Cybersecurity – SingHealth in Singapore
ADVOCATING FOR PATIENT CYBERSECURITY?
The recent media coverage of the hacking of 1.5 million patient health records at SingHealth in Singapore, including those of the Prime Minister and other ministers, revealed a key gap. Those directly affected – the ordinary patients and their patient groups – appear to go largely unheard.
How much pressure could patient organisations around the world put on health systems to improve cybersecurity?
Electronic Health Records and most aspects of eHealth and mHealth depend on secure data. So many security breaches in recent years, often in countries where healthcare is relatively well-resourced, risk undermining patient and clinician confidence.
How bad are things really?
Whenever we have been to events where health cybersecurity is discussed, it is the stuff of nightmares. The general risk is that systems, records and medical devices are not ‘secured by design’, leaving them vulnerable.
In the last major attack on the UK National Health Service, I was at a hospital where patient records and appointments could not be accessed. Staff were valiantly trying to improvise a paper-based system, not knowing when their systems could be fixed.
Cybersecurity experts tend to argue that it’s down to resourcing.
- in health services funded by tax, budgets are tight, and so software, hardware and security processes can be very out of date and vulnerable
- in commercial organisations, some experts say that in the need to maximise profit, it’s cheaper to bear fines and disruption than to invest in prevention.
The US cybersecurity think tank, the Institute for Critical Infrastructure (ICIT) is straight-talking on this:
“private organizations will continue to sacrifice long-term patient security in favor of short-term profits” – ICIT paper, August 2017
Controversial legislation in the US is intended to shift healthcare provider focus from paying fines to more active risk management. Part of the pressure was intensified by President Obama’s push for ehealth and Electronic Health Records, which in itself introduced fines for providers not participating in eHealth.
Greater transparency on scale
Part of the current US legislative move is to help uncover the true scale of cybersecurity breaches in healthcare. Ahead of this strengthened obligation to share information on breaches, the ICIT data for the US is quite stark:
- Firstly, from 2010 to 2013, healthcare organisations reported 949 security breaches that put 29 million patient records at risk.
- Secondly, over 113 million Electronic Health Records have been ‘exfiltrated’ since 2015 (unauthorised transfer of data).
- And thirdly, over 90 percent of hospitals suffered a breach in the last two years. – ICIT
What about the patients?
Cybersecurity experts argue that not only are healthcare systems vulnerable, but also that a patient’s health information is even more valuable on dark markets than financial records. The US Government’s Department of Health and Human Services’ has set up a ‘Healthcare Industry Task Force’.
One of the task force members stands out as being very different. ‘I am the Cavalry’ describes itself as:
“A grassroots organization that is focused on issues where computer security intersect public safety and human life.”
A digital hippocratic oath
‘I am the Calvary’ sees medical devices as a key risk area. So, they launched a Hippocratic Oath for Connected Medical Devices:
“As one who seeks to preserve and improve life, I must first do no harm.
To that end, I swear to fulfill, to the best of my ability, these principles.
- Cyber Safety by Design: I respect domain expertise from those that came before. I will inform design with security lifecycle, adversarial resilience, and secure supply chain practices.
- Third-Party Collaboration: I acknowledge that vulnerabilities will persist, despite best efforts. I will invite disclosure of potential safety or security issues, reported in good faith.
- Evidence Capture: I foresee unexpected outcomes. I will facilitate evidence capture, preservation, and analysis to learn from safety investigations.
- Resilience and Containment: I recognize failures in components and in the environment are inevitable. I will safeguard critical elements of care delivery in adverse conditions, and maintain a safe state with clear indicators when failure is unavoidable.
- Cyber Safety Updates: I understand that cyber safety will always change. I will support prompt, agile, and secure updates.” – ‘I am the Cavalry’
This example of a digital Hippocratic oath could easily be adapted by groups concerned about any aspect of eHealth or mHealth, from Electronic Health Records to apps.