulfilling and I worked my way up from being a mental health technician to a psychotherapist doing individual, family and group therapy. Then when I left there, I was the assistant supervisor of a behavioral health unit. That job, too, was just a lot of fun.”

“Around that same time, my wife and I were wanting to start a family. At that point, we decided we didn’t want to live in a thatch hut off a social worker type salary,” says Eggleston. “That’s when I went back to school for certification in management information systems. I got a business degree from Virginia Commonwealth University.”

Eggleston was able to put those new business skills to work when he transitioned out of direct care and began working for a company that was managing all the residential treatment care and therapeutic foster care for all children across the state of Virginia. “My behavioral health unit was basically reviewing this care. I was able to use my clinical skills, but I was also able to redesign some intake forms electronically,” he says. “I started there as an analyst and months later became an assistant supervisor to their behavioral health unit. I spent about a year with this company.”

This was about the time that HIPAA regulation hit the healthcare industry. Eggleston moved to the Philadelphia area to work for Catholic Health Initiatives (CHI), a large hospital system, to help co-found their initial privacy and security program. “I worked there for a few years, building up the HIPAA compliance program for the entire hospital organization across 19 states. We were the consulting group that all hospitals had to use. They could not use any of their independent budgets for consulting; they had to go through us to get compliance help and create their program,” says Eggleston. “We did national conferences. We traveled to their facilities for consulting and launched a compliance software to help log the gaps. We came up with the policies and procedures and all the forms needed for HIPAA compliance.”

According to Eggleston, “That was really the biggest thing that helped change the trajectory of my career. It was a wonderful opportunity that allowed me to get very knowledgeable in the privacy and security rules. HIPAA was so new that I had to read through all the beta registers, notices of proposed rulemaking and come up with policies and procedures on my own. I had two colleagues who had consulting backgrounds from Accenture and Ernst & Young, and we worked together to help the hospitals to comply with the regulation. I learned to adopt a consulting mindset.”

“A lot of people think that you have to train your workforce in HIPAA. You don’t. You have to train your workforce on your own policies and procedures—your interpretation of the HIPAA regulations,” says Eggleston. “HIPAA is anything but prescriptive, whereas your procedures would be more prescriptive and your policy is more taking a stance on things.”

When CHI asked Eggleston to move to its Colorado headquarters in 2004, he opted to stay in Pennsylvania and take a new job with Health Partners Plans instead. He has been with HPP ever since. “I had the opportunity to take my knowledge of privacy and security programs and apply it to an HMO instead of a provider. Being familiar with the health care system from my clinical background, this made a lot of sense to me,” he says. At this writing, he holds the position of Vice President, Chief Information Security Officer and Privacy Officer at HPP.

On the personal side, Eggleston says he has always been a beach person. “My family has had a beach house all my life,” he says. “Just having a place at the beach and fishing, kayaking and swimming is very important to me. It’s kind of a … almost a spiritual connection to have that level of tranquility and beautiful surroundings around you. My family’s house is down in the north end of Virginia Beach where the beaches are a little bit more remote than some of the other beaches around here in the north. We’re lucky to have that.”

Boating is another of his passions. “I’ve been boating for a little bit more than a decade. We have a slip and a little runabout boat that my family loves to go out on, and we just kind of relax. Sometimes we crab, sometimes we fish and sometimes we just picnic out on the boat in Chesapeake Bay and really, really enjoy that. That’s probably my biggest hobby.”

Eggleston never quite put down that hammer from his construction days. His family just bought their second house, which he is renovating one room at a time. He says he ran out of rooms to fix up in their first house, so he had to sell it and buy another “project” house. “It’s got a new kitchen, two new complete bathrooms. A completely new basement and now I’m focusing on finishing the kitchen,” says Eggleston. “It’s a lot of work but we get to do it the way we want to and save a ton of money. It gives me a sense of pride to walk around the house knowing that we did all this stuff ourselves. People give us compliments, and I can say, ‘Yeah, that was me and my son.’ I’m happy I can pass the skills along to him.”

Whether it’s building a house or building a HIPAA compliance program from scratch, Eggleston gets satisfaction from leaving his mark on the world.