Canada’s healthcare system is one of the best in the world and we are fortunate to live here. Often, we take for granted the complexities that face our healthcare delivery organizations working to provide us the best care possible.
Today, more than ever, security is top of mind for CEOs and boards across virtually every industry. And just like any other company, healthcare delivery organizations need to continually innovate to improve patient care while at the same time reducing costs with the use of new technology. From this perspective, the role of a chief information security officer (CISO) in Canada’s healthcare system requires deep expertise and a holistic view of the technology world in order to be an enabler of better patient outcomes.
One of those important leaders in Canada’s healthcare system is Robert Martin, chief information security officer at Alberta Health Services. I connected with Martin to gain a deeper understanding of modern-day healthcare challenges and opportunities. There is much to learn here from Robert’s pragmatic insight irrespective of industry – whether you’re a CISO, CIO or CEO.
Brian: Alberta Health Services (AHS) has many facets. Tell me more about the world of AHS that people may not know?
Robert: “AHS is the largest healthcare delivery organization in Canada and one of the largest organizations of any kind in Canada. Our budget for this year is over $13 billion with 130,000 staff, physicians and volunteers. One of the first benefits that I realized when AHS was formed was that of critical mass. Since we were formed from multiple organizations across Alberta, we were able to consolidate several smaller security and risk teams into one. Some of these teams were really only one or two people. Combining those teams gave us critical mass so instead of having to do things serially – policy one year, control frameworks the next and then work on technical controls – we were able to do all of those and more in parallel. That has really paid dividends over the years in the level of maturity in our teams and processes.”
Brian: What challenges do you see facing the healthcare industry today?
Robert: “In a single payer system like we have in Canada, the biggest challenge has to be how much of provincial budgets we consume. Sustainability in healthcare is a concern for healthcare leaders and politicians across the country. Aging populations and ever-increasing expectations of what quality health care means to people drive costs up every year. We have to constantly look for ways to deliver better care for less money. More universally, healthcare data is a valuable commodity in underground markets which makes targets of our systems and our users. But a stereotypical security response of locking down data does not work because healthcare data needs to be shared to enable quality patient care. As a result, healthcare security and risk teams need to find a balance between data availability and security, and our teams at AHS are no exception in that regard.”
Brian: As you look to continually innovate at AHS to improve patient care, what is your view on the value of cloud computing?
Robert: “In my mind, the shift to the cloud is much less of a concern than previous shifts like client-server computing. In that shift, we moved to immature and unmanaged PC environments and lost several if not all of the controls from our mainframe data centres. In the shift to cloud computing, we can now apply everything we know about how to manage data in large environments while still giving users access to the data they need. In one security review we did, we compared a cloud service against our existing service offering. In no cases were the controls in the cloud worse than our existing environment and in some cases they were actually better. Looking at it that way, as a security professional, you are compelled if not obligated to move to the cloud service.”
Brian: When can security be an enabler to the business? What mindset should leaders have for thinking about security when looking at cloud solutions for their organization?
Robert: “I have said since Day 1 at AHS that we had to stop being the ‘No’ people and instead be the ‘Yes, but’ people. For example – ‘Yes, we can enable that process but here is the residual risk you need to accept’ or ‘Yes, we can enable that data exchange, but here are the controls that need to be in place in the production environment.’ As a CISO, I do not have access to any of our data centres, and that is a good thing. I have no operational responsibilities so I have no reason to go in our data centres. So why is it a big deal if the data center is in a different jurisdiction? Physical proximity is not a control and data sovereignty has nothing to do with geography. As a CISO, if I am not enforcing access controls, encryption, vulnerability management programs, periodic audits, and myriad other controls, then I am not doing my job. Those controls are just as relevant for cloud services as they are for the data centers we physically run in our organization.”
Brian: Lastly, let’s talk about engagement at the board level. As the chief information security officer, what does having ‘board visibility’ mean to you in the context of your role?
Robert: “If you are a CISO without any visibility with the board, you really need to be concerned. You need to be communicating how you are identifying and mitigating security risks. If you review material from any of the large consultancies or organizations like ICD (Institute of Corporate Directors) it is clear that security and cyber concerns are top concerns for boards right now. CISOs need to anticipate those questions and have answers for them. Visibility with the board means that the CISO will constantly be asked questions like that and will become adept at providing answers to the board. A CISO without visibility to the board should be preparing answers to those questions proactively in case they, or someone higher up in the organization, does get asked.”
Brian: Do any specific board experiences come to mind?
Robert: “One board member asked me, ‘how do I know you know what you are doing?’ and that really stuck with me. If the board members I brief are confident that I am identifying and mitigating the right risks and that I have proper incident response plans in place when things go bad, then I know I have the right level of visibility with them. One thing that board visibility does not mean is any funding guarantee. I do not go to the board looking for money. That is a conversation with executive internal to the organization.”
Innovation in healthcare continues to be a driving force in the quest to balance cost containment and health care quality. Information technology has played a vital role in the innovation of healthcare aimed at enhancing life expectancy, diagnostic capabilities and treatment, and, ultimately, our quality of life.