Unsurprisingly, given their wide range of potential uses and abuses, Forbes estimates medical records to be worth up to $1000 on the black market.
Who should bear responsibility in a medical cyberattack?
Is it the doctor or his IT vendor who bears responsibility for such a cyberattack? Unfortunately, the answer could possibility be both.
Medical professionals cannot simply push responsibility to their IT vendors. The Singapore Medical Association (SMA) has previously stated that it is the doctor himself who is “statutorily responsible for any system instituted within his practice for the management (storage, access and integrity) of medical data.” With increasing digitization of healthcare records and new regulations on contributions to Singapore’s National Electronic Health Record (NEHR), doctors should ideally possess baseline knowledge on information security, whether by training or otherwise.
The clinic’s and/or hospital’s legal entity may be liable as well. Section 24 of the Personal Data Protection Act requires organizations to protect personal data in their possession or control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks. These include technical measures such as network security, strength of access controls, and the regularity and extent of patching and vulnerability fixing.
More obligations could also apply depending on the nature of the computer systems in question. Under Singapore’s newly-passed Cybersecurity Act, acute hospital care services and services relating to disease surveillance and response are considered “essential services." If designated as critical information infrastructure (CII) by the Cybersecurity Agency of Singapore (CSA), computer systems owners would be subject to various obligations, such as bi-annual audits, annual risk assessments, as well as compliance with specific codes and standards. It is possible for such owners to be IT vendors, corporate legal entities, or even doctors themselves.
What can be done?
Singapore’s aging population requires the healthcare industry to adapt to an expanding and increasingly complex patient base. While online pharmacies, automated scheduling systems, remote diabetic check-ins and other innovations have arisen to address this need, their increased use requires healthcare providers to pay greater attention to the security of patients’ personal and medical information.
Although a first in Singapore, incidents involving millions of personal records such as the SingHealth cyberattack are not new. In fact, many similar breaches, some on an even larger scale, have occured in the past. For example:
- In South Korea, the breach of 35 million user records by the Cyworld social network and Nate portal in 2011; and
- In the United States, the breach of 80 million user records by Anthem Healthcare in 2015 and the leak of 143 million user records by Equifax in 2017.
No single cybersecurity solution can eradicate cyber risk completely. However, a great factor in mitigating cyber risk lies in educating the user — in this case, doctors and healthcare IT vendors themselves. This is because effective cybersecurity begins with sponsorship from organizational leaders, and the cultivation of a cyber-aware culture within the organisation.
Holistic cybersecurity involves people, processes, and technology. In relation to people, doctors and IT vendors should be aware that they could be targets for phishing and impersonation. The risk of phishing is not unique to the healthcare industry, and affects other industries (e.g. financial services, legal services) which deal with sensitive data, but have no guidance dealing with cybersecurity or understand the risks they must deal with.
In relation to processes and technology, doctors and IT vendors should work with a cybersecurity partner to build and maintain a secure technology environment. This could include vulnerability and threat assessments, setting up multi-factor authentication and application notifications. These solutions can be tailored to the size and scale of your clinic and organisation. For more sophisticated healthcare enterprises and CIIs, cybersecurity experts can provide periodic vulnerability assessments, audits and penetration tests for regulatory compliance.