InnoHEALTH Magazine Interviews Director and CIO, Max Healthcare
Hospitals, like any other modern organization, increasingly rely upon IT systems for a wide variety of administrative and clinical functions. These establishments are highly complex in terms of processes, with constant activity around the clock, 24/7×365. We must also not ignore the fact that most of the equipment and diagnostic technologies used in medicine use highly computerized components. This entire network of devices, equipment and systems, which often requires connection to external systems, is a very critical and complex environment to control.
Cybersecurity helps keep patient information confidential for legal purposes and also prevents cybercrime. With cyber crime on the rise, InnoHEALTH magazine took the initiative to interview some large hospitals to see how resilient our healthcare establishments are, what steps they are taking to mitigate cyber risk, and to spread awareness of cybersecurity among healthcare establishments.
Kritika Aroroa and Varsha Prasad interviewed Mr Prashant Singh, Director and CIO at Max Healthcare, Delhi, on behalf of InnoHEALTH magazine.
- What is the role of a CISO in the hospital? Educate our readers.
With the rapid digitization of functions, processes and medical equipment in healthcare, the need for adopting secure cyber practices is becoming extremely important. A cyber breach can cause severe financial damage, bringing functioning to a standstill. In the healthcare domain, extremely large volumes of patient data are produced from various sources like PACS (Picture Archive and Communication System), HIS (Hospital Information System) and other modalities. The CISO has to play an important role around it. He has to ensure that the cyber security domain is strong enough to prevent cyber threats caused by lack of cyber security product deployment, lack of cyber security skills and lack of cyber security awareness in people. The CISO has to present the status of cyber threats and risk to the business so as to be well aligned with the business road map.
- Regarding your current job, share with us your typical routine and how much of it is about cyber security. What is the level of digitization in your hospital?
The CIO has to design strategies to ensure that technology adds the maximum value to a company, to facilitate better care and life saving for patients. The CIO sets a technology vision for leadership in healthcare to provide the best medical care to patients, and develops and implements user-training programs. We have digitized many functions and processes that take care of the digital journey of patients, and have also finalized and designed the roadmap for the complete digitally integrated journey of the patient, which helps the patient in various ways like reduced patient waiting time, a well informed and guided patient, patient historical records at a click, faster medical care and remote medical care. Evaluation and finalization of technologies for healthcare is a crucial act of the CIO. The healthcare CIO acts on privacy and security of data, including compliance. A structured cyber security review is scheduled on a weekly basis, consisting of KPIs pertaining to ATP, IPS/IDS and critical alerts etc., and reviewing security incident reports focusing on high threats, intrusions and vulnerabilities.
- Have you carried out any formal information / cyber risk assessment or audit in the recent past?
Security risk assessment is intended to protect and secure health information (electronic protected health information) from a wide range of threats, whether in emergencies or during a system failure that constitutes a risk compromising confidentiality or integrity. In Max Healthcare, we ensure (by having a cyber security audit done at least twice a year) cyber risk assessment and ITGC (Information Technology General Control) audit. In the past few months, we also hired a security professional (from a well known industry agency) to assess and deploy the best practices in cyber security. Intensive (immense) cyber security assessments are also conducted by investors from time to time. The management board is security focused and is thus motivated to invest a significant amount in the cyber security space to make Max Healthcare a safe place for better patient care and life saving service.
- Do you have dedicated staff/resources to look after, ensure and report to you about the information / cyber status?
Cyber security is a domain where continuous refinement is mandatory to avoid cyber threats. We have a qualified cyber security team who ensure the implementation of best practices in cyber security. The team is well aligned with the cyber security partner and ensures implementation of cyber security solutions and continuous monitoring of cyber threats. The cyber security team responds swiftly with security incident response in case of a cyber security incident, and releases tips & guidelines on cyber security awareness for employees. Cyber security teams prioritize the most valuable assets and information and ensure their safety. They optimize the processes and make relevant changes to security control systems. Outsourcing of business functions has become common, and the teams have to ensure threat protection from these vulnerable gateways. The cyber security team presents the security posture of the organization to the CIO and consequently takes decisions to optimize it further. We have implemented various leading cyber security solutions to protect information and have focused on segmentation of the network, patch management, privileged ID management and password management.
- With the increasing digital adoption, do you also see the increase of cyber risks?
Healthcare is adopting a large number of digital platforms like digital medical equipment, cloud computing, mobile and IoT, and consequently the size of the data is increasing extensively. In today’s world, the importance of patient data is extremely high (valuable), which attracts hackers to the healthcare domain worldwide. Competitors can use data to blackmail/threaten the organization for extortion of money, or sell the confidential data in the grey market for gaining advantages, and threaten individuals. We have adopted various cyber security practices to protect patient information (like ATP, web filtering URL, WAF, DDoS, robust widely known antivirus, antispyware, firewall and endpoint protection solutions, and strict password policies), aided by regular governance under the umbrella of ITIL processes.
- Share with us quick highlights of the information security policy that a hospital should focus on.
Failing to protect a patient’s data means failing to protect his trust in your organization, and consequently the healthcare organization loses its reputation. With a proactive approach, the cyber security team must identify threats in the network and prioritize the security plan. Teams must be well aligned and well aware of new threat trends, and continuous cyber security assessment is imperative to avoid the possibility of security breaches. They must also conduct a cyber security awareness program for employees and specially focus on privileged user assessment, user access rights management and a strong password policy. Hardening of IP devices to protect them from cyber threats and effective implementation of security solutions are essential and strengthen cyber security.
- In your view, what should be an ideal security setup in a hospital?
In a large health care organization, a skilled cyber security team is essential to continuously monitor, assess and handle threats. Well known security agencies should work for you, transferring security intelligence to the internal cyber security team; visibility of threats is an essential aspect. The cyber security team must develop a security culture in the organization: proactive plans to protect mobile & medical devices, effective use of security devices, training for users, plans to handle surprises, controlled access to network and data, controlled physical access, a strong password policy, and restricted physical access to critical devices. Moreover, additions and amendments to best practices in healthcare security are ongoing and must be implemented from time to time.
- What checks and balances do you implement for the processing of your data by third party vendors?
We do have a dedicated & certified team to take care of data protection and information security. We do conduct security & capabilities assessment on all major parameters like data in motion & at rest protection, vulnerability management program, data leak prevention capabilities, identity & access management, physical and personnel security, application code level security, incident response, privacy (data anonymization), business continuity plan & disaster recovery plan, compliance check, lawfulness, fairness and transparency, accuracy & confidentiality, and finally availability in case of any security incident. A periodic audit is performed to ensure all the above parameters are met.
Interviewed by: Kritika Aroroa and Varsha Prasad