Cyber and Data Security for Healthcare Providers

04 Dec 2023

Cyber and Data Security Landscape and Context



With the increasing digitalisation of health information technology (IT), such as networked systems, wireless technology, and software medical devices amongst others, healthcare providers and systems are becoming more connected than ever, to better provide care for our patients. The need for responsible and secure health information sharing across providers within the health ecosystem will become increasingly important as we move towards strengthening the coordination between providers and community partners. This is all the more crucial as we work towards requiring selected patient records to be contributed by healthcare licensees to the National Electronic Health Records (NEHR), as part of the future Health Information Bill (HIB).

According to the Cybersecurity Agency of Singapore (CSA)¹, cybercrimes continue to grow in scale and sophistication, with a total of 33,669 cybercrime cases reported locally. In 2022, the CSA Singapore Cyber Emergency Response Team (SingCERT) handled around 8,500 phishing attempts, more than double the 3,100 cases handled in 2021, as well as 132 ransomware cases, mirroring a continued growth of such cyber threats globally. The healthcare sector was also consistently among the top 3 most commonly targeted sectors for ransomware attacks.

While the healthcare system becomes increasingly digitalised and interconnected, some healthcare providers may also continue to hold onto paper medical records, and it is critical that such records continue to be properly secured. As such, while ensuring that appropriate cybersecurity safeguards are in place to protect the confidentiality, integrity and availability of IT systems, appropriate data security measures should also be in place to ensure hardcopy records are adequately protected.


¹ Cybersecurity Agency Singapore (CSA): Singapore Cyber Landscape 2022


Why are cybersecurity and data security safeguards important?

Cybersecurity is critical to the provision of quality and safe healthcare services. Cyber-attacks and data breaches are particularly threatening to the healthcare sector, with serious consequences such as interruptions to business operations, compromised patient data, patient safety issues, financial losses, as well as reputational damage. For instance, in 2020, a ransomware attack² on a hospital in Düsseldorf, Germany, left its IT systems crippled, forcing it to turn away emergency patients. As a result, one critically ill patient died due to treatment delays.

As more patient data are collected, stored, and shared by healthcare providers to inform data-driven decisions, robust data security practices are also important to secure the privacy and confidentiality of sensitive patient information, and to mitigate the risks of any inappropriate, unauthorised, unintended usage or leakage.


² The Verge: Woman dies during a ransomware attack on a German hospital


What are some common breaches in healthcare?

Cyber-attacks and data breaches are not new or unique to Singapore’s healthcare sector, and healthcare industries based overseas are similarly impacted. These range³ from distributed denial of service (DDoS) attacks, phishing emails, malware (e.g., ransomware) and attacks on connected medical devices to insider, accidental or intentional data loss. There are also instances of organisations breaching their obligations under the Personal Data Protection Act (PDPA) by failing to put in place reasonable security arrangements to protect personal data belonging to their corporate clients and patients.


As such, building on the Healthcare Cybersecurity Essentials (HCSE) issued in August 2021, the Ministry of Health (MOH) has launched the Cyber & Data Security Guidelines for Healthcare Providers (“Guidelines”), which provide an early introduction to what the enforceable standards under the HIB may look like. This serves to give healthcare providers more time to familiarise themselves with the steps needed to uplift their cyber and data security posture prior to enforcement.


For more information on the common cyber threats and anticipated trends, please refer to CSA’s website.