Name: Ana Ferreira
Employer: Center for Health Technology and Services Research (CINTESIS), Faculty of Medicine, University of Porto
Location: Porto, Portugal
Education: BSc in Computer Science, MSc in Information Security, PhD in Computer Science
Years in IT: 20
Years in cybersecurity and/or privacy: 16
Cybersecurity certifications: CISSP, HCISPP
How did you decide upon a career in healthcare security and/or privacy?
After I graduated in 1998, I went to work for a healthcare education institution as a researcher and IT specialist. After a few years, I realized that security and privacy, especially in the domain of healthcare, were crucial for the quality and protection of patient data. I decided to make a change and enter into information security and received a Master’s degree in Information Security at Royal Holloway, University of London. Royal Holloway is considered one of the best cybersecurity education programs in the world and helped guide me to the first certification - the CISSP.
Why did you decide to pursue your HCISPP?
I am located in Europe and focused on healthcare security research and applications. The main influence to pursue the HCISPP this year was the start of the General Data Protection Regulation. It was important that I be prepared to help my institution and colleagues both understand it and apply it in daily practice.
In cybersecurity, no two days are the same – what is your main role in your organization?
Besides helping my colleagues in their own research projects to protect sensitive or personal health data they need to use and process, which is always a challenge due to their own specific requirements, I currently have a full-time research contract with the Portuguese Science Foundation. I am a principal investigator in the ongoing 5-year project TagUBig – Taming Your Big data (https://users.med.up.pt/~amlaf/tagubig/) at CINTESIS – University of Porto, Portugal. The main goal is to study if individuals can use their BiDa (Big Data) to control and improve transparency, privacy and usability, when interacting with an application.
Tell us about a project that you were particularly proud of.
I’m particularly proud of a project that was researched and developed within my PhD work, which comprised the development of a new Role Based Access Control model – BTG-RBAC. This model won 1st place in the Fraunhofer Portugal Challenge - awarding research of practical utility (PhD Category), in 2010. This new model can be adapted to the healthcare reality of emergency or unanticipated situations where availability can be more important than confidentiality. “Breaking the glass” (BTG) to access unauthorized data in a controlled and temporary fashion can bring the required flexibility to such a heterogeneous domain as healthcare practice. This model has been implemented at the second biggest hospital in Portugal, located in Porto, to provide BTG access to patients’ genetic data.
What impact has the HCISPP had on your career?
I received my certification in September 2018, so I cannot yet state the impact it has had on my career. However, I can certainly predict that it will help me and my future career to improve and always keep up-to-date with the cybersecurity needs within the healthcare domain as well as in other domains that my work intersects (e.g., computer science, social sciences, psychology, etc.).
What advice would you give to those who are thinking about pursuing health IT security as a career?
This is a field that is constantly challenging you because it invariably involves humans and their private/sensitive data. You will probably never have a single boring day and will continually be “forced” to learn and deliver to the best of your ability, being on top of your game, as people’s lives and reputation are involved at a high stake.