Interview with Lars Pontén, Chief Information Security Officer at Doctrin
At Doctrin, technical security is of the utmost importance. As the use of our platform grows, we will be exposed to new risks. We are therefore pleased to introduce Lars Pontén as the new Chief Information Security Officer at Doctrin. Lars has previously worked for 18 years on security issues in the Armed Forces, and he believes that high security does not have to come at the expense of efficiency. Read on for his view of what the public sector needs to consider on security when procuring subcontractors.
What is your previous experience?
I started my education at Lund University. About 20 years ago, I worked with telemedicine at Telia in the Baltic International Telemedicine Network. Among other things, we worked with health centers in Estonia on the island of Ösel, which used video to communicate with healthcare on the mainland, so video in health care is not as new as you might think.
Above all, my background is 18 years in the Armed Forces, where I worked with defense logistics. Logistics is about getting the right things in the right place at the right time. I worked with secret defense logistics, including everything from securing logistics around food and healthcare to the maintenance of complicated machines such as submarines and IT security issues.
The Armed Forces and the health service have in common that there are very clear regulations that set the security framework. What you as an organisation must focus your security work on is how to combine security and efficiency so that one does not happen at the expense of the other.
What is the most important thing to consider as a caregiver regarding safety?
There are three important principles when we talk about safety. The first is about what you want to achieve. That is, one should strive for an efficient business in combination with high security. It is often a question of attitude. People tend to believe that safety is limited, but usually, there are ways to achieve both efficiency and high safety as long as that is what you strive for.
The second vital principle we talk about in security work is separation. That is, to secure the customer's operations, operating environment, and development so that security risks in one area do not affect the others.
The third principle is about transparency and that there is a culture in the organisation that encourages people to speak out when identifying security risks without being afraid of reprimands. How successful you are in your safety work is mainly about preventing hazards and acting quickly when incidents occur.
What should you ask for when purchasing digital platforms when it comes to security?
Essentially, you must demand from your subcontractors that they understand the business and respect the complexity that you as a care provider are responsible for maintaining. As a decision-maker in a region or purchaser of a digital system, I would like the supplier to proactively think about preventing security risks, rather than as a public purchaser or care provider having to come up with a long list of requirements.
Which areas of healthcare are particularly vulnerable when we talk about safety issues?
There are four areas when we talk about safety in healthcare. One is patient safety, i.e., ensuring that people do not die or get injured. The second is patient integrity, i.e., ensuring that patient data is not leaked to unauthorized people; for patients with a protected identity, this can be a matter of life and death. In this area, Doctrin has worked from the start to ensure that our structure complies with and sometimes even exceeds existing legislation.
Technical IT security can be divided into two parts: general attacks such as ransomware, which affect all types of organisations, and attacks aimed at a specific organisation, for example to obtain protected identities or other sensitive information.
What do you need to do to maintain the best security possible?
Just because we talk about security, it doesn't mean we have to be cumbersome and restrictive. One must have an optimistic and solution-oriented attitude in the organisation. For example, it is possible to think safety-consciously without limiting creativity or efficiency.
In addition to ensuring that existing legislation is complied with, it is a matter of culture and organisation. To get that process started, you have to start with employees and subcontractors and ask yourself: what is vital for an efficient business, and what is essential for our safety?
You need to formulate it so that employees start thinking for themselves. The traditional way to raise awareness was to scare, e.g., about ransomware. But today, I think most people are much more positive in the dialogue about why and how to work with security issues.
How should one proceed to maintain safety without reducing efficiency?
The balance between patient integrity and information management, for example, in medical records systems, is formulated in great detail in the laws that the Riksdag has produced. Therefore, it is very clear what applies. The challenge for us who work with digital systems in healthcare is that the information protected by confidentiality must be able to be shared to achieve efficient and patient-centered care. So then we must find solutions within existing regulations that comply with the law.
How should the patient perspective be taken into account?
I am the father of a 17-year-old disabled son with special needs. It makes me happy to see how healthcare takes such good care of my child. In fact, my child loves and cares about looking after his best interests in all situations. But of course, there is a challenge, especially as he gets older, to ensure that he gets the help he needs without sacrificing his independence.
Not all people find it easy to work with digital tools. My son cannot use BankID due to limited physical ability in his fingers. However, cognitively he has no problems, so in his case, voice-controlled functionality would be suitable, and we are now working on that at Doctrin.
What distinguishes Doctrin in security?
We take safety very seriously. A concrete example is that operations are located separately in Sweden. The interface with data is as small as possible. For example, we do not work within the specific patient cases; they are located separately. A second example is risk management. For a long time, we have had a risk management system with regular risk meetings, dialogue with customers on how it develops, measures, and follow-up to maintain levels.
We also work to ensure that if you see a weakness in the system, you let us know so that we can fix it. We notify customers when we see security problems to be as transparent as possible, but also because sometimes they can take measures that reduce the consequences. We perform recurring reviews. A review is an opportunity to get a new perspective on what you do and give recommendations about what needs to be improved. So I encourage everyone to do that.
Any final words on how to improve safety in healthcare?
My advice to decision-makers and procurers is to have a requirements dialogue instead of a list of requirements. Raise the question of review in the procurement documentation, and thereby conduct a discussion about how the company ensures external review, rather than setting a specific requirement that is not always the most adequate.