Boban Krsic has been Vice President of IT Security at Fresenius Digital Technology since 2021. How do you protect a healthcare group working in multiple branches against threats? What specifications and measures are required? How do you manage the development of such an important department? Boban answers these questions and more in this interview.
We provide IT security. This is important for any business but especially for a healthcare group such as Fresenius. Ultimately, a breakdown in the system or applications causing a halt to production or logistics could quickly become life threatening for our patients. We aim to seamlessly combine security measures, trusting working relationships, and creative solutions. We want to safeguard Fresenius’ mission: better medicine for ever more people – and to do so with the highest level of security. We provide accessibility, reliability and integrity of information and data across all of Fresenius Digital Technology’s services and platforms. This is how we contribute to protecting the supply chain.
All our projects are exciting – I wouldn’t like to rank them. We are currently working on around 12 projects in different areas, taking care of IT security at various levels across the majority of the group’s segments and in close cooperation with them. We simply didn’t exist before; we are a newly formed central function and that in itself is exciting. On the one hand, we take care of the implementation of governance frameworks for cyber security, for example, as well as the application of relevant processes and measures within FDT’s area of responsibility. On the other hand, we are responsible for checks and security measures in the system environment such as cloud application security. As well as co-operating closely with cloud providers such as Microsoft or SAP, we also work with internal sectors such as Application Operation or Global Infrastructure. At the other end of the spectrum, we take care of endpoint security, which involves protecting each individual workstation. We have tools and policies to regulate the conditions under which different devices must be used.
If we take the example of handling removal media – this includes practically everything that can be connected to a computer, whether wired or wirelessly, we have precise specifications regarding what is permitted. But specifications alone aren’t the end of the story. So, for example, can USB sticks be used when they could be infected with malware? If we decide that only Fresenius’ own USB sticks are allowed, this has practical consequences: Where do I get them from? What happens if someone else uses them? Do I receive a warning message or does the USB stick not function? Everything must be operationalized. Here we have an intersection with many other departments in the business, such as Procurement, Service Desk, and Communication. Other practical examples include the handling of administrative users and the use of antivirus software. Here we repeatedly contribute by setting up a cross-group program which in close cooperation with other security experts within the Fresenius Group implements up-to-date security standards safeguarding our IT infrastructures. Naturally, we also need to check that the service providers we use comply with security requirements. Add in a pandemic, geopolitical events and actual cyber attacks, and you can see that our job is really exciting – and stressful. By way of example, when everyone began to work from home at the start of the Covid pandemic, we had to adapt our security structures. Or ensure that, despite the war in Ukraine and power and internet outages, our dialysis centers can continue to operate and that, above all, IT systems remain secure. Here we closely cooperate with our cybersecurity colleagues in order to to assess the possible threat of Russian cyber attacks and take precautions against these. In addition, a trade embargo by US companies such as Microsoft could have a real impact – e.g., if updates can no longer be installed, then this could lead to gaps in security.
Cybersecurity at Fresenius is following our supply chains (data, hospitals and manufacturing) in order to make sure that the digital backbone of the company is reliably protected. Therefore, we face various challenges and IT security contributes considerably to coping with them and has an unbelievable opportunity to help shape the direction. We are a new, dynamic function – so much that it sometimes feels like working at a start-up. At the same time, we also have a broad remit, so together with the security experts of the Fresenius Group, we can set standards which are then applied throughout the group. What’s more, in our global company, mergers are common. When 1,000 employees come on board in one go and need to be integrated into the security landscape, then it’s all systems go. Anyone who says “I am keen to develop” is in the right place. We need people with that proverbial hands-on-mentality who are looking to build something.
My team is still a manageable size, which makes it easier for me to stay in close contact with them. We communicate pretty much constantly, using agile methods to create and maintain transparency, and we come together as a whole team several times a week. Thus, we create and enhance trust in our transformation. Of course, we also have daily tasks that we typically hand over on an informal basis. Everything is very fluid. Since people still report directly to me, lines of communication are short. But, regardless of the size of the team, I believe that trust isn’t just important – it is the foundation of co-operation.