When leadership at Henry Ford Health System began to float the idea of combining IT and privacy/security under one umbrella, they knew it might be met with skepticism, so they took to the road. Meredith Harper, now Chief Information Privacy & Security Officer, traveled to every hospital and business unit to speak with stakeholders about why it was necessary, making sure to tailor the message to each group. The plan worked, and HFHS implemented a program that leverages the strengths of five individual verticals to create a more collaborative environment. In this interview, Harper and CIO Mary Alice Annecharico talk about the key challenges in securing patient data in a complex setting, their approach to education, how they work to bring consumers into the fold, and their thoughts on how the industry can address the growing workforce gap.
- About Henry Ford
- 5 verticals of privacy & security
- “It’s a different structure than you might see in other organizations.”
- A balanced approach to people, process & technology
- Building a “culture of confidentiality”
- Importance of branding
- Consumer council — “We feel like it’s our job to educate them.”
Harper: As I typically say to people, we are a very large organization with a lot of moving pieces. We have six acute care facilities. We have two behavioral health facilities as well as specialty care and service lines that are pretty robust. We have a health plan, we have a medical group with about 1,900 members, and we have the Henry Ford Physicians Network, which has about 900 members. We have a retail division which does things like optical care, pharmacy, and things of that nature. We have a robust research engine and an administrative arm there as well, and about 29,000 employees that are walking and moving and actually providing superb care throughout the system. So again, a pretty large system with a lot of moving pieces.
Gamble: Right, which makes it all the more critical to have a strong security/privacy strategy, so that’s where you come into play.
Gamble: Okay, so I want to talk about the relationship between the CIO and CISO, but I think the best thing to do first is to talk about some of the primary components of the security strategy, and what the main focus is for you.
Harper: What we tried to do several years ago was take a critical look at what we had built across our enterprise, whether it was focused on the privacy side or the security side. We wanted to determine whether we had the best structure in place to really support the growth strategy for Henry Ford as well as the threat environment that was changing pretty rapidly at the time. So we took a pretty radical approach, with Mary Alice’s support, to combine several areas together, and that makes up the foundation of what we call the information privacy and security office.
We have five verticals that actually roll up underneath that structure, one being network security and another being information security, with one of those focusing on the perimeter, and the other focusing on the governance, the incident response, and security assessment. We have the privacy team, which actually is a part of that structure; the IT audit and risk management group, which is required from a HIPAA security standpoint; and the last group that joined us was the identity and access management group.
That gives us about 53 people across all of our entities that we support, and they provide that necessary skill set for the enterprise. So it’s a different structure than you might see in other health organizations, but when we were doing our research, we found that Intel had a very centralized support model, similar to what we’ve created, and so we were able to learn from others how we could move that structure into the healthcare environment.
So that’s how we’re structured and what we focused on. In addition to that, we try to take a balanced approach to people, process, and technology. People always seem to have the perspective that as a security professional you are a technologist, but we’ve really tried to balance our approach across all three of those areas, because to me, good security hygiene is not just a technical fix. It is strong processes put in place to support the business as well as a focus on training and education, because if the technology fails us — which, at times, it may — we now put the onus in the hands of a person who has to make a judgment call and a decision. How are we helping and equipping them to be able to make the best decision when the time comes? So we do take a very different approach, even when it comes to our strategy, because we do have a great focus and balance across all three of those areas.
Annecharico: I came to the organization with a vision of a culture of confidentiality being one of my primary responsibilities. And, as Meredith described, we had the perfect storm to be able to create, with the approval of senior leadership, a program that would encompass privacy and security within one organic component of the organization — the IT division — in a way that would enable us to teach, lead, govern, and guide our constituencies to know what to do and how to be able to manage responsibilities.
It also was an opportunity for us to identify that it was a shared responsibility rather than that privacy and security was there to administer a service. It really was the development of a privacy and security council that enabled each one of our business stakeholders to participate in policy development as well as in the guidance, the rules of the road, and the framework for how we would educate one another and stay on top of issues together.
I think my perspective, as a clinician, is to assume that we as employees are also consumers of healthcare, and of the power and use of information that gets shared and distributed on the network. So it’s taking a look at our role and responsibility from the consumer, the patient, as well as taking a look at it from the healthcare environment and the regulation that was telling us what we must do, and what we should do, to be able to support the assets and provide efficiencies for our end-user population. As stewards of that activity, IT plays a very significant role to create appropriate access protocols, and to teach the organization why this matters, and what our role-based responsibilities are to one another. We really did evolve the development of the privacy and security program with one another as well as with the endorsement of the organization’s leadership.
And it was creating, within the IT division, separation of duties, as well as collaboration across all of the domains that support this organization. It was creating that connectedness and trust between our groups so that we performed, fluidly, the role-based responsibilities to manage the security and technical aspects, as well as the domain of privacy — the real operational and process aspects. And that has been one of the heralding successes for us as an organization; that we’ve been able to put together a structure and work together as a solid team without feeling like we had created internal barriers to being efficient and effective.
Gamble: When you talk about the culture of privacy/security and really making sure that that permeates throughout the organization, I imagine that has to start at the leadership level.
Harper: I absolutely agree.
Annecharico: I think it also needs to become so practicable that it is, at the grassroots level, something that is of value. Prior to my arrival here, the organization was trying to take a look at cyber risk and cyber security in the framework of guiding and leading people into a protected environment for being able to use and protect the data. Meredith can describe the campaign that was rolled out at the time that I got here.
Harper: Sure. We’ve taken several approaches. To your original point, I think the tone at the top was very synergistic in terms of Mary Alice’s belief, as well as mine, as it relates to the culture of confidentiality that we’re creating. So I think the support really helped drive some of the messaging. But we also learned some lessons about branding and how do we brand some of the programs we’re creating within our privacy and security space where it becomes part of our language. It becomes a part of our fight pattern where, when we see certain things or certain logos, we really pay attention. We perk up and listen to what’s being said, because those messages are supporting the foundation of our program.
We started a couple of different programs, one being I Comply, which is probably our most successful program. This encompasses several different things, and at different times we may focus on different parts of what we consider to be an area of opportunity. When we started the program, we found that we had an exposure as it related to flash drives and portable storage devices that were not encrypted. So we did something very unique and really created a lot of fun and excitement around how we can get these flash drives out of people’s hands. We set up 20 different IT tables across the system and we staffed them. We had contests and we really compelled individuals walking around with flash drives to come and turn them in. We would then transfer the data, no questions asked, to an encrypted device, and take those unencrypted flash drives out of their hands. Within the first four weeks of doing this under the I Comply banner, we were able to get 5,000 flash drives out of our environment.
We always try to take a very unique approach to things that people don’t always want to listen to. They might perceive them as barriers, so how do we create excitement around that? We’ve done several rounds of that, and we are now in phase 9 of I Comply. Last year we focused our branding on threat intelligence and sharing, and how do we strengthen the connections that we have with external organizations as well as internal organizations, because we have several domains that we’re managing throughout the program. How do we increase the level of threat sharing, and how do we use that as an advantage to be able to adjust our posture when needed? So we’ve had very successful iterations of the I Comply program, and we’re pretty proud of what that has become over the years.
Gamble: Branding it like that, I imagine it helps with recognition throughout the organization and becomes more a part of everyday life, instead of how security and privacy tend to be out of sight, out of mind.
Annecharico: It actually is the screensaver on our desktop, so that in public areas as the screensavers come flashing across the screen to protect information, I Comply is a frequent piece of that rotation. This way, folks know that there is an air of responsibility that they have, but they also know that there’s a whole program behind it and support mechanisms for people to anonymously call in issues or concerns, as well as to call and get advice.
It’s not just our workforce. We have members of our community and our consumer population also call in with questions and concerns. We’ve been part of a patient advisory council where we listen to the voice of our consumers, both from the perspective of them being engaged in our care cycles, as well as concerns about privacy and security that we would love to help them model in their homes and on the devices that they use. So it extends far beyond just the element of our workforce. It’s how we reach out into the community and make this feel like an organic service that we provide.
Gamble: How were you able to get that message out to the public?
Harper: We do it a couple of ways. It’s very interesting. We actually have our community partners or folks in the community contact our office because they heard that Henry Ford Health System’s privacy and security office will talk to them about everyday concerns that they may have, even within their own environment. We get phone calls about whether they should use certain email programs — are they really secure. So we’ve created this great pipeline with our customer base where they feel comfortable discussing things with us. Sometimes they’re not even Henry Ford-related, but we feel that it’s our job to educate them on all things privacy and security, whether it’s Henry Ford or not, and I think they appreciate that.
The other part is we participate in so many different committees that are external to Henry Ford. I am the chair of the Michigan Healthcare Cybersecurity Council, which encapsulates about 26 CISOs across the state of Michigan within healthcare. So we’re sharing information at that level as well, and providing them with an outlet to be able to call us and have those conversations. I personally spend a lot of time with community organizations focusing on STEM, where we’re talking not only about privacy and security in general, but they also want to hear what we’re doing at Henry Ford. That’s always a component of it.
So we’re sharing that message, even if the focus isn’t specific to Henry Ford, and I think that really strengthens our brand. I think it helps our patients feel very comfortable that there are folks who are really paying attention to this and taking it seriously. One of the things we pride ourselves in with our team is that we get up every day, stay up late at night, and do what we do because of one thing and one thing only, and that’s our patients. We are pretty passionate about our patients. Sometimes people understand our passion, sometimes they don’t, but we are there for our patients. We want to protect them and educate them the best way that we can, so anything we can do to help move that along, we’re okay with it.
Chapter 2 Coming Soon…