With both private and public sector expertise, Sumit Ohri, GetInsured’s new Chief Information Security Officer, specializes in transforming and building up robust security programs in diverse industries. Sumit’s prior experience ranges from Verizon and the San Francisco Bay Area’s Metropolitan Transit Authority to Dell’s Force 10 Network. From 2013 to 2019, Sumit was the Chief Information Security Officer/Chief Information Officer for Health Source Rhode Island, where he led the implementation of the exchange. With a customer-first focus, Sumit is known for breaking silos to develop strategies and drive innovations in technology and security.
What is your role at GetInsured?
My primary focus is to understand our current security environment and assess the gaps. This will enable me to create a roadmap for security and privacy to ensure our technology and processes are in compliance across the organization so we can continue to deliver secure and robust platforms to our clients. I am planning to leverage my experience in working with federal and CMS agencies while at Rhode Island to address the strict requirements and concerns.
Where do you see the greatest opportunities to make an impact at GetInsured?
In the short time that I’ve been here, I have learned that streamlining some of the processes that we have and establishing new ones where none exist would help to bolster the security posture for the organization. For example, creating a process to centrally update information so it can be better consumed would greatly help during the multiple simultaneous audits across all our clients. I am also working with the team to create a secure development lifecycle framework.
Would it be correct to say that you bring a customer perspective to your role?
Most definitely. When I was at Rhode Island, the entire organization’s focus—from hiring to communications—was to ensure that the customer was satisfied with the experience they had on the exchange. Even when building technology enhancements and features, our goal was to enhance customer experience and minimize roadblocks. For example, we actually pushed back on CMS on some of the password expiry requirements they had because that would have created unnecessary hurdles for customer adoption. Even our targeted outreach to the uninsured market entailed a balance between data and compliance to ensure that we were not impinging on a customer’s privacy. Now that I’m on the other side, I have a heightened sensitivity to understanding where our state customers come from, their pain points, and their desire to put customers first.
Can you tell me a bit more about how you handled compliance issues for the uninsured outreach program at Rhode Island?
Initially, we explored how we could marry our internal data with data from third-party sources to design a targeted outreach program to the uninsured. But because there are strict guidelines around data from internal and external sources, dealing with compliance issues proved to be quite a balancing act. For example, we could not use data that contained personally identifiable information or infringed on anybody’s privacy. Obviously, we had to balance compliance with what was technologically feasible. Eventually, we settled on first analyzing the entire Rhode Island uninsured market at the zip code level, and then further broke this data down by income and race. When we started the outreach program in 2013, the uninsured population was about 14%; however, by the time I left in 2019, that number was down to four percent.