JANUARY 2026 • VOLUME 30 • NUMBER 6

Behind the Screens: Munson Healthcare's CIO on cybersecurity, AI and mountains of data

By Art Bukowski

January 2026

Munson Healthcare has a lot of data. Just how much, you ask?

“A thousand gigabytes is a terabyte. And a thousand terabytes is what’s called a petabyte,” Munson’s Chief Information Officer Michael Saad said. “We have several petabytes of data at Munson Healthcare.”


Managing this eye-popping amount of data – much of it highly sensitive – is just one of the many critical tasks of the information technology team at northern Michigan’s largest hospital system.

About 300 in-house employees (and contractors where needed) handle data, networking, security and other IT tasks across the system’s eight hospitals and dozens of additional facilities.

The TCBN connected with Saad to learn more about the intricacies of IT at Munson, what opportunities lie ahead and what keeps him up at night.

On cloud nine?

Munson’s data is housed in a mixture of several on-site data centers spread throughout its large service area along with cloud-based services. What goes where depends on what it is, Saad says, with the most mission-critical data sometimes going both places for redundancy.

“A hybrid model is a good model because you’re not all-in [in either place],” Saad said. “If something happens on premise it can create its own set of challenges, and likewise, we’ve [recently seen] what happens when cloud vendors become unavailable. So I think the sweet spot is in the middle.”

Munson will continue with this careful balancing act for now, though Saad is keeping his eye on a shift in strategy as it relates to this issue.

“A few years ago, there was a big push to move away from local data centers because there are a lot of capital investments needed to keep those systems up,” Saad said. “Now the story has really changed and we're seeing local data centers become huge in demand because of AI. Now, health systems and organizations across the country are trying to invest more in data centers so they have computing power and can leverage AI.”

Patient records make up the bulk of Munson’s data and are the reason it has so much, particularly because it has to be retained for a long time. Michigan law requires records to be kept for a minimum of seven years from the last date of service (as a general rule). Munson's policy sets the retention period at a minimum of 10 years from the last date of service, with some types of records retained in perpetuity. 

This data is also very sensitive due to the Health Insurance Portability and Accountability Act (HIPAA) and internal policies, which adds another layer of complexity to its management. Employees come and go, and Munson regularly audits who has access to what.

“There are some very, very stringent and strict guidelines around what we can do with that data and who has access to that data, even among our own employees,” Saad said. “[We make sure] our employees have exactly the right amount of access they need to do their job, and no more.”

Munson this year completed a somewhat herculean task of combining separate health records and patient portals from several sites into one system, allowing patients and staff to go to one place for patient data instead of several.

“Our employees did a tremendous job to make this happen. The frontline staff, our registration clerks, everyone really stepped up and did a great job of making sure that was successful,” Saad said. “Our organization was really excited to see that come to life, and it’s really made a significant difference in the way we communicate with each other and the way our patients now have that single system.”

The work doesn’t stop though, as such projects often need optimization after they launch.

“You start to use the system, and you realize we’d be better off if we did X or Y or made this change,” Saad said. “[Our employees] provided a list of over 300 ways that we can enhance the existing product, so our IT team is now very focused on taking that enhancement list and implementing them to make that tool even better.”

Circling the wagons

Cybersecurity is at the top of Saad’s list of concerns, in large part because the stakes are higher and the bad actors are far, far more capable.

“Ten years ago, it was people in mom and dad's basement just trying to hack in systems for fun or to have bragging rights: ‘Hey, I got into Munson Health,’” he said. “It is a very, very different environment now. We as an industry are being attacked by nation-sponsored entities. These are very well funded, very smart individuals that are leveraging the latest technology.”

There are now geopolitical motivations behind these attacks, Saad says, part of the reason they’ve become so sophisticated.

“President Trump put a 50% tariff on Brazil in August, and we had an immediate uptick in attacks from Brazil after that announcement was made,” he said.

Under its IT umbrella, Munson has an entire cybersecurity team tasked with nothing other than keeping the system safe from attacks and ready to respond should one be successful.

“It’s a tremendous group of professionals; men and women that do a great job every day waking up thinking about this and going to bed thinking about this,” Saad said.

This team fends off attacks “literally every minute” to the tune of thousands a day, Saad says. While Munson has been fortunate enough to dodge any major incursions, they are still constantly planning for one.

“The latest statistic I saw is that when an organization succumbs to a cyberattack, they’re down for 28 days,” Saad said. “So what we’re thinking about, is should that happen to us – and obviously we have a lot of protections and hope it does not – how are [we prepared]?”

Twice a month, Munson’s executive team gets an update from a committee that is tasked with planning for just such a scenario.

“If a system goes down, whether it’s the result of something on the Munson side or a [vendor outage], how do we make sure we have that business continuity plan in place? How do we make sure we continue to care for our patients?” Saad said. “There are a lot of very robust planning and conversations that go into that.”

This game involves more than battles with shadowy, anonymous attackers from far-off lands. The vast majority of attacks still require an employee to do something wrong – click on a link, for example, or be tricked into changing a setting – so there’s a ton of internal messaging about avoiding such pitfalls. The biggest threat, after all, might be Tom from accounting.

“People are still the weakest link in cybersecurity, in many cases well-intentioned people,” Saad said. “There’s a social engineering aspect of this, and our team is very focused on education.”

Dealing with cybersecurity from a personnel standpoint is a fine line.

“We need to make sure that we’re thoughtful about how we put protections in place, because it’s a balancing act,” he said. “You can be so locked down [that employees] can’t perform the functions of the organization. How do you protect the environment and still allow the providers to do what they need to do?”

AI and automation

Along with many organizations, Munson is leaning into AI where it makes sense. As just one example, radiologists are now assisted by programs that help prioritize which MRIs they read first.

“If there's a lung nodule, that’s different than a ... collapsed lung. The collapsed lung should go higher in the queue, and the radiologist should read that one first because it's more critical,” Saad said. “It’s just flagging the radiologist to say, ‘This one needs to go higher in the queue than that one.’”

It's a scenario where Munson sees great potential for AI: Tools that enhance and speed up care provided by actual humans, ultimately improving patients’ access to timely care.

“It doesn’t make a clinical diagnosis, but it helps prioritize the work for the radiologist and speed up some of those reads, which then would translate back to more patients having MRIs done and getting the results faster because these tools help enhance the work by some of our clinicians,” Saad said. 

Munson isn’t interested in having AI do anything more than support human caregivers, Saad says, though it could stand to help tremendously on that front.

“The radiologist still is the ultimate say and still does a manual review of everyone. AI could never replace the clinician, whether it's nurses or the physicians. They are skilled in what they do, and we need those skill sets,” Saad said. “But what it can do is help supplement and provide support around them.”

Munson’s employees are generally free to experiment with AI and share their findings with others, Saad says, though leadership has taken steps to ensure that only programs that protect data sensitivity are available. Throwing information into ChatGPT is a big no-no, whereas certain programs developed with data sensitivity in mind are fine. 

“We want you to use AI, leverage it, find ways that you can learn from it and then share those experiences and those learnings with others, but we have guardrails in place,” Saad said. “We have HIPAA requirements we have to make sure we’re adhering to.”

While Saad is generally bullish on AI, he and the organization are taking a measured approach instead of diving in head first.

“AI can be a solution looking for a problem, and you can wear yourself out chasing all of these solutions. My inbox is … full of vendors reaching out trying to provide solutions to problems that either we don’t have or are not top of mind,” he said. “What we do is we bring it back to: What problem are we actually trying to solve?”

While it may not necessarily involve AI, Munson is also leaning into automating basic tasks so its professionals can spend time on more worthwhile endeavors.

“How do we leverage technology to enable our employees to operate at top of license or top of skill set?” Saad said. “What are those mundane tasks our employees are doing that we can leverage technology to help address?”
