Issue link: https://securitytechnologyexecutive.epubxp.com/i/130352
IN FOCUS: HEALTHCARE SECURITY By Ray Coulombe The Cure for Security Inconsistency Genzyme, a Sanofi company, may specialize in rare diseases, but its security team has made integrating disparate systems their specialty W hile a great deal of the focus when it comes to healthcare security is on patients, HIPAA, workplace violence, emergency rooms and pharmacies, the reach of the "healthcare market" actually stretches much further. Take Genzyme, a Cambridge-based biotechnology company, as an example. Genzyme's goal is finding and developing treatments for Multiple Sclerosis, thyroid cancer and rare genetic diseases known as lysosomal storage disorders (LSDs); thus, while you likely won't find them on a hospital campus, security for such an organization is vital to protect its facilities, staff, information and products. Genzyme was founded in 1981 as a tiny startup researching rare genetic-related diseases. The small company did not really consider security as a major issue until a problem was discovered with missing lab notebooks. "The senior leadership of the company understood the importance and advantage of a security program with a unified approach to physical and information security," says Dave Kent, Vice President and Head of North American Security. The company's security department and procedures evolved from the notebook incident to become a model for holistic security and risk management in a multi-national, multi-cultural company. When French global healthcare giant Sanofi acquired Genzyme in 2011, it got more than it bargained for. While it added an important new source of bio-technology research and products, little did company officials realize that they were also acquiring a world-class security capability. An Integrated Security Program In the mid-1990s, two key managers, Kent (now Sanofi Vice President and Head of North American Security) and Bhavesh Patel (Senior Director, Security Services and Technology) joined Genzyme to begin the process of constructing a comprehensive security operation and program. By 1998, they had implemented "convergence" — long before the term had become a buzzword in 18 SECURITY TECHNOLOGY EXECUTIVE • May 2013 security industry circles — by tying HR strongly into the access control system. By 2000, security was fully integrated into the company's real estate process, where no property went online until all security issues had been properly addressed. This, and subsequent alignment with Finance and IT, set the environment for breaking down silos and creating a pervasive atmosphere of security awareness. Security was defined in a broad sense, encompassing enterprise risk, supply chain, insurance and competitive technical information. Physical security, IT security and product security were all placed under Kent, a single "Head of Security." This path to integration did not occur without challenges. Due to a number of acquisitions, an estimated 30-40 different access control systems were put into the Genzyme mix. "We didn't want to take a cookie-cutter approach or drive a corporate mandate," Patel explains. "We established a cross-functional team and built a new standard based on the business culture and risk." The two-way dialog resulted in agreement that a fully integrated company-wide approach would not only provide better security and functionality, but also immediate day-to-day benefits. These included savings in both time and money, resulting from centralized Tier 1 and 2 support, system troubleshooting and badge provisioning. The Management System Badges are extremely important — those new to the company by acquisition or hire must be provisioned with a credential that would be recognized in any company facility worldwide, thus facilitating both access and also company unity and morale. These efforts led to the deployment of enterprise-level access control across 110 locations in 46 countries with personnel data from 23 different systems, using a single security management system, Pro-Watch by Honeywell. "The Pro-Watch suite of software was developed from the onset to support multiple access www.SecurityInfoWatch.com