Introduction
For this part of the assignment, we conducted a video interview with Mitra Minai, who is currently working as Chief Information Security Officer (CISO) at Healthscope.
The meeting was not recorded, as per the request of the interviewee. Mitra's career, current role, employer and education are outlined on this page.
Mitra has an extensive technology background specialising in security, technology risks and control frameworks.
Mitra has worked across the finance industry in both the private and public sectors, and has also worked for consulting firms. She is currently working in the health industry.
Details of the meeting are recorded in the Questions & Answers section. The meeting lasted 45 minutes, which limited our ability to get through all of the questions we had prepared.
Current Position
In charge of defining and implementing Healthscope's security and data privacy strategy and roadmap, to uplift the security posture of the organisation and deliver effective information security and privacy solutions and services across Healthscope's 43 hospitals.
About Healthscope (From https://healthscopehospitals.com.au)
Healthscope is one of Australia's largest private hospital operators. They have 43 private hospitals (30 acute, seven mental health and six rehabilitation hospitals) and manage three on behalf of the Adelaide Community Healthcare Alliance. With over 18,000 employees, their aim is to provide quality clinical outcomes and excellent patient experiences.
Career
NAB (2015-2019)
Head of Technology Specialist Controls
Led a team of highly specialised risk and controls professionals to deliver consistent and comprehensive risk and controls management frameworks and processes.
Principal Cyber Security Risks and Controls Advisor
Improved visibility of security and cybersecurity risks and the related controls environment across the enterprise by designing and rolling out a robust security threats and controls framework.
Cybersecurity and Data Security Risk Lead
Charged with leading NAB's Cybersecurity Risk Management Program, taking a risk-based approach to identify the most critical business functions and the most sensitive customer and business data; detect key threat exposures; and use those insights to mobilise security solutions and key controls around the bank's riskiest operations.
Group Technology Risk Director
Responsible for formulating and prioritising the implementation of pragmatic solutions to meet the Monetary Authority of Singapore (MAS) Technology Risk Management (TRM) requirements and to uplift technology risk management capabilities across the organisation.
ANZ (2009-2012)
Governance Integration Senior Manager
Operational Risk and Compliance Senior Manager
Ernst & Young (2007-2009)
Senior Manager Risk Advisory Services
Accenture (2006-2007)
Manager Finance and Performance Management
NAB (2005)
Technology Risk Manager
PwC (2003-2004)
Senior Technology Risk Consultant
ASIC
Forensic Investigator
Education
Monash University
Master of Business Systems, Application Development
Bachelor of Accounting/Bachelor of Computing
Questions & Answers
Please tell us about your IT work. What exactly do you do?
CISO – develops and delivers the cybersecurity and data privacy strategy and vision to ensure that critical assets are protected.
Responsible for five key areas:
A) SOC – perimeter control processes are in place to protect systems and access to the network. A small internal team works with an outsourced SOC function that provides key services. As an example, the internal team will do further investigation of events such as phishing by isolating end-user machines.
B) Data privacy – given this is the health industry, the management of data is critical, as they are dealing with patient health files, including mental health records. This means ensuring that controls, processes and policy are in place, and that data classification and handling are tightly controlled.
C) IT governance, risks and controls – SOX is being implemented here, dealing with the accuracy and completeness of IT application and general controls from a financial reporting perspective. The key phrase Mitra used here was that "protecting the crown jewels" is paramount.
D) Business-facing security architects – something Mitra has introduced so that IT security and privacy are covered whenever a new change initiative is introduced.
E) Cybersecurity and privacy education across the organisation. The human factor is easily manipulated, and with a 20,000-strong workforce, managing this piece is really important to protecting the organisation. Attackers target payroll and finance executives. Healthscope use Proofpoint as their email gateway, which has very powerful scanning algorithms.
Please tell us about the industry you work in.
Health. 43 Hospitals across the country.
Owned by Brookfield Business Partners (https://www.brookfield.com)
How has COVID-19 impacted you?
In March they needed to scale from 20 concurrent VPN users to 1000 within a short period of time.
Hospitals were converted to have the ability to take COVID patients.
Some hospitals were converted to take in the aged from aged care facilities where there were infections, i.e. to house the non-affected residents.
Elective surgery was stopped, which impacted their bottom line. Later in the interview, Mitra spoke about investment spend, and the link between the two, and how this may impact IT investment, is not lost on us.
Who are all the different people you interact with in your work?
Mitra interacts with the executive leadership team, the board (four times within the last five months), Brookfield Partners (the owners of Healthscope), app developers, service delivery, software developers, engineers, the audit committee, state managers, general managers and the CEOs of individual hospitals.
They use a NIST cybersecurity assessment to determine the gaps, the residual risks and what needs to be implemented tactically and strategically, and then put this in front of the decision-makers.
What happens when a person or organisation has bad cybersecurity?
Data breaches and spear phishing; there are many examples on the web around this. They have had ransomware events.
Attackers target payroll and finance executives. Healthscope use Proofpoint as their email gateway, which has very powerful scanning algorithms.
What is changing in your industry right now?
Data breaches. Given this is a newly elevated role, there is significant interest from senior executives, the board and the owners (due in part to the Foreign Investment Review Board (FIRB, https://firb.gov.au/about-firb) requirements on foreign ownership). They are very understanding of the current external landscape and the significance of protecting the assets, systems and health records. They are seeing breaches occurring at other health providers.
Maturity in cyber is a critical factor in the changing landscape. The financial industry and telcos are heavily regulated and have been for some time, and therefore have stronger control over their data and systems. This has seen a shift in activity to other industries, including health, where threat actors see money to be made from data.
What is likely to be possible in cybersecurity in the future that wasn't before?
This question wasn't asked; however, the discussion pertinent to it was around the internal procurement processes. One of her responsibilities is to help the executive absorb a possible problem in a simple way, by simplifying the sector's terminology.
- Working with the others in the team to protect the organisation
- Costing the uplift of capacity and capability, etc.
Individual hospitals have procured their own equipment, often with a tech interface: IoT equipment that is connected to the web. The company can be faced with serious problems if these devices are hacked, as it could impact a patient's health or even their life. For example, a breach of the network can cause major damage simply because IV drips, IV pumps and pacemakers are part of the network and are of vital importance to patients.
Previously the equipment hadn't been pen tested; they are now taking significant steps to ensure that there is governance around this process.
They are outsourcing the pen testing to see, with a given device:
- How far can the testers go?
- What can they do with the given access?