When leadership at Henry Ford Health System began to float the idea of combining IT and privacy/security under one umbrella, they knew it might be met with skepticism, so they took to the road. Meredith Harper, now Chief Information Privacy & Security Officer, traveled to every hospital and business unit to speak with stakeholders about why it was necessary, making sure to tailor the message to each group. The plan worked, and HFHS implemented a program that leverages the strengths of five individual verticals to create a more collaborative environment. In this interview, Harper and CIO Mary Alice Annecharico talk about the key challenges in securing patient data in a complex setting, their approach to education, how they work to bring consumers into the fold, and their thoughts on how the industry can address the growing workforce gap.
- Threat-sharing with police, FBI — “If we have better information, we can prepare ourselves better.”
- PHI Protection Network Conference
- Addressing the cybersecurity workforce shortage — “We have to get more creative.”
- Value of a diverse leadership team
- CIO & CISO in lockstep
- “You have to have a united front.”
Gamble: From your perspective, Meredith, what would you say is one of the biggest challenges on your plate? I mean, is it just the fact that there are so many different types of threats out there, or what would you say is really the toughest thing that you deal with?
And so we’re really trying to get our process refined enough and test it out enough, because that’s the other piece. Even when we look at something as simple as incident response — and I know everyone has done this incident response plan — when we put it on paper, it looks really nice and wonderful. But when the incident is happening, do we really go back to those plans and really follow them appropriately? And do we test them out? Because just having the plan on paper without testing the plan to be able to refine it doesn’t really help you. I think that we are all challenged with that, specifically at Henry Ford.
The other challenge is in threat-sharing and the intelligence. We’ve tried to create some very strong relationships with organizations, including police authorities like the Michigan State Police, or the FBI or Secret Service, which we worked with in the past. But I think getting advanced knowledge from those organizations when they see anomalies happening in other industries that are very similar to ours is key. Typically when we see things happening in the educational environment at the university level, normally healthcare is the next industry to experience that wave of anomalies. If we had better information about what’s going on in other industries, we could prepare ourselves a little bit better. And so that intelligence, communication, and advanced intelligence is something we struggle with, because some of this information is classified, and unless we are holding security clearances with that particular agency, we can’t always get access to that information. So we’re at a disadvantage a little bit when it comes to that.
Annecharico: I would also state that Meredith, as humble as she is, is a part of so many of those networks, and is credentialed in having access to information that many other organizations don’t have access to. That does two things — that helps us, but it also helps her versatility in helping create the boot camp environment to help other organizations move some of their agendas forward in realizing that there are alignments and associations outside of their own space that they need to reach out and establish relationships with.
Gamble: Right. I had seen that Meredith was recognized at the PHI Protection Network Conference for work in the space. What did having that type of recognition mean to you and to the organization?
Harper: I think it does a couple of things. It communicates and demonstrates to our customer base, our clients, our patients, and our guests that Henry Ford is taking this seriously. This is serious for us. We not only want to be a part of the industry, we want to be innovators in the industry. We want to be the forerunners, and I think we’ve been really successful in trying something new and seeing how it works. It works perfectly and it does a good service to the organization, and so I think it shows outwardly that we are interested.
For me personally, it supports what my core beliefs are — why I get up every day and do the work that I do. I’m committed to people and I’m really connected to people, whether those people are patients, staff members, our senior leadership, or our doctors, and I work very hard to be able to make sure they see the value in what we’re doing and have a level of comfort that someone is keeping their eyes and their ears out for the organization.
So it was a great humbling honor. I’m a little shy when it comes to accolades and things of that nature, but it was a very humbling honor. I love to do work with the PHI Protection Network, and it’s been really a great experience over the years. I actually spoke at their first conference when Rick Kam first put that group together and so to see where we are now versus where we were several years ago, it’s really amazing. So it was a great honor.
Gamble: Another area I want to touch on is the talent and expertise in this field, which is certainly something we’d like to see increase. How are you working to try to build your own talent in this area, and what does the industry need to do?
Harper: This is definitely my favorite topic. I think there’s so much more work that we have to do in order to prepare students that have applied to degree programs that really put them in the space. I have attempted to work with organizations like universities within the Detroit market to sit on their advisory boards and help them devise curriculums that really are going to be operational quickly. So when that person gets out of school, let’s teach them what they really need to know to hit the ground running.
We’ve had some really great successes with helping develop those programs for the University of Detroit Mercy as well as Walsh College in Troy, Michigan. I think we struggle when it comes to the talent gap that we see within security. And it’s nothing specific to Henry Ford or to the Detroit area; this is really a national crisis from my perspective.
We’ve seen data which tells us that by 2020, we’re going to have about 1.5 million security-related roles that will be unfilled. We have to figure out a way to fill those 1.5 million jobs across the world. How can we do that? I think we have to do a couple of different things. We have to expose children, as well as women and minorities, to STEM careers and STEM disciplines much earlier than we’ve been doing. It is bigger than just giving your kid an iPad and sitting them on the couch. I’m talking really exposing them to the world of coding or to the world of technology long before we give them an iPad to watch a movie on. It’s a little bit deeper than that.
Also, we have to be a little bit more creative. When I look at some of the streams of individuals that have come into our team, they haven’t been fully skilled in the things that we really want them to be skilled in from a technical standpoint, and so we taught them those things. Our philosophy has always been if we can find someone who is ambitious, who has a genuine interest in supporting our patients, who loves the mission of Henry Ford Health System, we will give them a chance. We will train them in the things we need them to know in order for them to be security, privacy, identity, or risk specialists. That’s the approach we have taken to close that gap a little bit, but I think as we start to look at the higher level of talent that we need — because the longer you stay in this field, the more skills are needed — that’s where we are going to be continually challenged. I think there is a pay inequity that happens in this space where we’re not always able to pay what some of these really high profile and highly skilled jobs require in order for us to retain them. And again, that’s not specific to Henry Ford; everyone is having this issue.
So I think you have to be creative. And we’ve attempted to be creative, whether we’re training people (we call them ‘green beans’) from the ground up and bringing them in, or whether we do some advocacy in the educational arena to see if we can increase the level of students coming out of these programs that we can tap for internships or for entry level roles within our team.
Diversity also is a huge thing for me. With Mary Alice being a woman leader and myself being an African-American woman leader, I really appreciate the diversity we have among our team at this point. It’s very much supported by Mary Alice and by Henry Ford Health System, and I think making sure we have a diverse workforce really helps us become the best that we can be, and to use everyone’s talents and experiences to be able to solve problems for our organization. I think there’s more work that the industry can do even in that space. We have to entertain women more. We have to entertain minorities more. We have to show that this is just not a male-dominated field. And the way we do that is by introducing girls to this much earlier than we typically have in the past.
Annecharico: Both Meredith and I have been heavily involved in STEM development across multiple different organizations. It is now becoming almost the footprint of development across many, many corporations that didn’t really think about it before, but as women have evolved in the industry whether it is technology, science, math, or even the evolution of innovation, we realize we need to do more. And now we are developing cohorts of organizations that are looking for the same types of things. So I think we are finally gaining some traction, but we need to be able to bring individuals into this line of work, because as Meredith was describing, we’re competing with the automotive industry in this area, with Microsoft, and with the banking industry, which can pay significantly more for talent. So are we going to be the development bid for inward and upward mobility, or will they be upward and outward transient members of the workforce? If we don’t create a pipeline to the evolution of those that become thirsty for learning and are challenged by the kind of work that healthcare invites, we aren’t going to make traction in that area.
Gamble: I’d like to get your final thoughts on the leaders’ evolving role in security, and the importance that all leaders — especially the CIO and CISO — are in lockstep when it comes to this.
Annecharico: They must be in lockstep. Whether they are in a direct reporting line or whether they’re in complementary reporting lines, there’s a synergy that needs to be created and maintained between what a CIO’s responsibilities are to an organization, and those of the chief privacy and security officer. Those roles must be very much aligned. If we separate them out and think differently about our joint goals and objectives, neither one of us will succeed. I have truly been privileged to work with Meredith and develop the program that she has grounded here as an opportunity to give evidence to the fact that this can work — it does work. The growth we’ve had and been able to sustain is a positive product of that outcome.
We think back to the evolution of HIPAA hitting the healthcare environment with privacy in 2003 and security in 2005, as the regulations and format of the rules came out, we were very separate, because there wasn’t alignment. And it threw so many healthcare organizations into somewhat of a chaos state because they didn’t know how to manage the relationships, let alone manage the responsibilities. But I think over time we’ve realized we needed to create some practicability out of the rule and understand what we could do and what we should do together to unite to make that more organic to an organization’s culture.
Harper: I absolutely agree, Mary Alice. I liken our relationship to super heroes where you have to have that united front. We all have different powers, if you will, but I think when you look at the complement across the whole team, we bring all of our super powers together to really support the organization and protect it. The work that we do in our space will be much more difficult if the relationship between the CIO and the CISO was not a good relationship. And I’m going to be honest, talking to my colleagues, I know many of them are challenged with that to the point where they’ll say, ‘Can we come and work for you? Because your CIO gets it.’ So I think there’s a lot more work that some CIOs may have to do to not see their CISOs as barriers or to see their CISOs as the opposing party or the enemy.
Mary Alice has offered an environment where we can all collectively, as our leadership team, bring our own powers to the table. We all have something different, and I think it complements our entire environment, regardless of whether we’re speaking about a specific application or the infrastructure, or we’re talking about security.
So I think that relationship is key, and it’s critical. There are other reporting relationships that people have chosen to go with in terms of structure. Some of them have worked, some of them have not, but I have seen nothing but positivity coming from the way that we’ve chosen to do things at Henry Ford. And again, it has a lot to do with the relationships that we have between our two functions.
Gamble: Right. Well, I think that this is going to be really interesting for our readers and listeners. It’s been really fascinating for me too to hear about just the really unique approach that your organization has taken, and I want to thank you so much for the time.
Harper: Thank you. We appreciate it.
Annecharico: It’s been a pleasure for us as well, thank you.