Sacred Cow or Golden Calf?

SingHealth Cyberattack 2018

The cyberattack into Singhealth dominated healthcare news not just in Singapore, but in the world as well. News of the attack was made public on 20 July 2018, exactly 5 months to the day when this Hobbit published “NEHR: A Patient’s Perspective from A Doctor’s Eyes”. In the section on “Security” in the aforesaid article, this Hobbit wrote:

“The last point I would like to deal with is that of security. Security can basically be defined as measures put in place to prevent breaches of confidentiality. How secure is the NEHR? I am confident that the planners and implementers have tried their reasonable best to ensure best practices in IT security have been put in place or are being put in place. After all, the NEHR, being backed by government, has enormous resources to do so.

Even then, no IT system, especially one that is internet-based and cloud-based, with literally unlimited number of entry points (every clinic or hospital computer that is linked to the internet is an entry point into the NEHR) is hack-proof. If it were not so, there would be no need for the government to delink civil servants’ work computers and intranet from the internet last year. It was reported this affected all 143,000 civil servants. That is a tacit admission that no security system is fool-proof or hack-proof. I suppose this shows cyberthreats cannot be wished away, but they can be effectively partitioned away.

This hobbit is sure the NEHR is as secure as can be, but not quite more secure from the civil servants’ work computers before they were delinked from the Internet. In fact, the fact that the NEHR exists must in itself be a very tempting trophy database for hackers from all over the world to try and test and breach.

In the event a breach happens and records and medical information are stolen, what is the liability of the NEHR or the government with regard to this breach, and what are the rights of the affected patients? Can he seek redress, compensation, damages etc.?”

Sometimes, this Hobbit wishes he isn’t so spot-on, although he was referring to the NEHR and not the current IHIS-Singhealth Electronic Medical Records (EMR) that had been hacked into. But if you replace “NEHR” with “IHIS-Singhealth EMR”, everything else pretty much applies. In fact, DPM Teo Chee Hean pretty much said so too when he said in hindsight, that internet surfing separation for public hospital separation should and could have been done earlier.

And it was just as well that this attack occurred before the NEHR was rolled out to the private sector. If that had already happened, then the cyber-attacker would have even more access points to hack via any computer in any of the 2000+ private clinics and laboratories all over Singapore.

This hobbit supposes that all the computer terminals in the three public healthcare clusters are well maintained with up-to-date antiviral software, server firewalls and robust security measures such as high security passwords etc. The public healthcare sector has dedicated IT teams and resources to ensure this. The same cannot be said for the private clinics. Do they have anti-viral software? Let alone up-to-date ones? And what about passwords? I won’t be surprised if many passwords are “qwerty”…

So, it was fortuitous that NEHR hasn’t been made mandatory yet in the private sector, if not the cyber-attackers would have found it even easier to launch a cyberattack, and probably an even more massive and debilitating one.

The authorities also said that the data that had been exfiltrated was “not sensitive”, and were “basic demographic data”. This was an attack on 1.5 million people, which is about 25 to 30% of the populace on this island. It is really an attack on Singapore, plain and simple. Singhealth was probably chosen because many, many influential people seek care in SGH, and the Outram Campus, which are part of SingHealth. If you want to dig out medical information on most of Singapore’s VVIPs and CIPs, the most ‘rewarding’ place to look would be SingHealth. It wouldn’t be NHG or NUHS. Anyone in healthcare long enough knows this.

I am not sure downplaying the impact of the cyberattack is the right strategy here. Sure, someone needs to strike a balance between unnecessarily pressing the panic button and euphemising a clear and present danger. I can decide what is “sensitive”, thank you. My birthday and my NRIC number are sensitive data alright.

In addition, the 160,000 medication records that had been exfiltrated was surely sensitive information. Any healthcare worker, be it a doctor, pharmacist or nurse can quite easily infer from the medication records with reasonable accuracy what disease(s) the patient is being treated for. And if you think about it, this is the most efficient way to know about a patient’s medical status. If you go and look at his investigation results, there will be many ‘uninteresting’ normal results. If you look at the record of procedures done, you may miss the pure medical diagnoses the patient has. But when you look at the medication records, almost everything there is sensitive and ‘useful’. This is a medically-intelligent cyber-attacker.

The externalities of this attack are significant. The attack does not only affect the 1.5m people or the 160,000 medication records. The Monetary Authority of Singapore (MAS) has already instructed all bank to take more steps to verify the identity beyond the basic demographic data that was exfiltrated. Unless you do not have a bank account or use only human teller services, we will all have to answer more questions to verify our identity, beyond name, NRIC, address and birthdate. In other words, practically everyone is affected adversely.
NEHR

Since we are on the subject of NEHR, let’s discuss security of the NEHR in the wake of the attack. The authorities have categorically stated that the move towards NEHR is inexorable. There is NO turning back. It is true that the move away from paper cannot be avoided. But it is also true the NEHR has many issues that need serious re-thinking and ironing out.

This Hobbit senses that there is an almost religious fervour amongst those in power to developing a monolithic glorious NEHR that will be the pride of Singapore and establish the country amongst the pantheon of IT gods as soon as possible. To be in the pantheon of IT gods is the geek’s ultimate fantasy. But we need to face up to reality beyond geek-ish obsessions. Perhaps it is wise to take a leaf from Steven Spielberg latest directorial effort, the hit movie “Ready Player One”. In this movie set in the future (2045AD), most people in the world are living in slums and finding happiness only in a virtual reality gaming world called OASIS. The founder James Halliday becomes the richest man on the planet, with a fortune of $1trillion. But at the end of his life, he realised that “reality is real”; not OASIS.

Indeed, reality is real. Reality involves looking at the NEHR with detached objectivity. But it is difficult. The people right in the thick of things can get easily enamoured with the whole idea. Even a tech giant like Facebook is not immune to such failings. In the wake of the Cambridge Analytica scandal, Facebook CEO Mark Zuckerberg said in an interview on 18 July 18 that “we were too focused on just the positives and not focused enough on some of the negatives”. When you make a Golden Calf and worship it, you seldom look at its negatives.

If you look at the NEHR publicity so far, it is all about the positives: continuity of care, ease of care, more efficiency, patient safety etc. It’s terrific spin. Nobody talks about the potential negativities. But one must wonder if the people driving this believe in their spin? As the saying goes – never believe in your own spin.

Former editor of The Straits Times, Han Fook Kwang had his finger on the pulse when he wrote, “(NEHR is) A no brainer for the medical fraternity? You would have thought so. But doctors are divided over it”. (Singapore needs to get smarter about digital world, 5 Aug 2018)

He also said’ “It is easy to be seduced by the appeal of placing everything in a common system under one control: It can be more efficient and is easier to manage. Very Singapore Inc, you might say”. The key word here is “seduced”. Mr Han goes on to explain the pros and cons of a centralised system versus a distributed one. He used to be an elite Administrative Officer with experience working in MOH so he obviously knows more than a bit about healthcare.

For sure, many doctors in the private sector, like this Hobbit, don’t buy the spin. Many have quietly voiced their reservations about the security dangers, loss of privacy rights and costs of maintaining the system etc. But the feedback has always been “We are going full-steam ahead”. Until this massive cyber-attack happened and Smart Nation projects was paused for a total of 14 days (20 July to 3 Aug). A cyberattack that affected 1.5 million people did not quite put a dent in the Charge of the NEHR Brigade beyond 14 days.

This hobbit hopes someone in authority is finally looking at the negatives seriously even as we continue to brandish the positives. For one, if internet surfing separation is going to be permanent, does it mean that there will be at least one computer terminal in each clinic dedicated to just NEHR and which is not connected to the Internet? Who pays for that and its upkeep as well? Even if that happens, what is there to prevent hackers from physically breaking into a GP clinic located in the HDB heartlands at night and launching a cyber-attack from there? Does it mean we have to physically secure each clinic to the same level as SGH?

Regulation of the Public Sector

On 4 Aug, NUS Law Dean Simon Chesterman wrote eruditely in The Straits Times that we should not waste the opportunities afforded by this Singhealth cyber-attack crisis and take a good look at revisiting the issue of privacy on top of addressing the obvious issue of security. He was obviously not enthusiastic of the fact that the entire Singapore public sector was exempted from the “relevant legislation” (i.e. the Personal Data Protection Act or PDPA in short) that governs data protection. (Singhealth breach may give privacy new life, 4 Aug 2018).

Many official sources have said that the NEHR is subject to even higher standards than what the PDPA requires so no one should be worried. But that is NOT the point. The point here is when the public sector fails the public and fails the standards that it is supposed to meet, what happens? The PDPA provides for clear penalties to be meted out and the rights of the private individual is clearly spelled out. What is the equivalent of that in the public sector? Can the patients now sue IHIS or Singhealth? Who regulates IHIS and Singhealth under which piece of legislation when a cyberattack is successful and patients’ privacy and confidentiality suffer?

A private hospital administrator said to this hobbit that if this cyberattack had happened in the private sector, the PDPA would have been enforced and in all likelihood, the party involved, say a private hospital, would have been punished under the clear provisions of the PDPA with hefty fines etc. But since the PDPA doesn’t apply to the public sector, it’s anyone’s guess.

The SMA-AMS-CFPS Survey on Patient Perspectives of NEHR

This point is in fact quite well echoed in the results of a survey which was commissioned recently by the Singapore Medical Association, College of Family Physicians and Academy of Medicine, Singapore which has been released to the members of SMA and AMS. Out of the 2100 people surveyed, no less than 81.7% were concerned that the NEHR was not subject to the requirements of the PDPA. A whopping 82.9% (1741 of 2100) were concerned that their medical information would be used for matters of public interest by the Ministry without their consent.

Other significant findings include:
• 581 of 2100 (27.7%) definitely wanted to have their records maintained in the NEHR
• 1175 of 2100 (56.0%) would like their records maintained in the NEHR but did not want any healthcare provider to access it without their explicit consent except in emergencies. (i.e. privacy concerns)

On the issue of security:
• 77.5% (1627 of 2100) of the respondents were confident that their data in the NEHR was secure,
• 70.8% (1487 of 2100) were confident that their data would not be misused by others.

This survey was done before the cyber-attack. Will 77.5% of people still be confident of the security of the NEHR now?

But there is good news for the authorities. Singaporeans understand the importance of having a NEHR. 92.2% of those surveyed were supportive to varying degrees of having an NEHR. But of course, the devil is in the details. And as this Hobbit has said some five months ago, the concerns and dangers are lurking somewhere in the alleys of privacy and security which need to be faced squarely and addressed adequately.

As you can see, many people who had been surveyed were already concerned with some of the potential negatives of the NEHR, even though they saw the need for electronic medical records. The findings are not surprising.

Time For A Rethink, Repositioning and Redirecting ?

This hobbit feels that the NEHR urgently needs a re-positioning. In the wake of the cyber-attack, it is not just enough to say the NEHR is good for continuity of care, efficiency, cost-effectiveness, patient safety etc. Yes, the NEHR works for the patient’s interest in these areas. But the NEHR must also work for the patient’s rights and interests in other equally important areas such as privacy, confidentiality and security. And it is not just spin. The public that is now “sensitised” to such issues will want to know what are the concrete policies and measures taken to do so.

The public will also want to know what are their rights to redress, compensation and damages if their privacy and confidentiality rights have been compromised. This is still unclear in the context of the Singhealth cyber-attack and even more nebulous with regard to the NEHR.

What has happened in the last few weeks with the cyberattack calls for deep reflection,  serious repositioning. It may even need some redirecting – a change in course if necessary. But this hobbit doesn’t think there will be much of these. Instead, the focus is still on achieving rapid deification through the NEHR.

Come to think of it, this hobbit feels the NEHR is turning out to be something between a sacred cow and a golden calf…..

Perhaps it is time to revisit Lord Alfred Tennyson’s famous poem, “Charge of the Light Brigade”, in particular, the 2nd stanza:

“Forward, the Light Brigade!”
Was there a man dismayed?
Not though the soldier knew
Someone had blundered.
Theirs not to make reply,
Theirs not to reason why,
Theirs but to do and die.
Into the valley of Death
Rode the six hundred.

2 thoughts on “Sacred Cow or Golden Calf?

  1. The NEHR is specifically excluded from the PDPA in the draft Healthcare Services Bill but the Singhealth attack does come under the PDPA because Singhealth is a private company, albeit govt-owned. Of course, the PDPA has very broad discretion in setting penalties and unlike in a court, proceedings are no conducted in public, so your guess is as good as mine as to how heavy the slap on the wrist will be.

    Like

  2. Thank you for the post. I have been privy to parts of the NEHR proposal but I have not been convinced that it is a) needed b) is properly setup. Disclosure: I live in the open source world where I do not accept or very, very reluctantly accept closed/proprietary code for things that I need to work with. NEHR is built on a proprietary code base and no one in MOHH/IHIS will have sight of the code or even be able to inspect it for security – I could be wrong in that statement as things *might* have moved forward that MOHH/IHIS might have access to the code. Anything that deals with privacy and security has *necessarily* to be built on publicly available, auditable code. Not something hidden behind some high priced business model that extracts rent from usage.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s