In her keynote presentation to the audience at the Cybersecurity Forum, on day two of the Health IT Summit in Raleigh, sponsored by Healthcare Informatics, Meredith Harper, chief privacy officer at Henry Ford Health System (Detroit), urged audience members to move assertively to bake attention to patient data security and privacy into their organizations’ cultures. In an address entitled “Beauty and the Breaches: Results of an Attack at Henry Ford Health System,” Harper described four data breaches within the period of a few years that rocked her health system, but which also led to a transformation of Henry Ford’s culture around data, especially protected health information (PHI). And Harper’s presentation was followed by a lively discussion of CIOs’ responses to the WannaCry and Petya/NotPetya global cyberattacks this spring.
As the conference’s program agenda noted, “For Henry Ford Health System, cybersecurity has been a journey of continuous quality improvement and team collaboration. Response plans ultimately netted beautiful results, as Henry Ford’s Privacy and Security team ultimately expanded its security scope following multiple high-risk scenarios over the course of the past seven years.”
Speaking of the first breach, which involved the theft of a physician laptop with PHI on it, Harper said that it was becoming clear to her and her team that the Henry Ford organization faced an ongoing set of vulnerabilities, despite having taken a series of actions to remediate the immediate situation. Referring to the executives in her organization, she said, “What I wanted them to see was that our culture was structured in such a way that this would happen again and again. And three months before we had put into place a policy for breach response, we had a breach involving the family of a [Detroit] Tigers player. What we realized,” she said, “was that the [data security] program was quite fragmented. We had security controls being put in place that were creating privacy problems.”
One of the most important points, Harper told her audience, is this: “The key to all of this is that your organization’s culture has to be a part of the discussion. The old adage that ‘culture will eat strategy for lunch every time’ is absolutely true,” she said.
Harper and her team made numerous important changes, among them consolidating four previously disparate areas (information privacy, risk management, and network information among them) into a single unit under her direction, and tightening many processes. Among other things, Harper said, “We realized that we did not have a centralized investigative unit within my department, so I created it,” in order to achieve the level of investigative rigor needed and to avert the leaking of information beyond appropriate team members. With regard to the physician who was at fault in the second breach, she told her audience, “We found that some levels of leadership were trying to cover for the physician in order to prevent his being disciplined, so we had to take that responsibility out of their matrix. Now, no line manager can investigate privacy or security breaches; any such situations have to come to our team for investigation.”
Further, the breach led to the creation of integrated privacy and security councils, as well as to a rapid-response team, called the “Code B Alert Team,” with “B” standing for “breach” in that context. “The rapid-response workgroup established to centrally respond to and manage all system data breaches,” Harper noted.
Nevertheless, a second breach occurred in 2011, when a pharmacy resident lost his unencrypted flash drive in the parking lot of a local McDonald’s restaurant. Given that the flash drive stored a spreadsheet of compiled information on 4,000 patients, Harper personally led a team of colleagues who physically combed through the lot, but they were unable to locate it. That incident led to an additional policy and operational change at Henry Ford: a new rule was instituted under which the only flash drives permitted in the health system are those provided and authorized by the organization, and fully encrypted.
“We reported this incident to the CEO, COO, and board again,” Harper noted. “And I looked back at the previous incident to see if we had some frequent flyers who had been part of the previous incident; and it turned out that we did. So the thing is that this is bigger than just containing an incident; our job is to restore patients’ faith in Henry Ford Health System.” As a result, she required the pharmacy resident to sit in the room with her as she notified patients affected by that breach.
Meanwhile, Harper said, referring to an icon that was created in order to notify Henry Ford staff of any future breach, “We trained all 30,000 team members that anytime you see that big blue B, for a Code Breach Alert, you need to discuss the situation with your group. We actually had not briefed the frontline staff in the clinics and hospitals, and realized that we needed to figure out how to help them comfort patients on the front line” when patients were notified.
Harper and her team also created a new program, called the iComply Program, in order to safeguard health system information. It includes the following phases:
> Phase I targeted portable storage devices
> Phase II targeted “culture” through educational modules
> Phase III focused on reducing the organization’s “unsecured” printer footprint
> Phase IV targeted the culture in order to reinforce HITECH and Omnibus federal privacy requirements