Jack Kufahl – Michigan Medicine
The lab staff knew its computer was aging. Its software had been patched and pieced together over the years. It was past upgrading and, because of the cost, it would be a few years before a full replacement could be implemented.
But until Kufahl visited the imaging lab—at 6:30 a.m. before the imaging services began for the day—he hadn’t realized the computer was so integral even though it couldn’t be upgraded with new security features.
“It was providing diagnostic care and in high use,” Kufahl recalls. “It was essential but frail. I wouldn’t have understood that without a visit.”
Kufahl worked with the IT team to replicate the computer’s programming and features to another one where he could update the security. In a few years, he helped the lab fully replace the system when funds became available.
The episode underscores how Kufahl secures the Michigan Medicine network and infrastructure—he and his staff need to understand the environments they work in before applying procedures and fixes.
“This is a mission-driven atmosphere and we have to show the context of our work,” Kufahl says. “We need to reduce risk landscape by understanding it while partnering with people who aren’t regularly engaged in tech support.”
Tech for classrooms and clinics
As part of the University of Michigan, Michigan Medicine has 20 clinical departments including cardiac surgery, family medicine, neurosurgery and pathology. Michigan Medicine has nine science departments such as pharmacology, biological chemistry, human genetics and learning health sciences.
The medical school was founded in 1850 and the system also includes almost 1,800 faculty physicians who care for patients at three hospitals and 40 health centers.
As the first CISO for Michigan Medicine, Kufahl says he wants to build a sustainable and resilient security network—one that will enable “the next person be able to pick up the thread and continue,” he says.
Kufahl adds that ever-changing threat levels and new modes of attack make it impossible to create an impregnable system.
“Sustainability and resiliency in security comes from your strategy and relationships, not from technologies,” he says. “You have to balance your approach with common sense protections paired with workforce engagement and recovery planning. When an event occurs, the impacts can be understood and mitigated.”
Accessible and secure
He compares trying to stop all attacks to an epidemiologist telling someone, “Just don’t get sick.” However, Kufahl says overseeing security for the network, hardware and an immense amount of data that can also be used for research causes conflicting expectations between the health care and academic environments.
The health care providers managing personal health information are concerned the information isn’t protected enough. Researchers who need shared information worry when access is limited.
Michigan Medicine is currently shifting some operations to the cloud. Kufahl isn’t leading the project but does have a stake in the effort as the conversion creates a more centralized approach to IT operations.
Kufahl says the cloud conversion allows for better data storage and retrieval. It also provides analytics for research, but adding cloud platforms can create resiliency gaps he needs to address, such as ensuring security is provided by design, not as an add-on.
Michigan Medicine has a compliance team for IT operations and its network, but Kufahl says he needs to know what the compliance requirements are as he advises on technology.
“There’s oodles of it, too,” he says.
For instance, the Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health, or HITECH, Act regulations govern tech use in providing health care and protecting patient information and data. On the academic side, Michigan Medicine needs to comply with the Family Educational Rights and Privacy Act, or FERPA, rules for educational records.
A teachable skill
“I don’t come by cybersecurity honestly. I grew into it because of my career at Michigan Medicine,” Kufahl says.
He began college at Illinois State University planning to major in computer science. Though he earned a bachelor’s degree in history in 2002, he never strayed far from tech as he provided tech support and training for university staff and faculty.
After he graduated, Kufahl joined what was then the University of Michigan Medical School as an IT manager—thanks in part to a referral from a friend from ISU who joined the Michigan IT staff as a web master.
In 2003, Kufahl became coordinator of operations for the research IT co-op, coordinating the service desk and systems support for five research departments with a total of 750 clients. In 2009, he was named IT planning manager and was senior director of solutions delivery from 2011 to 2016 before being named to his current position.
Kufahl has also chaired the board and served as president and incorporating officer for the Michigan Healthcare Cybersecurity Council since 2016. He served as health IT commissioner with the Michigan Department of Health and Human Services from July 2019 to August 2021.
He says while he doesn’t have military or intelligence experience like others working in cybersecurity, he’s made the transition from IT leadership into security leadership—and others can, too.
“Cybersecurity is eminently teachable,” Kufahl says. “What I’ve observed as somewhat of an insider, is that cybersecurity is a role and theme that seems inaccessible. But when I look to hire people, I ask ‘do you know how you like to learn for yourself and do you know how to teach others?’”
View this feature in the Winter I 2023 Edition here.