How to balance convenience of consumerism in healthcare security: Hospital for Special Surgery CISO Vikrant Arora

Vikrant Arora is the chief information security officer at Hospital for Special Surgery in New York City, where he oversees security and IT services for the 215-bed hospital that includes a 33-member medical staff.

Here, Mr. Arora discusses how his role has evolved from advisor to strategic designer, and the most important initiatives the hospital will undergo in the near future.

Question: What initiative are you most proud of having led or participated in as a CISO?

Vikrant Arora: Building a culture of security where most users feel empowered to identify and report security incidents. The response can be in the form of calling the service desk and reporting virus-like behavior, reporting a phishing email or simply reaching out to the security team with questions, even for personal internet security matters. Just to give you an example, the first two scenarios significantly reduce the dwell time (time before detection) of malware in an environment to minutes from months, which is the current industry average with the most sophisticated security technology in place. This transition from a technology- or process-centric information security to a people-centric information security has been one of the biggest satisfiers.

Q: How has your role evolved over the past 12 to 24 months and where do you see it headed in the future?

VA: My role has changed from being an 'advisor' responsible for a static program aligned with standard frameworks and architectures to that of a 'designer' developing a dynamic security program, mostly in the absence of frameworks (which are still being developed) and architectures that vary from application to application. One example is enabling based applications, which rely on computers and networks that are not physical devices such as servers and routers but microservices and serverless architectures or simply speaking lines of code.

Additionally, these applications are being designed to be accessed from anywhere and any device. Securing such applications not only requires new technologies but also a new mindset to think in terms of actual risks instead of simply slapping on existing security controls. I see this continuing in the next 12 months, which will lead to an evolutionary change in security team structures, processes and capabilities.

Q: What are the two to three biggest trends in healthcare affecting your decision-making process as a CISO?

VA: In healthcare the regulatory, threat and business landscapes are all changing at the same time and at a fast pace. However, the two things that bubble up for me that will challenge CISOs the most are interoperability and consumerization. The former will expose any hospital's dirty laundry (legacy systems, XP-based biomedical devices, etc.) to the internet (via cloud) as we strive to connect everything and collect data from every possible sensor, modality and database. This not only increases the attack surface but also increases the complexity of the digital ecosystem.

Consumerization, on the other hand, requires providing convenient Facebook- and Uber-like solutions to our patients and business. Both complexity and convenience are usually at odds with security, so striking a balance will require the evolution I talked about earlier.


Copyright © 2022 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.

