LESSONS FROM SINGAPORE
The recent breach of the personal data of a large number of patients in Singapore has posed a very serious challenge to the healthcare industry, which is rapidly becoming more digital across the world. The sheer magnitude of the breach shows both the hackers’ capacity to penetrate the digital record system and the seriousness of the issue.
Over 1.5 million patients of SingHealth have lost their personal data. In addition, the data of 160,000 Out Patient Department (OPD) patients has also been compromised. Besides the very large number of patients involved in this data breach, an equally serious issue is that even the Prime Minister, Lee Hsien Loong, is one of them. It indicates that even VVIP records are not safe.
The only relief is that, although the personal data of the patients has been compromised, no other patient records, such as diagnoses, test results or doctors’ notes, were stolen or tampered with. No similar breach was detected in other local public healthcare IT records either.
As an immediate preventive measure to stop further theft, the SingHealth authorities have banned employees from accessing the internet on all of its 28,000 workstations. But a lot of damage has already been done, including damage to image, perception and belief: the incident has tarnished the image of the Integrated Health Information System (IHIS) and SingHealth, and has severely affected patients’ perception and belief that the data they provide to health authorities is completely safe.
The breach came to light when the database administrators of the IHIS detected unusual activity on SingHealth’s IT system on July 4. Later investigations showed that the stealing and copying of the data had begun eight days prior to the detection. The data had been stolen since June 27.
This has naturally raised questions about the late detection of the data theft. Experts feel that better detection tools would have been able to identify an unusual level of daily data access and duplication. But that seems not to have happened. However, some other experts feel that detecting the breach in eight days is a “comparative success”. Many other countries are not capable of detecting such a breach even within a month.
The experts attribute this to the highly heterogeneous healthcare environment with various devices and systems in place which are not operating with uniform security effectiveness. This, they feel, could be a possible cause of the breach.
The data breach has put on hold Singapore’s Smart Nation plans and, more importantly, doctors’ mandatory contribution to the National Electronic Health Record (NEHR) project, which enables sharing of patients’ medical data among hospitals. Such online access to a patient’s medical record is actually very useful in an emergency situation. Still, in view of the data breach, doctors have now expressed concern over the proposed law making it compulsory for them to submit patients’ data to the national e-records system. Interestingly, the FAQs in a brochure on NEHR deal with the question of data security, and the response says “Rigorous security defences designed according to industry best practices are in place to protect your data… These defences are regularly reviewed and enhanced. …” Despite this clear assurance, patients’ confidence in the technical system is, no doubt, going to be shattered. A lot of effort will be required to restore patients’ belief in the system. Even doctors will find it difficult, for some time at least, to convince patients to allow their records to be submitted to NEHR.
Singapore is known for data security due to its strong laws, heavy fines and fast justice system. Still, such a major data breach has happened despite all these factors. One can imagine the situation in countries where these factors are not so strong. Singapore is learning its lessons. But there are more important and serious lessons that other countries need to learn from Singapore.