Interconnected Processes Must Guarantee Data Security

Q: How does digitalization complement CHRISTUS MUGUERZA’s offering?

A: CHRISTUS MUGUERZA’s drive is focused on patient-centric solutions, which is what defines us as a health institution. Through technology, we have been able to expand our commitment to the patient and our mission as a catholic institution throughout our network of hospitals in the US and now in Latin America. Technology has enabled CHRISTUS MUGUERZA to offer homogenous, standardized care for patients. When standardizing our care, we were targeting excellence throughout the entire network, making sure that all technological processes we use are evidence-based and following the best practices of the country we work in.

Q: With a 100 percent digital hospital, how do you protect against cyberthreats?

A: Fully digital hospitals interconnect every process of the facility, including full control of internal processes. For instance, in the case of a medication process, this would mean knowing the providers involved in the medicine supply, the moment when medicine is given to the patient, the treatment of that patient and the reactions it caused.

One of the key components to avoid cyberattacks is to have a very robust administrative system that complies with enough security measures. At CHRISTUS MUGUERZA for example, doctors use a computerized physician order entry (CPOE) to prescribe a treatment for a patient. This system also has standardized measurements of medicine and times to avoid mistakes in care provision while making it easier for other divisions of the hospital to be aware of the patient’s situation. Communication between nurses and doctors is key in every process and by having digitalized information, they can easily be on the same age, which is what CPOE allows. All these processes are patient-centric and are created to offer personalized services. Moreover, CPOE is a robust system that ensures information is safe.

There are also systems for hospitals that, through big data and AI, can automatically suggest a treatment for the patient. These will never replace the doctors’ practice but they are valuable tools that allow doctors to provide a safer practice. These hospitals are paperless facilities, which we have not been able to achieve in Mexico because the norm does require printed documents from hospitals. 

Being digital does not make a hospital more vulnerable to cyberattacks. Have digitalized tools is different than having online information. Online information generates awareness and this can lead to possible cyberattacks. However, having information online has become necessary because patients want to access their information and doctors need to consult their patients’ progress in case both parties cannot meet.

At CHRISTUS MUGUERZA, we are very serious about cyberattacks. Our Chief Information Security Officers (CISOs) are in charge of electronic security to make sure all data centers are protected and that access controls function properly.

Q: What is Mexico doing to build cybersecurity norms for healthcare that complement the sector’s digital transformation?

A: The industry is in the process of forming a health-tech association to talk to legislators and bring this subject to the table. The goal is to have a standard like HIPAA in the US to protect healthcare information by law. The misuse of information from companies could generate negative outcomes for the user. Gaps have stopped the Mexican healthcare sector from fully digitalizing because of a lack of regulatory processes, which leaves room for mistakes that could damage companies on many fronts.

CHRISTUS MUGUERZA is getting ready to respond for when the sector is ready to share and standardize its information. Within out network, the information we are generating is easily shared among our own facilities but for a universal healthcare system in Mexico, we know we have to be very organized and precise regarding best practices related to data to have it available for the patients and the entire sector.

More recently, NOM-024 added a new chapter that included cybersecurity. The federal government is building a digital healthcare ecosystem in Mexico but open dialogue and communication between all entities is still needed to make this happen. The goal would be that all products that generate digital health information follow universally accepted standards. COPARMEX, for instance, is one actor pushing to make this a reality but a more active role from the government is still needed to really set the foundation and make this real.

Q: Social engineering is a fast-growing issue in Mexico. What do you think is the most effective approach to this problem?

A: I do not see the healthcare sector as attractive for those perpetrating this threat as banks would be, for instance. What could be a problem for health facilities is the lack of education among users. User education plays a key role in avoiding security breaches that could compromise an institution. When an institution suffers an attack, it could have started internally. Simple mistakes that can be seen as irrelevant have the potential to create a window of opportunity for an attack. Cybersecurity offices have to be complemented with another area that we call the Compliance office. These two leave no room for corruption or privacy issues and make sure associates and users are not oversharing information.

CHRISTUS MUGUERZA is a Catholic health system made up of 11 hospitals, five social assistance clinics, two nursing schools, first contact and short-stay medical care centers, an ambulance system and more than 5,000. It is part of the international ministry CHRISTUS Health with a presence in the United States, Colombia and Chile.