Meredith Phillips, chief information privacy & security officer at Henry Ford Health System in Michigan, was presented the PHI Hero Award at the 2016 PHI Protection Network Conference in Philadelphia last week.
Phillips was recognized for building a culture of privacy and security across all departments and developing an innovative approach to data breach response. The first step toward a more nimble response to data breaches was the establishment of a new Information Privacy Office (IPO), which has approximately 60 employees, with an expanded scope to include all confidential data. Rather than individuals at separate facilities managing privacy, the new centralized IPO structure ensures consistency and allows the organization to respond more rapidly to new regulations.
Phillips recently became president of the board at the Medical Identity Fraud Alliance, which provides leadership, education and awareness to drive the development of best-in-class technologies and influence changes to regulation regarding personally identifiable information and protected health information (PHI). She also became the chair of the Michigan Healthcare Cybersecurity Council, an independent public-private partnership whose mission is to protect the critical healthcare infrastructure in the State of Michigan and to mature and advance the state of cybersecurity preparedness across the healthcare industry in Michigan.
In accepting the award, Phillips described some of the challenges she has faced at Henry Ford and how she has learned from them. She said getting senior-level executives to embrace change is critical. When Henry Ford suffered a second breach in a fairly short period of time, she found that two people were affected by both breaches. “I required our chief operating officer to call those two patients,” she recalled. “I sat in the room with him, but I wanted him to understand what it took. When we got done, it changed the game for him. He understood the implications of letting physicians walk around with unencrypted Flash drives.”
Similarly, when a device was stolen in a research lab because someone propped open a door with a chair, she had the research administrator sign the letter to the 520 HIV/AIDS patients affected, explaining what happened.
Henry Ford has experienced several breaches over the past few years, and each one provided lessons for how to improve training and practices, and ammunition for Phillips to make a stronger case for change. For instance, in a 2013 breach, old X-ray film containing personal health information of 15,417 patients was stolen from a storage warehouse before the film could be destroyed. (Increasingly, health systems across the country are being targeted by individuals seeking to steal X-ray films to recover the silver embedded in the films.) That storage warehouse was a business associate. In response, Phillips made changes to the business associate program, so that only she and her assistant can sign business associate agreements.
A 2014 breach involved a physician losing an unencrypted Flash drive containing PHI. Phillips said that after all the training and previous breaches, her reaction was, “You have to be kidding me! We don’t use unencrypted Flash drives!” That forced her to redouble education efforts. It is a problem no amount of technology would solve, she said. If you ban Flash drives, employees would find some way to circumvent the ban.
“What I preach to our executives is that it is not about the data; it is about the people,” she said. “Behind every line of data and medical record number there is a person. We do what we do because of the person, not the data. That’s what makes us passionate. When you get on the phone with a patient whose information has been breached, and hear them cry, or how they feel violated, that is not a piece of data, that is a person.”
Precisely because Henry Ford has experienced breaches, its executive leadership has had a wake-up call, she said. They understand that it is a reputational issue and that doing a great job on privacy and security can be a competitive advantage.