When leadership at Henry Ford Health System began to float the idea of combining IT and privacy/security under one umbrella, they knew it might be met with skepticism, so they took to the road. Meredith Harper, now Chief Information Privacy & Security Officer, traveled to every hospital and business unit to speak with stakeholders about why it was necessary, making sure to tailor the message to each group. The plan worked, and HFHS implemented a program that leverages the strengths of five individual verticals to create a more collaborative environment. In this interview, Harper and CIO Mary Alice Annecharico talk about the key challenges in securing patient data in a complex setting, their approach to education, how they work to bring consumers into the fold, and their thoughts on how the industry can address the growing workforce gap.
Chapter 2
* Building a business case for security
* “No organization can put into place everything that needs to be done.”
* Combining IT & security under one umbrella
* IP & S roadshow: “It took a year of talking, socializing & evangelizing.”
* Constant education — “The threat horizon is changing every year.”
* Dialogues with medical device manufacturers
* “The more conversations we have, the better understanding we have.”
Bold Statements
No organization can afford to put in place everything that needs to be done, and risk doesn’t go away once you have completed a technology or a program. It is forever growing, and we need to be vigilant about what risk looks like, because that threat window always changes.
They knew it was going to be a shift in their normal processes, but it was for the better. It wasn’t because there was a hammer being brought down by the security team saying, ‘you have to do these things.’ We did tell them they had to do it, but we also told them why they had to do it.
We’d find them training and educating each other on the fly as things were happening, and that was a really good thing for us to see where they were starting to take ownership of what even their coworkers were doing.
That’s a space that is relatively new for IT to manage. It has opened up a world of tremendous opportunity for us to standardize the footprint of the technologies that we will use across the system.
Annecharico: Another way to emphasize what we do outside of the organization and in the consumer realm is the speaking engagements that we have as well as the other committees and memberships that we have with peers across the industry. Everyone is looking for best practices, and we believe that in many ways we’ve enabled other organizations to start thinking differently about the separation of privacy from security, one aspect perhaps being within the IT domain and another aspect not being in that space. It really doesn’t matter where it ultimately ends, but we felt that we had a great grounding by being able to incorporate cellophane around a program that made it as transparent and made it as workable and believable across this organization, so that when we are talking with our consumers either inside or outside the organization, the messaging is the same.
We look at risk from the lens of consumer: what would we do, what should we do, and if we were in the shoes of the consumer, what should be done for us to protect information about us. And that means looking at the strategy within the organization and building a budget that will help us incorporate the things that we know we must do and that we should do...