Design, Governance, and Training: The Three Pillars of Cybersecurity in Healthcare

Arvind Sivaramakrishnan, Chief Information Officer, Apollo Hospitals. Featured in the CIO-CISO Knowledge Series, powered by Sophos.

This article is published as a part of the CIO – CISO Knowledge Series: Powered by Smart CEO, in partnership with Sophos.

In conversation with Arvind Sivaramakrishnan, Chief Information Officer, Apollo Hospitals

Arvind Sivaramakrishnan, Chief Information Officer, Apollo Hospitals, is responsible for IT strategy and implementation across the Apollo Hospitals group. He has extensive experience in management consulting, architecting, and building solutions for enterprise-wide applications across a wide range of sectors.

Sivaramakrishnan also leads the digital transformation initiatives at the Apollo Hospitals Group. He led Apollo Hospitals to the prestigious HIMSS Level 6 healthcare IT maturity model certification in 2013 and also spearheaded the Apollo team to be recognized with the HIMSS-Elsevier award (2013, 2016, 2018) for outstanding use of IT in patient care delivery in the Asia Pacific region. Under his leadership, Apollo Hospitals was awarded the Microsoft Health Innovation award in 2016 for the effective use of big data analytics in infection control surveillance in health systems.

We invited Arvind Sivaramakrishnan to share his views on building a robust cybersecurity model for the healthcare industry. This is a part of a 10-article thought leadership series we’re publishing with India’s most exciting CIOs and CISOs. Smart CEO’s CIO – CISO Knowledge Series is powered by Sophos, a world leader in cybersecurity solutions that serves 400,000+ enterprise customers in 150 countries around the world.

How do you see the fast pace of digital transformation impacting the healthcare industry?

Digital transformation is a necessity to ensure that we are always 100% quality-focused, aligned towards customer expectations, and with a high degree of efficiency internally and externally. It is a very human-resource-intensive industry, and any slackness is unacceptable because we are dealing with the lives of people. Therefore, we have to drive towards 100% perfection and ensure replicability of service.

Today, digital transformation is becoming a base necessity, and though healthcare is a little late to the game because of aversion to risk-taking, it is catching up at a pace faster than other industries.

In India, the government has been focused on the Digital India initiative and there is a thrust on healthcare due to the large quantum of people who need access to healthcare versus those who can offer healthcare services. Also, the massive skill gap that exists is a major constraint.

Technology in India is moving at a good pace and startups are disrupting the way we deliver and manage healthcare services, including clinical, non-clinical, operational and human resources. I would rate India as being more organized, structured and disruptive than what I see in healthcare digital trends across the world.

The challenge is in the size, the scale and the sustainability – it has to be made the DNA across the country.

In the healthcare industry, what are some threats related to data security and integrity as a result?

Healthcare is a very personal world and a degree of confidentiality has always been important, not only as a statutory, legal requirement but even at the level of human engineering. So, the healthcare leaders are aware of the security and privacy concerns and that translates to the need for effective governance in the digitally-enabled, technology-driven work processes.

Though the level of maturity may not be high, there is an effort towards aligning people, processes and technology towards data governance. When we talk of people, it includes all the stakeholders that are part of the ecosystem, such as the insurance agency, the government agencies such as the municipal corporation or health department or other governing agencies.

What is missing is that the governing laws of the land are not very clear and many of the laws are not enforced strictly. Awareness of legal compliance requirements is largely absent because of a lack of strong enforcement. Knowledge of the law is partial, enforcement even more partial, so slackness in compliance is high. India as a whole needs some serious effort before we talk of tightening those laws, making them more effective, making them more governing. And all of us need to discharge our responsibilities diligently.

Every little piece of data (and information) in healthcare is classified information; it is front, core, and centre as we are dealing with personal reputation. But another aspect that needs equal attention is the nature of information itself. We see a lot of unfounded, unqualified information about treatment modalities being circulated freely. We saw that during the Covid-19 pandemic, for instance. We saw that a few years ago about fertility treatment. Governance around sharing information on the correct treatment options and the prognosis around them is also important.

In several industries, people are talking about threat hunting – the process of proactively and iteratively spotting cyber threats and staying prepared. How can the healthcare industry set up a process for threat hunting?

Currently, healthcare is not as mature as probably the financial sector is when it comes to threat hunting. It requires some well-planned investments but the cost and the skill gap are a cause for worry. We need cost-effective solutions. But having said that, threat hunting needs to be done post haste since some threats are morphed to look genuine but can be a malicious attack. Using cognitive algorithms for a continuous corrective mechanism is also an important need.

What are some of the best practices for security and governance as more digital initiatives are implemented?

I would say the three best practices would be: design of the entire enterprise system; an effective, constructive governance model with role management defined by the duration for when it is relevant; and training. It must become part of the DNA of the organization, embedded into every role and responsibility, job description, into the organizational culture for all stakeholders, be it the suppliers, the patients, and even their family.

The enterprise system design should detail the design of storage, application systems, the interaction of data, interoperability, their execution, and maintenance. In fact, more than design and execution, I would lay stress on maintenance. You have to keep the platform great. You cannot start slipping after a great implementation phase. You must constantly evaluate the applicability of older guidelines and incorporate the new ones. It is a fast-changing space and you can’t do it one time and call it done. Having a maturity model of solid governance structure – both internal and external – so that there are no lapses and everything is dealt with by a subject matter expert, in a constructive manner for continuous improvement, is essential.

What can be some of the bottlenecks to healthcare providers implementing these best practices?

There are three challenges to implementing security best practices. Definitely, the cost is a factor. The solutions need to be made affordable as otherwise budgetary constraints can compel one to choose a sub-optimal option.

The second is to build a highly skilled, knowledgeable team that is responsible for information security and other cybersecurity efforts.

Third, I believe that we need clearly defined laws and regulations which are constructive in nature and require healthcare businesses to develop a level of maturity when it comes to information security. It should not be about penalizing.

What are some of the ways in which healthcare providers can be prepared for digital crises?

I think the key is to build from the ground up for security and look at the information architecture at a fundamental level and design accordingly.

How can healthcare providers future-proof their security efforts?

All of this is interlinked. Making security best practices part of the DNA of the organization is probably going to be key. It is a cultural thing where the entire digital team is thinking about building not only for functionality and efficiency but also security.

Scalability automatically comes with manageability and talent, which is dependent on processes and governance. Trying to achieve it in a manual manner, even for a very small organization, raises the question of sustainability. Digital technologies can automate these processes enabling healthcare enterprises to build cognitive tools to further improve it continuously. AI and ML can enable building predictive and prescriptive analytics and simplify the magnitude of the work in front of us.

Broadly speaking, any technology must be supported by governance, compliance, and accountability. These three layers are as important as building the technology itself.

Meera Srikant has been working with publishers and publications since 1993, writing and editing articles, features and stories across topics. She also blogs and writes poems, novels and short stories during leisure. Writing for The Smart CEO since 2010, she is also a classical dancer.
