Case Study
Ensuring Success With Information Security
Establishing an information security policy needs implementation,
operation, monitoring, review, maintenance and upgradation. Malabika Sarkar
explores how New Delhi-based Max Healthcare, one of the leading players in the
healthcare sector, goes about setting up an information security policy to avoid
a security disaster.
With a vision to deliver world class healthcare with a service focus, Max Healthcare
is an institution committed to delivering standard medical service. To keep all
its medical records safe and sound, the Hospital required a strong security
management system, and hence the role of IT came into the limelight.
Max Healthcare has already deployed a number of security solutions across all
its locations. It operates at eight locations all over Delhi and NCR, all connected
by dedicated leased lines. There is a central data centre, and the Hospital
picks the best product for each area, which leads it to choose separate vendors. The
core software, i.e. the Hospital Information System (HIS), is built in-house to
make it robust, and other software is integrated with it as well.
Tech Buzz
Ideally, IT activities start at the Hospital construction stage, when the networking
(the backbone) needs to be implemented. With the right software in place, a great
deal of time is spent laying out the workflow systematically and then implementing the
software with proper training. Operationally, a help desk should be in place to take care
of day-to-day support.
According to experts, the potential of the IT-healthcare market in India is growing
in terms of size, products and applications. Hospitals are fully computerised
and have started linking with each other, leading to a centralised medical record.
Earlier only the billing system was computerised, but now, with the introduction of
technologies like DICOM and HL7, all medical equipment is getting connected to the Hospital
Management System software, which leads to high demand for computerisation. This
will reach 100 per cent IT compliance in the near future.
Commenting on the execution of the whole security system, Saha says, "IT
is the backbone of any business. It is very important to have robust controls
to implement perimeter security controls to protect Max Healthcare's IT facilities.
We also need to address the vulnerabilities inside the Hospital network especially
at the application layer. We make sure that all issues are resolved in the initial
stage of designing and not after the application is developed. With the introduction
of latest technologies, we have business continuity in place. Almost all departments
in our organisation use our software for their day-to-day functions."
Special Information Security Deployment
"We make sure that all the issues are resolved in the initial stage of designing
and not after the application is developed"
- Pradeep Kumar Saha, Head-IT, Max Healthcare, New Delhi
One of the most important solutions that the Hospital has
deployed is the desktop security policy process, which is a part of the Information
Technology Infrastructure Library (ITIL).
Initially, some of the major hurdles that the Hospital
faced were that users were changing their desktop wallpaper and screen savers,
and were also deleting software and installing software of their own choice
from the control panel. There was no login password policy to prevent hackers.
Users were free to listen to and download songs as they wished. Moreover, a
user sitting at one location was free to access the files of another user
at other locations.
The Hospital then came up with a solution known as the desktop security policy,
which has removed all administrative rights from the users.
With this solution, users can no longer play around with their desktops, and
they cannot install or uninstall software at their own convenience. Apart from
this, any logical access to the database is restricted through strict authentication.
Users at one location cannot use the network to access PCs at other locations,
and users cannot listen to or download any music.
Talking about this solution and its impact on the whole administrative system,
Pradeep Kumar Saha, Head-IT, Max Healthcare, says, "This process is one
very important implementation in Max Healthcare which has been already done.
We are highly satisfied with the control mechanism. This will bring out more
productivity in the work place."
Secure Records
Max Healthcare has implemented an Electronic Medical Record (EMR) to keep all the
medical records safe. With the extent of computerisation, the Hospital now has
an EMR which makes life easy as far as access to medical records is concerned.
Speaking on the implementation of EMR and its security features, Saha says, "This
record includes clinical activities, diagnostic reports, doctor's advice, medication
and surgery history." He further adds that with this software, the medical
record of a patient is maintained from day one for as long as he remains a customer of the
hospital.
Identity Access Management Process
Another important security solution is the Identity Access Management process.
The device used is known as Cyberoam, on which IT has defined the identity access
policies. All users have to authenticate themselves at login,
which is controlled by Active Directory. Each user has to prove his identity before
gaining access.
Hospital Management System
This is one more solution, used mainly to track the performance of the different
locations. The 'Business Intelligent Tool' is used to monitor which location is
generating the most revenue, who the doctors are, and which
patient has paid the highest amount of money. The status is continuously
updated.
Hospital Information System
Max Healthcare is planning to interface all the patient monitoring systems in
its ICUs with HIS, which can be accessed by the concerned doctors from anywhere in
Max Healthcare (including other locations). With this, a doctor will automatically
receive an SMS as soon as his patient is transferred to the ICU. In another case,
parents will receive messages on their mobile phones whenever their baby is
due for a vaccination.
These are some of the security solutions of Max Healthcare. Some of them are
already implemented and others are in the pipeline.
"1.5 per cent of the whole company budget is IT budget. We do not face
any problem convincing the management because to meet customer's demand and
operational requirements upgradation and sometimes deployment of a technology
is necessary. In order to enjoy the outcome of a particular deployment, investment
has to be made. This budget is flexible and if required increases. Last year
it went up to three per cent and this year five per cent," avers Saha. While
advanced technology is readily accepted by any user, a clear presentation
of the benefits, both tangible and intangible, gets it approved by the management,
he adds.
Healthcare Portal
The Hospital is in talks with the management and the doctors to create a healthcare
portal wherein customers can log in and use services like booking appointments
and paying bills by credit card.
Meanwhile, with the Health Insurance Portability and Accountability Act (HIPAA)
becoming a standard requirement, the healthcare portal will help make
healthcare easily accessible to customers. However, very little of the HIPAA regulation
is relevant to Max Healthcare. Since HIPAA is still not mandatory in India,
it is not on the Hospital's priority list.
The Hospital also appears to have an enterprise-wide messaging solution, which
is an uncommon implementation. Commenting on how they went about the ROI for
the security infrastructure investments, Saha says, "We have hosted our
server with a service provider who is responsible for security of the messaging
system. There was neither Capex nor extra manpower to administer the system,
which has justified our ROI." He further adds that financial and clinical
analytics are two very important things required by the organisation, both to
measure profit and loss and to track medical advancement. Also, minimising medical
error requires a lot of computerisation, which needs investment.
Other areas and IT Intervention
Admission, discharge and billing, along with laboratory and pharmacy, are the
front office areas which require IT intervention, while material management
is the back office requirement. The clinical requirement to form the EMR is additional
and is a highly required area in any healthcare business. Together these form
the total healthcare requirements, all of which are implemented in Max Healthcare.
The Information Security team is responsible for the maintenance and review
of all the security policies according to a defined review process. The Hospital
has an IT process control team which reviews these policies. The internet and
email policies have recently been updated. The management is approached by the IT
Governance team, where the members control the IT process and policies.
Future Vision
RFID and Smart Card are two newer technologies which the Hospital is planning
to have in the near future. Giving his opinion on newer IT applications like
Clinical Decision Support System (CDSS) and 3D training system, Saha says, "While
IT have been doing a lot in Patient Billing, CDSS is the most important tool
that any hospital should have. The benefit of this is enormous with an immediate
benefit of minimisation of medical error and availability of clinical analytics.
3D forms a big strength in PACS and gives a good pre-operative lead to the surgeons."
The Hospital is at a very early stage of the process for ISO 27001 certification. The approval
of the top management has been acquired and a team has now been formed to
make this happen. The target is to complete it within the next six months.
Many Australian and American companies have tied up with Indian partners to
put their healthcare modules in Indian hospitals. Solutions like HIPAA compliance
are expected to be deployed soon in healthcare organisations, which will protect
individual identification details, such as social-security
numbers and names. Max Healthcare is gearing up to have many more and the best
of the hi-tech information security solutions.
malabika.sarkar@expressindia.com