TUCSON, Ariz. -- On his 50th birthday, John Halamka, the CIO of Beth Israel Deaconess Medical Center in Boston, was surrounded by his senior staff having cake. Then his second-in-command came in with "some" news.
A physician had gone to the Apple store and returned with a MacBook, downloaded email, and then left the office. When he returned, the new MacBook was gone. On it was a spreadsheet embedded in a PowerPoint with information on 3,900 patients, data for which the hospital was responsible.
The hospital issued a news release in which Halamka said the incident was being treated "extremely seriously" but was also being used to bring about change: in this case, accelerating implementation of a program to help employees protect devices they purchase personally.
That's how Halamka operates. He doesn't let any crisis go unused as either a teachable moment, or as a chance to lead IT into new directions -- or both. For him, communication comes naturally.
A recent post by Halamka was about managing wood, another about electronic health records. That one begins: "There's nothing like a crisp New England winter evening, a roaring fire, a cup of cider, and a 242 page Notice of Proposed Rulemaking to fill your Friday night."
Halamka, who is also a full professor at Harvard Medical School and a practicing emergency room physician, has some clear ideas about how to manage a crisis that don't follow the typical corporate mold of secrecy or downplaying a problem until events force full disclosure.
If Halamka had been the CIO of Target, you get the impression that its breach would have been handled differently.
"Be open, be honest, be forthcoming, hide nothing and use it as a podium, a bully pulpit to move an entire industry," said Halamka.
Commenting on Target's handling of its security, Halamka said he would have advised disclosing fully, up front, the severity of the breach instead of building up to it. "Customers would rather hear about what you experience and why it is making you stronger and what adversity you are working through," said Halamka.
On the day of the Boston Marathon bombing, Halamka was on a plane heading back to Boston. He got a message about the bombing. His 25 most senior IT leaders were all volunteering at the finish line, though none were injured. But cellular telephones were shut down. Other issues soon arose.
Among the patients who ended up at Beth Israel were Tamerlan Tsarnaev and Dzhokhar Tsarnaev, the two brothers and alleged bombers. Tamerlan died in a police shootout, but Dzhokhar survived. This made the hospital a global target for hackers, said Halamka.
The hospital's compliance officials wanted IT engineered in such a way that they had real-time views on everything going on with the records, said Halamka.
Again, Halamka used this crisis as an opportunity to bring reform. A consulting organization was brought in to look at the hospital's security policies, and the hospital embarked on a three-year program to improve security, with the goal of making the hospital a national leader.
"Do you become the CIO who is the guy in the trenches just trying to deliver services day-to-day," said Halamka, or do you become the person "leading the charge as the exemplar on how an industry can change its security practices?"
Halamka has answered that question for himself.
Dr. John Halamka, CIO for Beth Israel Deaconess Hospital in Boston, chats with Computerworld's Tracy Mayor about some of the IT lessons learned following last year's Boston Marathon bombings.
Patrick Thibodeau covers cloud computing and enterprise applications, outsourcing, government IT policies, data centers and IT workforce issues for Computerworld.