Ross A. Leo: A ‘Polymath’ Ensuring Compliance, Security, and Privacy in Healthcare System

The 10 Most Influential CISOs of the Year 2022

InvisALERT Solutions, Inc. offers products that solve the problems associated with high-reliability patient monitoring for high-risk patient populations. Information security is an essential part of the healthcare industry. With attacks by malicious elements armed with advanced skills and tools increasing, it has become imperative to have a strong information security strategy to prevent unauthorized access and exploitation. As the Chief Information Security Officer (CISO) and Data Protection Officer (DPO) for InvisALERT Solutions, Ross A. Leo oversees and ensures compliance, security, and privacy in the system solution they provide.

Ross is a veteran of the information security industry, with a career spanning more than 35 years. In April of 2019, Ross joined InvisALERT Solutions. Since becoming a member of the company, he has been leading the effort to attain HITRUST certification, which he considers one of the significant achievements in his long career. Under his leadership, they are on track for this “gold level” enterprise certification by the first quarter of 2023. “It is a very difficult thing to get but I have excellent support, and we are committed to attaining it,” says Ross.

In his profession, according to him, success means achieving a “very difficult goal” – which is giving customers what they require – a secure, compliant service – and helping his company succeed without undue cost and complexity. Managing a balance between the two can be very elusive, but Ross has managed to do that consistently by staying focused on the business needs of both the company and the customer.

In this role, the solutions needed to achieve that balance frequently require a good deal of creativity.  Ross says he has found being a “polymath” has proven essential in pursuit of those answers: “the situations I encounter are often complex, with competing and sometimes mutually exclusive alternatives. Dealing effectively with these demands requires flexibility and adaptability, and I have found that having strong and creative problem-solving skills is all but mandatory.”  He says that this necessity reminds him of one of his favorite quotes, which is from Charles Kettering, “Logic is an organized way of going wrong with confidence.”

The Universe Had a Better Idea

The career that Ross ended up with is not the one he started out to do. When he was in the Navy, he decided to continue serving as a commissioned Public Health Officer. “The Navy agreed with my plan, too,” Ross says. However, various plan changes occurred, as they often do: he left San Francisco, moved to Houston to continue his Master’s program, and ended up working for NASA as an IBM contractor, assigned to oversee mainframe security.

After about 10 years, Ross realized that he had an aptitude for information security – more to the point, he actually enjoyed doing it as it involved solving riddles, finding solutions to difficult problems, and so on. “There were – and still are – times when it can be very frustrating, but I never really found anything I preferred as much to do,” he says.

“Honestly, it was never about a leap of faith,” Ross adds. “I just discovered that sometimes the Universe has a better idea about what a person should be doing than they have. Being a little bigger than me, the Universe got its way.”

Now, when Ross looks back on his long career, he feels that things turned out very well for him once he got that message and went along.

Feels More Fulfilled as a Professional

InvisALERT is a company with a very strong focus on patient safety and an industry-leading solution to achieve significant improvements in it. Ross points out that privacy and security are “very big concerns” these days, particularly in healthcare. The collaboration with associates is enabling InvisALERT to reshape this landscape by integrating its security achievements with its product’s performance. It is also showing other companies how it is done, which makes the company different from the rest. “Telling this story of achievement has further improved an already strong history of success,” Ross says.

Along with overseeing the security and compliance aspects of the company, Ross also helps his teammates to use their security posture as a differentiator when dealing with customers and prospects. As the CISO, he has made a conscious effort to ensure the security of their products and services as well as to apply the same effort to the sales and customer service processes, as he believes that these days, it is critical to have a “genuinely” strong privacy and security program. Ross explains that when this can be shown to greatly benefit a company’s customers’ operations when using its product as well, that becomes a “story worth telling” to add validation to their decision to engage with them.

Ross’s life prior to InvisALERT, in some ways, was not much different. It was almost similar to what it is now – collaborating with clients, designing, and implementing compliance programs. InvisALERT, however, has a special spot in Ross’s professional journey. “I think the biggest difference since joining InvisALERT is that I feel more fulfilled as a professional and as a person,” Ross says. He feels he has been fortunate to have worked with some very smart, very competent people throughout his career. “There is an abundance of those at InvisALERT,” he adds.

There is a “very positive atmosphere” at InvisALERT; Ross calls it “very healthy.” That adds “tremendously” to the important contribution the company makes to its customers, and to the quality of its patients’ care. “Knowing this makes me believe in the importance of what we do here and my wanting to contribute to that,” says Ross.

Challenges and Achievement

Ross agrees with the thought that challenges make one stronger. However, he also points out that challenges that present no hope of resolution – like those erected by people, including themselves – can end up being very damaging through frustration.  “The ones that taught me the most valuable lessons were this sort – the challenges erected by people since the technology was almost always solvable,” he adds.

Other challenges taught him to understand the dynamics of the personalities and how to collaborate with them to achieve positive results — the mutually beneficial sort, whenever possible, including the fact that it was not always possible. “And, for the ones I put up myself, I had to do much the same thing,” Ross says. From this type of challenge, he learned about his own philosophical factors, his own biases, and his own blind spots. The lesson that he learned was that sometimes he had to get out of his own way so that he could adapt and overcome the challenge ahead of him.

When it comes to finding a solution to a problem, Ross believes Dr. Albert Einstein put it perfectly: “We cannot solve our problems with the same thinking we used to create them.”

Challenges have never stopped Ross from achieving his “very difficult” goals. In his illustrious career, he has accomplished many things. There are several impressive achievements to his name.  One of them is the telemedicine system he deployed for the State of Texas.  Between 2002 and 2006, he took an existing concept, re-engineered and improved the design and technology, and directed its implementation.

When the system was completed, his team had built a data center, connected 126 locations around the state, created a unique workstation as the main endpoint, assisted with the design of several “tele” versions of digital medical instruments, and operated a medical records system to manage more than 350,000 patient records. As the project progressed, Ross found that what they were doing was unique; that while many other projects employed some of the same instruments and techniques, no one else had brought it all together in the way his team had. Looking back on that period, Ross notes that only in the last few years has that achievement of nearly 20 years ago been equaled. “We did not fully realize at that time how much of a trailblazer we were.”

“The system ran real-time, high-speed voice/video/data between patient and doctor over a state-wide secure network and had 12 private “broadcast studios” for the docs to connect with their patients,” Ross points out. “That was the goal and I and my team achieved it in less than 3 years.”

Later, Ross learned that they had built what was then the world’s largest telemedicine network, routinely allowing 3500 to 4000 virtual patient encounters per month – also a record for volume.

A Regular Day at Work

Ross’s regular day at work may involve performing a third-party compliance attestation for a prospect or renewal for an existing customer, and supporting customer meetings to address similar issues, either presales or operational. He says that sometimes it involves sitting in on design meetings to stay current on the various features and offerings to ensure proper security is being designed. “And, when international opportunities come our way, I will be working to satisfy GDPR compliance needs,” Ross adds.

Ross believes in leading by example. He keeps his team on track by remembering that they have lives and families, since, according to him, compassion and respect can go a long way, especially when expectations are high.

Like most successful leaders, Ross, too, finds maintaining a work-life balance not easy. “Another work in progress, I guess,” he says. “One thing that makes things easier is that I really enjoy what I do and know when to take a rest from it.”

Changing Landscape of the Industry

Ross has given much thought to the changing landscape of the information security industry. “I think the landscape has actually changed in only a few fundamental ways,” he notes.

First, criminal exploitation, which has always been there across businesses, has operationalized the monetization of stolen information. Ross explains that there is now a full spectrum of business operations at work – product acquisition, manufacturing, marketing, distribution, revenue cycle, and more. It is not something truly new – more than two decades in evolution – but now completely entrenched like many other industries, according to him. They probably even have ISO 9001-like quality measures they try to achieve.

And, the second fundamental change, Ross notes, is not so much a change as it is an expansion. He recalls that when he started in this profession, information theft was almost exclusively an insider act of physical theft. Now, Ross is noticing that it is planetary in scope and facilitated by every kind of computing device, with the tools and methods simple enough that amateurs can make profitable use of them.

Ross views the technology as “instrumentality.” He points out that it is the same for everyone, and the bad guys can know just as much about it as others can. And, as far as innovation is concerned, he has yet to decide about it and its impact. “Certainly, tech has advanced a great deal during my career, and we have been able to improve security alongside that,” Ross says. “But I am not really sure this has helped all that much since a single human mistake, say with a phishing exploitation, can put a torch to our best efforts.” He believes that it is certainly a work in progress, and very likely always will be.

Plans for the Future

“Simple” is how Ross describes his plans for the future of InvisALERT. He will continue ensuring that the company attains and maintains its current posture so that their future customers, too, will have confidence that using the company’s system adds real strength to their own privacy and security compliance.

“By our continuing to keep our system both beneficial to their operations and an improvement to their own compliance, we contribute to their greater success in achieving their own mission,” adds Ross.

Message to Aspiring Leaders

Ross’s message to aspiring leaders in information security is drawn from the lessons he has learned. He underscores the importance of having a tech background as the foundation and staying current on skills, issues, and development in his message. But he points out that technical skill is only part of the picture, and that completing that picture successfully requires the ability to integrate with the business leaders to fully grasp the risks and concerns they face, and then lead the effort to achieve the optimal solutions.

“When I started in this business, I quickly learned that everyone thought I worked for “The Department of No”, because my predecessors apparently told the others quite often “no, you can’t do that because it’s not secure”.  I had to work hard to change that impression so that my department would become “The Department of Here’s How”.  It took effort and time, but I eventually succeeded at that.  In the highly competitive and international environment we have today, it is more important than ever to maintain the “here’s how” mindset, on both sides of the conference table.”

Ross strongly recommends that aspiring leaders not lose focus on the real and most immediate concern. “It is about your business, whatever industry you may be in, and about protecting their most precious assets: their customers and their information. This may seem a most obvious thing to say, but it is often that the most obvious thing is the first thing to get lost. Keeping this as one of the primary guiding principles and delivering on it every day makes you stand apart from others as a leader who really delivers.”

Definitely words to work and live by.