InnoHEALTH Magazine Interviews CIO, Sir Ganga Ram hospital
Hospitals, like any other modern organization, increasingly rely upon IT systems for a wide variety of administrative and clinical functions. These establishments are highly complex in terms of processes, which can have constant activity 24/7×365. Also, we must not ignore the fact that most of the equipment and diagnostics technologies used in medicine are using highly computerized components. This entire network of devices, equipment and systems that often require connection to external systems, is a very critical and complex environment to control.
Cybersecurity helps in keeping the information of the patient confidential for legal purposes and also prevents cybercrimes. With increasing cyber crimes nowadays, InnoHEALTH magazine took initiative to interview some big hospitals to see how resilient are our healthcare establishments and what steps they are taking to mitigate it and to spread awareness for cybersecurity amongst the healthcare establishments.
Kritika Aroroa and Varsha Prasad interviewed Mr. Shuvankar Parmanick CIO, Sir Ganga Ram Hospital on behalf of InnoHEALTH magazine.
- What is the role of a Chief Information Officer (CIO) in the hospital? Educate our readers?
A CIO should read first and then educate. CIO should read the kind of practices, policies, processes in the organizations and then he should mix his experience with that processes and educate the organizations. - In your current job, share with us your typical routine and how much of it is about cyber security?
In context to cyber security, there is a periodic review for the cyber security and tools available in assistance in the organizations. The infrastructure team is always looking for the cyber security part. We have Audit teams which provide reports periodically. We generally analyse all the threats and we take actions accordingly. - What is the level of digitisation in your hospital? With the increasing digital adoption do you also see the increase of cyber risks?
In terms of Indian healthcare industry, doctors are not very used to the patients using technology. They always believe that there should be physical meetings for consultation between doctors and patients. Because of this current scenario of COVID-19 doctors have to take care of the patients and look for their financial condition also. So when COVID-19 came they had to tackle both these issues. At that time we came out with Digital Solutions like Tele-consultations, EMR and when they used this type of Digitization it became habitual for them to use it. Major part of these practices will continue even after COVID-19 era. - Have you carried out any formal information/ Cyber Risk Assessment / Audit in the recent past?
We have done Cyber Risk Assessment (CRA) last year, not this year. - Share with us a quick highlights of information security policy that a hospital should focus on?
Information Security Policies in the hospital should be like:- In terms of IT point whatever applications are going in the public transform, we have to ensure that the Database structure and Domain controller (DC) should be protected.
- The applications of the users should be well defined so that right users should use the right information.
- The level of information shared to users should be measurable.
So, these three areas should be focused to build up a policy.
- The pending acts of DISHA and PDP, how do you see that they will impact operations of your hospital?
The PDP part is not known to me but DISHA is definitely giving impact on the hospital operations. - Do you have dedicated staff/resources to look after, ensure and report to you about the information/ cyber status?
We have a proper infrastructure, team and the project manager of the team which gives the Cyber security report periodically to me. - As we see connected health also becoming a reality, what are your thoughts on Medical device security risks?
Sir Ganga Ram Hospital does not have well experienced IoTs specifically. Further, It depends on the devices like what kind of medical devices are the hospitals using, the kind of data which is coming to the HIS and to the clinical applications running in the hospitals. Data authentication or any kind of data should come in proper applications, that measure is definitely concerned so whenever we will be integrating any IoT things we will take care of all these things. - Have you also covered yourself from the legal point of view when it comes to agreement with third parties whose IT tools you use? Your advice for other hospitals on this?
Yes, we have legal cells that take care about the cybersecurity laws. While taking any type of services from third party vendors we definitely go through all the cybersecurity laws that it should be intact. So, there is a process that we follow for any third party services. We check all the points and the papers which come from cybersecurity departments or legal departments and if all is fine, only then we go forward. - When procuring services and products which have a dimension of cyber, what aspects do you assess to safeguard your organisation against any cyber risks?
In terms of data transactions, type of data entering and leaving the systems have to be checked before anything. Before taking any kind of application or giving accessibility to the patients, we check all the cyber security aspects like Data Security laws, authentication and data encryption. - Share also with us the people aspect of cyber security, what steps you are taking from the HR processes to capacity building of your employees for preventing cyber incidents?
I will explain this by an example, we are running with Oracle HCM which is totally a cloud based software and every employee has the accessibility of their self-portal.We have strict policies when it comes to authentication on the portal. Before giving any kind of accessibility of our software or application there are forced inbuilt policies for the employees which ensures that there are no cyber security flaws from the employee’s end - Any personal experience/scenario when patient safety may have got affected by Cybersecurity?
No kind of patient safety has got affected by cybersecurity. - Your Personal experience of Cybersecurity in the Health Sector versus other sectors? How do the Hospital Owners treat this subject?
In terms of Health Sector Cybersecurity, hospital owners have very less experience rather than having knowledge. The organizations with whom I have worked with, always look for good systems to run their operations. They don’t think about the cybersecurity part of their operations. CIO/CISO have the responsibility that they have to educate the owners of the hospitals that they should take these kinds of measures like patient protection law and data protection, and it should be clearly defined in the hospitals SOPs. This is the part of CIO/CISO not the Hospital owner. - How your Hospital has implemented EMR format and adoption?
Hospital EMR implementation is a very challenging job. I have been working with Sir Ganga Ram Hospital for the last two and half years. In the last one year we have successfully implemented an EMR system. In my career I have worked with 5-6 Healthcare Organizations. This is the first time I have successfully implemented an EMR system, 70-75% not 100% even. EMR format should be a top down approach until and unless healthcare organizations owner or CIO/CISO should think about EMR implementation and that it should be mandatory for every consultant then it can be implemented. Here, fortunately, we have the most talented and tech savvy Chairman, according to his guidance and instructions this implementation has been done. EMR implementation is a part of the routine IT implementation project itself. - In your view, what should be an ideal security setup in a hospital?
By the definition of the security policies,3 points every hospital should keep in mind are:- Patient must have an equal right to see his/her data but it should be ensured that his data cannot be shared to any other person except that patient, who is the owner of that data.
- In between transactions, between patient and the organization the data should be properly encrypted.
- No external threat should be there in the data security of the hospitals.
These are common in every hospital, these are the main baseline for data security in the hospitals.
- How Cybersecurity is coping during this current scenario of COVID-19?
There is nothing exceptional; it’s the same as it was earlier before COVID-19. Because we have already implemented EMR, we are already into the cloud so we have already taken all security measures. - Any comments or feedback about this interview or anything you would like to tell to our readers?
Definitely this kind of analysis should be accumulated and our government and national security bodies should implement standard security policies across the Hospitals so that patient’s data can be secured at all points. Hospitals should think about the data security certifications also.
Interviewed by: Kritika Aroroa and Varsha Prasad