January 2026
Munson Healthcare has a lot of data. How much, you ask?
“A thousand gigabytes is a terabyte. And a thousand terabytes is what we call a petabyte,” said Michael Saad, Munson’s chief information officer. “We have several petabytes of data at Munson Healthcare. »
SaadManaging this overwhelming amount of data – much of it highly sensitive – is just one of many critical tasks for the IT team at northern Michigan’s largest hospital system.
About 300 internal employees (and contractors if necessary) manage data, networking, security and other IT tasks across the system’s eight hospitals and dozens of additional facilities.
THE TCBN reached out to Saad to learn more about the intricacies of IT at Munson, the opportunities that await him, and what keeps him up at night.
On a little cloud?
Munson’s data is hosted in a mix of multiple on-premises data centers across its large service area as well as cloud-based services. What goes where depends on what it is, Saad says, with the most critical data sometimes going both ways for redundancy purposes.
“A hybrid model is a good model because you don’t completely agree (in either area),” Saad said. “If something happens on-premises, that can create its own set of challenges, and similarly, we’ve (recently seen) what happens when cloud providers become unavailable. So I think the sweet spot is somewhere in the middle.”
Munson will continue this careful balancing act for now, although Saad is keeping an eye on a change in strategy when it comes to this issue.
“A few years ago, there was a strong trend away from local data centers because a lot of capital investment was required to keep these systems healthy,” Saad said. “Now the situation has really changed and we see that local data centers have become in high demand due to AI. Now health systems and organizations across the country are trying to invest more in data centers in order to have computing power and be able to take advantage of AI.”
Patient records make up the bulk of Munson’s data and are the reason why there is so much of it, particularly because they must be retained for a long period of time. Michigan law requires records to be retained for at least seven years from the last date of service (as a general rule). Munson’s policy sets the retention period at a minimum of 10 years from the last date of service, with certain types of records retained in perpetuity.
This data is also highly sensitive due to Health Insurance Portability and Accountability Act (HIPAA) and internal policies, which adds another level of complexity to its management. Employees come and go, and Munson regularly checks who has access to what.
“There are very, very strict, strict guidelines around what we can do with this data and who has access to this data, even among our own employees,” Saad said. “(We ensure) that our employees have exactly the level of access they need to do their jobs, and no more.”
Munson accomplished the somewhat herculean task this year of combining separate health records and patient portals from multiple locations into a single system, allowing patients and staff to access a single location for patient data instead of several.
“Our employees did a tremendous job to make this happen. The front-line staff, our registration clerks, everyone really stepped up and did a great job to make this a success,” Saad said. “Our organization was really excited to see this system come to life, and it has really made a significant difference in how we communicate with each other and how our patients now have this unique system.”
The work doesn’t stop though, as such projects often require optimization after launch.
“You start using the system and you realize we would be better off if we did X or Y or if we made this change,” Saad said. “(Our employees) provided a list of over 300 ways to improve the existing product, so our IT team is now very focused on that list of improvements and implementing them to make this tool even better.”
Circling the wagons
Cybersecurity is at the top of Saad’s list of concerns, largely because the stakes are higher and bad actors are far more capable.
“Ten years ago, it was people in mom and dad’s basement just trying to hack systems for fun or for bragging rights: ‘Hey, I got into Munson Health,'” he said. “It’s a very, very different environment now. As an industry, we’re under attack from domestically sponsored entities. These are very well-funded, very smart individuals operating the latest technologies.”
There are now geopolitical motivations behind these attacks, Saad says, which is part of the reason they have become so sophisticated.
“President Trump imposed 50% tariffs on Brazil in August, and we immediately saw an increase in attacks from Brazil after that announcement,” he said.
Under his IT umbrella, Munson has an entire cybersecurity team tasked with nothing more than protecting the system from attacks and ready to respond if successful.
“It’s a great group of professionals, men and women who do great work every day, waking up thinking about it and going to bed thinking about it,” Saad said.
This team repels attacks “literally every minute,” to the tune of thousands of people a day, Saad says. Although Munson was lucky to avoid any major incursions, they are still planning one.
“The latest statistic I saw is that when an organization succumbs to a cyberattack, it remains unavailable for 28 days,” Saad said. “So what we’re thinking about is if this happens to us – and obviously we have a lot of protections and hopefully it doesn’t – how are we going to (prepare)?”
Twice a month, Munson’s leadership team receives an update from a committee tasked with planning for such a scenario.
“If a system goes down, whether it’s because of something on Munson’s side or a (vendor outage), how can we make sure we have that business continuity plan in place? How can we make sure we continue to take care of our patients?” Saad said. “There’s a lot of planning and very robust conversations that go into this.”
This game involves much more than battles with shadowy, anonymous attackers from faraway lands. The vast majority of attacks still require an employee to do something wrong – click on a link, for example, or be tricked into changing a setting – so there is a tonne of internal messages to avoid such pitfalls. After all, the biggest threat might be Tom on the accounting side.
“People remain the weak link in cybersecurity, and in many cases, well-intentioned people,” Saad said. “There’s a social engineering aspect to this, and our team is very focused on education.”
Approaching cybersecurity from a staff perspective is a fine line.
“We need to make sure that we’re thoughtful about how we put protections in place because it’s a balancing act,” he said. “You can be so confined (that employees) can’t perform the functions of the organization. How do you protect the environment while still allowing contractors to do what they need to do?”
AI and automation
Like many organizations, Munson is looking to AI where it makes sense. For example, radiologists are now assisted by programs that make it possible to prioritize the reading of MRI scans by a radiologist.
“If there’s a lung nodule, that’s different from a…collapsed lung. The collapsed lung should be higher in the queue, and the radiologist should read it first because it’s more critical,” Saad said. “It’s just signaling to the radiologist, ‘This one should be higher in the queue than that one.’ »
This is a scenario in which Munson sees great potential for AI: tools that enhance and accelerate care provided by real humans, thereby improving patient access to timely care.
“It doesn’t make a clinical diagnosis, but it does help prioritize the radiologist’s work and speed up some of those readings, which would then result in more patients having MRIs and getting results more quickly, because these tools help improve the work of some of our clinicians,” Saad said.
Munson isn’t interested in AI doing anything other than supporting human caregivers, Saad says, even though it could be extremely useful on that front.
“The radiologist always has the final say and always does a manual exam of everyone. AI can never replace the clinician, whether it’s nurses or doctors. They are skilled at what they do and we need those skills,” Saad said. “But what it can do is help complement them and provide support.”
Munson employees are generally free to experiment with AI and share their findings with others, Saad says, although management has taken steps to ensure that only programs that protect the sensitivity of the data are available. Feeding information into ChatGPT is a big no-no, while some programs developed with data sensitivity in mind are fine.
“We want you to use AI, exploit it, find ways to learn from it, and then share those experiences and those learnings with others, but we have guardrails in place,” Saad said. “We have HIPAA requirements that we need to make sure we meet.”
Although Saad is generally optimistic about AI, he and the organization are taking a measured approach instead of diving in headfirst.
“AI can be a solution in search of a problem, and you can get exhausted looking for all these solutions. My inbox is…full of vendors trying to provide solutions to problems that we don’t have or don’t care about,” he said. “What we do is bring it back to: What problem are we actually trying to solve?”
While it doesn’t necessarily involve AI, Munson is also moving toward automating basic tasks so its professionals can spend time on more interesting activities.
“How to leverage technology to enable Should our employees operate at the peak of their license or skill set?” Saad said. “WWhat are these mundane tasks oWhat do your employees do and we can leverage technology to help fix it? »