‘’Since BYOD is already in, I would like to see to that we do not block it but, with the Fortinet Solutions, are able to control it’’

Manipal Hospitals recently deployed Fortinet’s security systems to help secure its network and enable application access over the Internet and through mobile devices. The solutions also help Manipal Hospitals meet compliance requirements for data security and access control. Nandkishor Dhomne, CIO, Manipal Health Enterprises explains to M Neelam Kachhap the rationale for using network security platform from Fortinet

Help us understand the IT environment at Manipal Health Systems. (extent of data generated, no of doctors staff accessing Internet, number of specific information systems and software deployed etc.)

At Manipal we have the following key applications:

• Hospital Information System (HIS) which covers all functions from patient registration, admission, billing, pharmacy, lab, nursing, OT, blood bank, radiology, dietary, etc. and automates the flow of information from one function to another seamlessly.
• Electronics Medical Record (EMR)
• Document Management System (DMS) which is used to digitise past patients records from Medical Records Division and link the same to HIS for a single window view without referring to the physical patient file (especially for OP patients).
• Back office systems for finance, HR and materials management The back office systems are integrated with HIS for automated data exchange like revenue posting, consumption posting etc.
• Picture Archiving and Communication System (PACS) & Radiology Information System (RIS)

The PACS component is a computer system that interfaces with the medical imaging device (i.e., X-Ray, CT Scan, MRI, ultrasound, etc.) used to capture the image in a digital format. Once captured, the image is stored, manipulated and transmitted over a computer network.

• SMS alerts – HIS is integrated for real time alerts like registration, billing, critical lab alerts etc.
• Email system and collaboration – This is used for day-to-day office communication.
• Information security framework to safeguard patient information and comply with NABH requirements related to information security and controls.

Tell us about bring-your-own-device (BYOD) environment at Manipal Hospital and how it poses a challenge for network security?

Nandkishor Dhomne

In the Indian healthcare industry, there is an increase in the number of professionals using mobile devices for work purposes, whether they are using tablets to look up patient records or access personal applications. For whatever purpose, BYOD has flourished in the industry and is a trend with promising growth.

At Manipal Hospital we have estimated that over the next two years, we’ll have around 200+ users on mobile devices, tablets and smart phones. This is the beginning of the BYOD wave in our organisation. Initially, we will allow doctors to access outpatient (OP) records so that they can prescribe and diagnosis using their mobile device. We are in the process of evaluating mobile applications that would meet our requirement.

In the next phase of the our BYOD enablement, we will allow doctors to access inpatient (IP) records from their personal devices. This will help doctors carry out basic tasks like ordering, vitals monitoring, viewing of the investigation reports etc.

We have prepared a multi-pronged strategy to allow mobile devices under certain terms with stringent security policies. Initially, we will be allowing iOS and android devices, depending on the situation, we will open it up for other OS as well.

Since BYOD is already in, I would like to see to that we do not block it but, with the Fortinet Solutions, are able to control it.

What security system was used before the new system was deployed and why was it changed?

Before we deployed Fortinet’s solution, Manipal Hospital did not have a structured security framework protecting our enterprise network. The earlier solutions deployed were fragmented and not adequate in terms of technology to mitigate current threats. Manageability and round-the-clock support was another area of concern. We were not in a position to provide reliable access to our applications over the Internet. Mobility and BYOD were new business trends which had to be enabled to provide better services to our patients.

We also had to safeguard our patients’ information and meet NABH compliance requirements, which was not possible with our old security solution.

What are National Accreditation Board for Hospitals & Healthcare Providers (NABH) compliance requirements related to information security?

Chapter 10, ‘Information Management System (IMS)’ of ‘Guide to NABH Standards for Hospitals’, provides guidelines and procedures to meet the information needs of the care providers, management of the organisations as well as other agencies that require data and information from the organisation. There are seven sections under Chapter 10 which are related to Information Technology and they are:

• Policies and procedures exist to meet the information needs of the care providers, management of the organisation as well as other agencies that require data and information from the organisation (5 Clauses).
• The organisation has processes in place for effective management of data (5 Clauses).
• The organisation has a complete and accurate medical record for every patient (6 Clauses).
• The medical record reflects continuity of care (7 Clauses).
• Policies and procedures are in place for maintaining confidentiality, integrity and security of information (7 Clauses).
• Policies and procedures exist for retention time of records, data and information (4 clauses)
• The organisation regularly carries out review of medical records (7 Clauses).

Section 4 exclusively deals with information security guidelines.

At Manipal, we have taken care of all these clauses, including IT security in our IT strategy and roadmap. We have implemented a comprehensive IT security solution using the Fortinet platform at an enterprise level which covers all our unit hospitals and the corporate office at Bangalore.

[email protected]