Singapore is widely known for its high degree of connectivity, which leaves its critical infrastructure exposed to cyber attacks.[i] Hackers recently used malware to attack SingHealth, Singapore’s government digital health database, affecting around 1.5 million people, equivalent to a quarter of the population,[ii] and making it the worst cyber attack Singapore has ever experienced.[iii] The stolen data comprised the names and addresses of patients but, so far, did not extend to medical records such as diagnoses and test results.[iv] Incidents of this kind, however, are not exclusive to Singapore. Other countries that are also technologically advanced and wired (Germany, Ukraine, and the UK) are naturally attractive targets for similar attacks.[v] Given the impact and scale of the attack, this case sets a precedent for other countries and industries to start discussing and designing sound long-term personal data protection. This article briefly discusses the significance of Singapore’s health data theft and measures worth considering to enhance its cybersecurity, particularly in the health service sector.
Singapore’s Health Data Breach: Reasons for Concern
Digitalizing health databases is arguably indispensable for improving healthcare, making the delivery of services and medicine more effective and efficient. Not only does it reduce administrative costs, but digital healthcare also enables doctors with different expertise and experience to collaborate so that they can treat their patients’ medical problems better.
The health sector, however, is highly susceptible to cyber attacks. First, health service data hold substantial information that can be exploited to carry out many crimes. The average medical record contains a lot of personally identifiable information, including but not limited to family history, social security number, and insurance information. Such data could be harnessed to support other crimes, such as medication fraud, financial fraud, and insurance fraud.[vi] An identity number, birth date, or phone number, if successfully stolen, could be used to access a Central Provident Fund (CPF)[vii] account. The CPF is Singapore’s compulsory social security savings scheme, funded by contributions from employers and employees, which aims to meet retirement, housing, and healthcare funding needs.[viii] A CPF account is worth a significant sum of money.
Second, medical records can carry a high monetary value. On the black market, the sale of health records can be highly lucrative, amounting to $100 each, depending on who owns the data and how comprehensive it is.[ix] Moreover, healthcare organizations are attractive targets for ransomware because of the high sensitivity of the data they hold, given that health data can be a matter of life or death for patients. Being unable to access the data, or being delayed in accessing it, could threaten patients’ livelihood, leaving hospitals with no choice but to succumb to the hackers’ demands and pay the ransom.[x]
Lessons Learned and Ways Forward
Learning from this major cyber attack, Singapore’s decision makers should be more vigilant and give higher priority to improving cybersecurity, particularly in the healthcare sector. Building appropriate risk mitigation can save much money and, further, protect against reputational damage that would harm the government’s broader agenda of deeper digital penetration.[xi]
First, the Singapore government could start defining the threshold at which healthcare organizations must notify the authorities of a data breach. Singapore’s current legal framework, namely the Personal Data Protection Act Overview (PDPA), only obliges organizations to apply reasonable and appropriate security safeguards; it does not require them to report the cyber incidents they encounter to the government, since notification is not mandatory. The absence of a clear threshold for which circumstances should be reported to the government[xii] might result in a late response or, even worse, in organizations assuming that they need to notify the government only in specific events with a fatal degree of damage. This situation could cripple stakeholders’ capacity to act sooner and prevent more significant harm.
Second, the government could encourage healthcare provider groups to regularly share information and transfer knowledge of best practices in enhancing cyber resilience, risk assessment, and mitigation of cyber attacks. By doing this, healthcare groups and the government might also identify scalable cybersecurity best practices.[xiii] This cybersecurity model has been applied in the United States as a follow-up to its Health Care Industry Cybersecurity Task Force. Singapore can adapt this mechanism to improve its cybersecurity, especially in its healthcare sector.
[iii] Tham, I., 2018. Data of 1.5m patients stolen in Singapore's most serious cyber attack. [Online] Available at: http://www.thejakartapost.com/life/2018/07/20/data-of-15m-patients-stolen-in-singapores-most-serious-cyber-attack.html [Accessed 11 August 2018].
[vi] Lord, R., 2017. The Real Threat Of Identity Theft Is In Your Medical Records, Not Credit Cards. [Online] Available at: https://www.forbes.com/sites/forbestechcouncil/2017/12/15/the-real-threat-of-identity-theft-is-in-your-medical-records-not-credit-cards/#21e383b61b59 [Accessed 11 August 2018].
[vii] The Straits Times, 2017. Cyber attack on Mindef: Take steps to secure online accounts, experts urge. [Online] Available at: https://www.straitstimes.com/singapore/take-steps-to-secure-online-accounts-experts-urge [Accessed 24 August 2018].
[viii] Ministry of Manpower, n.d. What is the Central Provident Fund (CPF). [Online] Available at: https://www.mom.gov.sg/employment-practices/central-provident-fund/what-is-cpf [Accessed 24 August 2018].
[ix] Lord, R., 2017. The Real Threat Of Identity Theft Is In Your Medical Records, Not Credit Cards. [Online] Available at: https://www.forbes.com/sites/forbestechcouncil/2017/12/15/the-real-threat-of-identity-theft-is-in-your-medical-records-not-credit-cards/#21e383b61b59 [Accessed 11 August 2018].
[x] Bhunia, P., 2017. NHS attack latest example of healthcare sector’s vulnerability to Ransomware. [Online] Available at: NHS attack latest example of healthcare sector’s vulnerability to Ransomware [Accessed 11 August 2018]
[xi] Health Care Industry Cybersecurity Task Force, 2017. Report on Improving Cybersecurity in the Health Care Industry. s.l.:s.n.
[xii] Tham, Y. M. & Austin, S., 2017. The Privacy, Data Protection and Cybersecurity Law Review - Edition 4: Singapore. [Online] Available at: https://thelawreviews.co.uk/edition/the-privacy-data-protection-and-cybersecurity-law-review-edition-4/1151342/singapore [Accessed 11 August 2018].