Structured For Success: How A Realignment Helped Elevate Security at Henry Ford

When leadership at Henry Ford Health System began to float the idea of combining IT and privacy/security under one umbrella, they knew it might be met with skepticism, so they took to the road. Meredith Harper, now Chief Information Privacy & Security Officer, traveled to every hospital and business unit to speak with stakeholders about why it was necessary, making sure to tailor the message to each group. The plan worked, and HFHS implemented a program that leverages the strengths of five individual verticals to create a more collaborative environment. In this interview, Harper and CIO Mary Alice Annechario talk about the key challenges in securing patient data in a complex setting, their approach to education, how they work to bring consumers into the fold, and their thoughts on how the industry can address the growing workforce gap.

Chapter 1



* About Henry Ford

* 5 verticals of privacy & security

* “It’s a different structure than you might see in other organizations.”

* A balanced approach to people, process & technology

* Building a “culture of confidentiality”

* Importance of branding

* Consumer council — “We feel like it’s our job to educate them.”



LISTEN NOW USING THE PLAYER BELOW OR CLICK HERE TO SUBSCRIBE TO OUR iTUNES PODCAST FEED

Bold Statements

We’ve tried to balance our approach across all of those areas, because to me, good security hygiene is not just a technical fix. It is strong processes put in place to support the business, as well as a focus on training and education.

IT plays a very significant role to create appropriate access protocols, and to teach the organization why this matters, and what our role-based responsibilities are to one another.

That has been one of the heralding successes for us as an organization; that we’ve been able to put together a structure and work together as a solid team without feeling like we had created internal barriers.

We always try to take a very unique approach to things that people don’t always want to listen to.

We’re sharing that message, even if the focus isn’t specific to Henry Ford, and I think that really strengthens our brand. I think it helps our patients feel very comfortable that there are folks who are really paying attention to this and taking it seriously.

Gamble:  Let’s start by getting some background on Henry Ford Health System — what you have in the way of hospitals, group practices, things like that.

Harper:  As I typically say to people, we are a very large organization with a lot of moving pieces. We have six acute care facilities. We have two behavioral health facilities as well as specialty care and service lines that are pretty robust. We have a health plan, we have a medical group with about 1,900 members, and we have the Henry Ford Physicians Network, which has about 900 members. We have a retail division which does things like optical care, pharmacy, and things of that nature. We have a robust research engine and an administrative arm there as well, and about 29,000 employees that are walking and moving and actually providing superb care throughout the system. So again, a pretty large system with a lot of moving pieces.

Gamble:  Right, which makes it all the more critical to have a strong security privacy strategy so that’s where you come into play.

Harper:  Absolutely.

Gamble:  Okay, so I want to talk about the relationship between the CIO and CISO, but I think the best thing to do first is to talk about some of the primary components of the security strategy, and what the main focus is for you.

Harper:  What we tried to do several years ago was take a critical look at what we had built across our enterprise, whether it was focused on the privacy side or the security side.