Healthcare and incident management: just like the doctor ordered

For 93 years, the massive bronze doors of the Mayo Clinic’s Plummer Building have closed fewer than a dozen times. Indeed, they are not easy to close, weighing in at two tons each and standing 16 feet high. The open doors symbolize that the world-renowned institution is always available to take in those who need its care.

The landmark building was designed for efficiency, ease of movement and collaboration. But those features became more difficult to sustain as the hospital grew in size, geography and complexity. For example, about 20 different departments conduct or consult on investigations and maintain or contribute to case management systems, and many use their own software, processes and terminology.

Security was balkanized as well. Until a few years ago, the department was campus focused. “Global Security as a shared service didn’t really exist,” explains Ryan Hatton, Manager, Security Technology and Global Security Operations Center at the Mayo Clinic.

The organization has three main campuses — in Rochester, Minnesota; Phoenix/Scottsdale, Arizona; and Jacksonville, Florida. It also has a health system in Minnesota, Iowa and Wisconsin, as well as facilities in London, England. Each campus maintained its own security operations centers, technology, procedures, data collection and terminology. In the case of terminology, incidents might be defined differently among campuses based on state law, so a battery in Wisconsin would be equivalent to an assault in Minnesota. That proved confusing.

“We recognized that we needed to change,” Hatton recalls.

Several years ago, Mayo brought in a well-regarded chief security officer (CSO) to temporarily lead the security team as the clinic searched for a long-term candidate. Brad Brekke, former CSO of Target, answered the call. The security team credits him with centralizing security and laying the foundation for improved professionalism, standardization and innovation.

Matt Horace succeeded Brekke as CSO, joining Mayo in May 2019. “I came in with a blueprint,” Horace recounts. Leveraging available funding and a highly capable staff, he reinvigorated the security brand. “We changed our name from Security to Global Security because we are transnational; we serve people all over the world,” Horace says. “It was important to have the brand change to elevate the perception of security and to move away from the gates, guards and guns of the past.”

Security’s plan aligned perfectly with Horace's vision: to develop a single security operations center and to standardize workflows, processes, software, terminology, and other investigatory and case-management aspects. As part of this effort, the security team began scoping software tools that combined security risk management, case and incident management, investigations and command center management.

After putting out a request for proposals and reviewing the submissions, Global Security selected Resolver’s suite of software tools. The Global Security team reports to Risk Management, and in early 2020, Mayo Clinic leadership tasked Risk Management with streamlining all investigative teams into a single tool. They leveraged Global Security’s ongoing efforts and chose the same software suite. Delayed by the COVID-19 pandemic, the project was in development for almost two years before the software was implemented in the summer of 2021.

“We heard from other teams with the same issues,” Hatton says. The project caught the attention of Mayo leadership, which set out to see whether the software could help standardize procedures and practices beyond security — to all departments with incident/case management, investigations and similar processes. Mayo has to comply not only with a bevy of federal, state, local and international laws and regulations, but with the requirements of the Joint Commission, the organization that accredits healthcare institutions in the United States.

Previously, an employee might have had issues with HR, privacy and security, but because of the size and complexity of the organization, the incidents would be siloed. For example, says Amy Runkle, Manager of Investigative and Legal Discovery, “[The Investigative and Legal Discovery group] might have reached out to Compliance to see if there were any hotline reports, to Security to see if there were global security issues, or to HR for other historical matters, and merge the information.”

Sara Elton, Principal Risk Analyst, was tapped to project manage the task of getting multiple departments on board. The various groups she wrangled had their own concerns. An external audit determined that there was no consistent process for investigating possible fraud. Also, Mayo’s personnel committee wished to streamline its own investigative process. “Global Security had a relationship with Resolver, so it made sense to use them, though we looked at a couple of other products too,” Elton says.

Elton reached out to 20 or so departments to participate, and the 10 with investigative/case management responsibilities have signed on, joining Global Security. Overall, six departments (Global Security, Compliance, Privacy, Revenue Compliance, Education Compliance, and Health Information Management) are live; three departments (Operational Risk Management, Manufacturing Compliance, and Human Resources) are in the requirements process; and two departments (Research Compliance and the Drug Diversion Response Team) will join in 2022. Other departments, such as Legal, will have a consulting role.

In his department, Privacy Officer John Signorino needs to maintain a record of privacy investigations, corrective actions, individuals involved and related information to meet regulatory requirements in case of an audit. In this project, he saw the opportunity to integrate workflows. “Now, you could do that by taking an off-the-shelf risk management product, but we took the more difficult path of taking an existing tool focused on security and updating it so it could enhance all other compliance workflows.”

Signorino had already worked with various software tools, such as Compliance 360 and CompliancePro, but realized it made sense to use one that Global Security had already put to the test.

A critical part of the process has been developing metrics that translate across departments. Clifford Hodde, Manager, Security Standards, Data, and Training for Global Security’s Support Services, says that security had practitioners design a standard set of report metrics to enable better data analytics. For example, users will better be able to identify hotspots, which may differ from one campus to the next.

“We were really conscious of how people reported things like terms and definitions,” Hatton explains. Security worked with Resolver on populating fields and customizing reports, then integrating the information with Mayo’s patient databases. “So now we only have one record per person,” Hatton says. The security team also added a training program on how to limit reporting differences when entering data into the system.

The departments are just getting up to speed on the new system, though results so far have been favorable.

“We can get things that we couldn’t get before,” Horace says. “When we are managing critical incidents, it’s going to be much more visible and relevant; we can see what data is coming from the interviews, did we recover items, did the incident involve weapons or mentally ill persons, and so on. We can use that to figure out why this happened, what it meant and what is next. It gives us the ability to get more info now and to understand the data points in real time.”

Though the implementation is still in its early stages, “Efficiencies will come down the line,” predicts Signorino, as consistent reporting yields enhanced data analytics, eliminates duplication, and saves time and expense. Staff from different departments will get to know the look and feel of interview notes, for example. “Strategically, workflows will become familiar to both users and external stakeholders so that the experience of a privacy investigation is not entirely unlike the experience of an ORM or legal inquiry,” he adds.

Every new tool has its limitations, but Runkle says the software provider has been highly responsive to Mayo’s requests and concerns. For future improvements, Mayo is looking for enhancements in the user interface and more robust workflow tools in the software. “It’s the first time [the tool] was built beyond [use by] security,” Runkle says, pointing out that the company has worked hard to tailor its software for such broad use.

And interdepartmental collaboration is essential, adds Director of Security Services Scott Anderson, because, “Bad guys don’t care how you’re built.… They don’t care about our silos or that we don’t talk. You can’t deliver incredible healthcare if you don’t feel safe.”

The software both helps fulfill the Plummer Building’s original purpose to foster a more collaborative environment and plays a key role in ensuring that the facility never has to figuratively close its massive doors.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

This webinar will assist those responsible for developing a comprehensive K-12 safety and security program by helping security professionals and administrators understand the goals and objectives of a district-wide safety and security program.