Meredith Phillips, Henry Ford Health System: Tackling the 'core of security'
Meredith Phillips knows a little something about how to remake an enterprise-wide security team. As chief information security officer and chief privacy officer at the six-hospital Henry Ford Health System in Detroit, Phillips, together with her team of 42 FTEs, is never short of new projects. And her successful approach is one to pay attention to.
After Henry Ford reported three HIPAA breaches back in 2010 and 2011, involving theft or loss of unencrypted devices or computers, they realized something big had to happen.
Enter the health system's iComply initiative, launched in 2011, which helped Phillips and her team identify all electronic devices and have employees turn them in for ones that were secured and encrypted. In the first round, they had some 4,500 external hard drives and flash drives returned.
Also an integral part of the iComply initiative, as Phillips pointed out, was the "robust" education piece.
"Every year, all 23,000 employees are trained and educated on privacy and security," said Phillips. Currently, Henry Ford boasts nearly a 99 percent completion rate for that education.
One of the biggest things that allowed her to do this? Phillips pointed to the buy-in from their executive leadership and board. "(They) really got behind those initiatives in a way where it's become a service expectation," she said.
The big project they're working on now is around identity and access management -- an item "top of mind" for Phillips.
Just recently, Henry Ford moved and established a core group of individuals within Phillips' team whose job is to focus solely on the health system's enterprise approach for identity access management.
"Truthfully, that's the core of security," said Phillips. "What is it that we give access to based on their role they have here at Henry Ford?"
Phillips and her team are not without their own challenges, though.
Securing medical devices, she said, stands as one of the biggest -- especially when considering Henry Ford can have upwards of 50,000 to 60,000 medical devices floating throughout their facility.
"There's a lot of challenges there," she said. "Especially when we're dealing with devices that are FDA-approved, where we can't really encrypt them; we can't touch them; we can't change them." Instead, they have to focus their attention on education and other controls.
One of the things they have done is move their clinical engineering division into their IT division, said Phillips, which now ties their devices to many of the IT components, such as her security team.
For smaller healthcare organizations looking for advice, Phillips has this: Don't underestimate what it takes to have a dedicated team.
"It doesn't mean that you have to have a dedicated team of 50 people. You can have a dedicated team of four people in a smaller institution and really be able to carry out the same work we're carrying out," she said. "I think the mistake they typically make is not really making this investment and designating these individuals to have responsibilities for this."