Hospitals Archives - InnoHEALTH magazine

InnoHEALTH Magazine Interviews CIO, Rajiv Gandhi Cancer Institute and Research Centre

InnoHEALTH magazine digital team — Tue, 07 Jul 2020 14:05:28 +0000

InnoHEALTH Magazine Interviews CIO, Rajiv Gandhi Cancer Institute and Research Centre

Hospitals, like any other modern organization, increasingly rely upon IT systems for a wide variety of administrative and clinical functions. These establishments are highly complex in terms of processes, which can have constant activity 24/7×365. Also, we must not ignore the fact that most of the equipment and diagnostics technologies used in medicine are using highly computerized components. This entire network of devices, equipment and systems that often require connection to external systems, is a very critical and complex environment to control.

Cybersecurity helps in keeping the information of the patient confidential for legal purposes and also prevents cybercrimes. With increasing cyber crimes nowadays, InnoHEALTH magazine took initiative to interview some big hospitals to see how resilient are our healthcare establishments and what steps they are taking to mitigate it and to spread awareness for cybersecurity amongst the healthcare establishments.

Kritika Aroroa and Varsha Prasad interviewed Mr J.P. Dwivedi CIO, Rajiv Gandhi Cancer Institute and Research Centre, on behalf of InnoHEALTH magazine

What is the role of a CISO/CIO in the hospital? Educate our readers?
CISO and CIO are two entirely different profiles. CISO is responsible for Information Security. Given the increasing role of information and information technology, this role has gained prominence over the past few years. CIO is IT Leader who works closely with business and leads business transformation through effective use of IT. In hospitals, CIO and CISO roles are generally performed by one single person. In some hospitals, CISO reports into CIO. This is not the best practice. Either CIO should perform CISO roles also, or CISO should be an independent authority directly reporting to the CEO (time will soon come when this person will have a place on board).
Your current job, share with us your typical routine and how much of it is about cyber security? What is the level of digitisation in your hospital?
Our digital footprint has increased significantly over the past 4-5 years. We carry out most of our transactions online. Going with Mobile App and patient portal, we need to give careful consideration to cyber security related risks.
With the increasing digital adoption do you also see the increase of cyber risks?
Absolutely. More you are visible in the cyber world, the more you get vulnerable from these attacks.
Have you carried out any formal information/ Cyber Risk Assessment / Audit in the recent past?
We keep assessing periodically. We in fact invited a leading audit firm to carry out comprehensive information security risk assessment. It was a great experience and we developed a to-do list to strengthen our security posture.
Share with us a quick highlights of information security policy that a hospital should focus on?
- Hospitals should first identify crown jewels of information they want to protect. Then identify how these are created, stored, processed, published and deleted. With each touch-point, it is important to ascertain that the principle of need to know is strictly adhered to. Security has three basic ingredients: Availability, Integrity and Confidentiality.
- A good back-up system enabled by online back-up software is very helpful in making sure data is available. Back-up policy must be carefully written and reviewed by business to decide the frequency of back-up and number of generations to be kept. It is important to document and audit the information recovery process periodically to ensure you will be able to recover the data when you need it.
- Data Classification Policy is a must to differentiate between strictly confidential data, data for limited distribution and data available for public consumption. As we are going for more and more digitalization, enormous data is being generated each day. We cannot keep everything within limited storage capacity. Therefore, data retention policy is a must to retire data periodically.
- If the network is exposed to the external world through the internet, then we must have clearly defined access policies in the firewall. A strong firewall coupled with Intrusion Detection System (IDS) and Intrusion Protection System (IPS) is a must to act as a gatekeeper. However, this is not enough. Since we allow external agencies to interact with our services, a strong demilitarized zone (DMZ) is required and it needs to be equipped with a full spectrum of security apparatus.
- A policy to conduct VA-PT (Vulnerability Assessment and Penetration Testing) is a must to see how strongly our servers are protected. Since our employees are accessing our network from outside the premises also, it is important to strengthen the security keeping this aspect in mind. The traditional Castle and Moat approach is not relevant any longer. People are talking about Zero Trust Network.
- Finally, it is important to have a web access firewall, DDoS prevention, Access Policy Management etc. in place. Network should be intelligent to figure out any unusual packet or set of packets traversing through it (surveillance, rather than gate management).
- The list is very long. These are a few basic components that should form part of a hospital’s security policy framework.
Do you have dedicated staff/resources to look after, ensure and report to you about the information/ cyber status?
Yes. There is a report generation on a daily basis that reaches me the same day.
As we see connected health also becoming a reality, what are your thoughts on Medical device security risks?
This is going to be a huge risk. CISOs need to work closely with IT and Biomedical Engineering teams to secure these devices
If you have outsourced Hospital management / information system (HMS) and Data processing to a third party vendor, What steps are you taking and propose for hospitals who rely on a third party to ensure data protection aspects?
No. We are using the Hospital Information System (HIS), Electronic Health Record (EHR), Picture archiving and communication system (PACS) and Enterprise Resource Planning (ERP) Products but we don’t give control of the production environment to them. It is our in-house team that controls these environments
Your Personal experience of Cybersecurity in the Health Sector versus other sectors? How do the Hospital Owners treat this subject?
Two sectors are predominantly sensitive; financial sector and health sector. Financial sector has been the front runner of IT usage and the processes there are reasonably mature. On the other hand, hospitals were relatively safe until recently due to low digital footprint. However, with digital transformation, IoT, RPA etc. the vulnerabilities have significantly increased and are increasing day-by-day. The Government of India is about to notify the Personal Data Protection Act (PDPA). It will have a serious ramifications for cyber security related incidents.
Share a middle of the night call up from the hospital related to Information security.
This actually happened early this year. One of our core applications crashed. I received a distress call precisely at 12:35 AM in the night. Fortunately, it was not an attack. It was a scheduled job that was supposed to run the previous night to move the physical database from a slow tier of storage to a faster tier. The job ran the previous night and did its job.
However, the operator forgot to un-schedule it and it ran the next night again (over-writing all the day’s transactions). We had the back-up taken 3 hours before this crash and a full log of transactions. The back-up was restored and the transaction log was re-processed to reach the current state. However, it was quite a sweat for the team.
Looking back, even our DR could not help in this situation. A strong lesson was learnt leading to improvements in operating procedures. It was an internal security incident caused completely inadvertently.

Interviewed by: Kritika Aroroa and Varsha Prasad

The post InnoHEALTH Magazine Interviews CIO, Rajiv Gandhi Cancer Institute and Research Centre appeared first on InnoHEALTH magazine.

InnoHEALTH Magazine Interviews HIT, Maharaja Agrasen Hospital

InnoHEALTH magazine digital team — Tue, 07 Jul 2020 13:51:06 +0000

InnoHEALTH Magazine Interviews HIT, Maharaja Agrasen Hospital

Cybersecurity helps in keeping the information of the patient confidential for legal purposes and also prevents cybercrimes. With increasing cyber crimes nowadays, InnoHEALTH magazine took initiative to interview some big hospitals to see how resilient are our healthcare establishments and what steps they are taking to mitigate it and to spread awareness for cybersecurity amongst the healthcare establishments.

Kritika Aroroa and Varsha Prasad interviewed Mr Niraj Kumar Singh, Head of Information Technology, Maharaja Agrasen Hospital on behalf of InnoHEALTH magazine.

What is the role of a CISO/CIO in the hospital? Educate our readers?
The role of CISO/ CIO is to manage the high level security related to the network system and protect patient data in a hospital. Hospitals nowadays are also involved in e-commerce and the diagnostic systems which are implemented are digitalised this eventually increases the possibility of cyber attacks. Here the CIO’s role comes into play by protecting the system of hospitals from any possible cyber threat.
Your current job, share with us your typical routine and how much of it is about cyber security?
My current job is to manage the network, wireless and point to point security of hospitals. I spend the maximum time of my job assuring that the security systems are working and in case any possible threat enters in our system, it must be taken care of. I also provide connectivity and security to remote users and from one unit to another unit inside the hospital. In addition to this, a typical day of mine spent in implementing security in our systems and monitoring any threat that enters our network on day to day basis for e.g. If any unauthorised IP address that are getting access to information of our system then we have to deny and surpass access of those threats in our security system.
What is the level of digitisation in your hospital?
In our hospital, the Hospital Information System (HIS) is implemented, which takes care of all patient data and clinical data, day to day transactions and other activities. EMR is also implemented in our hospital, we are able to successfully implement EMR in about 60-70% of our OPD’s. During Covid-19 digitalisation was enhanced at our part, as we introduced a new application of online consultation (telemedicine) in our hospital.
With the increasing digital adoption do you also see the increase of cyber risks?
Digital Adoption in Hospitals is based on the adoption of future technology, like online consultancy, telemedicine, digitalization of payment, Report transfer, sharing the vital information from patients’ side through 256 encryption base apps and websites link. During this COVID-19 scenario because of digital adoption patients, attendant and doctors can talk easily through 256 encryption base chat, calls and video calls, one to one talk to patients, doctor monitor patient record through EMR (electronic medical records) and also dispensing of consumable item can now be done by robotic trolley to reduce the infection level and 100% successfully digitization methods. Many hospitals go for Mitra Robots. They basically are easy to use and improve patients care services, productivity, safety norms and government guidelines.
Do you have dedicated staff/resources to look after, ensure and report to you about the information/ cyber status?
In our hospital the responsibility regarding cyber security relays on the Head of Information technology (me). Head of IT manages all the security issues in the hospital. Create the new policies, norms for the security purpose and implement them and actively monitor the security policies and cyber threats.
As we see connected health also becoming a reality, what are your thoughts on Medical device security risks?
For a hospital purpose, medical devices like connected cardiac monitor and lab equipment and radiology motilities it is easy to transfer information from one unit to another.In case of medical devices, high level security is required because there is risk to the patient’s personal data. In our hospital we have implemented the whole security devices and point to point connectivity and data encryption. Data lab reports and demography data is travelled by encrypted format like MPLS connectivity.
If you have outsourced Hospital management / information system (HMS) and Data processing to a third party vendor, What steps are you taking and propose for hospitals who rely on a third party to ensure data protection aspects?
Most of the time HIMS is developed by a third party, some hospitals have a self developed HIMS, like Narayana Hrudayalaya (Multi Speciality Hospital) have a self developed HIMS but small hospitals generally do not have self developed HIMS. Maximum single or five unit connectivity hospitals have opted for the outsource HIMS. Only 2-3 people manage the HIMS and implement the new strategies and new business policies. Developing team can rely on third parties. Cloud based HIMS is already under secure like SAS security is applicable and already provides the security. Every data on the third party is secured. Point to point connectivity by which data travels do not share the link easily to cloud based HIMS, certificates and tokens are must for security measures.
How your Hospital has implemented EMR format and adoption? Also, Medical Device security and Telemedicine Security?
EMR is available in our hospital and doctors provide printed format prescriptions. Every order goes to our HIMS. Approximately 60-70% doctors use the EMR and utilizes the EMR data. For NABH purposes and ISO quality tests every EMR data is helpful. Telemedicine is for online consultations like Tele consultations and it is very famous. Various technologies are coming and Telemedicine is used widely by the patients. These are very useful in this current scenario of COVID-19 and in emergency conditions because online consultations are available now which helps in calling, chatting and video consultations which connect patients and doctors. Data is properly encrypted by telemedicine technology and data transfer is also possible easily. Our hospital is using this technology and maximum patients and staff support this technology. With regard to security purposes every telemedicine guideline is followed by MoHFW.
In your view, what should be an ideal security setup in a hospital?
Basically Data encryption is the most important aspect, which service we use for creating the setup for the security purpose. Every hospital should have security policies and the implementation part is very important. Policies should be made properly and implemented more accurately. In addition to this, only authorized people should have the permission to go to the Connectivity department for the security purpose.
Share a middle of the night call up from the hospital related to Information security.I have provided the VPN technology, this technology connects me to the billing executives and at the night time I can help them through this. Our hospital is open for 24*7 call services for security purposes.
Any comment on the current scenario of cybersecurity in hospitals among India.
Cybersecurity still is not considered as a concern among many hospitals. Even in Delhi NCR itself, there are very few hospitals who have this cybersecurity component in their hospitals. We don’t have enough policies and implementation tactics for cybersecurity in Indian hospitals as this is still in its evolving phase but as many hospitals are opting digitalisation in them, we can expect there would be advancement in the cybersecurity status in Indian hospitals in future.

Interviewed by: Kritika Aroroa and Varsha Prasad

The post InnoHEALTH Magazine Interviews HIT, Maharaja Agrasen Hospital appeared first on InnoHEALTH magazine.

InnoHEALTH Magazine Interviews CIO, Sir Ganga Ram hospital

InnoHEALTH magazine digital team — Tue, 07 Jul 2020 13:14:57 +0000

InnoHEALTH Magazine Interviews CIO, Sir Ganga Ram hospital

Kritika Aroroa and Varsha Prasad interviewed Mr. Shuvankar Parmanick CIO, Sir Ganga Ram Hospital on behalf of InnoHEALTH magazine.

What is the role of a Chief Information Officer (CIO) in the hospital? Educate our readers?
A CIO should read first and then educate. CIO should read the kind of practices, policies, processes in the organizations and then he should mix his experience with that processes and educate the organizations.
In your current job, share with us your typical routine and how much of it is about cyber security?
In context to cyber security, there is a periodic review for the cyber security and tools available in assistance in the organizations. The infrastructure team is always looking for the cyber security part. We have Audit teams which provide reports periodically. We generally analyse all the threats and we take actions accordingly.
What is the level of digitisation in your hospital? With the increasing digital adoption do you also see the increase of cyber risks?
In terms of Indian healthcare industry, doctors are not very used to the patients using technology. They always believe that there should be physical meetings for consultation between doctors and patients. Because of this current scenario of COVID-19 doctors have to take care of the patients and look for their financial condition also. So when COVID-19 came they had to tackle both these issues. At that time we came out with Digital Solutions like Tele-consultations, EMR and when they used this type of Digitization it became habitual for them to use it. Major part of these practices will continue even after COVID-19 era.
Have you carried out any formal information/ Cyber Risk Assessment / Audit in the recent past?
We have done Cyber Risk Assessment (CRA) last year, not this year.
Share with us a quick highlights of information security policy that a hospital should focus on?
Information Security Policies in the hospital should be like:
- In terms of IT point whatever applications are going in the public transform, we have to ensure that the Database structure and Domain controller (DC) should be protected.
- The applications of the users should be well defined so that right users should use the right information.
- The level of information shared to users should be measurable.
So, these three areas should be focused to build up a policy.
The pending acts of DISHA and PDP, how do you see that they will impact operations of your hospital?
The PDP part is not known to me but DISHA is definitely giving impact on the hospital operations.
Do you have dedicated staff/resources to look after, ensure and report to you about the information/ cyber status?
We have a proper infrastructure, team and the project manager of the team which gives the Cyber security report periodically to me.
As we see connected health also becoming a reality, what are your thoughts on Medical device security risks?
Sir Ganga Ram Hospital does not have well experienced IoTs specifically. Further, It depends on the devices like what kind of medical devices are the hospitals using, the kind of data which is coming to the HIS and to the clinical applications running in the hospitals. Data authentication or any kind of data should come in proper applications, that measure is definitely concerned so whenever we will be integrating any IoT things we will take care of all these things.
Have you also covered yourself from the legal point of view when it comes to agreement with third parties whose IT tools you use? Your advice for other hospitals on this?
Yes, we have legal cells that take care about the cybersecurity laws. While taking any type of services from third party vendors we definitely go through all the cybersecurity laws that it should be intact. So, there is a process that we follow for any third party services. We check all the points and the papers which come from cybersecurity departments or legal departments and if all is fine, only then we go forward.
When procuring services and products which have a dimension of cyber, what aspects do you assess to safeguard your organisation against any cyber risks?
In terms of data transactions, type of data entering and leaving the systems have to be checked before anything. Before taking any kind of application or giving accessibility to the patients, we check all the cyber security aspects like Data Security laws, authentication and data encryption.
Share also with us the people aspect of cyber security, what steps you are taking from the HR processes to capacity building of your employees for preventing cyber incidents?
I will explain this by an example, we are running with Oracle HCM which is totally a cloud based software and every employee has the accessibility of their self-portal.We have strict policies when it comes to authentication on the portal. Before giving any kind of accessibility of our software or application there are forced inbuilt policies for the employees which ensures that there are no cyber security flaws from the employee’s end
Any personal experience/scenario when patient safety may have got affected by Cybersecurity?
No kind of patient safety has got affected by cybersecurity.
Your Personal experience of Cybersecurity in the Health Sector versus other sectors? How do the Hospital Owners treat this subject?
In terms of Health Sector Cybersecurity, hospital owners have very less experience rather than having knowledge. The organizations with whom I have worked with, always look for good systems to run their operations. They don’t think about the cybersecurity part of their operations. CIO/CISO have the responsibility that they have to educate the owners of the hospitals that they should take these kinds of measures like patient protection law and data protection, and it should be clearly defined in the hospitals SOPs. This is the part of CIO/CISO not the Hospital owner.
How your Hospital has implemented EMR format and adoption?
Hospital EMR implementation is a very challenging job. I have been working with Sir Ganga Ram Hospital for the last two and half years. In the last one year we have successfully implemented an EMR system. In my career I have worked with 5-6 Healthcare Organizations. This is the first time I have successfully implemented an EMR system, 70-75% not 100% even. EMR format should be a top down approach until and unless healthcare organizations owner or CIO/CISO should think about EMR implementation and that it should be mandatory for every consultant then it can be implemented. Here, fortunately, we have the most talented and tech savvy Chairman, according to his guidance and instructions this implementation has been done. EMR implementation is a part of the routine IT implementation project itself.
In your view, what should be an ideal security setup in a hospital?
By the definition of the security policies,3 points every hospital should keep in mind are:
- Patient must have an equal right to see his/her data but it should be ensured that his data cannot be shared to any other person except that patient, who is the owner of that data.
- In between transactions, between patient and the organization the data should be properly encrypted.
- No external threat should be there in the data security of the hospitals.
These are common in every hospital, these are the main baseline for data security in the hospitals.
How Cybersecurity is coping during this current scenario of COVID-19?
There is nothing exceptional; it’s the same as it was earlier before COVID-19. Because we have already implemented EMR, we are already into the cloud so we have already taken all security measures.
Any comments or feedback about this interview or anything you would like to tell to our readers?
Definitely this kind of analysis should be accumulated and our government and national security bodies should implement standard security policies across the Hospitals so that patient’s data can be secured at all points. Hospitals should think about the data security certifications also.

Interviewed by: Kritika Aroroa and Varsha Prasad

The post InnoHEALTH Magazine Interviews CIO, Sir Ganga Ram hospital appeared first on InnoHEALTH magazine.

InnoHEALTH Magazine Interviews Director and CIO, Max Healthcare

InnoHEALTH magazine digital team — Tue, 07 Jul 2020 12:58:52 +0000

InnoHEALTH Magazine Interviews Director and CIO, Max Healthcare

Kritika Aroroa and Varsha Prasad interviewed Mr Prashant Singh Director and CIO at Max Healthcare, Delhi on behalf of InnoHEALTH magazine.

What is the role of a CISO in the hospital? Educate our readers?
With the rapid digitization of functions, processes and medical equipment in healthcare, the need for adopting secure cyber practices is becoming extremely important. A cyber breach can cause severe financial damage, bringing the functioning to standstill. In a healthcare domain extremely large data of patients is being produced from various sources like PACS (Picture Archive and Communication System), HIS (Hospital Information system) and other modalities.CISO has to play an important role around it. He has to ensure the cyber security domain must be strong enough to prevent cyber threat caused by lack of cyber security product deployment, lack of cyber security skills and lack of cyber security awareness in people. CISO has to present cyber threats status and risk to business to be well aligned with the business road map.
Your current job, share with us your typical routine and how much of it is about cyber security? What is the level of digitization in your hospital?
CIO has to design strategies to ensure that technology adds the maximum value to a company to facilitate the patients for better care and life saving. The CIO sets a technology vision to leadership in healthcare to provide best medical care to patients and Develops and implements user-training programs.We have digitized many functions, processes that takes care of digital journey of patients, also finalized and designed the roadmap for the complete digitally integrated journey of the patient which helps the patient in various ways like reduced patient waiting time, well informed and guided patient, patient historical records on the clicks, faster medical care and remote medical care.Evaluation and finalization of technologies for healthcare is a crucial act of the CIO. Healthcare CIO acts on privacy and security of data including compliance.A structured Cyber Security review is scheduled on a weekly basis consisting of KPIs pertaining to ATP, IPS/IDS and Critical Alerts etc. and reviewing security incident reports focusing on high threats, intrusions and vulnerabilities.
Have you carried out any formal information/ Cyber Risk Assessment / Audit in the recent past?
Security Risk Assessment is intended to protect and secure health information (electronic protected health information) from a wide range of threats, whether in emergencies or during a system failure that constitutes a risk compromising confidentiality, integrity. In Max healthcare, we ensure (to have a cyber security audit done at least twice in a year for) cyber risk assessment and (ITGC) Information technology general control audit. In the past few months, we also hired a security (industry well known agency) professional to assess and deploy the best practices in cyber security. Intensive (Immense) cyber security assessments are also conducted by Investors from time to time. The management board is security focused and thus motivates to invest a significant amount in cyber security space to make Max Healthcare a safe place for better patient care and life saving service.
Do you have dedicated staff/resources to look after, ensure and report to you about the information/ cyber status?
Cyber security is a domain where continuous refinement is mandatory to avoid cyber threat. We have a qualified cyber security team who ensures the implementation of best practices in cyber security. Team is well aligned with the cyber security partner and ensures implementation of cyber security solutions, continuous monitoring of cyber threats. Cyber security team swift responses the security Incident response in case of cyber security incident, releases the tips & guidelines on cyber security awareness of the employee.Cyber Security teams prioritize most valuable assets and Information and ensure their safety. They optimize the processes and make relevant changes to security control systems.Outsourcing of business functions has become common and the teams have to ensure threat protection from these vulnerable gateways.Cyber security team presents security postures of the organization to CIO and consequently takes decisions to optimize it further.We have implemented various leading cyber security solutions to protect information and focused on segmentation of network, patch management, privileged ID management, password management.
With the increasing digital adoption, do you also see the increase of cyber risks?
Healthcare is adopting a large number of digital platforms like digital medical equipment, cloud computing, mobile, IoT and consequently the size of the data is increasing extensively.In today’s world, the importance of patient data is extremely high (valuable) which attracts hackers to the healthcare domain worldwide. The competitors can use data to blackmail/threaten the organization for extortion of money, or sell the confidential data in the grey market for gaining advantages, and threaten individuals. We have adopted various cyber security practices to protect patient information (like ATP, Web filtering URL, WAF, DDoS, robust widely known Antivirus, antispyware, firewall endpoints protections solution, and strict password policies, added by regular governance under the umbrella of ITIL processes.
Share with us quick highlights of information security policy that a hospital should focus on?
Failing to protect a patient’s data means failing to protect his trust in your organization and consequently Healthcare loses his reputation.With a proactive approach Cyber security team must identify threats in the network and prioritize the security plan. Teams must be well aligned and well aware of new threats trends and continuous cyber security assessment is imperative to avoid possibilities of security breaches. They must also conduct a cyber security awareness program for the employee and specially focus on Privileged user assessment and user access rights management and strong password policy. Hardening of IP devices to protect it from cyber threat and effective implementation of security solutions are essential and strengthen cyber security.
In your view, what should be an ideal security setup in a hospital?
In a large health care organization, a skilled cyber security team is essential to continuously monitor, assess and handle threats. Well known Security agencies should work for you which transfers the security intelligence to the internal cyber security team and visibility of threats is an essential aspect.Cyber security team must develop a security culture in the organization; Proactive plans to protect Mobile & Medical devices, effective use of security devices, training to users, plans to handle surprises, controlled access of network and data, controlled physical access, strong password policy, restricted Physical access of critical devices. Moreover, addition and amendments are going on in best practices of healthcare security which must be implemented from time to time.
What checks and balances do you implement for processing of your data by the third party vendor?
We do have a dedicated & certified team to take care of Data protection and Information Security.We do conduct Security & capabilities Assessment on all major parameter like Data in motion & rest Protection, Vulnerability Management Program, Data Leak prevention capabilities, Identity & Access management, Physical and personnel security, Application Code level security, Incident Response, Privacy (data anonymization), Business continuity plan & Disaster recovery plan, Compliance check, Lawfulness, fairness and transparency, Accuracy & confidentiality and finally the availability in case of any security incident. Periodically audit is performed to ensure all above parameters.

Interviewed by: Kritika Aroroa and Varsha Prasad

The post InnoHEALTH Magazine Interviews Director and CIO, Max Healthcare appeared first on InnoHEALTH magazine.