Who should bear responsibility in cyber attacks on healthcare IT systems?
On 20 July, the Singapore government revealed that the non-medical personal details of about 1.5 million patients who had visited SingHealth’s specialist outpatient clinics and polyclinics between 1 May 2015 and 4 July 2018 had been illegally accessed and copied in a deliberate, targeted and well-planned cyber attack.
Data taken included names, national identity card numbers, addresses and dates of birth. Information on the outpatient dispensed medicines of about 160,000 patients was also exfiltrated through an initial breach on a front-end workstation.
The unprecedented attack on Singapore’s public healthcare IT systems has since raised questions about who should bear responsibility in a medical cyber attack.
One might think that IT workers and their suppliers should be blamed, but doctors, at least in Singapore, are also “statutorily responsible for any system instituted within his practice for the management (storage, access and integrity) of medical data.”
This was pointed out by Quan Heng Lim, director of cyber operations at Horangi Cyber Security, who noted that with increasing digitisation of healthcare records and new regulations on contributions to Singapore’s National Electronic Health Record system, doctors should ideally possess baseline knowledge on information security, whether by training or otherwise.
Lim added that the legal entity of the affected clinics and hospitals – or SingHealth in this case – may be liable as well. Although SingHealth operates public healthcare services, it is in fact a corporate entity and hence is bound by the Personal Data Protection Act (PDPA).
Under Section 24 of the PDPA, organisations must protect personal data in their possession or control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. These include technical measures such as network security, strength of access controls, and the regularity and extent of patching and vulnerability fixing.
Lim said more obligations could also apply, depending on the nature of the computer systems in question. Under Singapore’s newly-passed Cybersecurity Act, acute hospital care services and services relating to disease surveillance and response are considered “essential services”.
“If designated as critical information infrastructure by the Cyber Security Agency of Singapore (CSA), computer systems owners would be subject to various obligations, such as bi-annual audits, annual risk assessments, as well as compliance with specific codes and standards.
“It is possible for such owners to be IT vendors, corporate legal entities, or even doctors themselves,” he added.
Faced with liabilities on several fronts, what can those parties do? Even though there’s no surefire way to stop all cyber attacks, IT suppliers and software developers, for one, should strive for zero defects in their systems. That goal has been lost today amid the rush to put out new software releases quickly.
Besides implementing air gap measures, which seem to be the favoured solution of the Singapore government when confronted with threats targeted at critical systems, a holistic approach towards cyber security that involves people, processes and technology is necessary.
“In relation to people, doctors and IT vendors should be aware that they could be targets for phishing and impersonation. The risk of phishing is not unique to the healthcare industry, and affects other industries (e.g. financial services, legal services) which deal with sensitive data, but have no guidance dealing with cyber security or understand the risks they must deal with,” Lim said.
As for processes and technology, Lim said doctors and IT vendors should strive to build and maintain a secure technology environment. This could include vulnerability and threat assessments and setting up multi-factor authentication – just ask Google, which has not had any of its employees phished on their work e-mail accounts since it mandated the use of Universal 2nd Factor (U2F) security keys in early 2017.