
Strengthening Cybersecurity in Singapore’s Healthcare Sector

A wave of ransomware attacks disrupted operations in healthcare organisations around the world throughout the pandemic. Cyber threat actors have taken advantage of the uncertainty and disruption caused by Covid-19 to carry out malicious cyber activities.

In recent months, cyber threat actors have been drawn to the valuable research data and intellectual property relating to Covid-19 vaccines, treatments, and testing developed and held by healthcare organisations. Many frontline workers documented records by hand and struggled to deliver effective care in the absence of electronic patient health information (ePHI) and lifesaving, Internet-connected medical equipment as they fought to keep patients alive.

Because hospitals cannot afford downtime, and the need to access health records and computer systems creates urgency, victims are more likely to pay their extortionists, so the healthcare industry remains a prime target for cybercriminals. This incident brought to light the dangers of ransomware attacks, which can completely shut down business processes for weeks and have tremendous consequences. Locally, the Cyber Security Agency of Singapore (CSA) received 89 reports of ransomware cases in 2020, marking a 154 per cent rise from the 35 cases reported in 2019. The cases included sectors from the healthcare industry.

As more healthcare organisations in Singapore move beyond digitisation to focus on innovation, it is becoming increasingly important for them to establish a solid digital foundation based on security and compliance. Healthcare data has long been a tempting target for cybercriminals. Hospitals and other private healthcare organisations routinely keep ePHI records that contain Personally Identifiable Information (PII). These records must meet many regulations and standards, such as Singapore’s Personal Data Protection Act (PDPA).

According to Integrated Health Information Systems’ investigations, hospital patients’ data was stolen between June 27 and July 4, 2018. The attackers obtained the records by breaking into the networks of SingHealth, the country’s largest healthcare conglomerate. The 1.5 million stolen records belonged to patients who visited SingHealth clinics or hospitals between 1 May 2015 and 4 July 2018.

Because of the attack, all of Singapore’s Smart Nation plans have been put on hold. One such initiative is mandatory participation in the National Electronic Health Record (NEHR) project, which allows hospitals to share patient data.

Most of these security upgrades and enhancements are expected to be completed by the end of this year. This includes both technical and process improvements, as well as an in-depth external review conducted independently. In the future, patients’ electronic health records will be required to be uploaded to the NEHR. Following an unprecedented cyber-attack on SingHealth’s IT system, such measures were put in place.

In light of the global COVID-19 pandemic, the NEHR system upgrades will also allow it to meet the requirements for COVID-19 vaccination display, reporting, and alerts. The NEHR will also provide healthcare professionals with easy access to their patients’ COVID-19 test results as well as their existing medical conditions prior to vaccination.

While the increasing interconnectivity of ePHI, computer systems and IoT devices is helping providers transform the way they deliver care, it is also adding to the growing list of cybersecurity concerns.

Local data protection guidelines, such as Singapore’s Personal Data Protection Act (PDPA), offer prescriptive recommendations to help strengthen defences, emphasising the importance of identity restrictions as the foundation of a modern cybersecurity programme based on Zero Trust.

Organisations work to prevent identity and privilege abuse at critical points in the attack chain by “trusting nothing completely and verifying everything systematically.” As a result, threats can be identified and mitigated before they cause harm. Once these controls are in place, healthcare institutions can concentrate on improving cybersecurity awareness and skill training, revisiting digital security fundamentals, and hardening and backing up critical hospital systems to protect against future attacks.
