A joint press release by the Ministry of Communications and Information (MCI) and Ministry of Health (MOH) revealed that SingHealth, Singapore’s largest healthcare group, was subject to a “deliberate, targeted and well-planned cyberattack”. About 1.5 million patients had their personal data stolen, with outpatient medication records from 160,000 patients also copied and taken.
The SingHealth cyberattack involved two different classes of data. First, non-medical personal data (e.g. name, NRIC number, address, gender, race and date of birth); and the second, information on outpatient dispensed medicine. These two classes of data are valuable and can be used by malicious actors in various ways. For example:
- Medical impersonation. By impersonating the affected patient, malicious actors can purchase and resell controlled medical equipment and drugs, or even file fictitious insurance claims based on the patient’s medical records;
- Identity verification.Malicious actors can verify and authenticate business email addresses and personal bank accounts, and perform actions “on behalf of” the affected patient; and
- Spear phishing.Using such information, malicious actors can phish the affected patient for even more sensitive data. There have been unverified reports of phishing SMSes copying the legitimate SMS meant to inform users of the SingHealth breach.
Unsurprisingly, given their wide range of potential uses and abuses, Forbes estimates medical records to be worth up to $1000 on the black market.
Who should bear responsibility in a medical cyberattack?
Is it the doctor or his IT vendor who bears responsibility for such a cyberattack? Unfortunately, the answer could possibility be both.
Medical professionals cannot simply push responsibility to their IT vendors. The Singapore Medical Association (SMA) has previously stated that it is the doctor himself who is “statutorily responsible for any system instituted within his practice for the management (storage, access and integrity) of medical data.” With increasing digitisation of healthcare records and new regulations on contributions to Singapore’s National Electronic Health Record (NEHR), doctors should ideally possess baseline knowledge on information security, whether by training or otherwise.
The clinic’s and/or hospital’s legal entity may be liable as well. Section 24 of the Personal Data Protection Act requires organisations to protect personal data in their possession or control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. These include technical measures such as network security, strength of access controls, and the regularity and extent of patching and vulnerability fixing.
More obligations could also apply depending on the nature of the computer systems in question. Under Singapore’s newly-passed Cybersecurity Act, acute hospital care services and services relating to disease surveillance and response are considered “essential services”. If designated as critical information infrastructure (CII) by the Cybersecurity Agency of Singapore (CSA), computer systems owners would be subject to various obligations, such as bi-annual audits, annual risk assessments, as well as compliance with specific codes and standards. It is possible for such owners to be IT vendors, corporate legal entities, or even doctors themselves.
What can be done?
Singapore’s aging population requires the healthcare industry to adapt to an expanding and increasingly complex patient base. While online pharmacies, automated scheduling systems, remote diabetic check-ins and other innovations have arisen to address this need, their increased use requires healthcare providers to pay greater attention to the security of patients’ personal and medical information.
Although a first in Singapore, incidents involving millions of personal records such as the SingHealth cyberattack are not new. In fact, many similar breaches, some on an even larger scale, have occured in the past. For example:
- In South Korea, the breach of 35 million user recordsby the Cyworld social network and Nate portal in 2011; and
- In the United States, the breach of 80 million user recordsby Anthem Healthcare in 2015 and the leak of 143 million user records by Equifax in 2017.
No single cyber security solution can eradicate cyber risk completely. However, a great factor in mitigating cyber risk lies in educating the user – in this case, doctors and healthcare IT vendors themselves. This is because effective cyber security begins with sponsorship from organisational leaders, and the cultivation of a cyber-aware culture within the organisation.
Holistic cyber security involves people, processes, and technology. In relation to people, doctors and IT vendors should be aware that they could be targets for phishing and impersonation. The risk of phishing is not unique to the healthcare industry, and affects other industries (e.g. financial services, legal services) which deal with sensitive data, but have no guidance dealing with cybersecurity or understand the risks they must deal with.
In relation to processes and technology, doctors and IT vendors should work with a cybersecurity partner to build and maintain a secure technology environment. This could include vulnerability and threat assessments, setting up multi-factor authentication and application notifications. These solutions can be tailored to the size and scale of your clinic and organisation. For more sophisticated healthcare enterprises and CIIs, cyber security experts can provide periodic vulnerability assessments, audits, and penetration tests for regulatory compliance.