InnoHEALTH Magazine Interviews CIO, Rajiv Gandhi Cancer Institute and Research Centre
Hospitals, like any other modern organization, increasingly rely upon IT systems for a wide variety of administrative and clinical functions. These establishments are highly complex in terms of processes, with constant activity 24/7×365. We must also not ignore the fact that most of the equipment and diagnostic technologies used in medicine contain highly computerized components. This entire network of devices, equipment and systems, which often requires connection to external systems, is a very critical and complex environment to control.
Cybersecurity keeps patient information confidential, as the law requires, and also helps prevent cybercrime. With cybercrime increasing, InnoHEALTH magazine took the initiative to interview some large hospitals to see how resilient our healthcare establishments are, what steps they are taking to mitigate the risk, and to spread awareness of cybersecurity among healthcare establishments.
Kritika Aroroa and Varsha Prasad interviewed Mr J.P. Dwivedi, CIO, Rajiv Gandhi Cancer Institute and Research Centre, on behalf of InnoHEALTH magazine.
- What is the role of a CISO/CIO in the hospital? Educate our readers.
CISO and CIO are two entirely different profiles. The CISO is responsible for information security. Given the increasing role of information and information technology, this role has gained prominence over the past few years. The CIO is the IT leader who works closely with the business and leads business transformation through effective use of IT. In hospitals, the CIO and CISO roles are generally performed by one single person. In some hospitals, the CISO reports to the CIO. This is not the best practice. Either the CIO should perform the CISO role also, or the CISO should be an independent authority reporting directly to the CEO (the time will soon come when this person will have a place on the board).
- Your current job, share with us your typical routine and how much of it is about cyber security? What is the level of digitisation in your hospital?
Our digital footprint has increased significantly over the past 4-5 years. We carry out most of our transactions online. With the mobile app and patient portal, we need to give careful consideration to cyber security related risks.
- With the increasing digital adoption do you also see the increase of cyber risks?
Absolutely. The more visible you are in the cyber world, the more vulnerable you are to these attacks.
- Have you carried out any formal information/cyber risk assessment or audit in the recent past?
We keep assessing periodically. We in fact invited a leading audit firm to carry out a comprehensive information security risk assessment. It was a great experience, and we developed a to-do list to strengthen our security posture.
- Share with us some quick highlights of the information security policy that a hospital should focus on.
- Hospitals should first identify the crown jewels of information they want to protect. Then identify how these are created, stored, processed, published and deleted. At each touch-point, it is important to ascertain that the need-to-know principle is strictly adhered to. Security has three basic ingredients: Availability, Integrity and Confidentiality.
- A good back-up system enabled by online back-up software is very helpful in making sure data is available. The back-up policy must be carefully written and reviewed by the business to decide the frequency of back-ups and the number of generations to be kept. It is important to document and audit the information recovery process periodically to ensure you will be able to recover the data when you need it.
- A Data Classification Policy is a must to differentiate between strictly confidential data, data for limited distribution and data available for public consumption. As we go for more and more digitalization, enormous data is being generated each day. We cannot keep everything within limited storage capacity. Therefore, a data retention policy is a must to retire data periodically.
- If the network is exposed to the external world through the internet, then we must have clearly defined access policies in the firewall. A strong firewall coupled with Intrusion Detection System (IDS) and Intrusion Protection System (IPS) is a must to act as a gatekeeper. However, this is not enough. Since we allow external agencies to interact with our services, a strong demilitarized zone (DMZ) is required and it needs to be equipped with a full spectrum of security apparatus.
- A policy to conduct VA-PT (Vulnerability Assessment and Penetration Testing) is a must to see how strongly our servers are protected. Since our employees also access our network from outside the premises, it is important to strengthen security keeping this aspect in mind. The traditional Castle and Moat approach is not relevant any longer. People are talking about the Zero Trust Network.
- Finally, it is important to have a web access firewall, DDoS prevention, Access Policy Management etc. in place. The network should be intelligent enough to figure out any unusual packet or set of packets traversing through it (surveillance, rather than gate management).
- The list is very long. These are a few basic components that should form part of a hospital’s security policy framework.
- Do you have dedicated staff/resources to look after, ensure and report to you on the information/cyber security status?
Yes. There is a report generation on a daily basis that reaches me the same day.
- As we see connected health also becoming a reality, what are your thoughts on medical device security risks?
This is going to be a huge risk. CISOs need to work closely with IT and Biomedical Engineering teams to secure these devices.
- If you have outsourced the Hospital Management/Information System (HMS) and data processing to a third-party vendor, what steps are you taking, and what do you propose for hospitals that rely on a third party, to ensure data protection?
No. We are using Hospital Information System (HIS), Electronic Health Record (EHR), Picture Archiving and Communication System (PACS) and Enterprise Resource Planning (ERP) products, but we don't give control of the production environment to the vendors. It is our in-house team that controls these environments.
- Your personal experience of cybersecurity in the health sector versus other sectors? How do hospital owners treat this subject?
Two sectors are predominantly sensitive: the financial sector and the health sector. The financial sector has been the front runner in IT usage and the processes there are reasonably mature. On the other hand, hospitals were relatively safe until recently due to their low digital footprint. However, with digital transformation, IoT, RPA etc., the vulnerabilities have significantly increased and are increasing day by day. The Government of India is about to notify the Personal Data Protection Act (PDPA). It will have serious ramifications for cyber security related incidents.
- Share a middle-of-the-night call from the hospital related to information security.
This actually happened early this year. One of our core applications crashed. I received a distress call at precisely 12:35 AM. Fortunately, it was not an attack. It was a scheduled job that was supposed to run the previous night to move the physical database from a slow tier of storage to a faster tier. The job ran the previous night and did its job.
However, the operator forgot to un-schedule it and it ran the next night again (over-writing all the day’s transactions). We had the back-up taken 3 hours before this crash and a full log of transactions. The back-up was restored and the transaction log was re-processed to reach the current state. However, it was quite a sweat for the team.
Looking back, even our DR could not help in this situation. A strong lesson was learnt leading to improvements in operating procedures. It was an internal security incident caused completely inadvertently.
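The recovery described in this answer (restore the last back-up, then re-process the transaction log to reach the current state) and the back-up policy point made earlier (how many generations to keep) are illustrated below in a toy simulation. This is an added example, not code from the hospital or the magazine; the key-value "database", the tier-migration job, the patient-status records and the guard that stops a one-off job from running twice are all constructed for illustration.

```python
"""Constructed simulation of snapshot-plus-log recovery after a scheduled job
overwrites a day's transactions, and of a run-once guard that would have
prevented the second run. Everything here is illustrative, not a real HIS."""
import copy
from dataclasses import dataclass


@dataclass
class Txn:
    seq: int      # monotonically increasing sequence number
    key: str
    value: str


class LedgerDB:
    """Toy key-value store with rotating back-ups and an append-only transaction log.
    The log lives outside the database image, so a job that overwrites the image
    cannot erase it (the 'full log of transactions' the account relies on)."""

    def __init__(self, keep_generations: int = 3):
        self.state: dict = {}
        self.log: list = []          # every committed Txn, in order
        self.seq = 0
        self.backups: list = []      # (seq_at_backup, snapshot), newest last
        self.keep_generations = keep_generations

    def commit(self, key: str, value: str) -> int:
        self.seq += 1
        self.state[key] = value
        self.log.append(Txn(self.seq, key, value))
        return self.seq

    def take_backup(self) -> None:
        """Snapshot the state and retire the oldest generation beyond the retention count."""
        self.backups.append((self.seq, copy.deepcopy(self.state)))
        del self.backups[:-self.keep_generations]

    def restore_point_in_time(self) -> int:
        """Restore the newest back-up, then replay every logged transaction committed after it.
        Returns the number of transactions replayed."""
        if not self.backups:
            raise RuntimeError("no backup generation available")
        seq_at_backup, snapshot = self.backups[-1]
        self.state = copy.deepcopy(snapshot)
        replayed = 0
        for txn in self.log:
            if txn.seq > seq_at_backup:
                self.state[txn.key] = txn.value
                replayed += 1
        return replayed


class TierMigrationJob:
    """One-off job that copies the physical database image from the slow tier to the
    fast tier. Run a second night, it copies the now-stale image over live data."""

    def __init__(self, db: LedgerDB):
        self.image = copy.deepcopy(db.state)   # image captured when the job was scheduled
        self.completed = False

    def run(self, db: LedgerDB, guard: bool) -> bool:
        # Hypothetical run-once guard: a completion marker the scheduler checks first.
        if guard and self.completed:
            return False
        db.state = copy.deepcopy(self.image)
        self.completed = True
        return True


def simulate_incident(guard: bool) -> dict:
    """Replay the account: job runs night 1, a day of transactions follows, an evening
    back-up is taken, more transactions arrive, the job runs again on night 2."""
    db = LedgerDB()
    db.commit("patient:1001:status", "admitted")
    db.commit("patient:1002:status", "outpatient")
    job = TierMigrationJob(db)
    job.run(db, guard)                                   # night 1: intended run
    db.commit("patient:1001:status", "discharged")       # next day's work
    db.take_backup()                                     # evening back-up
    db.commit("patient:1003:status", "admitted")         # transactions after the back-up
    db.commit("patient:1002:status", "admitted")
    ran_again = job.run(db, guard)                       # night 2: nobody un-scheduled it
    lost = "patient:1003:status" not in db.state         # evidence of overwritten work
    replayed = db.restore_point_in_time()                # back-up + log replay
    return {"ran_again": ran_again, "lost_before_restore": lost,
            "replayed": replayed, "state": dict(db.state)}


if __name__ == "__main__":
    print(simulate_incident(guard=False))   # data lost, then recovered by replay
    print(simulate_incident(guard=True))    # guard refuses the second run
```

Two things the account makes clear are built into the simulation: the transaction log must be stored separately from the image the job overwrites, or there is nothing to replay; and a one-off job should carry its own completion marker rather than depend on an operator remembering to un-schedule it.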
Interviewed by: Kritika Aroroa and Varsha Prasad