Managing Security in a MergerDon't Overlook the Risks of Culture Clash
In a merger, communication is essential for ensuring security and privacy challenges are met, says Christopher Paidhrin, IT security compliance officer of PeaceHealth Southwest Medical Center, whose parent company recently went through one merger and is in the midst of another.
PeaceHealth, which owned six hospitals and numerous medical clinics and facilities in Washington, Oregon and Southeast Alaska, recently merged with Southwest Washington Health System, which included two hospitals and a network of primary care and specialty care clinics.
And soon PeaceHealth will undergo another merger. On August 17, PeaceHealth and Catholic Health Initiatives, which has seven hospitals in Oregon and Washington state, announced plans to merge in a transaction expected to be completed before June 30, 2013. The combined organizations will form a non-profit integrated health delivery network generating about $4 billion in annual revenue.
When coordinating efforts between the two organizations during the recent PeaceHealth and Southwest Washington merger, Paidhrin says communication was the key element for bringing the security and privacy objectives together and aligning them. "Having skilled people in the right positions makes a world of different in the success of a merger," Paidhrin says in an interview with HealthcareInfoSecurity's Marianne Kolbasuk McGee (transcript below).
Early on, it's important to frame the scope of the work that needs to be done and set priorities, Paidhrin explains. "I think that would be our biggest lesson - that we had an excellent project manager that used one channel for communicating all of the integration elements and that kept it a cohesive message, uniform for everyone," he says.
In the interview, Paidhrin also describes:
- How to make the most of limited resources;
- How incident handling procedures can change in a merger;
- Why early engagement from key stakeholders, including clinicians, is critical.
Paidhrin has been at PeaceHealth Southwest Medical Center, formerly Southwest Washington Medical Center, for 12 years. Earlier, Paidhrin worked for many years in higher education, as well as in private sector and entrepreneurial ventures, where he held a number of director-level positions.
The Merger Details
MARIANNE KOLBASUK MCGEE: Tell us a little bit about your organization and your role and a bit about the recent merger.
CHRISTOPHER PAIDHRIN: PeaceHealth is a northwest United States regional hospital system. [Southwest Washington Health System] merged with PeaceHealth over the last 15 months ... we agreed ... to merge to identify synergies and effectiveness, efficiencies that we could not do independently. ... We looked around to see who we could partner with to best leverage our strengths, and PeaceHealth was that partner. We're well on our way to completing that merger.
My role [at the medical center] as the IT security and compliance officer is specific to IT security, but also bridges over into HIPAA/HITECH compliance, both on security and support of the privacy side and to bring best practices maturity to the governance of our entire compliance program with the security focus.
MCGEE: Were the security and privacy cultures different at the two organizations, and what challenges did you face in integrating them?
PAIDHRIN: Yes, there were differences in the cultures. Both of our organizations are over 100 years old, and so our cultures over time developed in different ways to serve different markets. But merging them can be challenging both at a culture level but also separately at a systems and network level. The systems and networks, that's all by the numbers and that takes time, but the cultures are a little bit more challenging because there's workflow, there are policies, forms - but most difficult in our experience have been the expectations. We're creatures of habit and change is disruptive, so we develop expectations as to how things work or should work, and re-training to a new merged model can be a challenge.
But a good integration team and a viable plan can address most of those issues. Knowing the scope of transition helps to set a frame of reasonable expectations, and, of course, set priorities for what can be done, what must be done, and if not, why. Within the IT security domain of these mergers, we had different enforcement, different controls, different polices and procedures and certainly different technologies, and also some different standards, but fortunately many of them were overlapping. They were good models. The security frameworks we had aligned fairly well, and of course we would always hope that better practices will always win out, and where not - and sometimes it doesn't work that way - we have a model to work from. All of us are somewhere on a maturity spectrum, and ... as we have merged, we have recognized the strengths of each side, and we work toward a model that builds upon those mutual strengths.
MCGEE: Did your incident handling procedures change? And if so, how?
PAIDHRIN: At the front end we have a challenge of merging our help desks, how those incidents flow into the response phase. But there are efficiencies and knowledge to be gained in those processes, merging those two, and that's well under way. But as for procedures and actual incident handling, we have mature processes, procedure forms, protocols, so it's actually rather simple and already aligned. We took care of that right away.
Communication Lessons Learned
MCGEE: What communication or collaboration lessons did you learn?
PAIDHRIN: More communication is better. Structured communication is best. Having skilled people in the right positions makes a world of difference in the success of a merger, at any level of the merger. Early engagement by key stakeholders is vital and, as I mentioned, framing the scope and the priority for the work to be done also helps the stakeholders to comprehend the work that's ahead.
Finally, using a standardized notification form - a method, a tool, a format - having a consistent voice helps to keep the milestones, the metrics and the goal in focus. I think that would be our biggest lesson - that we had an excellent project manager that used one channel for communicating all of the integration elements and that kept it a cohesive message, uniform for everyone. One of the big challenges that many in healthcare are encountering is that we have limited resources and shrinking resources to do things like a transition or merger. And if those resources get side-tracked by the details of too many tasks, the merger and/or the integration and the smoothness of it, at least, is put at risk. Merger leadership - the people, the project managers, the governance board, the organization leadership - they really must identify the priorities. You have to focus on the business value, add elements, apply the resources to them, track and manage those to completion. Then you won't get lost in the details.
MCGEE: What would you do differently if you had to do it over again?
PAIDHRIN: Well, I hope that the lessons learned from all previous mergers, or the knowledge capital of individuals who have gone through mergers before, would be leveraged and captured and knowledge-based to create a best practices manual or a guide. This would provide a mature model for the essential steps, hopefully a streamlined project -managed control of the activities and tasks required. Hopefully, it would create a baseline for the next merger and to keep the current one on track. But I think some lessons are hard-learned and we should only need to learn them once. My hope is that we would have the best people in those key roles that I mentioned to make sure that our next lessons are refinements on what we already do well.
MCGEE: In terms of hard lessons learned, any examples?
PAIDHRIN: No, I think we had the right people and the right plans. Our systems, our services, our missions are virtually aligned - different wording, same concept. So we were already deeply aligned before the merger. In fact, a driving decision criteria for why [the two organizations] agreed to merge is that our processes, our values, the high rankings we have for the quality of services that we deliver, many, many aspects were already in alignment. They weren't hard lessons in terms of conflict or disparate functioning or processes that needed to be reconciled.
Data Security, Privacy Advice
MCGEE: Any final advice about data security and privacy for other healthcare organizations going through a merger?
PAIDHRIN: Certainly. As I say often, it's all about waking up without mindfulness and that means the attentive daily engagement of the workforce. We call our employees "caregivers." Without daily attentiveness to privacy and security, all the security controls in the world won't prevent a breach - won't stop you from losing a laptop or losing protected health information. You must have awareness and a training program, and during the merger it's really important to merge rapidly the expectations and the criteria for success for what the new agreed-upon model is and get that out as quickly as possible.