Most folks working in the healthcare industry, especially those of us in Singapore, would have heard by now that SingHealth’s IT System was hacked and records of 1.5 million patients (including those of our Prime Minister, Mr Lee Hsien Loong) were stolen.
Before I continue, it is important for me to provide some context so one can apply relevant perspectives when evaluating my thoughts below:
- First and foremost, I do not consider myself to be a Cyber Security expert but I am definitely not “yet another know-it-all who read an online article on this topic and decided to provide their divine expertise on the subject via the Internet“
- I am sharing the following thoughts as a practising Health Informatician who happens to have both actual experience and formal qualification in the area of Infocomm Security (In case you wonder, I have yet to meet another real Health Informatician with actual working experience and formal training in Cyber Security so if you are one or if you know one, feel free to make the mutual introductions)
With the above, here are my two cents’ worth:
- Cyber Security in Health(care) is more complicated than you think
- One cannot apply conventional IT security best-practices in the domain of healthcare because health(care) is different (if this statement baffles you, you are definitely not from our industry)
- Some folks I’ve met argued that one can handle Cyber Security in Health(care) like the Military given both are considered “Critical Infrastructure”
- My personal experience with the military is limited to the actual service time (of 2.5 years full-time + reservist training till the age of 40) spent during my stint of compulsory National Service (mandated by law) in Singapore so I would not say that I am an expert but I think the nature, operational focus, priorities and budget of these two settings are drastically different (and yes, I have worked in clinical departments, in actual hospitals)
- The problem with Cyber Security in Health(care) has been around for a long long time
- Case in point, I first wrote, published and spoke on this topic back in 2004
- It is important to take things into context: I authored the first paper back in 2003 when the eco-system (technology, threats, accessibility etc.) was very different from what we have today so take note when you read the whitepaper(s)
- However, the underlying threat identified back then remains relevant even today. The method of entry described in the SingHealth incident – “An Internet-facing computer is first breached, and then used as a launchpad to gain deeper access into the network” is similar to what I described in my first paper
- So don’t go around thinking that it happened out of the blue; the fact that SingHealth was able to detect and “reduce the damage” shows that they are somewhat prepared for such attacks as opposed to being caught totally off guard and losing more valuable data or worse, a total operational shutdown. So kudos to the unsung heroes
- The problem has been around for a long long time because it is a difficult one “to fix”
- There have been several attempts over the years by both regulatory bodies (e.g. FDA) and Industry to try and address this “glaring” issue and to be honest, it’s not an easy one to resolve
- If you truly wonder why, go take an actual technical course on Cyber Security and you will understand not only the complexity involved but also how it is IMPOSSIBLE not to be hacked – it’s just a matter of magnitude in terms of “depth of the breach“
- In this case, post incident investigation shows that “Method of attack showed high level of sophistication” and as mentioned in my previous point, it is IMPOSSIBLE to expect any internet facing computer (including devices with embedded computing capabilities) not to be hacked, one can only limit the “depth of the breach” <- and from the reports, I think the folks at SingHealth did a pretty decent job
Now, I am not saying everything is fine and dandy and we should all have a good laugh at this saga then forget all about it after a nice cup of coffee. However, I think there are too many ‘experts’ out on the internet dishing out unwarranted (sometimes out of context) remarks that are totally unacceptable. (in other words, vent if you must but give the folks at SingHealth a break).
What is really important is to learn from this incident and figure out how to build in better mechanisms so we are better equipped to handle such incidents in the future. To quote our Prime Minister, Mr Lee Hsien Loong “We cannot go back to paper records and files. We have to go forward, to build a secure and smart nation“.
Lastly, the above opinions are my own and if you strongly disagree – I have written, published and spoken on this topic since 2004, show me your published work specifically on this subject and we will have a conversation 🙂
I tweeted about the official launch + MOU signing of the Nanyang Polytechnic (NYP) – Starhub Centre for Connected Care but thought I will also do a detailed blog post here.
First things first, for the interested, the news coverage of the centre is available at Straits Times and I’ll be paraphrasing some of its contents (why reinvent the wheel) while sharing some of the ‘history’ and context of this centre.
My role with the NYP-Starhub Centre for Connected Care started back in June 2012 when I started serving as the Solution Architect for the NYP-HIMSS Centre of Excellence (Health IT), which was officially launched back on 27 November 2013.
It is important to note at this point that my involvement is pro-bono, as part of the BinaryHealthCare Collaborative Outreach Programme (BCOP) so if you are an interested Institution of Higher Learning, drop us an email.
The NYP-HIMSS Centre of Excellence (Health IT) focused more on the acute-care settings (mainly ICU and in-patient wards), covering healthcare IT solutions such as electronic medical record systems, wireless vital signs monitoring and closed-loop medication management systems that are used in many hospitals in Singapore (remember, this was 2012-2013) while the NYP-Starhub Centre for Connected Care focuses on the seniors (elder care) and those living with dementia.
In other words, this centre focuses on the ageing population and long-term care sector, adopting smart technologies to enable the “Smart Home” concept, including innovations such as mobile beds, elder-friendly cupboards as well as open-concept designs etc.
Now here is the million dollar question: why am I dedicating an entire blog post to this centre? The answer is workflow. How fantastic is the workflow optimisation? Well, if you visit the centre (which I highly encourage), you will notice that almost all the “high tech” stuff is blended in (to the extent of being invisible – like electricity!), that’s how awesome the implementation has been.
Workflow is not a synonym for Processes – non Health Informaticians usually confuse these two concepts as synonyms; if you are scratching your head right now, I suggest you read this whitepaper on workflow or attend our signature course – Mini-HI : Mini Health Informatician
So what is my role with the NYP-Starhub Centre for Connected Care? As mentioned earlier, my journey with this centre started back in June 2012 because I also serve as its Solution Architect (again, pro-bono, as part of BCOP) as both centres serve to cover different segments across the Continuum Care!
The story of NYP-Starhub Centre for Connected Care has just started so stay tuned for more exciting developments 🙂
BinaryHealthCare (BNHC) wishes everyone a Fantastic Lunar New Year !
But where did January go ??😧??
BinaryHealthCare (BNHC) wishes everyone a joyous holiday season and may all of us enjoy a fantastic 2018!
Someone commented that I am “too academic” in my work approach and “lack” industry perspective.
My reaction was more one of surprise than annoyance because I’ve been told on most occasions that my approach was too pragmatic (taking situations contextually and using the most cost-effective way to fix the underlying causation) resulting in a lack of “fudge” to publish anything “sexy” – this was the case even when I was working in a hospital, way before I ventured into adjunct teaching and research.
As a practising consultant, feedback is very important to me but I have learned over the years the importance of identifying genuine feedback versus people talking bad about me because they feel intimidated by my work.
Taking a hard look at the context reveals that the person has no real experience working IN health(care), be it in hospitals (or any healthcare facility), HealthTech or MedTech companies, or even in a consulting firm offering services in a related area. This person also has no academic or professional qualification in health(care), technology, health informatics or anything remotely related.
Instead, this person works “loosely” WITH us health(care) professionals (imagine a cashier working in a two star michelin restaurant, just because he works in an associated role doesn’t mean he knows how to run a restaurant nor make great food).
Of course, there is nothing wrong with working “loosely” with us, health(care) professionals can’t do everything by ourselves but what was puzzling was – why would this person feel intimidated by my work? I’m a consultant and trainer, he is not (both in ability and reality) doing any of the stuff that I do and I don’t see myself doing any of the stuff he is making a living on.
Nevertheless, I want to make it clear to the person, a very basic concept;
Just because you don’t understand the complexity and technical aspects of what I do / advocate / teach doesn’t mean I am “too academic”, it merely means you are not a real subject matter expert
(Don’t worry, it’s not your fault and I encourage you to attend the Mini-HI (Mini Health Informatician) so you can start talking sense to us)