The Repercussions of the Singapore Health Data Breach

As a health analyst, I have always considered myself lucky that Singapore has been home for the last 9 years, and I have witnessed the national ehealth initiatives from close quarters. So, when I received the SMS informing me that my son’s name, NRIC (identification number), address, gender, race and birth date were floating around in cyberspace somewhere, it was disconcerting to say the least. It is true that his medical and financial information had not been breached, but that is small consolation for someone who took for granted the sophistication of the health records system in Singapore.

A Quick Recap

SingHealth, Singapore’s largest group of healthcare institutions, announced in June 2018 that non-clinical personal data of 1.5 million patients had been “accessed and copied”. Outpatient prescription information for 160,000 patients was also compromised. There was no evidence of this breach going deeper into patients’ actual clinical records, and the other 2 healthcare groups were not affected. The breach was detected a week later, a relatively short period, but it was not immediate. Security – identification and threat management – is one of the mainstays of any Digital Transformation journey, and Singapore healthcare is considered to be well along on that journey.

It is commonly believed that security breaches are waiting to happen, and that organisations are concerned not with ‘if’ but with ‘when’. Moreover, the wide variety of devices used in healthcare makes security a difficult proposition. This will only become more complicated once IoT sensors and devices are used outside the walls of hospitals. AI-driven breach detection is being portrayed as the hope for the near future.

Why does this continue to concern me, even after 5 months?

  • A cautious approach to NEHR. One of the first statements that the government made in the wake of this disaster was that it is reviewing the ongoing NEHR initiatives. Since then, the Cyber Security Agency (CSA) and PwC have been appointed to identify the weaknesses in the NEHR initiatives, with a view to addressing them. It is a good time to re-evaluate the possible weak links before going deeper into the program.
    But, almost 10 years after the NEHR was launched, the country has still not been able to realise the full potential of the initiative, especially because of limited participation from the private sector. Will this lead to a conservative approach to creating the ‘One Patient, One Record’? Will this put the brakes on the ongoing progress of the ehealth initiatives?
  • Private Participation in NEHR. The private sector accounts for 80% of Singapore’s primary care. It is possible for a citizen who has never stepped into a public polyclinic, choosing the friendly neighbourhood GP instead, and who has had no acute care needs (whether inpatient or outpatient), not to be on the NEHR system at all. This would include chronic disease management, which is the primary cause of concern in sustainable healthcare. The Singapore Personal Data Protection Act 2012 (PDPA) governs the collection, use and disclosure of personal data by all private organisations. The Act, which came into effect in 2014, states that organisations that fail to comply with the PDPA may be fined up to $1 million and face public reporting of the breach. However, the public sector is not included under the PDPA! So, in effect, the public healthcare consumers whose data was breached have no recourse under the PDPA. But this might deter private healthcare providers with very rudimentary IT systems in place, who are liable under the PDPA. The government has already been fighting a reluctance on the part of these private primary care providers to go digital with patient records and share them with the public system, with a view to building a more comprehensive NEHR.
  • ‘Smart nations’ need ‘Smart’ citizens. This has been my mantra regarding Singapore’s Smart Nation initiatives for a while now. And smart citizens are not necessarily only those with access to multiple mobile devices and wireless connectivity. Smart citizens are also people who are aware of the pitfalls in the journey, and of their rights as they travel together with the government on the ride.
    What shocked me was the singular lack of concern among the average Singaporean when I tried to discuss the gravity of the health data breach – which is considered even more dangerous than a financial data breach in most mature countries. The common response I received was that it’s only personal data. Well, your national identification number, along with your date of birth, in the hands of nefarious agents can do a lot of mischief, I reminded them. And what about the prescription data, I persisted. That got answered by a view that prescription data is not really health data! A lot can be inferred from your prescription data… I persisted, to no avail! Healthcare is moving toward giving autonomy and control of health records to individuals. To be able to leverage this control, individuals have to be a) concerned about their health and wellness parameters, b) ready to record and share their health data with the right people at the right time, and c) aware that health data is private and needs to be kept secure.

There is no doubt in my mind that Singapore will do all within its capacity to avoid a breach of this level – and other industries are feeling the repercussions too. But the government definitely has to manage the private participation in NEHR more delicately and diligently, in light of this breach. They also have a long way to go in educating the citizens on the privacy and compliance angles to health data.
