1. As a preface, would you like to tell us a little about yourself, and how your services and products impact the health sector?
   We are an exclusive Healthcare IT company, and have all the offerings related to hospitals to make it fully operational and paper-lite facilitating in-premise, cloud, as well as mobile computing. Our solutions include HIS/EHR/EMR for Hospitals, Clinics and Diagnostic Centres with clients in India, UK, Malaysia and Middle east. Started in 2012 and with more than 50+ Healthcare Facilities, 7000+ beds and 10 million records.
2. What type of healthcare set-ups make up the majority of your business?
   Though our offering is for all types of HCFs, the majority of business are 150+ bedded hospitals. 
3. How has the health IT industry changed over the past few years and what are the major changes you have seen concerning the adoption of digitization in the healthcare sector in the last five years?
   Digital Health has evolved over the time. During initial days, it was only the Operations and Billing which was used extensively and gradually adopted in departmental systems like Radiology (PACS), Laboratory and Pharmacy. Recently, the focus has shifted to clinical documentation as well as Patient experience. Both of these give an immense push to overcome the traditional challenges of user reluctance and other behavioral issues which were impediment to the change. The newer generation practitioners which are very tech-savvy, government regulations including management expectations is what is helping the health digital landscape a push.
4.  What are the main security risks that a practice faces when shifting from the paper-based to electronic records? What are some of the best ways to minimize those risks?
   While transitioning from paper based to electronic records, the main security risk is “data going in wrong hands” and “data not being accessible when required”. The best way to minimize these risks is to ensure that the infrastructure is robust.
5. At your end what security compliances and practices do you follow?
   We are ISO 27001:2013 and ISO 9001:2015 certified companies and the user access management is thoroughly regulated. The access to infrastructure/server is only to relevant people and is monitored every 30 days.
6.  Would you like to share any cyber incidents that you have faced in the recent past in your setup or at your clients and how did you handle it?
   Recently, there was an article published by an ethical hacker which showed vulnerabilities at the client servers and also showed servers being compromised. We immediately informed them to ensure that the server, network as well the application security measures are readdressed and rules changed to ensure there is no threat. 
7. What is your assessment of the upcoming Personal Data Protection bill, will it impact your business? What challenges do you see for the health sector?
   The Personal Data Protection (PDP) Bill is very much required as it ensures that “data doesn’t go in wrong hands without consent”. Since there is no regulation as of now, there are many organizations which are taking undue advantage of this.  This might have any impact to our business as we ensure safekeeping and no data is shared with any 3rd party. 
8. How do you think enforcement of the proposed DISHA act will impact your business?
   DISHA is a very welcome step from the government to ensure it has relevant and right information about its citizens. It would ensure electronic health data privacy, confidentiality, security and standardization and provide data for establishment of National Digital Health Authority and Health Information Exchanges. This would ensure the communication and sharing of RIGHT data of the patient/citizen and plan a better plan of care. This would also ensure the government agencies to plan for the healthcare budget funding based on the population health. 
9. In regards to improved security in the digitisation journey of Indian health sector. What is your advice to healthcare delivery organisations?
   One of the foremost advice for healthcare facilities would be to “treat data and its sensitives with utmost care”. This is an asset and not a liability and hence they should ensure adequate infrastructure measures and its spending to ensure data is safe and secure.
10. With AI and other emerging technologies in mind. What are the opportunities and challenges you see in handling large scale health data? New job roles that you foresee in regards to data protection and processing?
    I have heard many times that there is a perception that AI, ML and other newer technologies like cognitive computing etc would take away jobs on healthcare and also would make the entire treatment mechanical and take away the humane touch. IMO, nothing of that sort would happen. The technological advancements in healthcare is just a step to assist in better and efficient care and definitely not to replace. It would act as a “coach” to the doctors and definitely not “replace” them in the entire value chain. One of the challenges we face in India is that we are still primitive in terms of capture of the data. So, while we evolve to capture more and more data, we have to ensure we keep our safeguards to ensure data protection. Government and Regulations have a big role to play in ensuring that. Data Scientist, Data Manager, Data security experts are few of the new roles that would be required by many IT companies, data companies as well as HCFs.
11. What are your future plans and any message for our readers?
    While we intend to extend our services and operations to APAC and EMEA, the focus is also to build products which use AI, ML etc to give seamless experience to the clinicians to help them give efficient patient care. Our focus would also be to strengthen the features and offerings on the mobility platform as the world is evolving to adopt mobility and use it in all the streams within the healthcare administration and clinical care including patient engagement and experience. 

1. As a preface, would you like to tell us a little about yourself, and how your services and products impact the health sector?
   MocDoc is a modern healthcare platform which provides integrated clinical, financial and management solutions to hospitals, clinics and laboratories. Since our solution integrates every department, unlike other patchy solutions, it is able to provide holistic information to management.
2. What type of healthcare set-ups make up the majority of your business?
   Our solution (MocDoc HMS, MocDoc LIMS and MocDoc CMS) is capable of serving a single clinic to a chain of hospitals and labs. Our lab solutions are used by small labs to big labs with hub and spoke models with centralised processing centers & sub processing centers, collection centers and with home collection primarily using smart phone apps. Our focus currently on hospitals, labs and chain of clinics in India and few other countries.
3. How has the health IT industry changed over the past few years and what are the major changes you have seen concerning the adoption of digitization in the healthcare sector in the last five years?
   We have been witnessing a lot of startups innovating in healthcare IT in the last 5 to 10 years. From doctor discovery platforms to digitizing internal processes to provide advanced medical care to those in need and many of them seem to be working on preventive space too.  Usually healthcare is slow to adapt technology advancements due to various reasons but technology is really penetrating and a lot of young doctors are adapting and realizing the benefits of technology. We are simplifying technology inside healthcare setup by integrating with various departments, equipment and automating many processes. Once inside processes are standardized we have opportunities to connect the doctors
4.  In general, then, what are the main security risks that a practice faces when shifting from the paper-based to electronic records? What are some of the best ways to minimize those risks?
   One of the primary reasons for digitizing patient records is easy access by care providers so that they can do better care by accessing, analysing it and also help reduce errors besides other benefits. Security should be considered after though, it should be part of people, process and technology – it goes multiple ways into multiple layers. Since servers are connected (on prem or on cloud), all basic security measures to be taken care of. Security best practices and technology around that is already in place and getting evolved too. Basic security measures like transport level security (https and http2) guarding and updating security components periodically whenever security fix got released, using right encryption for data storage plays an important role in modern healthcare systems. Besides, application level security like secure hashing, role and privilege based access control etc should be used across the system. However every organization should also have social behaviour around security measures like password management and multi factor authentication plays an important role. Especially in healthcare setup, understanding the importance of HIPAA compliance and taking that into every department and people working on the healthcare system is vital to maintain patient security and privacy. Having a security audit in place is very important. 
5. At your end what security compliances and practices do you follow?
   We are following all security best practices right from basic transport & application security to what guidelines advocated in OWASP and more importantly HIPAA which is vital in healthcare setup. ISO 27001 prescribes technical, legal and physical controls. 
6.  Would you like to share any cyber incidents that you have faced in the recent past in your setup or at your clients and how did you handle it?
   Since we follow security procedures meticulously, we periodically undergo audits and try to find out security vulnerabilities as early as possible. We quickly patched POODLE, Heartbleed vulnerabilities soon it was known.
7. What is your assessment of the upcoming Personal Data Protection bill, will it impact your business? What challenges do you see for the health sector?
   We are always trying to adapt best practises and law of land. Certain industries object to certain clauses in PDP but every country should have measures to protect their citizens. GDPR is the best example but still there are issues in understanding and how it is got to be enforced etc. It is a double edged sword, security/privacy/protection is very important but that should not stifle the innovation.
8. How do you think enforcement of the proposed DISHA act will impact your business?
   DISHA act is an important step in the right direction. As we serve multiple countries with even stringent regulations, we see this is going to be a good opportunity for others to improve security and privacy of patient data. 
9. In regards to improved security in the digitisation journey of Indian health sector. What is your advice to healthcare delivery organisations?
   Complete comprehensive Security is the moving target. Threat is evolving at the same time security measures and mitigation are also evolving. Data breach not only costs money but it costs the reputation of the organisation. We have seen many million dollar ransomware attacks, disclosures of private data etc happening across the world including in India. Consider security as an important pillar and build right into application and align processes and people with it. It is good to follow web and healthcare standards and best practices like OWASP, HIPAA etc. 
10. With AI and other emerging technologies in mind. What are the opportunities and challenges you see in handling large scale health data? New job roles that you foresee in regards to data protection and processing?
    If you look at the kind of data generated in healthcare, it is huge and it varies from structured to unstructured. We can see AI is successful to some extent in image recognition and processing. There are companies successfully piloted AI in healthcare especially in the imaging side.  The problem is complexity of human health and factors associated with it are wider. AI can be successful to certain extent when we narrow down the focus and point towards specific problems. We at MocDoc are exploring AI in the laboratory side combined with clinical outcomes. With mass adoption of wearable technology, and improvement in sensors there is an opportunity to provide good quality data that can be used to train models  in future. 
11. What are your future plans and any message for our readers?
    This is going to be a golden period for healthcare technology. Wearable tech, consumerization of health tech is happening in a fast phase driven by Apple watch and other wearable vendors. Since healthcare is a big and complex industry, it needs common and simple standards but it is riddled with compliance and myriad of standards. Some of our customer facing tech like telemedicine (online consultation) and mobile health apps gaining support from our customers and patients alike. We are taking the B2B2C approach and going deep with technology so that our customers get a chance to work on a simple holistic platform. 

• As a preface, what would you like to tell us about yourself and how your services and products impact the health sector?
  We have been in this domain since last call decade. We started our journey, in a healthcare domain specifically in healthcare IT, by providing that end to end automated solution for managing their operations. So whenever you’re saying managing their operations, which includes their clinical and nonclinical aspects of any healthcare entity, like a hospital, hospitals, nursing homes, clinics, diagnostic centres, pathologies, radiology, blood banks. So we have a wide range of products. We provide that end to end solution for managing their entire business process flow from starting till end, for these healthcare providers like hospitals, laboratories, pathology blood banks and clinics.
• What type of healthcare setups make up the majority of your business?
  We only deal in the private sector. We do have some clients, in government sectors, but primarily in the 95% of our business totally based on private sector-healthcare providers.The reason behind it being, we started this company as a start-up company with a one single percent structured company. So, we invested a lot of expertise and domain knowledge on developing that product and implementing it. We only started catering our solutions to the private sector. We have not given a thought to the public sector because when you go for a bigger project, then it will be out of your reach because of their different procedures. We rank as a small-medium enterprise. So, we did some of our business with the government like one with Indian railways, but it is not the major chunk of our business. So, 95% of our business comes from the private sector, like hospitals and healthcare service providers, but we do some, uh, predict Indian railways, defence, Delhi govt. and some small setups. There’s nothing that is specific.Well, this question is very close to my heart. When we purposely started this company because, during our inception, we wanted to enter into the sector and start our journey with a sector, which is very unorganized, especially in terms of IT. So, in 2007-08, when we thought of starting something in healthcare we found that there is a lot of scope in the enhancement of education in healthcare. So, when we got into this, we did a lot of research work on ground. Then he found that in Indian healthcare especially, that IQ and the need of IT in 2006-07, still people are not aware about the IT and tech systems and we were lagging behind in terms of technologies and in terms of securities. And especially when we entered into the market 95% of the market were working on the window systems and old systems. Now, as business is growing it actually can be managed with the latest technology. So that gives them the option of entering and then managing healthcare and they are able to log on and provide the kind of tool for their business expansions. So in these coming years, we were one of those few companies which were using the web-based models for the centralised databases. And then there was a time when mobile apps got into 2012-13, there was a time when we started using apples and these phones and 4G really quickly came into the picture. So, in 2006-07, we were designing a mobile compatible app, these are the most important things to get into the market. Indian health care industries and not much open-ended acceptable for these EHR systems, EMR systems. They were only looking for a system which can be good in finance, can be good in Indian business operations, managing their marketing and not, but still we have seen in these times, now people are looking for a product who could be good in the clinical part also. So, we have seen the inclination of clients and the healthcare providers more into the clinical aspect of the products.
• How has the health IT industry changed over the past ten years, since you are in this field for more than 10-11 years. And what are the major changes that you have seen concerning the adoption of digitization in the healthcare sector in the last five years?
  Well, this question is very close to my heart. When we purposely started this company because, during our inception, we wanted to enter into the sector and start our journey with a sector, which is very unorganized, especially in terms of IT. So, in 2007-08, when we thought of starting something in healthcare we found that there is a lot of scope in the enhancement of education in healthcare. So, when we got into this, we did a lot of research work on ground. Then he found that in Indian healthcare especially, that IQ and the need of IT in 2006-07, still people are not aware about the IT and tech systems and we were lagging behind in terms of technologies and in terms of securities. And especially when we entered into the market 95% of the market were working on the window systems and old systems. Now, as business is growing it actually can be managed with the latest technology. So that gives them the option of entering and then managing healthcare and they are able to log on and provide the kind of tool for their business expansions. So in these coming years, we were one of those few companies which were using the web-based models for the centralised databases. And then there was a time when mobile apps got into 2012-13, there was a time when we started using apples and these phones and 4G really quickly came into the picture. So, in 2006-07, we were designing a mobile compatible app, these are the most important things to get into the market. Indian health care industries and not much open-ended acceptable for these EHR systems, EMR systems. They were only looking for a system which can be good in finance, can be good in Indian business operations, managing their marketing and not, but still we have seen in these times, now people are looking for a product who could be good in the clinical part also. So, we have seen the inclination of clients and the healthcare providers more into the clinical aspect of the products.
• What are the main security risks that you face in your practice cases, when shifting from paper-based to electronic format and what are the best ways to minimize those risks?
  In this last, almost 12-13 years of my experience, I have experienced both cultures, that workflow in Indian market is totally different than when you work for any overseas client in the Middle East, or maybe in African country. The workflow is a bit different. So, let me just answer that and address this question, uh, keeping in mind that we are catering to Indian healthcare industry. When we talk about the paperless, it could be a very abstract and bold word to say, but yes, achieving the goal of, paper less or would say, uh, totally electronic form in healthcare scenario is a very challenging task. I don’t see many challenges in terms of designing the product or in the technical aspect of the product. Nowadays, any company can work on any of the tools in terms of their product, they have a plethora of opportunities and knowledge. They have the skillset to manage different types of securities, application level, in terms of level, there are new challenges everywhere. But the biggest challenge that I have experienced in my journey specifically is in hospitals. So, when we talk about major giants, like any hospital, it could be a hundred, 200, 500 bedded hospital. The major challenge, which I personally observed and feel is dealing with the psychology of the users. There are two different challenges and categorizing challenges in two different aspects. One is the implementation of the product and the execution of this aim to move your hospital into completely electronic. And the second challenge, certainly technology has their own challenges and they have their own limitations that we can address separately. And one more important thing. Every technology has different set of challenges, but the major challenge I came across in my journeys, dealing with the psychology of the user, the user to do so. And, and the kind of load the patient loads in our Indian hospitals are very hard to manage this real time.You know, there are two ways of digitalisation, something that you can do posts, but I would never say if you’re, planning and if you’re executing this way of automation, where you are just converting your papers into digitalisation form of data, that you are running your own organisation on parallel nod, means you are doing the conventional way of your papers and after that, you are converting all those papers into digitalisation form of data. But if you actually want to make your hospital paperless, then you need to have executed the process in real time. It means each and every data related to patient health related to the patient course of treatment has to be punched in, into the software or an application, whatever they are using it currently. And really the biggest health care industry and specifically Indian hospitals because of their huge patient load, usually they are not able to do so. So, this is the biggest challenge, which we came across during our implementations, and it is very difficult and it is one of the show stopper to deal with the psychology of Indian doctors, as well as Indian paramedical staff, to train them, to make them use these things, and to motivate them, to overcome with their conventional way of writing and get onto the digitalisation. 

1. As a preface, would you like to tell us a little about yourself, and how your services and products impact the health sector?
   We have been in the healthcare industry for more than 25 years. And have been a major player in providing healthcare IT Solutions to the hospitals making them digitized and free from manual work.
   The company was co-founded by my wife Rekha Jain and me with a vision in mind to bring out the change in Indian healthcare system. ASPL is working in the single domain bringing out various solutions over the time such as Miracle Hospital Information System, Laboratory Information Systems, Patient Portals, and Mobile Apps etc. to bridge the gap between the provider and the patient. 
2. What type of healthcare set-ups make up the majority of your business?
   Proving IT solutions to Hospitals, Nursing Homes, Medical Colleges with varied bed strength, Diagnostic chains across all over India and abroad makes the majority of our business. After the embarking of the 25th Year in 2019, we have now made our presence in the small & medium-sized healthcare facilities too.
3. How has the health IT industry changed over the past few years and what are the major changes you have seen concerning the adoption of digitization in the healthcare sector in the last five years?
   With the majority of hospitals now investing in the digital infrastructure building of their facility, it has been a positive growth for the Health IT industry overall. We have seen many of the major players in the market opting for the latest technology and solutions to minimize the burden of the operational activities on the hospital staff. Small hospitals in 2-tier/3-tier cities also have been seen opting for comprehensive solutions like Biometric Registration.Over the past 5 years, with the Govt stressing on digital India and the upcoming PDP Bill, the importance of IT in health has been very recognized across the nation. Whether it is a Doctor in a standalone clinic or at a well-established hospital, everyone wants to be at some level of a digital platform, few examples like, Telemedicine, Appointment portals, Insightful dashboards for management and evaluation purposes etc.
4. What are the main security risks that a practice faces when shifting from the paper-based to electronic records? What are some of the best ways to minimize those risks?
   The paradox of shared healthcare information is that it simultaneously makes patients safer while also putting them at risk. The larger the network becomes, the more useful it is in providing top-quality medical care, but its data also becomes more attractive to criminals like:
   • In addition to a patient’s records, medical provider networks can contain valuable financial information.
   • Since there are very few people who do not see healthcare providers, nearly everyone’s personal information is available in some form.
   • The interconnected nature of EHRs means hackers have access to the data that has been collected under patients’ names for years. Sharing patient information is integral to providing the best possible treatment to patients, but that same sharing also makes networks extremely valuable targets.

   But at the same time, there are more gains than risk in shifting from paper-based to electronic records like:

   • Electronic health records enable you to give only authorized personnel access to patient data.
   • Strong encryption protocols make sure that confidential patient information remains secure.
   • Paper records pose a number of security risks and it can be difficult to detect when they have been tampered with.
   • With electronic health records, you can maintain your patient data in secure backups, enabling your organization to quickly recover after a data disaster.
   • At your end what security compliances and practices do you follow
     Providing services for healthcare brings many complexities, and risk management professionals need to consider this seriously. However, issues such as accreditation or licensing standards, regulations and third-party requirements can be mitigated with the introduction of formal policies and procedures for hospital information security infrastructure. These policies and procedures help promote safe and good quality care for patients, workplace safety, compliance to regulations, and, most of all, uniformity of healthcare practices across the hospital network.

   To minimize those risks, we have multiple options like:

   • Access Control – is the means by which access to people such as patients, visitors, and staff is granted or denied throughout the healthcare facility and access to its IT assets. These areas include, but are not limited to, maternity wards, pediatric department, emergency, intensive care unit ICU, pharmacy, etc.
   • Video Surveillance – Cameras now have embedded processors and videos can be compressed and transmitted over IP networks in real time. This concept of having the ability to view and record any activity at any time from any location has fundamentally helped healthcare facilities to optimize their security with video surveillance.
   • Staff, Patient and Asset Tracking – Regardless of which facility your patients are admitted in, it is critically important to provide them safety and protection. With the help of technology, security professionals and concerned staff can now identify, track and locate patients to provide safeguard against patient abduction or elopement.
5. At your end what security compliances and practices do you follow
   Providing services for healthcare brings many complexities. However, issues such as accreditation or licensing standards, regulations and third-party requirements can be mitigated with the introduction of formal policies and procedures. These policies and procedures help promote safe and good quality care for patients, workplace safety, compliance to regulations, and, most of all, uniformity of healthcare practices.We do following in across our applications.
   • Observe recognized professional practices.
   • Ensure compliance with health regulations and standards, such as HIPAA, CMS conditions of participation, etc.
   • Create a standard system for practices in a single health unit.
   • Provide knowledge to staff, particularly new employees, on how various functions are carried out.
   • Reduce the chances of human error by providing documented guidelines rather than relying on memory.
6. What is your assessment of the upcoming Personal Data Protection bill, will it impact your business? What challenges do you see for the health sector?
   The Bill was a much-awaited step which was needed to have certain set of regulations around the data protection of India. It is of no surprise that India sits on a huge volume of data that has been collected through social media or apps. The PDP bill is definitely a historic step for the nation. It will change the way we have been handling and viewing the privacy of the customer across various fields and not just healthcare.
   Although it is true that healthcare data is most important as we have seen it getting valued in countries like the US and EU. Talking about the data transfer, compliance cost will be an additional cost that will have to be borne by global companies which by far were storing personal data at remote locations. It also might affect the investment by international firms in India, depending on how stringent the rules are.
7. How do you think enforcement of the proposed DISHA act will impact your business?
   Digital Information Security in Healthcare Act, ground breaking bill introduced under National e-health Authority, gives the ownership of the data to whom it belongs. During this unfortunate time of Covid-19, the importance of it has been widely recognized that how the health of one person can affect that of the other.
   The coronavirus has opened up new opportunities for digital infrastructure in healthcare. On the other side, it is also not hidden that cybersecurity crimes have been on the rise at global level. Data breach is not new news to us. With DISHA in place, the process of collecting, storing and sharing healthcare data will become more standardized. It will ensure the privacy, confidentiality and security of the healthcare data of each individual.
   The impact on any business will be seen in a positive light only as this was a long pending in regards to the data security. The companies will need to shell out extra from their pockets to train their personnel so that they can maintain all the necessary compliances apart from the physical, administrative, and technical measures. The failure to which will attract monetary fines too.
8. In regards to improved security in the digitization journey of Indian health sector. What is your advice to healthcare delivery organizations?
   We have to adopt multiple strategies for improving cyber security like:
   • Establish a security culture: Ongoing cyber security training and education emphasize that every member of the organization is responsible for protecting patient data, creating a culture of security.
   • Protect mobile devices: An increasing number of health care providers are using mobile devices at work. Encryption and other protective measures are critical to ensure that any information on these devices is secure.
   • Maintain good computer habits: New employee onboarding should include training on best practices for computer use, including software and operating system maintenance.
   • Use a firewall: Anything connected to the internet should have a firewall.
   • Install and maintain anti-virus software: Simply installing anti-virus software is not enough. Continuous updates are essential for ensuring health care systems receive the best possible protection at any given time.
   • Plan for the unexpected: Files should be backed up regularly for quick and easy data restoration. Organizations should consider storing this backed-up information away from the main system if possible.
   • Control access to protected health information: Access to protected information should be granted to only those who need to view or use the data.
   • Use strong passwords and change them regularly: The Verizon report found that 63 percent of confirmed data breaches involved taking advantage of passwords that were the default, weak or stolen. Health care employees should not only use strong passwords, but ensure they are changed regularly.
   • Limit network access: Any software, applications and other additions to existing systems should not be installed by staff without prior consent from the proper organizational authorities.
   • Control physical access: Data can also be breached when physical devices are stolen. Computers and other electronics that contain protected information should be kept in locked rooms in secure areas.
   • Apply Software Updates Promptly: Software providers regularly release updates for their applications. Any delay in applying these patches to your systems leaves you vulnerable to opportunistic attacks. (for instance, you could check for and apply updates every Saturday).
   • Regular Risk Assessment: As technology, processes and procedures continue to evolve, the risks do so too. Performing a technology risk assessment at least once a year allows you to catch these new threats before they are exploited by third parties.
9. With AI and other emerging technologies in mind. What are the opportunities and challenges you see in handling large scale health data? New job roles that you foresee in regards to data protection and processing?
   Artificial Intelligence in healthcare has proven to be the ideal combination since its inception.AI in clinical, administrative and operational areas can be seen with the popularity of products in the market like IBM Watson, various clinical decision support systems such as Up-to-date, CIMS is helping out to make smarter decisions for better patient care.
   A huge amount of data is being collected across such technology driven platforms. Talking about the opportunities, a product like Microsoft based Cardiovascular Risk prediction. Tools and many others like that have been collecting and analyzing healthcare data of Indian Population to provide future plans and make smart decisions accordingly.
   Poor quality of data is a major challenge that has come up when handling large scale health data. The absence of standardization in collecting, capturing and storing data leads to the drop in the quality of healthcare information collected. The healthcare IT providers operating in Silos also hinders the exchange of data which is of prime importance as the care seeker moves from one location to another or another facility.
10. What are your future plans and any message for our readers?
    India’s healthcare industry is one of the fastest growing in the world, Indian healthcare sector is much diversified and is full of opportunities in every segment which includes providers, payers and medical technology. With the increase in the competition, businesses are looking to explore for the latest dynamics and trends which will have a positive impact on their business. There are many exciting opportunities like:Redefined care delivery: Emerging features including centralized digital centers to enable decision-making, continuous clinical monitoring, targeted treatments (such as 3-D printing for surgeries), and the use of smaller, portable devices will help characterize acute care hospitals.Digital patient experience: Digital and artificial intelligence (AI) technologies can help enable on-demand interaction and seamless processes through a choice of devices to improve patient experience.Enhanced talent development: Robotic process automation (RPA) and AI can allow caregivers to spend more time providing care and less time documenting it; as well as help enhance development and learning among caregivers.Operational efficiencies through technology: Digital supply chains, automation, robotics, and next-generation interoperability can drive operations management and back-office efficiencies.Healing and well-being designs: The well-being of patients and staff members—with an emphasis on the importance of environment and experience in healing—will likely be important in future hospital designs. Technology will likely underlie most aspects of future hospital care, but care delivery—especially for complex patients and procedures—may still require hands-on human expertise. Many future technologies can supplement and extend human interaction.In the end technology can help in simplifying admission, discharge, and other processesHospitals frequently stumble in their admission and discharge processes, particularly when it comes to efficiency and patient satisfaction. Patients often complain about filling out multiple forms that ask for similar data, or receiving conflicting discharge instructions. As hospital processes go digital, staff can use AI to learn from and improve these processes.

Mr. Sachin Gupta: Before starting this interview, I would just like to tell you that we are into the software part. Cyber security comes more in the infra part like, for any hospital to implement this they need an infrastructure then on the top of that they need the software. So we are basically looking after the software part. So, I will be sharing my views from a software perspective. 

1. As a preface, what would you like to tell us about yourself and how your services and products impact the health sector?
   Ever since Accurate started in 1995, we are making health care products, starting with DOS, Windows, web and now the mobile base. Our software contains a complete end-to-end solution for hospitals from the patient to hospital perspective. So the main advantages are, instant information to the patients, good efficiency pilferage control, better generation of Management Information System (MIS). So, all these things can help a healthcare establishment in serving the patients and hence increasing the revenue.
2. What kind of healthcare setups do you target, and what makes a major part of your business.
   A major part of business is made up of the big hospitals. By big, I mean a hundred bedded to thousand bedded hospital. As these hospitals have the required infrastructure to maintain our software but nowadays as the focus is shifting on the cloud, even the small hospitals can use our softwares on a monthly subscription basis. 
3. Do you target private as well as public hospitals?
   Basically we are more into the private hospitals. For public hospitals, it requires a whole together different process like filing a tender etc. And it requires a lot of formalities, so we are more into the private hospital groups.
4. How has the health IT industry changed over the past ten years. And what are the major changes that you have seen concerning the adoption of digitization in the healthcare sector in the last five years. 
   In the last five years, I have seen a very dramatic change in the healthcare industry and the reason being patients’ expectations. Before, 5 or 15 years ago, you just needed to give the bills and give reports to the patient. But now the expectations have advanced like receiving SMS/reminders, availability of reports on mobile etc. So, now software is serving as an assistant to the patient and now the patient is the part of the software. Patients can log in and see their own details, request for appointments and everything. Now patients are more aware and more involved in the software. Previously softwares were only known as the billing clerks of the hospital as they only used to give the print out of the bills. But now patients are very much involved in the software, they log in and they can update their information, they can fetch their information. So it’s a complete turn around, now the patient is also a part of the software and everyone is a part so you can call it a system instead of just calling it a software.
5. In general, what are the main security risks that you face in your practice cases, when shifting from paper-based to electronic format and what are the best ways to minimize those risks?
   In the manual times, there was no security there. They used to have a register and all, so they were safe. When we moved to computers 20 years ago, the issues were that their hard disk might crash and no surety for backup, these were the main issues. But now, when the things are online, the server has to be on the internet. Now, the major security issues are ransomware and virus and hacker attacks. So there are a lot of tools at hardware level and also from the software level that we have to use the tools to prevent data theft, cyber attacks and ransomware. These are the major issues apart from the hardware failure like, some hard disk crash and all. 
6. What are the security compliance practices that your company follows to prevent these attacks or how do you minimize them at your level? 
   We are trying our best to keep our security updates like a good firewall and then HTTP, now they also issue a certificate on their site and call it https secure certificate. We install that on our website, then the password encryption and data encryption whenever data travels through the internet, it should be in the highly encrypted form. So there are some issues for the ransomware, no antivirus company has been successful against ransomware and only Firewall can block them. So we suggest that there should be a separate web server and separate data server so that they cannot enter the data server. So these are some measures and above all whatever these measures are there. We have to take backups at regular intervals, maybe 2 times a day. So we have given us some backup solutions to our customers. Also we maintain their backup at our data centers so their backup will be copied after every one hour. So, instead of the security measure it should be a preventive measure and backup is one of the very important measures so that whatever happens suppose you can immediately recover and go online.
7. Since you have been in this industry, would you like to share any cyber incidents that might have happened in your organization or at your clients organization? How did you handle it? 
   Different types of incidents have happened at different times. Nowadays, any incident that happens at a frequency of two times in a year and majorly it is a ransomware attack. They just hack the server and then they ask for some Ransom money in dollars, then they restore it back. We have also faced this problem in our data centers also, so ransomware is the major security threat from the last two-three years. And before that, there were other threats like, staff trying to manipulate the data for their profit or theft issue and virus issues were there three-four years back. So with the changing time, the level of threats are increasing.
8. You must have heard about the personal data protection bill. What is your viewpoint on that? And how do you think that it will impact your business?
   It is a very good initiative by the government because till now we were just curbing the issues technically. But now it is declared as a criminal offense so if somebody tries to fiddle with the data or any malfunctioning with the data, there would be some fear of doing these things. So I think this is a very good move by the government concerning cybersecurity. 
9. What is your Viewpoint about the Disha act? How can it impact the business with its enforcement?
   Sorry, I haven’t heard about that.
10. With regard to improving the Security in the digitization Journey of Indian Health sector, as we are moving more towards it. So, what is your advice to the healthcare delivery organizations? 
    The advice is that they should use good quality servers, good certificates, good data security measures, whatever it takes and they should only allow the encrypted data to travel across the servers. So these are the major things that we can do and moreover with the personal security bill we can now act with the criminal prosecution also. These are the only things we can do.
11. With the AI and other emerging Technologies what are the opportunities and challenges you see in handling large-scale Health Data and what are the new job roles that you foresee in regards to data protection and processing?
    This argument is running on from the last 25 years, about the pros and cons of AI. From the customers perspective, the Pros would be they can get answers faster, they can get more relevant data, they can get the better view of data, 360 degree view of data using Ai. In medicine there is a lot of new software like MRI, CT scan, almost everything is digitalized now. The software now is telling where the problem is and providing the diagnoses And for the last 20 years, I’m hearing that it will do the job loss in the industry because a single robot can do work of more than 10 people. Now we are also using some bot in our software so that they can analyze and do everything they require. So I think it’s very helpful for our industry and for the customer. It’s very helpful.
12. Out of my curiosity, I want to ask you a question since you are in this industry for so many years. So have you seen any job loss due to this, AI and other technology 
    See the ones who are not updated at the right time will be not successful in the future and so one has to stay updated to be in the market. Otherwise, I have seen many people 20 years ago who did not update and now they become a liability and organization trying to get rid of them. So my advice to all of them to keep them updated with new trends. 
    For the readers. I like to say that just welcome technology. Let’s try to use a technology to the fullest, it will definitely help in growing the business and technology is the future now. 

1. What is the role of a CISO/CIO in the hospital? Educate our readers?
   CISO and CIO are two entirely different profiles. CISO is responsible for Information Security. Given the increasing role of information and information technology, this role has gained prominence over the past few years. CIO is IT Leader who works closely with business and leads business transformation through effective use of IT. In hospitals, CIO and CISO roles are generally performed by one single person. In some hospitals, CISO reports into CIO. This is not the best practice. Either CIO should perform CISO roles also, or CISO should be an independent authority directly reporting to the CEO (time will soon come when this person will have a place on board).
2. Your current job, share with us your typical routine and how much of it is about cyber security? What is the level of digitisation in your hospital?
   Our digital footprint has increased significantly over the past 4-5 years. We carry out most of our transactions online. Going with Mobile App and patient portal, we need to give careful consideration to cyber security related risks.
3. With the increasing digital adoption do you also see the increase of cyber risks?
   Absolutely. More you are visible in the cyber world, the more you get vulnerable from these attacks.
4. Have you carried out any formal information/ Cyber Risk Assessment / Audit in the recent past?
   We keep assessing periodically. We in fact invited a leading audit firm to carry out comprehensive information security risk assessment. It was a great experience and we developed a to-do list to strengthen our security posture.
5. Share with us a quick highlights of information security policy that a hospital should focus on?
   • Hospitals should first identify crown jewels of information they want to protect. Then identify how these are created, stored, processed, published and deleted. With each touch-point, it is important to ascertain that the principle of need to know is strictly adhered to. Security has three basic ingredients: Availability, Integrity and Confidentiality. 
   • A good back-up system enabled by online back-up software is very helpful in making sure data is available. Back-up policy must be carefully written and reviewed by business to decide the frequency of back-up and number of generations to be kept. It is important to document and audit the information recovery process periodically to ensure you will be able to recover the data when you need it.
   • Data Classification Policy is a must to differentiate between strictly confidential data, data for limited distribution and data available for public consumption.  As we are going for more and more digitalization, enormous data is being generated each day. We cannot keep everything within limited storage capacity. Therefore, data retention policy is a must to retire data periodically.
   • If the network is exposed to the external world through the internet, then we must have clearly defined access policies in the firewall. A strong firewall coupled with Intrusion Detection System (IDS) and Intrusion Protection System (IPS) is a must to act as a gatekeeper. However, this is not enough. Since we allow external agencies to interact with our services, a strong demilitarized zone (DMZ) is required and it needs to be equipped with a full spectrum of security apparatus. 
   • A policy to conduct VA-PT (Vulnerability Assessment and Penetration Testing) is a must to see how strongly our servers are protected. Since our employees are accessing our network from outside the premises also, it is important to strengthen the security keeping this aspect in mind. The traditional Castle and Moat approach is not relevant any longer. People are talking about Zero Trust Network. 
   • Finally, it is important to have a web access firewall, DDoS prevention, Access Policy Management etc. in place. Network should be intelligent to figure out any unusual packet or set of packets traversing through it (surveillance, rather than gate management).
   • The list is very long. These are a few basic components that should form part of a hospital’s security policy framework. 
6. Do you have dedicated staff/resources to look after, ensure and report to you about the information/ cyber status?
   Yes. There is a report generation on a daily basis that reaches me the same day.
7. As we see connected health also becoming a reality, what are your thoughts on Medical device security risks?
   This is going to be a huge risk. CISOs need to work closely with IT and Biomedical Engineering teams to secure these devices
8. If you have outsourced Hospital management / information system (HMS) and Data processing to a third party vendor, What steps are you taking and propose for hospitals who rely on a third party to ensure data protection aspects?
   No. We are using the Hospital Information System (HIS), Electronic Health Record (EHR), Picture archiving and communication system (PACS) and Enterprise Resource Planning (ERP) Products but we don’t give control of the production environment to them. It is our in-house team that controls these environments
9. Your Personal experience of Cybersecurity in the Health Sector versus other sectors? How do the Hospital Owners treat this subject?
   Two sectors are predominantly sensitive; financial sector and health sector. Financial sector has been the front runner of IT usage and the processes there are reasonably mature. On the other hand, hospitals were relatively safe until recently due to low digital footprint. However, with digital transformation, IoT, RPA etc. the vulnerabilities have significantly increased and are increasing day-by-day. The Government of India is about to notify the Personal Data Protection Act (PDPA). It will have a serious ramifications for cyber security related incidents.
10. Share a middle of the night call up from the hospital related to Information security.
    This actually happened early this year. One of our core applications crashed. I received a distress call precisely at 12:35 AM in the night. Fortunately, it was not an attack. It was a scheduled job that was supposed to run the previous night to move the physical database from a slow tier of storage to a faster tier. The job ran the previous night and did its job.
    However, the operator forgot to un-schedule it and it ran the next night again (over-writing all the day’s transactions). We had the back-up taken 3 hours before this crash and a full log of transactions. The back-up was restored and the transaction log was re-processed to reach the current state. However, it was quite a sweat for the team.
    Looking back, even our DR could not help in this situation. A strong lesson was learnt leading to improvements in operating procedures. It was an internal security incident caused completely inadvertently.

1. What is the role of a CISO/CIO in the hospital? Educate our readers?
   The role of CISO/ CIO is to manage the high level security related to the network system and protect patient data in a hospital. Hospitals nowadays are also involved in e-commerce and the diagnostic systems which are implemented are digitalised this eventually increases the possibility of cyber attacks. Here the CIO’s role comes into play by protecting the system of hospitals from any possible cyber threat.
2. Your current job, share with us your typical routine and how much of it is about cyber security?
   My current job is to manage the network, wireless and point to point security of hospitals. I spend the maximum time of my job assuring that the security systems are working and in case any possible threat enters in our system, it must be taken care of. I also provide connectivity and security to remote users and from one unit to another unit inside the hospital. In addition to this, a typical day of mine spent in implementing security in our systems and monitoring any threat that enters our network on day to day basis   for e.g.  If any unauthorised IP address that are getting access to information of our system then we have to deny and surpass access of those threats in our security system.
3. What is the level of digitisation in your hospital?
   In our hospital, the Hospital Information System (HIS) is implemented, which takes care of all patient data and clinical data, day to day transactions and other activities. EMR is also implemented in our hospital, we are able to successfully implement EMR in about 60-70% of our OPD’s. During Covid-19 digitalisation was enhanced at our part, as we introduced a new application of online consultation (telemedicine) in our hospital.
4. With the increasing digital adoption do you also see the increase of cyber risks?
   Digital Adoption in Hospitals is based on the adoption of future technology, like online consultancy, telemedicine, digitalization of   payment, Report transfer, sharing the vital information from patients’ side through 256 encryption base apps and websites link. During this COVID-19 scenario because of digital adoption patients, attendant and doctors can talk easily through 256 encryption base chat, calls and video calls, one to one talk to patients, doctor monitor patient record through EMR (electronic medical records) and also dispensing of consumable item can now be done by robotic trolley to reduce the infection level and 100% successfully digitization methods. Many hospitals go for Mitra Robots. They basically are easy to use and improve patients care services, productivity, safety norms and government guidelines.
5. Do you have dedicated staff/resources to look after, ensure and report to you about the information/ cyber status?
   In our hospital the responsibility regarding cyber security relays on the Head of Information technology (me). Head of IT manages all the security issues in the hospital. Create the new policies, norms for the security purpose and implement them and actively monitor the security policies and cyber threats.
6. As we see connected health also becoming a reality, what are your thoughts on Medical device security risks?
   For a hospital purpose, medical devices like connected cardiac monitor and lab equipment and radiology motilities it is easy to transfer information from one unit to another.In case of medical devices, high level security is required because there is risk to the patient’s personal data. In our hospital we have implemented the whole security devices and point to point connectivity and data encryption. Data lab reports and demography data is travelled by encrypted format like MPLS connectivity.
7. If you have outsourced Hospital management / information system (HMS) and Data processing to a third party vendor, What steps are you taking and propose for hospitals who rely on a third party to ensure data protection aspects?
   Most of the time HIMS is developed by a third party, some hospitals have a self developed HIMS, like Narayana Hrudayalaya (Multi Speciality Hospital) have a self developed HIMS but small hospitals generally do not have  self developed HIMS. Maximum single or five unit connectivity hospitals have opted for the outsource HIMS. Only 2-3 people manage the HIMS and implement the new strategies and new business policies. Developing team can rely on third parties. Cloud based HIMS is already under secure like SAS security is applicable and already provides the security. Every data on the third party is secured. Point to point connectivity by which data travels do not share the link easily to cloud based HIMS, certificates and tokens are must for security measures.
8. How your Hospital has implemented EMR format and adoption? Also, Medical Device security and Telemedicine Security?
   EMR is available in our hospital and doctors provide printed format prescriptions. Every order goes to our HIMS. Approximately 60-70% doctors use the EMR and utilizes the EMR data. For NABH purposes and ISO quality tests every EMR data is helpful. Telemedicine is for online consultations like Tele consultations and it is very famous. Various technologies are coming and Telemedicine is used widely by the patients. These are very useful in this current scenario of COVID-19 and in emergency conditions because online consultations are available now which helps in calling, chatting and video consultations which connect patients and doctors. Data is properly encrypted by telemedicine technology and data transfer is also possible easily. Our hospital is using this technology and maximum patients and staff support this technology. With regard to security purposes every telemedicine guideline is followed by MoHFW.
9. In your view, what should be an ideal security setup in a hospital?
   Basically Data encryption is the most important aspect, which service we use for creating the setup for the security purpose. Every hospital should have security policies and the implementation part is very important. Policies should be made properly and implemented more accurately. In addition to this, only authorized people should have the permission to go to the Connectivity department for the security purpose.
10. Share a middle of the night call up from the hospital related to Information security.I have provided the VPN technology, this technology connects me to the billing executives and at the night time I can help them through this. Our hospital is open for 24*7 call services for security purposes.
11. Any comment on the current scenario of cybersecurity in hospitals among India.
     Cybersecurity still is not considered as a concern among many hospitals. Even in Delhi NCR itself, there are very few hospitals who have this cybersecurity component in their hospitals. We don’t have enough policies and implementation tactics for cybersecurity in Indian hospitals as this is still in its evolving phase but as many hospitals are opting digitalisation in them, we can expect there would be advancement in the cybersecurity status in Indian hospitals in future.

1. What is the role of a Chief Information Officer (CIO) in the hospital? Educate our readers?
   A CIO should read first and then educate. CIO should read the kind of practices, policies, processes in the organizations and then he should mix his experience with that processes and educate the organizations.
2. In your current job, share with us your typical routine and how much of it is about cyber security?
   In context to cyber security, there is a periodic review for the cyber security and tools available in assistance in the organizations. The infrastructure team is always looking for the cyber security part. We have Audit teams which provide reports periodically. We generally analyse all the threats and we take actions accordingly.
3. What is the level of digitisation in your hospital? With the increasing digital adoption do you also see the increase of cyber risks?
   In terms of Indian healthcare industry, doctors are not very used to the patients using technology. They always believe that there should be physical meetings for consultation between doctors and patients. Because of this current scenario of COVID-19 doctors have to take care of the patients and look for their financial condition also. So when COVID-19 came they had to tackle both these issues. At that time we came out with Digital Solutions like Tele-consultations, EMR and when they used this type of Digitization it became habitual for them to use it. Major part of these practices will continue even after COVID-19 era.
4. Have you carried out any formal information/ Cyber Risk Assessment / Audit in the recent past?
   We have done Cyber Risk Assessment (CRA) last year, not this year.
5. Share with us a quick highlights of information security policy that a hospital should focus on?
   Information Security Policies in the hospital should be like:
   • In terms of IT point whatever applications are going in the public transform, we have to ensure that the Database structure and Domain controller (DC) should be protected.
   • The applications of the users should be well defined so that right users should use the right information. 
   • The level of information shared to users should be measurable.

   So, these three areas should be focused to build up a policy.

6. The pending acts of DISHA and PDP, how do you see that they will impact operations of your hospital?
   The PDP part is not known to me but DISHA is definitely giving impact on the hospital operations.
7. Do you have dedicated staff/resources to look after, ensure and report to you about the information/ cyber status?
   We have a proper infrastructure, team and the project manager of the team which gives the Cyber security report periodically to me.
8. As we see connected health also becoming a reality, what are your thoughts on Medical device security risks?
   Sir Ganga Ram Hospital does not have well experienced IoTs specifically. Further, It depends on the devices like what kind of medical devices are the hospitals using, the kind of data which is coming to the HIS and to the clinical applications running in the hospitals. Data authentication or any kind of data should come in proper applications, that measure is definitely concerned so whenever we will be integrating any IoT things we will take care of all these things. 
9. Have you also covered yourself from the legal point of view when it comes to agreement with third parties whose IT tools you use? Your advice for other hospitals on this?
   Yes, we have legal cells that take care about the cybersecurity laws. While taking any type of services from third party vendors we definitely go through all the cybersecurity laws that it should be intact. So, there is a process that we follow for any third party services. We check all the points and the papers which come from cybersecurity departments or legal departments and if all is fine, only then we go forward.
10. When procuring services and products which have a dimension of cyber, what aspects do you assess to safeguard your organisation against any cyber risks?
    In terms of data transactions, type of data entering and leaving the systems have to be checked before anything. Before taking any kind of application or giving accessibility to the patients, we check all the cyber security aspects like Data Security laws, authentication and data encryption.
11. Share also with us the people aspect of cyber security, what steps you are taking from the HR processes to capacity building of your employees for preventing cyber incidents? 
    I will explain this by an example, we are running with Oracle HCM which is totally a cloud based software and every employee has the accessibility of their self-portal.We have strict policies when it comes to authentication on the portal. Before giving any kind of accessibility of our software or application there are forced inbuilt policies for the employees which ensures that there are no cyber security flaws from the employee’s end
12. Any personal experience/scenario when patient safety may have got affected by Cybersecurity?
    No kind of patient safety has got affected by cybersecurity.  
13. Your Personal experience of Cybersecurity in the Health Sector versus other sectors? How do the Hospital Owners treat this subject?
    In terms of Health Sector Cybersecurity, hospital owners have very less experience rather than having knowledge. The organizations with whom I have worked with, always look for good systems to run their operations. They don’t think about the cybersecurity part of their operations. CIO/CISO have the responsibility that they have to educate the owners of the hospitals that they should take these kinds of measures like patient protection law and data protection, and it should be clearly defined in the hospitals SOPs. This is the part of CIO/CISO not the Hospital owner.
14. How your Hospital has implemented EMR format and adoption? 
    Hospital EMR implementation is a very challenging job. I have been working with Sir Ganga Ram Hospital for the last two and half years. In the last one year we have successfully implemented an EMR system. In my career I have worked with 5-6 Healthcare Organizations. This is the first time I have successfully implemented an EMR system, 70-75% not 100% even. EMR format should be a top down approach until and unless healthcare organizations owner or CIO/CISO should think about EMR implementation and that it should be mandatory for every consultant then it can be implemented. Here, fortunately, we have the most talented and tech savvy Chairman, according to his guidance and instructions this implementation has been done. EMR implementation is a part of the routine IT implementation project itself.
15. In your view, what should be an ideal security setup in a hospital?
    By the definition of the security policies,3 points every hospital should keep in mind are: 
    • Patient must have an equal right to see his/her data but it should be ensured that his data cannot be shared to any other person except that patient, who is the owner of that data.
    • In between transactions, between patient and the organization the data should be properly encrypted.
    • No external threat should be there in the data security of the hospitals.

    These are common in every hospital, these are the main baseline for data security in the hospitals.

16. How Cybersecurity is coping during this current scenario of COVID-19?
    There is nothing exceptional; it’s the same as it was earlier before COVID-19. Because we have already implemented EMR, we are already into the cloud so we have already taken all security measures.
17. Any comments or feedback about this interview or anything you would like to tell to our readers?
    Definitely this kind of analysis should be accumulated and our government and national security bodies should implement standard security policies across the Hospitals so that patient’s data can be secured at all points. Hospitals should think about the data security certifications also. 

1. What is the role of a CISO in the hospital? Educate our readers?
   With the rapid digitization of functions, processes and medical equipment in healthcare, the need for adopting secure cyber practices is becoming extremely important. A cyber breach can cause severe financial damage, bringing the functioning to standstill. In a healthcare domain extremely large data of patients is being produced from various sources like PACS (Picture Archive and Communication System), HIS (Hospital Information system) and other modalities.CISO has to play an important role around it. He has to ensure the cyber security domain must be strong enough to prevent cyber threat caused by lack of cyber security product deployment, lack of cyber security skills and lack of cyber security awareness in people. CISO has to present cyber threats status and risk to business to be well aligned with the business road map.
2. Your current job, share with us your typical routine and how much of it is about cyber security? What is the level of digitization in your hospital?
   CIO has to design strategies to ensure that technology adds the maximum value to a company to facilitate the patients for better care and life saving. The CIO sets a technology vision to leadership in healthcare to provide best medical care to patients and Develops and implements user-training programs.We have digitized many functions, processes that takes care of digital journey of patients, also finalized and designed the roadmap for the complete digitally integrated journey of the patient which helps the patient in various ways like reduced patient waiting time, well informed and guided patient, patient historical records on the clicks, faster medical care and remote medical care.Evaluation and finalization of technologies for healthcare is a crucial act of the CIO. Healthcare CIO acts on privacy and security of data including compliance.A structured Cyber Security review is scheduled on a weekly basis consisting of KPIs pertaining to ATP, IPS/IDS and Critical Alerts etc. and reviewing security incident reports focusing on high threats, intrusions and vulnerabilities.
3. Have you carried out any formal information/ Cyber Risk Assessment / Audit in the recent past? 
   Security Risk Assessment is intended to protect and secure health information (electronic protected health information) from a wide range of threats, whether in emergencies or during a system failure that constitutes a risk compromising confidentiality, integrity. In Max healthcare, we ensure (to have a cyber security audit done at least twice in a year for) cyber risk assessment and (ITGC) Information technology general control audit. In the past few months, we also hired a security (industry well known agency) professional to assess and deploy the best practices in cyber security. Intensive (Immense) cyber security assessments are also conducted by Investors from time to time. The management board is security focused and thus motivates to invest a significant amount in cyber security space to make Max Healthcare a safe place for better patient care and life saving service. 
4. Do you have dedicated staff/resources to look after, ensure and report to you about the information/ cyber status?
   Cyber security is a domain where continuous refinement is mandatory to avoid cyber threat. We have a qualified cyber security team who ensures the implementation of best practices in cyber security. Team is well aligned with the cyber security partner and ensures implementation of cyber security solutions, continuous monitoring of cyber threats. Cyber security team swift responses the security Incident response in case of cyber security incident, releases the tips & guidelines on cyber security awareness of the employee.Cyber Security teams prioritize most valuable assets and Information and ensure their safety. They optimize the processes and make relevant changes to security control systems.Outsourcing of business functions has become common and the teams have to ensure threat protection from these vulnerable gateways.Cyber security team presents security postures of the organization to CIO and consequently takes decisions to optimize it further.We have implemented various leading cyber security solutions to protect information and focused on segmentation of network, patch management, privileged ID management, password management.
5. With the increasing digital adoption, do you also see the increase of cyber risks?
   Healthcare is adopting a large number of digital platforms like digital medical equipment, cloud computing, mobile, IoT and consequently the size of the data is increasing extensively.In today’s world, the importance of patient data is extremely high (valuable) which attracts hackers to the healthcare domain worldwide. The competitors can use data to blackmail/threaten the organization for extortion of money, or sell the confidential data in the grey market for gaining advantages, and threaten individuals. We have adopted various cyber security practices to protect patient information (like ATP, Web filtering URL, WAF, DDoS, robust widely known Antivirus, antispyware, firewall endpoints protections solution, and strict password policies, added by regular governance under the umbrella of ITIL processes.
6. Share with us quick highlights of information security policy that a hospital should focus on?
   Failing to protect a patient’s data means failing to protect his trust in your organization and consequently Healthcare loses his reputation.With a proactive approach Cyber security team must identify threats in the network and prioritize the security plan. Teams must be well aligned and well aware of new threats trends and continuous cyber security assessment is imperative to avoid possibilities of security breaches. They must also conduct a cyber security awareness program for the employee and specially focus on Privileged user assessment and user access rights management and strong password policy. Hardening of IP devices to protect it from cyber threat and effective implementation of security solutions are essential and strengthen cyber security.
7. In your view, what should be an ideal security setup in a hospital?
   In a large health care organization, a skilled cyber security team is essential to continuously monitor, assess and handle threats. Well known Security agencies should work for you which transfers the security intelligence to the internal cyber security team and visibility of threats is an essential aspect.Cyber security team must develop a security culture in the organization; Proactive plans to protect Mobile & Medical devices, effective use of security devices, training to users, plans to handle surprises, controlled access of network and data, controlled physical access, strong password policy, restricted Physical access of critical devices. Moreover, addition and amendments are going on in best practices of healthcare security which must be implemented from time to time.
8. What checks and balances do you implement for processing of your data by the third party vendor? 
   We do have a dedicated & certified team to take care of Data protection and Information Security.We do conduct Security & capabilities Assessment on all major parameter like Data in motion & rest Protection,  Vulnerability Management Program, Data Leak prevention capabilities, Identity & Access management, Physical and personnel security, Application Code level security, Incident Response, Privacy (data anonymization), Business continuity plan & Disaster recovery plan, Compliance check, Lawfulness, fairness and transparency, Accuracy & confidentiality and finally the availability in case of any security incident. Periodically audit is performed to ensure all above parameters.