When leadership at Henry Ford Health System began to float the idea of combining IT and privacy/security under one umbrella, they knew it might be met with skepticism, so they took to the road. Meredith Harper, now Chief Information Privacy & Security Officer, traveled to every hospital and business unit to speak with stakeholders about why it was necessary, making sure to tailor the message to each group. The plan worked, and HFHS implemented a program that leverages the strengths of five individual verticals to create a more collaborative environment. In this interview, Harper and CIO Mary Alice Annecharico talk about the key challenges in securing patient data in a complex setting, their approach to education, how they work to bring consumers into the fold, and their thoughts on how the industry can address the growing workforce gap.
- Building a business case for security
- “No organization can put into place everything that needs to be done.”
- Combining IT & security under one umbrella
- IP & S roadshow: “It took a year of talking, socializing & evangelizing.”
- Constant education — “The threat horizon is changing every year.”
- Dialogues with medical device manufacturers
- “The more conversations we have, the better understanding we have.”
Annecharico: Another way to emphasize what we do outside of the organization and in the consumer realm is the speaking engagements that we have as well as the other committees and memberships that we have with peers across the industry. Everyone is looking for best practices, and we believe that in many ways we’ve enabled other organizations to start thinking differently about the separation of privacy from security, one aspect perhaps being within the IT domain and another aspect not being in that space. It really doesn’t matter where it ultimately ends, but we felt that we had a great grounding by being able to incorporate cellophane around a program that made it as transparent and made it as workable and believable across this organization, so that when we are talking with our consumers either inside or outside the organization, the messaging is the same.
We look at risk from the lens of the consumer: what would we do, what should we do, and if we were in the shoes of the consumer, what should be done for us to protect information about us. And that means looking at the strategy within the organization and building a budget that will help us incorporate the things that we know we must do and that we should do in a way that provides a body of evidence that is supportable both to the board’s expectation of what a culture of confidentiality looks like, and also what our system can afford in terms of resources and capital and operating expense to support that.
Gamble: That’s something I definitely want to touch on — the challenge for some organizations in making the business case to sell this. I know everyone understands that cybersecurity is important, but are there different ways that organizations with a smaller budget can emphasize the importance of putting these programs into place?
Annecharico: That’s the age-old question. Most organizations can’t afford to put in place everything that needs to be done; actually, no organization can afford to put in place everything that needs to be done, and risk doesn’t go away once you have completed a technology or a program. It is forever growing, and we need to be vigilant about what risk looks like, because that threat window, as Meredith described, always changes. Our strategic attempt here to validate what we believed needed to be part of the strategy and the implementation process to continue to widen the scope of the work that we were doing to protect the networks and to protect the data, was borne out by an assessment that we had done. Meredith can describe the process we used, as well as the outcomes and events that helped us create the visibility we needed.
Harper: I think it was a series of conversations. One of the things that we attempted to do when we started to streamline our program and pull it all under one umbrella was what I call the IPSO road show. I went out to every one of our hospitals and business units, and connected with leaders that would be key stakeholders of the work that we’re doing in our space, and talked with them about why we’re here and the importance of the work that we do in our space and how that’s going to benefit them. And I really started to shift the language. One thing that’s a pet peeve when I speak with colleagues is that we don’t tailor our communication to the audience we’re speaking with. When we start to talk a lot of ‘tech speak’ to clinicians, that doesn’t resonate with them.
So I took it upon myself to say, how do I set the stage, with the support of Mary Alice and the leadership, to talk through some of the operational challenges that are happening within our business units and our service lines — things that are very critical to us? How do I shift the discussion to help them to understand how the things we do in our space really help to support the work that they do? It took about a year of us talking, socializing, and evangelizing about the importance of it, as well as the risk framework we were going to use. How were we going to staff it centrally? How were we going to support it locally? It was a lot of what I would consider to be shaking hands and kissing babies that had to happen.
I think once we got to the end of that, we found that we had a very strong support base from our key stakeholders who understood why we were here. They knew that it was going to be a shift and a change to their normal processes, but it was for the better. It wasn’t because there was a hammer being brought down by the security team saying, ‘you have to do these things.’ We did tell them they had to do it, but we also told them why they had to do it and the benefits of doing it, which I can’t really say was part of our message 10 years ago. It was a very different message. We’ve evolved that over time and it’s been pretty successful for us in terms of gaining that support and really rolling out the initiatives that we have to roll out.
Annecharico: I think another driver that changed some of that complexion was HITECH and the rigor around what was expected of us as organizations. We know as human beings that we’re going to have missteps in the work that we do. Our overriding responsibility is to do no harm, and that safety comes above everything else. We sometimes make mistakes; we sometimes put information in harm’s way and it may get exposed, and you hope it’s only internally, that the wrong department got a lab result on Mary Alice. But at other times it’s essential that we take a look at how we manage and protect in a way that teaches individuals that there are different ways. We have a series of resources that are available to help problem-solve and answer questions that may guide someone in a different direction.
Gamble: That goes along the lines of education. I imagine that has to be something that’s really multifaceted as far as keeping the staff and the community educated, especially when there are so many different types of threats out there.
Annecharico: We have programs that help educate. We have mandatory education on an annual basis, much like all organizations do, that identify things like fire safety as well as disaster planning and chemical safety. We also have a segment for privacy and security where we bring the workforce members up to speed with what might have changed in the year preceding, while also making them very aware of the basics and the threat horizon that is changing every year. We need to make sure they are able to protect themselves as well as protect the organization, and so education is multifaceted.
When there are incidents that require us to step in and help take a look at what might have happened and what might have been preventable, those breakthrough moments of, this is what happened and this is how we can prevent it in the future, are some of the most valuable aspects of education that Meredith’s team puts into play.
Harper: I think one of the other things that has been very successful as we talked about shifting the culture and behavior and training and education, is that when we have unfortunate incidents or failures in processes, it’s required as a part of our investigation that we retrain the entire department. We will come back and retrain folks one-on-one as much as we have to until we no longer see any concerns or issues in that specific area. I think the repetitive nature of some of those training sessions has also caused a really interesting dynamic where we find that our teams, even though they love us, don’t want to hear us over and over again talking about the same thing, so they start to police themselves. We’d find them training and educating each other on the fly as things were happening, and that was a really good thing for us to see where they were starting to take ownership of what even their coworkers were doing, which I thought was really great.
Gamble: That shows that the message is getting through.
Annecharico: One area we’ve not talked about is the mobility of our workforce. They’re being driven by consumer demand and the availability of technology that enables people to be more efficient and effective, or more connected. Sometimes it’s not more efficient and sometimes it’s not more effective, but it is connected. So this landscape of mobility has created a number of challenges, but it also has created a number of opportunities for us to standardize processes and standardize on technologies that we know we can protect. And we are able to partner with our clinical staff; whether it’s iPhones for our medical groups or portable devices like iPads and laptops, we have a standard that is widely received. And yet, it doesn’t bottleneck us into a single platform or a single domain of technology while we try to look at what the consumer-driven needs are and try to meet them where they are, as well as establish a set of standards that will help guide us.
Gamble: Are those standards for smartphones or for medical devices — or both?
Annecharico: Medical device standardization is something we are also doing, and I would say that it’s analogous to the work that Meredith and her team are doing. But in the space of our clinical engineering and connecting medical equipment to computers, that’s a space that is relatively new for IT to manage. It has opened up a world of tremendous opportunity for us to standardize the footprint of the technologies that we will use across the system so that, at the same time, we have a standard configuration that we can protect, and that we are aware of vulnerabilities that may exist and how we can manage them, because sometimes you can’t eliminate them. You need to manage them or mitigate as much risk as you can.
Harper: The other thing we’ve attempted to do by way of advocacy with medical device manufacturers specifically is we are talking to them more and more about the challenges that we’re facing with the devices that they’re manufacturing. Are they always taking into consideration some of the operational constraints that we may have, and what exposure we have because of that particular device?
So there’s movement in that relationship building with the medical device manufacturer community. It probably could be much better, and moving forward, we hope we can continue to do that. But I know that we’ve engaged in those conversations — specifically around devices that are FDA-approved, because there are other requirements we have to meet, and being able to touch and secure those devices could invalidate the FDA certification. So how do we come up with other ways, whether we’re looking at physical security or whether we’re looking at some other compensating controls to be able to manage that device more effectively?
My perspective is the more conversations we have, the better understanding we’ll have, and hopefully we can come to a solution together as two industries that are supporting each other.