Privacy and Security Consciousness in Health IT
Unfiltered Perspectives
How the Culture of Privacy, Security and Risk Can Elevate the Health Ecosystem
Smile Interview Series: featuring Luis De Barros, by Aarti Mathur
Date: October 20, 2023
Chief Privacy and Security Officer (CPSO), Smile Digital Health
Luis’ IT career started in software development. Over the course of his two-decade career in the healthcare sector, he has developed clinical business solutions, provided information security leadership and enforced several evolving privacy controls. He is driven to come up with options that are realistic, optimistic and forward-thinking.
In his free time, he enjoys yelling at clouds, encrypting random prime numbers and counting in German (because it just makes so much sense!)
Security, privacy and risk management are not topics most of us look forward to discussing. Prepare for that to change!
In this fourth release of our Thought Leadership Series, we learn new ways of handling privacy and security concerns in work culture, at an organizational level, and as an industry. Our Chief Privacy and Security Officer, Luis De Barros, shares his insight on the subject in his usual upbeat way and explains how Smile leads the way in elevating IT standards across the health ecosystem.
AM: Tell me a little bit about your career journey. You started as a software programmer. How did you find your way to privacy and security in healthcare?
LDB: Some of my earliest memories are of programming on the old 8-bit computers using BASIC, and that took me on the path that I am on now. I always got a lot of joy coming up with an idea for an application and then having the ability to create it. My first jobs and contracts were all development jobs, and it was when I started working for the largest hospital in Ontario that I started thinking differently about the web applications/services that I was creating. Many of them were externally facing and at risk of being misused or abused. But sometimes, even internal applications would get targeted by staff who were bored or by workstations that were left compromised; so I started taking a more preventative approach, which led me to the field of information security (InfoSec). I always felt that being a developer gave me a different perspective from my InfoSec and Privacy colleagues.
Luckily, I had supportive leaders and an environment where staff were not pigeon-holed into a specific role if they wished to expand. I took it upon myself at the time to ensure that not just the applications, but also the infrastructure, were robust and could withstand unexpected activity or potential abuse. Of course, being in healthcare there was also the impetus to ensure that confidential data remained secure and that the services critical to providing care could be available and reliable. Over time, the privacy elements started entering as well. Long before ‘security or privacy by design’ was an industry concept, I had been actively working on ensuring that applications and infrastructure were resistant and effective in reducing any malicious exploits.
The interesting part of the journey for me is the present. That I ended up working here at Smile, where many of my former healthcare colleagues also are, ensuring that the same principles I worked towards 20 years ago are implemented in our products and services.
AM: You’ve worked within the area of security in telecom, as a consultant at a hospital and now at Smile. What have these experiences taught you about the culture of security in healthcare?
LDB: For a long time, the healthcare sector looked to the financial sector with an envious eye with regard to information security practices and controls. Finance always appeared to have the most resources and all the shiny toys. Obviously, they have desirable targets to protect and an obligation to their customers. I have learned over the years that we have the same duty to patients, and in my opinion it should be held to a higher standard than the other sectors. In the healthcare industry, we have been forced to be a bit more creative and innovative due to a lack of budget for IT; this allowed us to explore open source options, form partnerships with other organizations, and many times create our own solution from scratch.
Things have certainly changed significantly in the last few years as the value of medical information makes it a more prominent target. Organizations have to invest more in ensuring that the right protections are put in place from the beginning. In the past this was more a nice-to-have or an afterthought. The topic of security is now one of the main discussion points we have with our clients, which is great to see! Healthcare organizations are now becoming much more discerning with storage needs—they don’t select the solution that meets their immediate needs but would cost more if a data breach occurs.
I understand now that many times organizations have to make a risk-based decision about implementing a security control or not. To come up with the perfect solution, you need almost infinite resources. At the end of the day, once you make a service available to users you leave yourself exposed. The approaches and cultures that I have seen across industries tend to differ somewhat, yet the end-result is the same—ensuring that the individual’s data is protected and that the organization is not adversely impacted due to disruptions.
I find myself working for an organization that is a commercial and private entity that maintains and shares the principles and perspectives I value in healthcare. I’m fortunate that the leadership is open-minded and considers the implications of their choices, because they've experienced vendors struggling with those choices. They don't want that to happen to Smile's customers.
AM: I’ve watched a few of your talks, and you are generally very upbeat and optimistic around topics that are not traditionally ‘fun’. What is it that excites you about the current and future of how we handle risk, privacy, ethics, and security in healthcare?
LDB: It is my responsibility as a privacy and security professional to instill confidence in people’s own abilities and provide practical solutions. Like in many other fields, individuals sometimes just need a little bit of encouragement or support.
For my colleagues starting out in the industry, I try to enforce the message that they should put themselves in their client’s shoes and empathize with the challenges they face. Most of the time, I’m thinking about what I would like to see if I were the end-user, patient, or client. Typically, I share those exact concerns and attempt to strike a balance between what is useful and what the standards dictate. Having a more constructive and positive approach certainly makes the message come across a lot better.
Early in my career, I remember reading an introductory book about how an InfoSec professional “should have an opinion”. I completely agree with that! This forces you to care about the issue at hand and also do your research before coming up with a recommendation. I should make the point that privacy and security professionals are typically in a position of influence; that is a very privileged role and one that should not be abused. Anyone in this field should be held to a higher standard and be seen as welcoming.
I personally gravitate towards people who are fun, knowledgeable, don’t take themselves too seriously, are open-minded and engaging. While I’m far from perfect, I do work hard to ensure that colleagues have a similar perception of my traits.
AM: Since October is cyber-security month, can you share why you believe Smile’s products and processes are creating a higher standard in healthcare?
LDB: I have been on this journey, in the front row with Smile, for more than three years. When I think about growth within the company, what struck me initially was how many security and privacy conscious individuals we have working here. I was impressed with the group of developers we had and how little I had to get involved because they were doing all the right things with regard to secure coding practices, testing and consent management. This made my job with regard to our Software Development Lifecycle (SDLC) more a matter of fine-tuning.
My team has received a lot of compliments on how quickly our organization was able to achieve our ISO 27001 and ISO 13485 certifications. The only reason we were able to do it in under a year was the amazing staff that we have. Any security or privacy professional will tell you that the culture change and staff education is the hardest part. I was fortunate that the staff already had all the necessary knowledge and I only needed to formalize, reinforce and, of course, apply for the certifications. Since then, all those individuals have hired other colleagues with the same mindset.
The founders have always been supportive of my program, and Duncan (our CEO) is, in my opinion, the best InfoSec professional I have worked with and was (and still is) a mentor to me. It makes prioritizing security and privacy initiatives much easier when the entire senior management team, and especially George (our President), have your back. There are no difficult conversations with my peers; we’re all on the same page. In this company, security and privacy truly go across all lines of business, and it’s been like that since I started.
Smile has also made a clear commitment to support our Privacy and Security roadmap. Not only did we build on our initial certifications to obtain HITRUST, SOC 2 and other ISO certifications, but we have now been expanding and maturing our Privacy and Security program, which directly improves our products and services. Honestly, it would be a lot easier for us to forgo a lot of the formal certifications or third-party reviews while still being able to deliver highly secure products. But these certifications are driven by our own desire to get independent and objective reviews on how well we are doing. As well, they have the added benefit that we can share this evidence with our clients so that their risk and compliance departments can make decisions quickly and with confidence.
In addition to that, adhering to industry standards positions our products for better growth as we introduce new technology or expand on our functionality, like AI (artificial intelligence). Smile tends to be ahead of the curve when it comes to meeting many of the regulatory requirements, which benefits our clients because we have a future-proof solution in place. This is how we are elevating the standard of healthcare technology companies.
AM: When you hear about national or institutional cybersecurity attacks, what comes to your mind? What would you tell the head of security at those agencies or organizations?
LDB: InfoSec and Privacy leadership roles are not easy jobs. It takes a strong person to make that work. Everyone who takes on this profession, and especially those in leadership, has my utmost respect. The average tenure in the role of a CISO (Chief Information Security Officer) is 26 months.
I totally understand what an organization faces when they are targeted or are victims of a cybersecurity attack. I typically dread the hindsight analysis that comes from random security experts who may have no idea of the day-to-day operations or pressures that led to the situation arising. Sometimes you don't do anything wrong and you still have an incident to deal with. These events are learning experiences. Your root-cause analysis will tell you what the weak links were, you learn who supports you and, more importantly, you learn about your own capacity. Every incident I have dealt with has made me a stronger and more experienced professional, and I don’t think I would be half as good if I had led a seamless and uneventful career. And just as importantly, I forged some of my strongest relationships during those times; I treasure those individuals.
It’s important not to despair, since everyone will look to you for leadership and you have to put on a brave face. It’s okay to feel scared, embarrassed, and disappointed when an incident occurs. It’s only human. Do find someone to speak to, because if you don’t deal with those strong emotions, they will manifest themselves at the wrong time and at the wrong place.
AM: What is the riskiest thing you’ve done in your life?
LDB: I love Costa Rica, and on one of the trips we decided to do the tree-top zipline in the middle of the rainforest. My wife wasn’t too keen, and my youngest was too young. So, my son and I went on this amazing outing. At the end of it, the guide said, “Hey, you can now do a bungee jump if you want”. My immediate thought was: “Hmm, we are the only people here in the middle of Costa Rica with no one aware that we’re here”. I continued to think that I’ve already pushed my luck with the zipline and made it unscathed; bungee jumping may be a step too far. But before I could say “No, thanks”, my son said that he would love to do it!
As a semi-responsible parent, I figured that I should go first to make sure it was safe for him. So, I got all strapped up and stood on the platform. When my son got up there, he (wisely) changed his mind. For a couple of seconds, I considered spending 10 minutes untangling myself from the gear and calling it a day. But I decided to jump off the edge! Mostly because stepping off just felt silly. This was totally out of character for me.
I had never planned to bungee jump in my life, but I am glad I did.
AM: Wow! At least you were strapped up and secure for this risky endeavor! Thank you Luis, for sharing your perspective!