Thinking about CyberSecurity for healthcare

The incident

Singapore’s healthcare systems, provided by Singtel health, were declared breached by MCI & MOH on 20/07/2018, with 1.6 Million non-medical personal records and 160,000 patient prescription records stolen.

“Our goal has to be to prevent every single one of these attacks from succeeding. If we discover a breach, we must promptly put it right, improve our systems, and inform the people affected.

This is what we are doing in this case. We cannot go back to paper records and files. We have to go forward, to build a secure and smart nation.”

~Lee Hsien Loong, on the cyberattack that stole 1.6 million SingHealth patients’ non-medical records and 160,000 prescription records

We cannot go back

As LHL correctly points out, there is no going back for us from digital in healthcare. In case we forget in these dark moments of fear, let me remind you of why we cannot revert to a world before electronic records. We cannot move healthcare into the digital age without the electronic systems.

But why must healthcare move into the digital age and economy? To meet these 3 objectives:

1. Better allocation of resources to meet needs, better sharing, better parity, better capabilities to supply to long tail niches. In the digital age, healthcare will do better at matching supply to demand, providing personalisation and improving access to information, consultation and care beyond the limits of geography.

2. Better understanding of trends and patterns on a larger epidemiological scale, down to cohorts and even the individual. Digital will unlock insights at the speed of computers and assist care providers to make better decisions.

3. Better engagement of patients, putting them in control and driving behaviour towards healthier choices. Better experience for clinicians and providers as well, providing more positive prevention and better strategies, developed collaboratively with patients, with a goal of better outcomes.

So this is not about electronic records but healthcare in this digital economy and world.

Malaysia take note

The highest-profile medical record breach in Malaysia was that of the report from doctors at Hospital Pusrawi on Mohd Saiful in the Anwar Ibrahim sodomy trial in 2008. This was a paper record, which is inherently not secure. You don’t have logs to determine if a paper record has been compromised or copied. So electronic records may increase the threat surface area, from those with physical access to anyone on the global network, but these risks can be mitigated, and that access is precisely the same enabler of digital health. We cannot stop commercial air travel because terrorists crashed some planes. Instead we learn, adapt and endeavour to prevent.

Malaysia needs to consider this incident and rush to prevent it from happening to us.

  • We need a national CyberSecurity framework for healthcare from MOH, the same way BNM has a framework for our banks
  • Observe how even access to 1.6 million patient demographic data (or Patient ID data) did not give access to the medical data. This looks like a well-architected design
  • We need an evidence-based approach to CyberSecurity instead of the current way we do things. For example, some providers feel their on-premise DataCenters are more secure than those of a cloud provider, never mind the fact that the cloud provider has better certifications to prove otherwise
  • We need a national cyber threat monitoring centre and service for all healthcare and critical infrastructure, to provide a level of detection and response that is too expensive and burdensome for an individual hospital or provider.
