At the Raleigh HIT Summit, Henry Ford Privacy Chief Harper Urges HIT Leaders to Action
Henry Ford Health System chief privacy officer Meredith Harper kicked off the Cybersecurity Forum—day two of the Health IT Summit in Raleigh—with a compelling presentation on the journey of her organization into intensified IT security readiness
Henry Ford’s Meredith Harper kicked off the Cybersecurity Forum in Raleigh with a compelling presentation
In her keynote presentation to the audience at the Cybersecurity Forum, on day two of the Health IT Summit in Raleigh, sponsored by Healthcare Informatics, Meredith Harper, chief privacy officer at Henry Ford Health System (Detroit), urged audience members to move assertively to bake attention to patient data security and privacy into their organizations’ cultures. In an address entitled “Beauty and the Breaches: Results of an Attack at Henry Ford Health System,” Harper described four data breaches within the period of a few years that rocked her health system, but which also led to a transformation of Henry Ford’s culture around data, especially protected health information (PHI). And Harper’s presentation was followed by a lively discussion of CIOs’ responses to the WannaCry and Petya/NotPetya global cyberattacks this spring.
As the conference’s program agenda noted, “For Henry Ford Health System, cybersecurity has been a journey of continuous quality improvement and team collaboration. Response plans ultimately netted beautiful results, as Henry Ford's Privacy and Security team ultimately expanded its security scope following multiple high-risk scenarios over the course of the past seven years.”
Speaking of the first breach, which involved the theft of a physician laptop with PHI on it, Harper said that it was becoming clear to her and her team that the Henry Ford organization faced a certain ongoing set of vulnerabilities, despite having taken a series of actions to remediate the immediate situation. Referring to the executives in her organization, she said, “What I wanted them to see was that our culture was structured in such a way that this would happen again and again. What we realized,” she said, “was that the [data security] program was quite fragmented. We had security controls being put in place that were creating privacy problems.”
One of the most important points, Harper told her audience, is this: “The key to all of this is that your organization’s culture has to be a part of the discussion. The old adage that ‘culture will eat strategy for lunch every time’ is absolutely true,” she said.
Harper and her team made numerous important changes—among them, consolidating five previously disparate areas (information privacy, risk management, network security, and information security) into a single unit under her direction, and tightening many processes. Among other things, Harper said, “We realized that we did not have a centralized investigative unit within my department, so I created it,” in order to achieve the level of investigative rigor needed and to avert the leaking of information beyond appropriate team members. “It gave us the ability to objectively investigate events without the inherent conflict with some line managers,” she said.
With regard to the physician who was at fault in the second breach, she told her audience, “We found that some levels of leadership were trying to cover for the physician in order to prevent his being disciplined, so we had to take that responsibility out of their matrix. Now, line managers support privacy and security investigations, but they don’t lead any such investigations; any such situations have to come to our team for investigation.”
Further, the breach led to the creation of integrated privacy and security councils, as well as to a rapid-response team, called the “Code B Alert Team,” with “B” standing for “breach” in that context. “The rapid-response workgroup was established to centrally respond to and manage all system data breaches,” Harper noted.
Nevertheless, a second breach occurred in 2011, when a pharmacy resident lost his unencrypted flash drive in the parking lot of a local McDonald’s restaurant. Because that flash drive stored a spreadsheet of compiled information on 4,000 patients, Harper personally led a team of colleagues who combed through the lot physically, but they were unable to locate it. That incident led to an additional policy and operational change at Henry Ford: a new rule was instituted under which only flash drives provided and authorized by the organization, and fully encrypted, could be used in the health system.
“We reported this incident to the CEO, COO, and board again,” Harper noted. “And I looked back at the previous incident to see if we had some frequent flyers who had been part of the previous incident; and it turned out that we did. So the thing is that this is bigger than just containing an incident; our job is to restore patients’ faith in Henry Ford Health System.” As a result, she engaged the executives who led the calls to the impacted patients. That gave them the ability to understand all that goes into restoring the faith of an affected patient.
Meanwhile, Harper said, referring to an icon that was created in order to notify Henry Ford staff of any future breach, “We trained all 30,000 team members that anytime you see that big blue B, for a Code Breach Alert, you need to discuss the situation with your teams. We realized that we had not briefed the frontline staff in the clinics and hospitals, and realized that we needed to figure out how to help them comfort patients on the front line.”