At the Raleigh HIT Summit, Henry Ford Privacy Chief Harper Urges HIT Leaders to Action
Henry Ford Health System chief privacy officer Meredith Harper kicked off the Cybersecurity Forum—day two of the Health IT Summit in Raleigh—with a compelling presentation on her organization’s journey into intensified IT security readiness.
In her keynote presentation to the audience at the Cybersecurity Forum, on day two of the Health IT Summit in Raleigh, sponsored by Healthcare Informatics, Meredith Harper, chief privacy officer at Henry Ford Health System (Detroit), urged audience members to move assertively to bake attention to patient data security and privacy into their organizations’ cultures. In an address entitled “Beauty and the Breaches: Results of an Attack at Henry Ford Health System,” Harper described four data breaches within the period of a few years that rocked her health system, but which also led to a transformation of Henry Ford’s culture around data, especially protected health information (PHI). And Harper’s presentation was followed by a lively discussion of CIOs’ responses to the WannaCry and Petya/NotPetya global cyberattacks this spring.
As the conference’s program agenda noted, “For Henry Ford Health System, cybersecurity has been a journey of continuous quality improvement and team collaboration. Response plans ultimately netted beautiful results, as Henry Ford's Privacy and Security team ultimately expanded its security scope following multiple high-risk scenarios over the course of the past seven years.”
Speaking of the first breach, which involved the theft of a physician’s laptop with PHI on it, Harper said that it was becoming clear to her and her team that the Henry Ford organization faced an ongoing set of vulnerabilities, despite having taken a series of actions to remediate the immediate situation. Referring to the executives in her organization, she said, “What I wanted them to see was that our culture was structured in such a way that this would happen again and again. What we realized,” she said, “was that the [data security] program was quite fragmented. We had security controls being put in place that were creating privacy problems.”
One of the most important points, Harper told her audience, is this: “The key to all of this is that your organization’s culture has to be a part of the discussion. The old adage that ‘culture will eat strategy for lunch every time’ is absolutely true,” she said.
Harper and her team made numerous important changes—among them, consolidating five previously disparate areas (information privacy, risk management, network security, and information security) into a single unit under her direction, and tightening many processes. Among other things, Harper said, “We realized that we did not have a centralized investigative unit within my department, so I created it,” in order to achieve the level of investigative rigor needed and to avert the leaking of information beyond appropriate team members. “It gave us the ability to objectively investigate events without the inherent conflict with some line managers.”
With regard to the physician who was at fault in the second breach, she told her audience, “We found that some levels of leadership were trying to cover for the physician in order to prevent his being disciplined, so we had to take that responsibility out of their matrix. Now, line managers support privacy and security investigations, but they don’t lead any such investigations; any such situations have to come to our team for investigation.”
Further, the breach led to the creation of integrated privacy and security councils, as well as to a rapid-response team, called the “Code B Alert Team,” with “B” standing for “breach” in that context. “The rapid-response workgroup was established to centrally respond to and manage all system data breaches,” Harper noted.
Nevertheless, a second breach occurred in 2011, when a pharmacy resident lost his unencrypted flash drive in the parking lot of a local McDonald’s restaurant. Because that flash drive stored a spreadsheet of compiled information on 4,000 patients, Harper personally led a team of colleagues who physically combed through the lot, but they were unable to locate it. That incident led to an additional policy and operational change at Henry Ford: a new rule was instituted under which only flash drives provided and authorized by the organization, and fully encrypted, could be used in the health system.
“We reported this incident to the CEO, COO, and board again,” Harper noted. “And I looked back at the previous incident to see if we had some frequent flyers who had been part of the previous incident; and it turned out that we did. So the thing is that this is bigger than just containing an incident; our job is to restore patients’ faith in Henry Ford Health System.” As a result, she engaged the executives in leading the calls to the impacted patients, which gave them a first-hand understanding of all that goes into restoring the faith of an affected patient.
Meanwhile, Harper said, referring to an icon that was created in order to notify Henry Ford staff of any future breach, “We trained all 30,000 team members that anytime you see that big blue B, for a Code Breach Alert, you need to discuss the situation with your teams. We realized that we had not briefed the frontline staff in the clinics and hospitals, and realized that we needed to figure out how to help them comfort patients on the front line.”
Harper and her team also created a new program, called the iComply Program, in order to safeguard health system information. It includes the following phases:
- Phase I targeted portable storage devices
- Phase II targeted “culture” through educational modules
- Phase III focused on reducing the organization’s “unsecured” printer footprint
- Phase IV targeted the culture in order to reinforce HITECH and Omnibus federal privacy requirements
- Phase V targeted BYOD (bring-your-own-device) mobile and broad mobile device management
- Phase VI focused on vendor risk management
- Phase VII involved a maturity assessment of the cybersecurity program
- Phase VIII involved the creation of a video series entitled “Why iComply?”
- Phase IX involved threat intelligence-sharing initiatives
The work around all this is ongoing, Harper told her audience. “We continue to roll out iComply training—which is mandatory for all staff—across the organization.”
Meanwhile, a third breach within nine months occurred late in 2011. In that case, an iMac device was stolen that had information on 500 patients with HIV/AIDS on it. A staff member working in one of the health system’s research labs had propped open a door to one of the lab rooms with a chair so that she could run to the restroom and come back in without having to enter securely; while the chair was keeping the door open, someone came in and stole the laptop. “We moved through things pretty quickly and smoothly,” she noted, having improved processes around breaches. What’s more, “technology would not have helped me in this instance,” as it was human misconduct that had led to that breach.
So that third incident, Harper told her audience, led to an intensification of efforts to continually educate all staff members. “We went directly to departments, and trained individuals with access to [sensitive data]. We did board training. We also found that we were getting a lot of general questions from patients and community members, often having nothing specifically to do with Henry Ford; so we took the opportunity to brand the conversations we were having with them. We now do chat sessions with our patients, so that they can ask questions.” That initiative has been branded under the moniker “SecureSpeak.”
Still, the saga was not yet over even after that third incident. In 2013, a storage facility experienced a strange kind of theft. As Harper explained to her audience, there is silver embedded in old radiological films, silver that can be extracted and sold. In this incident, two loading-dock workers stole a batch of old films and attempted to extract the silver from them themselves. The old-style films carry patient information directly on them, which meant that the PHI of more than 15,000 patients had been exposed.
That incident led to further refinements of the organization’s privacy and security initiative. Harper told her audience, “I had no idea at that point how many business associates we had. At that point, any manager could enter into a contract with a business associate; so we decided to bring that in-house, inside our team. And we made it so that only I and one other person could authorize the signing of an outside contract with a business associate. We have more than 1,500 business associates—that’s 1,500 opportunities for breaches. So we’ve centralized that, and we have a robust program. And we can do it in a more streamlined fashion,” she noted.
Meanwhile, a fifth incident occurred in 2014. In that instance, a Henry Ford physician went out and privately purchased an unencrypted flash drive, thus violating the organization’s iComply policy. He then compounded the violation by lending that unencrypted flash drive to a fellow physician, who took it with him to an out-of-state conference, where he lost it. That flash drive contained the PHI of 2,336 patients. In that case, policies were already in place, and the offending physician was disciplined.
One of the key points of this narrative, Harper told her audience, is that “Repetition helps. We have to continuously educate and train our employees.”
In concluding her speech, Harper reemphasized the critical importance of developing a culture of data privacy and security, focusing on protecting patients and communities. She urged her audience to develop a full program of data privacy and security, and to constantly reinforce that program through continuous staff education, and rigorous application of policies and procedures.
After WannaCry
Meredith Harper’s keynote presentation was immediately followed by a panel discussion focusing on CIOs’ responses to the WannaCry and Petya/NotPetya global cyberattacks earlier this year. Johannes (John) Boehme, chief information security officer at Wake Forest Baptist Health (Winston-Salem, N.C.), led a panel of two other hospital system healthcare IT leaders and one FBI agent. The two hospital leaders were Pamela Banchy, CIO of Western Reserve Hospital (Cuyahoga Falls, Ohio), and Colleen Ebel, CISO of UNC Healthcare; they were joined by FBI supervisory special agent Jessica Nye, who is based in Raleigh.
Boehme led off the panel, entitled “Lessons Learned: Reviewing Incident Response to the WannaCry and Petya Global Outbreaks,” by asking the hospital panelists what actions they took in May, when the WannaCry virus exploded globally.
“We had a technical response team that notified me and the rest of us that morning, and made technical changes on our network, etc., doing an assessment across our network to find out where patches were absent,” Ebel noted. “And then we opened up a command center that afternoon, which carried through to the next week. The state of security that you’re currently in will influence what you do. The early response involved tightening up our current security controls, and got into our antivirus protection software.”
Boehme offered that, at Wake Forest Baptist, “We have 2,500 servers, and found that 900 servers were missing that March patch” implicated in the WannaCry attack.
“We identified several that weren’t patched as well, so we applied those patches,” Banchy reported. “Meanwhile, others, we took off the network. We also did a complete inventory of our medical devices. We did have a war room or command center as well, but it was a weekend-long project to manage the situation. We did create an incident response protocol, and used some best practices along the way. We did have a highly controlled incident response area.”
“We have over 5,000 servers at UNC Healthcare, and the WannaCry incident led to a long response cycle,” Ebel said.
Meanwhile, in the regional FBI office, agent Nye said, “On that day, I received notification from our headquarters about the attack. And once we started getting that information, we started getting notifications from victims here in our AOR [area of responsibility]. We tried to start connecting the dots. Each victim would have a different experience. So we tried to quickly execute legal process, and go after the individuals” responsible for the attack. She noted that there are 56 FBI field offices and 358 satellite offices across the country, working with all types of business and professional organizations that might be affected by any such attack. What’s more, she said, it’s important to note that “It’s not just technology” that is involved in responding to these situations, “it’s the personnel as well.”
“One of the biggest things is the executive awareness, and the financial investment,” Banchy emphasized, as the panel discussed the complexities and nuances of managing cyber risk.
“Do you work with HR to raise awareness?” Boehme asked his fellow panelists. “We have had situations where we’ve had to disable an account,” Ebel reported; and there have been situations in her organization when it’s been necessary to discipline staff members who have made very poor decisions.
“One of the things we’re moving toward is to absolutely lock down our production network, to where only medical center devices can be on the production network. That’s not gaining real favor with HR and employees, but it’s very necessary,” Boehme noted.