Cybersecurity in the Healthcare Industry

Between the 27th of June and the 4th of July, Singapore experienced its biggest and most serious cyber attack to date.

A joint press release by the Ministry of Communications and Information (MCI) and Ministry of Health (MOH) revealed that SingHealth, Singapore’s largest healthcare group, was subject to a "deliberate, targeted and well-planned cyberattack." About 1.5 million patients had their personal data stolen, with outpatient medication records from 160,000 patients also copied and taken.

The SingHealth cyberattack involved two different classes of data: first, non-medical personal data (e.g., name, NRIC number, address, gender, race, and date of birth); and second, information on outpatient dispensed medicine. Both classes of data are valuable and can be used by malicious actors in various ways. For example:

  • Medical impersonation. By impersonating the affected patient, malicious actors can purchase and resell controlled medical equipment and drugs, or even file fictitious insurance claims based on the patient’s medical records;
  • Identity verification. Malicious actors can verify and authenticate business email addresses and personal bank accounts, and perform actions “on behalf of” the affected patient; and
  • Spear phishing. Using such information, malicious actors can phish the affected patient for even more sensitive data. There have been unverified reports of phishing SMSes copying the legitimate SMS meant to inform users of the SingHealth breach.

Unsurprisingly, given their wide range of potential uses and abuses, Forbes estimates medical records to be worth up to USD 1000 on the black market.

Who should bear responsibility in a medical cyberattack?

Is it the doctor or his IT vendor who bears responsibility for such a cyber attack? Unfortunately, the answer could possibly be both.

Medical professionals cannot simply push responsibility to their IT vendors. The Singapore Medical Association (SMA) has previously stated that it is the doctor himself who is "statutorily responsible for any system instituted within his practice for the management (storage, access, and integrity) of medical data." With increasing digitization of healthcare records and new regulations on contributions to Singapore’s National Electronic Health Record (NEHR), doctors should ideally possess baseline knowledge on information security, whether by training or otherwise.  

The clinic’s and/or hospital’s legal entity may be liable as well. Section 24 of the Personal Data Protection Act requires organizations to protect personal data in their possession or control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks. These include technical measures such as network security, the strength of access controls, and the regularity and extent of patching and vulnerability fixing. 

More obligations could also apply depending on the nature of the computer systems in question. Under Singapore’s newly-passed Cybersecurity Act, acute hospital care services and services relating to disease surveillance and response are considered "essential services." If designated as critical information infrastructure (CII) by the Cybersecurity Agency of Singapore (CSA), computer systems owners would be subject to various obligations, such as bi-annual audits, annual risk assessments, as well as compliance with specific codes and standards. It is possible for such owners to be IT vendors, corporate legal entities, or even doctors themselves.  

What can be done?

Singapore’s aging population requires the healthcare industry to adapt to an expanding and increasingly complex patient base. While online pharmacies, automated scheduling systems, remote diabetic check-ins and other innovations have arisen to address this need, their increased use requires healthcare providers to pay greater attention to the security of patients’ personal and medical information.

Although a first in Singapore, incidents involving millions of personal records such as the SingHealth cyberattack are not new. In fact, many similar breaches, some on an even larger scale, have occurred in the past. For example:

No single cybersecurity solution can eradicate cyber risk completely. However, a great factor in mitigating cyber risk lies in educating the user, in this case doctors and healthcare IT vendors themselves. This is because effective cybersecurity begins with sponsorship from organizational leaders and the cultivation of a cyber-aware culture within the organization.

Holistic cybersecurity involves people, processes, and technology. In relation to people, doctors and IT vendors should be aware that they could be targets for phishing and impersonation. The risk of phishing is not unique to the healthcare industry; it also affects other industries (e.g., financial services, legal services) which deal with sensitive data but may lack guidance on cybersecurity or an understanding of the risks they face.

In relation to processes and technology, doctors and IT vendors should work with a cybersecurity partner to build and maintain a secure technology environment. This could include vulnerability and threat assessments, setting up multi-factor authentication and application notifications. These solutions can be tailored to the size and scale of your clinic and organization. For more sophisticated healthcare enterprises and CIIs, cybersecurity experts can provide periodic vulnerability assessments, audits, and penetration tests for regulatory compliance.

This article is contributed by QuanHeng Lim, Director of CyberOps, Horangi Cyber Security. The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.