Rethinking Hospital Security: TrioTree Technologies CEO Surjeet Thakur on Securing Fragmented Hospital IT Environments

In an interaction with TechGraph, Surjeet Thakur, Founder and CEO of TrioTree Technologies, outlined how the pace of digitisation in hospitals has moved faster than the development of consistent security frameworks, with legacy systems, fragmented deployments, and uneven integration across HIS, LIS, and medical devices continuing to create gaps in access control, monitoring, and audit visibility.

He further explained how TrioTree Technologies addresses this by building security layers around existing infrastructure, with its HISTree platform following a multi-tier architecture that allows controlled intervention at different system levels, ensuring better visibility and more consistent security without disrupting ongoing hospital operations.

Read the interview in detail:

TechGraph: Over the past few years, hospitals have moved rapidly toward digitisation, yet cybersecurity has often remained an afterthought. From what you are seeing on the ground, where do Indian hospitals remain most exposed today?

Surjeet Thakur: We’ve seen digitisation move fast, but the biggest exposure today sits in three areas: legacy systems, fragmented infrastructure, and low awareness at the user level. Not all hospitals have an updated HIS, LIS, and billing devices with a single control layer and are deploying partial implementations or older add-ons, which leave gaps in their access control, audit trails, and monitoring.

A second gap is the integration of the devices. ICU monitors, lab equipment, and third-party systems are linked by interfaces, but not all environments have uniform security policies across them.

Lastly, role-based workflows are supported by HIS systems, yet in most hospitals, there is typically no rigid mapping of privileges across departments.

IBM Security states that healthcare is among the most vulnerable industries in the world in terms of breaches. So the risk in this case is not only external attack, but also uncontrolled internal access and a lack of visibility into the systems.

TechGraph: A large number of hospitals still rely on legacy systems that were never designed for today’s threat landscape. How do you secure such environments without forcing hospitals into expensive and disruptive overhauls?

Surjeet Thakur: We don’t replace core systems; instead, we work around their architecture. Think of it like reinforcing an old building rather than rebuilding it overnight. We start by adding protective layers, network segmentation, endpoint monitoring, and controlled access. Our information systems, like HISTree, already follow a multi-tier architecture (UI, application, database), which allows controlled intervention at each layer.

We secure legacy environments by isolating layers:

  • Database-level controls (restricted queries, audit logs)
  • Session tracking and authentication at the application layer
  • Clinical, admin, and device network divisions

Middleware integrations (particularly HL7-based interfaces) are also used by us to standardise communication between the old and new systems.

The concept is to minimize the risk in phases, as hospitals will be free to operate. In the long term, we bring them to gradual upgrades, yet without compelling major initial investments. Security does not necessarily imply disruption since it can be staged, focused, and in harmony with the functioning of hospitals in reality.

TechGraph: Systems like HIS and EMR sit at the core of hospital operations, and any disruption can directly impact patient care. How is TrioTree Technologies approaching security in a way that protects these systems without interrupting clinical workflows?

Surjeet Thakur: HIS and EMR systems are already designed around workflows such as OPD, IPD, ICU, pharmacy, and diagnostics, so security must be built into that structure, with a focus on how doctors and staff actually use them. We implement:

  • Role-based access tied to clinical functions (doctor, nurse, admin)
  • Audit trails across every transaction (clinical entries, billing, orders)
  • ICD-10 compliant structured data capture, which reduces unstructured exposure

We also monitor systems in the background to detect unusual activity early, without interrupting usage. Controls such as authentication and access control are not barriers, but occur automatically.

The aim is to safeguard critical systems without causing disturbance to clinicians as they remain focused on patients. When security becomes an issue of day-to-day activity, then it is normally a sign that it is getting in the way.

TechGraph: Cyberattacks on hospitals are no longer just data breaches; they can shut down entire operations and delay treatment. How prepared are Indian hospitals when it comes to early detection, incident response, and recovery, and where do you see the biggest operational gaps?

Surjeet Thakur: If you look at the current landscape, healthcare is becoming the most targeted sector in India, with 8,614 cyberattacks per organisation per week, nearly four times the global average, accounting for about 22% of all cyber threats, with a 20% annual rise. Globally, 77% of healthcare organisations have faced ransomware, and 53% have paid ransom. In 2025 alone, 508 breaches exposed 36.2 million medical records, which is significant.

Despite this, preparedness across Indian hospitals remains limited. Detection is still slow, with breach identification taking close to 197 days on average, pointing to weak real-time monitoring. In India, this gap is more visible due to resource constraints. The transition must now go beyond prevention to preparedness by detecting early, responding swiftly, and recovering without interrupting care.

To address these issues, we work to develop systems that use solutions like centralised dashboards to monitor operations and anomalies, audit dashboards to track compliance, and the ability to deploy across multiple locations (useful in a failover environment). When cybersecurity is treated by hospitals in the same way as emergency preparedness, they will be much more likely to cope with such incidents.

TechGraph: Healthcare staff often operate in high-pressure environments where security protocols can be overlooked. What patterns have you observed in human-led vulnerabilities, and how can hospitals realistically strengthen this layer without disrupting care delivery?

Surjeet Thakur: I think breaches don’t just start with systems; they start more with people. Patterns that we have observed include poor passwords, phishing emails, shared logins, and unintentional data disclosure. Healthcare has the highest phishing susceptibility at 41.9%, and more than 60 to 65% of organisations report phishing attempts as a primary attack vector.

This is because employees are responding to continuous communication and emergency requests, and attackers simulate that sense of urgency and receive prompt responses.

In stressful workplaces, employees are concerned with speed and not security. And so the solution cannot be cumbersome protocols. A simple and practical way forward is to reduce friction with:

  • Single Sign-On and fast authentication to remove login fatigue
  • Strict role-based access so exposure is limited by design
  • Short, continuous training instead of long sessions
  • And most importantly, systems that guide behaviour, auto logouts, audit trails, and restricted data views

The concept is to render the safe path the simplest path. You can’t expect hospital staff to think or act like cybersecurity experts, but you can develop systems that help make better decisions without slowing them down.

TechGraph: With patient data becoming more digitised, questions around privacy, ownership, and compliance are becoming harder to ignore. How do you see Indian regulations evolving, and are hospitals taking these requirements seriously enough today?

Surjeet Thakur: If you look at how regulations are evolving in India, we are clearly entering a much more structured and accountable phase. The Digital Personal Data Protection Act, 2023, and the 2025 rules, which have established the Data Protection Board of India (DPB), introduce clear requirements around breach reporting timelines, consent management (including for children), and penalties for non-compliance.

It requires explicit patient consent, data minimisation, breach reporting, and purpose limitation, and harmonizes healthcare with other larger digital systems, such as the Ayushman Bharat Digital Mission, which is already rolling out at scale (with more than 420 million health IDs issued).

But the reality on the ground is mixed; privacy policies are outdated or not aligned with Indian law, which shows a gap between regulation and execution.

We emphasize role-based access, consent-managed workflows, work audit trails, and structured data exchange specifications, such as HL7, so that privacy is enforced in the system, and not in manual processes.

TechGraph: With increasing reliance on cloud infrastructure, connected medical devices, and data exchange between hospitals and labs, the attack surface is expanding rapidly. How is TrioTree Technologies securing this broader ecosystem while maintaining interoperability?

Surjeet Thakur: The attack surface has expanded significantly today; it’s not just the HIS, but cloud environments, connected medical devices, labs, and third-party integrations. In healthcare, more than 60 percent of information flows out of the main hospital system, and it is more exposed unless it is managed.

At TrioTree, we work on ensuring the flow of data, instead of limiting it, with standardised integrations based on HL7 protocols, so that all exchanges between HIS, LIS, devices, and external systems are organised, traceable, and auditable.

HISTree and LISTree, our platforms, run on the same architecture, and this minimizes fragmentation and keeps data in a controlled space. We also have a multi-tier configuration (UI, application, database) to separate and minimize risk.

For third-party integrations, we rely on middleware and controlled APIs, ensuring external systems don’t become entry points. Lastly, all this is supported by end-to-end audit trails and central dashboards, meaning that hospitals can see across systems and not inside them.

Our concept is straightforward and very targeted at allowing smooth interoperability, yet ensuring that every data transfer is designed to be controlled, visible, and responsible.

TechGraph: Lastly, as hospitals continue to digitise and threats become more sophisticated, what will define a truly secure healthcare system over the next few years, and how is TrioTree Technologies preparing for that shift?

Surjeet Thakur: A secure healthcare system won’t be defined by how many tools it uses, but by how well everything works together. It will be proactive, identify risks early, quickly respond, and recover without violating service. Security is internal, continuous, not a one-time setup.

At TrioTree, we are ready to make that transition with an emphasis on integrated systems, real-time monitoring, and scalable architecture, which can expand alongside hospitals. You can imagine it as an immune system that does not prevent all threats, but rather recognizes, reacts, and adapts swiftly. That is what healthcare security should be in a couple of years.

Krishna Mali
Founder & Group Editor of TechGraph.
