MOH takes steps to protect national electronic health records

Beefing up protection for patients' records.

Matthias Ang | March 06, 2019, 04:50 PM

Minister of Health Gan Kim Yong gave some updates on the measures taken to boost the IT security of Singapore's healthcare system during his ministry's Committee of Supply debate on March 6.

Specifically, he talked about measures to ensure that the National Electronic Health Record (NEHR) system is protected from cyber attacks.

In explaining what these measures were, Gan stated that they could be broadly categorised into three levels of safeguards:

1. Protection against cybersecurity attacks and unauthorised access

Gan explained that this level consisted of technical training for cybersecurity specialists, regular security audits and ongoing cybersecurity robustness tests.

With regard to the security audits and tests, Gan stated that the last audit had been conducted in Oct. 2018, while the tests were conducted by the Cyber Security Agency (CSA), GovTech and an independent third party, PricewaterhouseCoopers (PWC).

Gan said this meant that there are several lines of defence before the NEHR database, with intrusion detection at each line.

Gan also stressed that the NEHR was strictly meant for direct patient care, with use of it for other purposes, such as research, forbidden.

In this regard, Gan stated that controls had been put in place against unauthorised access and that the system does not allow users to download records onto their workstations.

2. Breach detection and enforcement measures

Gan acknowledged that in the event an attacker still got through, the next level of safeguards consisted of measures to detect breaches quickly, so that the issue can be escalated to the appropriate level for investigation and containment.

One such measure highlighted by Gan was the recording of all NEHR accesses and subjecting them to monthly audits, making use of analytics to detect unusual usage patterns.

Gan also mentioned a future measure to be implemented by IHiS, in which patients will be able to view accesses made to their NEHR records, so that they too are able to report any suspicious access.

3. Deterrence

On this level, Gan had the following to say:

"We must take stern action against anyone who is directly or indirectly responsible for the breach, including our staff who have failed their duties. This way, we can ensure a strong data protection system."
