An enormous amount of sensitive information is
generated each day within The Johns Hopkins University and
The Johns Hopkins Health System, from student and employee
data to medical records, in paper documents and electronics
files. To make sure this information is collected and
stored in a safe and secure manner, Johns Hopkins has
appointed Darren Lacey to serve as chief security
officer/information security policy coordinator for the
university and the health system.
In his new role, Lacey, a university employee since
February 2000 who currently is executive director of its
Information Security
Institute, will draw on his training as an attorney and
as an information technology specialist.
"This will be a complex position," Lacey said.
"There's a lot of new privacy and security legislation that
Hopkins is required to comply with, including several
[regulations] dealing with student information and medical
records. The idea of this position was to coordinate the
ways we protect our information, whether it's being stored
or transmitted. We need to maintain the privacy of this
material and at the same time make sure we have a strategy
in place to recover the data in case some type of
electronic problem or property loss occurs."
Lacey will report to Stephanie L. Reel, chief
information officer for the university and the health
system.
"Darren is uniquely qualified to provide leadership in
this complex area," Reel said. "His appreciation for the
law, for technology and for institutional values is rare,
and valued."
Lacey, who assumes his new post Oct. 1, believes
Hopkins already is doing a good job of protecting its
information. He pointed out that Hopkins' networks held up
better than those of many other universities and
corporations during the recent flurry of computer virus
attacks.
At the same time, he said, one of his key challenges
will be to make sure all offices of the university and the
health system are coordinating information security rules
and procedures.
For the first year or more, Lacey will focus much of
his energy on the newly published HIPAA security
requirements, coordinating his activities with the Johns
Hopkins Medicine HIPAA Office, reporting to Joanne Pollak,
JHM general counsel. He will work with Carol Richardson,
the JHM HIPAA privacy officer, to ensure that the
institutions are compliant with these regulations across
the enterprise.
He will be responsible for the safe and secure
handling of paper and electronic data at the Homewood
campus, East Baltimore medical campus, Bayview Medical
Center, Howard County General Hospital and other Johns
Hopkins locations.
"I'll be making recommendations about privacy and
security regarding our files and records," Lacey said.
"Security is what allows privacy to take place. If I leave
patient records or confidential student files open and
unattended on my desk, I'm not securing privacy for these
materials. If I use faulty passwords that make it easy for
someone to break into our computer system, that can
compromise privacy, too."
In his new role, Lacey will confer with attorneys for
the university and the health system, as well as their
information technology staffs. He comes to the job with a
law degree from Harvard and extensive experience in
electronic data systems. But because of the size and
diversity of Hopkins' operations, he expects to have his
hands full during the coming months.
"There will be a great coordination challenge here at
Hopkins because this is such a large and far-flung
institution," Lacey said. "My job will be to help people
work together on information security matters."
Lacey expects to retain his affiliations with both the
Information Security Institute and the Enterprise
Development Office but not in day-to-day management
roles.