Boston, MA
Dec. 5-7, 2016
Vice President, Privacy & Information Security, Associate Counsel

John Houston is vice president, information security and privacy, and associate counsel for UPMC, a $11 billion health system headquartered in Pittsburgh, Pa. In this position, he has broad accountabilities across UPMC, including accountabilities related to privacy, information security and legal matters associated with the acquisition, licensing and use of technology. Mr. Houston is responsible for the UPMC startup “CloudConnect”, a company that offers cloud-based IT services to healthcare providers. He is also an adjunct assistant professor in the Department of Biomedical Informatics in the University of Pittsburgh School of Medicine.

John has been significantly involved in UPMC’s compliance with the privacy and security provisions of HIPAA and the American Recovery and Reinvestment Act. He has testified twice before the United States Senate’s Health, Education, Labor and Pension Committee and once before the U.S. Senate Judiciary Committee. He has also spoken nationally and internationally on such topics as health care privacy and health care information systems.

John was also a member of the National Committee on Vital and Health Statistics (NCVHS) from 2002 until 2010.  NCVHS is a public advisory body that makes recommendations to the secretary of the U.S. Department of Health and Human Services. As a member of NCVHS, Mr. Houston co-chaired the NCVHS Subcommittee on Privacy, Confidentiality and Security. 

John completed his undergraduate studies in 1986 at the University of Pittsburgh and received a Bachelor of Science in Computer Science and History.  Mr. Houston later attended the Duquesne University School of Law where he received his JD degree in 1994. 

December 6, 2016
1:30pm - 2:00pm
Grand C

John Houston is the vice president of privacy and security and associate counsel for UPMC, a $12 billion integrated healthcare delivery system headquartered in Pittsburgh, Pa. Among his many duties, John plays a key oversight role in the acquisition, licensing, and use of technology.

UPMC spends millions on technology. These days, most acquisitions are "cloud-based deals", with far fewer being made for on-premises software than in the past. Needless to say, when it comes to securing data in the cloud, UPMC has a lot at stake.

In this session, John will discuss the market forces driving UPMC to the cloud. More importantly, he'll provide an overview of UPMC's cloud acquisition process, which he developed to make sure remote IT services are reliable and effectively delivered and that the data is appropriately safeguarded.

This information will benefit all providers, large and small.

December 6, 2016
3:50pm - 4:30pm
Grand Ballroom

As more data from medical devices is fed into EHRs on a provider’s network, finding ways to secure and protect the devices from viruses and other cyber threats has become a vital part of any comprehensive security program.

But securing these devices is a tough nut to crack for a number of reasons. Many are not managed by the IT department; clinicians are often resistant to new security safeguards that may impact their workflow; medical device vendors are often unresponsive to requests for security upgrades to existing software; and some of the upgrades can be prohibitively expensive.

In this session, senior security officers at three major healthcare systems share with attendees their approach to securing medical devices.

Among other things, they’ll address:

  • Practices for assessing and mitigating medical device risks
  • Processes for approving requests for new medical devices
  • Responding to infected devices
  • Vendor management
  • Educating clinicians and administrators about the security risks medical devices pose
