Helping Healthcare Teams Navigate AI, Privacy, and Cyber Risk

Senior healthcare IT practitioner sharing 15 years of operational experience in AI governance, PHIPA compliance, and cybersecurity. I collaborate with peers, contribute to knowledge, and advise colleagues, because better-informed healthcare teams build safer systems.

Hospital IT Leadership · AI Governance · PHIPA · Privacy · Cybersecurity
Hospital IT & Security Leadership
Acute-care environment · 15+ years
AI Governance & Policy
LLM auditing · Responsible AI · Healthcare context
Privacy, TRA & Compliance
PHIPA · PIPEDA · IPC-ready programs
Microsoft, Cisco & Healthcare Platforms
Azure · M365 · Cisco · ServiceNow · HL7
Areas of Expertise

Four Interconnected Focus Areas

My work spans four areas that, in healthcare, don't exist in isolation. AI governance fails without privacy controls. Privacy programs fail without security fundamentals. And both depend on regulatory literacy. These are the domains where I've built the deepest operational experience, and where I most enjoy sharing knowledge and collaborating with peers.

01 · AI & LLM Governance

How to evaluate, approve, and govern AI tools in clinical and administrative settings, including LLM-specific risks like data leakage, hallucination, and consent violations, grounded in day-to-day healthcare practice.

AI Governance · LLM Risk · NIST AI RMF

02 · Privacy & Impact Assessment

Structured privacy analysis for new systems, AI tools, and vendor onboarding. Practical PHIPA-compliant PIA methodology developed through real audit cycles in Ontario's healthcare context.

PHIPA · PIPEDA · PIA Design

03 · Threat & Risk Assessment

NIST-aligned threat and risk analysis for hospital networks, cloud environments, and medical devices. Translating technical findings into governance language that boards and clinical leadership can act on.

NIST CSF · IoMT Security · Risk Register

04 · Canadian Healthcare Compliance

Navigating PHIPA, OHA standards, and IPC requirements in Ontario's bilingual healthcare system. What compliance documentation actually needs to look like when the regulator arrives, not just what policy says.

IPC Readiness · OHA · Gap Analysis
My Approach

How I Think About Problems

Whether I'm working through a challenge with a colleague, contributing to a peer review, or advising informally, this is the mental model I follow. It's also how the hospital initiatives below were structured.

Step 01 · Understand the Context

Stakeholders, systems, regulatory obligations, and operational constraints. No two hospitals are identical; context shapes everything.

Step 02 · Assess Honestly

Evidence-based, not checklist-driven. The goal is an accurate picture of reality, not a comfortable score that doesn't hold up under scrutiny.

Step 03 · Communicate Findings Clearly

Risk findings only matter if the right people understand them. I translate technical realities into language that boards, clinical leads, and privacy officers can work with.

Step 04 · Build a Practical Path Forward

Prioritized, sequenced, and calibrated to what an organization can actually execute, not an aspirational list that stalls on the first implementation.

Step 05 · Support Governance That Lasts

The goal isn't a one-time fix; it's durable capability and governance ownership inside the organization.

How I Can Help

Ways to Collaborate

I'm open to knowledge exchange, peer review, informal advising, and speaking opportunities. I genuinely enjoy helping teams in healthcare think through hard problems.

Peer Conversation

Talking through a governance challenge, a PHIPA question, or an AI evaluation you're working through, no agenda, just knowledge exchange.

Document & Framework Review

Reviewing a PIA, a security policy, or a risk register draft and giving honest feedback from an operational healthcare perspective.

Speaking & Panels

Contributing to conferences, webinars, and working groups on AI governance, healthcare cybersecurity, or Canadian privacy compliance.

Community & Working Groups

Participating in healthcare IT, CISO, or privacy communities where shared experience makes everyone's organization stronger.

Selected Achievements

Initiatives & Outcomes

A selection of initiatives delivered across healthcare environments throughout my career. All outcomes reflect real operational results, not projections.

AI Governance · LLM Review · PHIPA

AI Clinical Tool Governance Program

0 privacy events · 3 AI tools deployed · 34% admin time saved

Situation

Clinical departments across hospitals and clinics are requesting AI-assisted tools (note transcription, scheduling optimization, triage support) faster than most organizations have governance structures in place to evaluate or approve them safely under PHIPA.

Challenge

Build a governance framework that can assess AI tools quickly enough to meet clinical demand while maintaining privacy controls and regulatory compliance and keeping patient data in-house.

What I Built

AI governance policy covering vendor criteria, data residency requirements, and a clinical steering committee process. Conducted LLM-specific reviews on three tools before deployment. Designed an on-premises inference pipeline to prevent PHI from leaving the hospital network.

Frameworks & Tools
PHIPA PIA · NIST AI RMF · Azure OpenAI · Microsoft Purview
Outcome

Three tools in production. Zero privacy incidents across 18 months. A reusable governance template now used for all subsequent AI vendor evaluations.

Threat & Risk Assessment · Zero Trust · IoMT

Network TRA & Zero Trust Architecture

97% policy compliance · 312 devices segmented · 18 security zones created

Situation

Many hospitals and clinics still operate on legacy flat networks with medical devices sharing segments with administrative workstations, creating significant lateral movement risk as sector-wide ransomware activity continues to rise across Canadian healthcare.

Challenge

Complete a full network redesign and Zero Trust rollout within a single fiscal year without disrupting 24/7 clinical operations or patient care systems.

What I Built

NIST CSF-aligned TRA across all network zones. Micro-segmentation with 18 VLANs separating clinical, administrative, and IoMT traffic. Identity-based access controls and a phased rollout plan that maintained clinical availability throughout the migration.

Frameworks & Tools
NIST CSF · CIS Controls · Cisco ISE · Microsoft Defender · Claroty
Outcome

97% policy compliance at 90-day review. Risk register reduced from 84 open findings to 6 accepted residuals. Board-presented executive summary delivered on schedule.

PHIPA Compliance · IPC Audit · Privacy Program

PHIPA Compliance Program & IPC Audit

0 IPC findings · 98.7% staff training done · Audit result: Pass

Situation

Healthcare organizations often carry fragmented privacy programs: inconsistent access logging, undocumented consent workflows, and no formal breach notification procedure. That exposure becomes visible the moment an IPC review is announced.

Challenge

Build a defensible, auditor-ready PHIPA compliance program in under nine months, covering documentation, training, technical controls, and incident response, while managing routine IT operations in parallel.

What I Built

Gap analysis against PHIPA Part IV. Automated access audit trail. Consent management workflow redesign. Breach notification protocol. Role-based training program with completion tracking across all clinical and administrative staff.

Frameworks & Tools
PHIPA Part IV · IPC Guidelines · ServiceNow GRC · Microsoft Purview
Outcome

Zero findings at the IPC review. Privacy policy suite, PIA template library, and breach notification runbook now embedded in standard hospital operations.

Incident Response · Business Continuity · Ransomware Resilience

Ransomware Resilience & EHR Recovery Architecture

<4h containment time · 6h full EHR recovery · 0 data lost (RPO)

Situation

Following sector-wide Canadian ransomware advisories, healthcare boards increasingly require a validated ransomware resilience capability, not a policy on paper, but an operationally tested recovery architecture with confirmed RTOs.

Challenge

Design and validate a recovery architecture that can restore critical EHR and clinical systems within clinically acceptable downtime windows without relying on potentially encrypted production backups.

What I Built

Full tabletop exercise with clinical and IT leadership. Immutable backup architecture (air-gapped, offsite). Isolated recovery environment. EHR restoration runbook tested under realistic conditions and validated by a third-party red team engagement.

Frameworks & Tools
NIST IR · Veeam Immutable · Azure Site Recovery · CISA Playbooks
Outcome

Board-approved business continuity posture. Sub-4-hour containment and 6-hour full recovery confirmed in a third-party exercise. IRP and runbook embedded in the annual hospital drill cycle.

Frameworks & Platforms

Tools I Work With

The frameworks, standards, and platforms I apply day-to-day in a live acute-care environment.

NIST CSF 2.0 · Security Framework
PHIPA / PIPEDA · Privacy Legislation
NIST AI RMF · AI Governance
CIS Controls v8 · Security Controls
Microsoft 365 · Productivity & Security
Microsoft Azure · Cloud Infrastructure
Cisco Security · Network Security
ServiceNow GRC · Risk & Compliance
HL7 / FHIR · Clinical Interop
IPC Ontario · Regulator Guidance
OHA / OntarioMD · Healthcare Standards
ITIL 4 · IT Service Mgmt
Ramzi Naouali
AI-Powered Cybersecurity & IT Infrastructure Leader
CCISO · CISM · CISA | Leveraging AI for Business Transformation
CISSP · ITIL 4 · Azure · Cisco
About Ramzi

Practitioner First. Always.

I'm Ramzi Naouali, a senior healthcare IT leader with over 20 years of experience delivering infrastructure, cybersecurity, and compliance programs in live acute-care environments where the stakes are real and the margin for error is zero.

My work sits at the intersection of operational IT leadership and emerging governance challenges. The programs I write about are ones I've built and run, including AI governance frameworks, PHIPA compliance structures, and Zero Trust architectures, taken through the full cycle of board approval, implementation, and independent audit.

I share knowledge here because I believe healthcare IT teams, in Canada and worldwide, are stronger when practitioners speak to each other honestly. This site is my contribution to that conversation.

AI Governance · LLM Risk Review · PHIPA / PIPEDA · Threat & Risk Assessment · Zero Trust Design · Network Architecture · Incident Response · Azure / M365 · Cisco / ISE · ServiceNow GRC · Team Leadership · Board Communication
Insight & Speaking

Thought Leadership

Articles, panels, and speaking contributions on AI governance, healthcare cybersecurity, and Canadian privacy compliance.

Speaking

Governing AI in Clinical Settings: A Practitioner's Framework

Keynote at CHIA covering the gap between AI vendor marketing and the governance realities facing hospital IT leaders, and what a workable approval process actually looks like.

CHIA 2025 · Ottawa
Article

Why Most Hospital PHIPA Programs Fail the Audit, And How to Fix Them

Three structural failures I see repeatedly in Ontario hospital privacy programs, and the governance changes that actually address them, based on lived experience.

Healthcare IT Canada 2025
Panel

The Ransomware Threat to Canadian Hospitals: Lessons from the Field

Panelist at the OHA Digital Health Conference discussing operational lessons from ransomware preparedness exercises and what boards need to understand about cyber risk.

OHA Digital Health 2024
Article

LLMs in Healthcare: What Your AI Vendor Isn't Telling You About Privacy

What hospital procurement teams should be asking during AI vendor evaluations: the privacy and governance questions most aren't asking, and why they matter under PHIPA.

LinkedIn 2025
Workshop

Practical Zero Trust for Healthcare: A Technical Workshop

Half-day workshop for hospital IT teams on micro-segmentation, IoMT isolation, and identity-based access controls in clinical environments. Hands-on, not theoretical.

Health Sector CISO Forum 2024
Commentary

Bilingual Healthcare IT: The Francophone Compliance Context

The unique compliance and operational challenges facing francophone healthcare institutions in Ontario, where bilingual service obligations intersect with PHIPA data governance.

ACFO-ACFO 2024

The best place to connect is LinkedIn

Articles, updates, and conversations on AI governance, PHIPA compliance, and healthcare cybersecurity, all there. LinkedIn is where most of my professional exchange actually happens.

Get in Touch

Start a Conversation

Whether you're working through a governance challenge, looking for a peer perspective, or exploring a collaboration, I'm happy to connect.

The easiest ways to reach me are LinkedIn (preferred) or email. I respond to genuine peer outreach: questions, collaborative ideas, speaking invitations, and knowledge exchange.

LinkedIn (preferred)
Based in Canada
Languages: English · Français · Arabic
I'm open to
  • Peer knowledge exchange and informal advising
  • Document or framework review with a colleague
  • Speaking, panels, and conference contributions
  • Healthcare IT and AI governance working groups
Send a Note

No agenda required. Introduce yourself and tell me what's on your mind.