Most folks working in the healthcare industry, especially those of us in Singapore, would have heard by now that SingHealth’s IT system was hacked and the records of 1.5 million patients (including those of our Prime Minister, Mr Lee Hsien Loong) were stolen.
Before I continue, it is important for me to provide some context so one can apply the relevant perspective when evaluating my thoughts below:
- First and foremost, I do not consider myself to be a Cyber Security expert, but I am definitely not “yet another know-it-all who read an online article on this topic and decided to provide their divine expertise on the subject via the Internet”
- I am sharing the following thoughts as a practising Health Informatician who happens to have both actual experience and formal qualification in the area of Infocomm Security (in case you wonder, I have yet to meet another real Health Informatician with actual working experience and formal training in Cyber Security, so if you are one or if you know one, feel free to make the mutual introductions)
With the above, here are my two cents’ worth:
- Cyber Security in Health(care) is more complicated than you think
  - One cannot apply conventional IT security best-practices in the domain of healthcare because health(care) is different (if this statement baffles you, you are definitely not from our industry)
  - Some folks I’ve met argued that one can handle Cyber Security in Health(care) like the Military, given both are considered “Critical Infrastructure”
  - My personal experience with the military is limited to the actual service time (of 2.5 years full-time + reservist training till the age of 40) spent during my stint of compulsory National Service (mandated by law) in Singapore, so I would not say that I am an expert, but I think the nature, operational focus, priorities and budget between these two settings are drastically different (and yes, I have worked in clinical departments, in actual hospitals)
- The problem with Cyber Security in Health(care) has been around for a long long time
  - Case in point, I first wrote, published and spoke on this topic back in 2004
  - It is important to take things into context: I authored the first paper back in 2003, when the ecosystem (technology, threats, accessibility etc.) was very different from what we have today, so take note when you read the whitepaper(s)
  - However, the underlying threat identified back then remains relevant even today. The method of entry described in the SingHealth incident – “An Internet-facing computer is first breached, and then used as a launchpad to gain deeper access into the network” – is similar to what I described in my first paper
  - So don’t go around thinking that it happened out of the blue; the fact that SingHealth was able to detect and “reduce the damage” shows that they are somewhat prepared for such attacks, as opposed to being caught totally off guard and losing more valuable data or, worse, a total operational shutdown. So kudos to the unsung heroes
- The problem has been around for a long long time because it is a difficult one “to fix”
  - There have been several attempts over the years by both regulatory bodies (e.g. FDA) and Industry to try and address this “glaring” issue and, to be honest, it’s not an easy one to resolve
  - If you truly wonder why, go take an actual technical course on Cyber Security and you will understand not only the complexity involved but also how it is IMPOSSIBLE not to be hacked – it’s just a matter of magnitude in terms of “depth of the breach”
  - In this case, post-incident investigation shows that “Method of attack showed high level of sophistication” and, as mentioned in my previous point, it is IMPOSSIBLE to expect any “internet facing” computer (including devices with embedded computing capabilities) not to be hacked; one can only limit the “depth of the breach” <- and from the reports, I think the folks at SingHealth did a pretty decent job
Now, I am not saying everything is fine and dandy and we should all have a good laugh at this saga then forget all about it after a nice cup of coffee. However, I think there are too many ‘experts’ out on the internet dishing out unwarranted (sometimes out of context) remarks that are totally unacceptable. (in other words, vent if you must but give the folks at SingHealth a break).
What is really important is to learn from this incident and figure out how to build in better mechanisms so we are better equipped to handle such incidents in the future. To quote our Prime Minister, Mr Lee Hsien Loong: “We cannot go back to paper records and files. We have to go forward, to build a secure and smart nation”.
Lastly, the above opinions are my own and if you strongly disagree – I have written, published and spoken on this topic since 2004; show me your published work specifically on this subject and we will have a conversation 🙂