Cybersecurity Needs To Be At Centre Of Digitalisation Strategy: Sourav Chanda

In your opinion, what is the level of cybersecurity currently needed and currently available in the healthcare industry in India?

The Government of India has embarked upon the National Digital Health Mission (NDHM). With the entire backbone of NDHM being digitally enabled, it is imperative for the Indian healthcare industry to ensure implementation of adequate levels of cybersecurity for protection of the healthcare systems and data, and patient data confidentiality. 

Currently in India, most healthcare organisations have developed and implemented security policy, standards, and procedures, but there are many areas where more cybersecurity measures are immediately needed. For example, benchmarks for system design and configuration are needed for new systems along with modifying current systems. Security risk management frameworks also need to be built. Very few large organisations are doing this. Periodic assessments and audits are being done by most, but these are limited in scope. 

Centralised solutions are the way forward for security monitoring, threat detection and incident response, vulnerability scanning and patching, but these have either happened partially, at a basic level, or by very few organisations. For securing the infrastructure, basic network and endpoint security solutions have been implemented, but cloud security solutions have not been implemented, and most do not have a centralised monitoring system or active monitoring. Secure access for clinicians and privileged access users, both on-site and remote, is also implemented at a basic level that does not include multi-factor authentication (MFA). 

Healthcare is already embarking upon a giant digital journey. Do you think the country has enough cyber laws and effective implementation to tackle the security threats in healthcare of the coming future? What is the scenario globally for the same? 

With the rapid digitalisation of healthcare, India will see massive investments in cloud, mobility, IoT (Internet of Things), ML (Machine Learning) and bio-medical technologies. The complexity and speed of development and need to protect this data continues to challenge even the largest security operations. To protect these investments India needs legislation in 3 key areas: protection of healthcare infrastructure as critical infrastructure; protection of healthcare data as sensitive personal data; and cybersecurity responsibilities of healthcare system owners and manufacturers. 

Healthcare data is projected to grow at 36 per cent CAGR by 2025, exceeding any other industry, according to IDC. 

While the laws, namely Information Technology Act, 2000, along with Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, provides some protection to healthcare data, the speed of digitalisation in healthcare exposes security gaps that will leave data exposed. Rapidly enacting the Personal Data Protection (PDP) Bill, 2019 and Digital Information Security in Healthcare Act (DISHA) that equates to the EU GDPR and US HIPAA respectively can help close the gap. Regarding cybersecurity responsibilities, while updating the laws to plug the gaps, and enacting the bills will significantly advance cybersecurity responsibilities for healthcare system owners, these hardly establish any requirements for healthcare system and device manufacturers. Regulators must include legislation to have manufacturers take responsibility to secure systems and devices by design (pre-market) and address cybersecurity vulnerabilities after installation (post-market).  

While implementing legislation can be a challenge, introducing penalties for lack of adherence will go a long way in helping protect the data of our citizens, and protecting such a critical infrastructure as it matures. 

What are the challenges for efficient cybersecurity in Healthcare in India as well as globally and where should the push come from to tackle the challenges? 

The first and biggest challenge in establishing efficient cybersecurity in Indian healthcare is the lack of standardised and established healthcare infrastructure and practices in India due to the absence of a direct legislative framework on healthcare. Even though the National Health Policy, 2017 provides guidance on how India should progress, healthcare is neither explicitly designated as a fundamental Constitutional right, nor legislated as a service to every citizen. For example, in the US, even though healthcare is not a fundamental right, enacted legislations like Emergency Medical Treatment and Active Labour Act (EMTALA) and Affordable Care Act (ACA, popularly known as Obamacare) ensures that healthcare is available to all American citizens. 

The second challenge is the lack of a regulatory body for healthcare, like RBI for banking and finance or IRDAI for insurance, which should be  tasked with bringing in over-arching legislations for healthcare, including security and privacy focused legislations, enforcing implementation of those legislations and consequences of violation. Being a nation obsessed with digitalization, we must prioritise development of a comprehensive healthcare framework along  with rapid digitalisation to ensure effective healthcare availability to all Indian citizens. 

The third challenge is the lack of a comprehensive set of standards for Indian healthcare. While the National Health Mission suggests Indian Public Health Standards from a community to a district level, these are non-enforceable guidelines. Additionally, healthcare technology standards are limited to EMR / EHR Standards and Metadata and Data Standards for Health Domain, which do not comprehensively address today’s requirements of accessibility, portability, interoperability, and most importantly, security.  

What are the benefits of digitising the healthcare ecosystem whilst emphasising data protection? 

It is an opportune time for healthcare systems to use data to serve the interests of their patients as consumers and build first- and last-mile and add-on services, community health campaigns and more. For caregivers as well, digital and cloud-based platforms tools are  a boon to staff productivity. Most importantly, digitalisation in healthcare can also have a tangible  impact on healthcare outcomes. For example, at Providence, we use AI and predictive analytics to reduce the burden of strokes by improving the monitoring and quality of care in the management of strokes, which leads to lives saved. 

The complexity and speed of development of digital technologies such as cloud, mobility, IoT, and ML continues to challenge even the largest security operations. Cyber security needs to be at the centre of the digitalisation strategy and obtain prioritised investments proportionate to the transformation. Healthcare systems must implement a strategy that embeds data security principles into their governance frameworks and enforce risk-based decision-making.

Healthcare solutions must inherit these data security principles and more and remain compliant to data protection laws like HIPAA (US) and DISHA (India). The CISO must become an internal advisor to address the newfound challenges of digitalisation. Basic security practices like end-user training, asset inventory, sensitive data encryption, secure remote access, multi-factor authentication, least privilege access, logging and patching must be foundational elements of the digital operating model. 

How is Providence India helping to strengthen the healthcare infrastructure? 

Our work in healthcare focuses on the technology infrastructure that underpins care and the care experience at the Providence family of hospitals in the western United States. We share best practices with peers in the Indian healthcare industry.