Meet Our Member: Tom Walsh, CISSP

Tom Walsh Consulting, LLC

Tom Walsh, CISSP, is co-editor of the new HIMSS book, Implementing Information Security in Healthcare: Building a Security Program. The book, which was edited by Walsh; Terrell W. Herzig, MSHI, CISSP; and Lisa A. Gallagher, BSEE, CISM, CPHIMS, offers a critical and comprehensive look at healthcare security concerns in an era of powerful computer technology, increased mobility, and complex regulations designed to protect personal information. Featuring perspectives from more than two dozen security experts, this book explores the tools and policies healthcare organizations need to build an effective and compliant security program.

Walsh has partnered with Brian Evans and Kerry McConnell to assist healthcare organizations throughout the country with building regulatory compliant information security programs. Walsh is a nationally recognized speaker and a co-author of three other books.

Before starting his own healthcare consulting business in 2003, Walsh’s experience included being the first information security manager for a large, multi-hospital healthcare system in Kansas City, Missouri. He has over 21 years of information security experience.


HIMSS:How did you become involved with HIMSS?

Walsh: I had begun working for the Saint Luke’s Health System in January 1998, and my boss decided that I should go to the HIMSS Annual Conference & Exhibit to become acclimated with health IT. I learned a lot that week, and it was a great way to launch my career in healthcare.


HIMSS: What has been the most rewarding aspect of your involvement with HIMSS?

Walsh: Meeting so many fantastic people over the years has been most rewarding. I am fortunate to have had many opportunities through HIMSS – with my local chapter and at a national level, to network with other professionals and learn from them.


HIMSS: Please describe the highlights of “Implementing Information Security in Healthcare:Building a Security Program.”

Walsh: This book offers a great deal of practical “how to” advice and samples. It’s one thing to tell others what they need to do, but it is far better to provide solid advice backed with examples. The book was a collaborative effort; all who participated willingly gave of their time and expertise to give something back to the industry. Finishing the book became a labor of love in honor of our colleague, Terrell Herzig.


HIMSS: Can you discuss Terrell Herzig’s legacy?

Walsh: It’s hard to believe that it has been a year since Terrell’s passing. He had a great deal of influence over the hundreds of people at University of Alabama at Birmingham (UAB), who knew him as their professor or information security officer.The book, Implementing Information Security in Healthcare: Building a Security Program,was dedicated to Terrell. There are many touching tributes to him.


HIMSS: Please describe some of the milestone events in your career.

Walsh: One milestone occurred in 1992, when  my boss at the time pushed me beyond my comfort zone by encouraging me to pursue information security and to do public speaking. An influential individual saw my first public presentation and invited me to speak at another conference. And with that, my public speaking career took off. One my greatest honors occurred when HIMSS asked me to be one of the “Views from the Top” speakers at the 2003 HIMSS Annual conference.

I have had the good fortune to co-author four books, and in 2003, I started my own consulting business.


HIMSS: What are the most notable changes you’ve seen in the field of health IT over the course of your career?

Walsh: When I started in healthcare, client-server technology was in its infancy and information security was barely discussed, even in IT. Now the topic of security has executive management’s attention. Today, mobile devices have revolutionized health IT, bringing with it both the benefits of access to patient data (anywhere, at any time on any device) and security risks.


HIMSS: What advice would you give professionals just entering the healthcare or IT field?

Walsh: “People, process, and technology – in that order.” I got this from the IT Infrastructure Library (ITIL). But it is the mantra I use when advising clients. Security and privacy are important, but the primary mission is the care of patients. IT needs to support the mission by making it easier for caregivers to do their job rather than constructing barriers. Just remember—if your loved one is in a hospital bed in critical condition, waiting for the lab results or the orders of a specialist – security and privacy become a lower priority.

Anyone who is new in healthcare IT needs to spend at least a half day just observing what goes on in the clinical care areas. It will change his or her perspective about their job in IT. It will give them the bigger picture. As the old saying goes, “Are you laying bricks, or building a cathedral?”