A CIO who masters disasters

Protecting institutional reputation means communicating problems, says John Halamka

TUCSON, Ariz. -- On his 50th birthday, John Halamka, the CIO of Beth Israel Deaconess Medical Center in Boston, was eating cake, surrounded by his senior staff. Then his second-in-command came in with "some" news.

A physician had gone to the Apple Store and returned with a MacBook. He used the laptop to download email and then left the office. When he returned, the new MacBook was gone. On it was a spreadsheet embedded in a PowerPoint presentation with information on 3,900 patients -- data for which the hospital was responsible.

The hospital issued a news release about the laptop's disappearance in which Halamka pointed out that the incident was being treated "extremely seriously" but also noted that it was being used to bring about change -- specifically, it was a catalyst for implementation of a program to help employees protect devices that they purchase on their own.

That's how Halamka operates. He doesn't let any crisis go unused as either a teachable moment or as a chance to lead IT into new directions -- or both.

For Halamka, who spoke here today at the Computerworld Premier 100 IT Leadership Conference, communication comes naturally. He runs a blog, "Life as a Healthcare CIO," where he discusses his career in healthcare IT and life on his farm. He is also a Computerworld columnist.

In a recent blog post, Halamka outlined his plan for managing wood on his farm. In another, he discussed electronic health records. That one begins: "There's nothing like a crisp New England winter evening, a roaring fire, a cup of cider, and a 242 page Notice of Proposed Rulemaking to fill your Friday night."

Halamka, who is also a full professor at Harvard Medical School and a practicing emergency room physician, has some clear ideas about how to manage a crisis that don't follow the typical corporate mold of retreating behind a veil of secrecy or downplaying a problem until events force full disclosure.

If Halamka had been the CIO of Target, you get the impression that the retailer's breach would have been handled differently.

"Be open, be honest, be forthcoming, hide nothing and use it as a podium, a bully pulpit to move an entire industry," said Halamka.

Commenting on Target's handling of its security breach, Halamka said he would have advised disclosing the severity of the incident fully, up front, instead of building up to it. "Customers would rather hear about what you experience and why it is making you stronger and what adversity you are working through," he said.

On the day of the Boston Marathon bombing, Halamka was on a plane heading back to Boston. He got a message about the bombing. His 25 most senior IT leaders were all volunteering at the finish line -- and fortunately none were injured. But cellular phone service was shut down. Other issues soon arose.

A few days after the marathon, the two alleged bombers, brothers Tamerlan Tsarnaev and Dzhokhar Tsarnaev, were brought to Halamka's hospital, BIDMC, after being apprehended in a police manhunt. Tamerlan died in a shootout with police, but Dzhokhar survived and was kept in the hospital for treatment. This made BIDMC a global target for hackers, Halamka said.

The hospital's compliance officials wanted IT engineered in such a way that they had real-time views on everything going on with the records, said Halamka.

Again, Halamka used the crisis as an opportunity to bring reform. A consulting organization was brought in to look at the hospital's security policies, and the hospital embarked on a three-year effort to improve security, with the goal of making Beth Israel Deaconess Medical Center a national leader.

"Do you become the CIO who is the guy in the trenches just trying to deliver services day to day," said Halamka, or do you become the person "leading the charge as the exemplar on how an industry can change its security practices?"

Halamka has answered that question for himself.

Dr. John Halamka, CIO for Beth Israel Deaconess Hospital in Boston, chats with Computerworld's Tracy Mayor about some of the IT lessons learned following last year's Boston Marathon bombings.

Patrick Thibodeau covers cloud computing and enterprise applications, outsourcing, government IT policies, data centers and IT workforce issues for Computerworld. Follow Patrick on Twitter at @DCgov or subscribe to Patrick's RSS feed. His email address is pthibodeau@computerworld.com.
