Current model of Internet separation unsustainable in longer run: MOH chief data advisor

SINGAPORE — Yet another senior healthcare official has questioned the tenability of Internet separation for the public healthcare system, outlining the measure’s impact on patient care, backend administration and operations, as well as research and teaching.

The Ministry of Health’s chief data advisor James Yip said on Monday (Nov 12) that the current model of Internet separation — cutting Internet access from work computers — is unsustainable in the long run.

While it has resolved or mitigated some cyber-security risks, Internet separation has come “at the price of increased time and costs, lost productivity and new risks”, he told the Committee of Inquiry (COI) investigating the massive cyber attack on public healthcare cluster SingHealth.

Internet separation was implemented by all three public healthcare clusters in the wake of the SingHealth cyber attack, which lasted from June 27 to July 4.

Dr Yip’s comments came a week after SingHealth’s group chief executive Ivy Ng expressed similar sentiments. Professor Ng told the COI last week about “multiple difficulties and inconveniences” resulting from Internet separation and expressed hope that the situation could be reviewed at some point, and new solutions considered.

Frontline public healthcare employees now need to use separate devices to check and retrieve patient information such as medical insurance details, financial or grant status, as well as Medisave balances from the Central Provident Fund.

Dr Yip told the committee on Monday that this initially led to "lengthened patients’ wait times" because such Internet-enabled devices are shared by users.

The time taken to obtain letters of guarantee from private insurers has tripled — from five minutes to between 15 and 20 minutes, Dr Yip said in a report submitted to the COI. A letter of guarantee is an assurance from insurers to hospitals on the portion of the bill the insurer could pay. This reduces the upfront cash deposit that a patient has to make.

“To avoid prolonged wait times, some hospitals have had to suspend their policies of disallowing staff from using their personal mobile phones while on duty, so that staff can use (the phones) to carry out their work,” he said.

Dr Yip, who is also group chief medical informatics officer of the National University Health System, also said that public healthcare institutions have had to plough a “significant amount” of resources to get separate devices and tools.

In some institutions, staff members have had to work overtime to complete tasks, he added.

He cited a few examples of how Internet separation has led to challenges in patient care and teaching.

Two public hospitals had to suspend teleconsultation with the National Neuroscience Institute, but this was later resolved through the provision of a dedicated leased line with sufficient bandwidth to support high-resolution video conferencing.

At one hospital, which was not named, Dr Yip said the class size for basic cardiac life support courses was halved because trainers were unable to access e-learning materials.

NEW RISKS, LONGER-TERM CONCERNS

The use of separate Internet-enabled devices leads to other risks and vulnerabilities because “some information will need to be transferred between (these devices) and the corporate machines through… emails and external storage devices”, he said.

In the longer term, with a shrinking healthcare employee pool and a rapidly ageing population, the “current model of (Internet separation) would not be sustainable”, Dr Yip cautioned.

While the short-term issues have been mitigated or resolved, there might be areas where “effective solutions” might not be available yet, he added.

And while healthcare professionals are “coping” now through measures such as using their own mobile devices, Dr Yip said “there might be reluctance to (do so) in the longer term”.

“In the immediate aftermath of the (cyber attacks), public healthcare staff have accepted the additional burden and challenges…patients have also accepted poorer service delivery standards, delays and inconveniences in some instances, for the moment,” he said.

Internet separation may hinder the deployment or trial of newer or more seamless modes of patient care, such as telemedicine or ways to shift patient care towards the community and home.

Dr Yip also mentioned, in his report, discussions with Prof Henrique Martins from Portugal. Prof Martins is from the Shared Services and eHealth and IT Authority of Portugal’s health ministry.

Portugal does not practise Internet separation, believing that it “increases the complexity of work in medical practice, and blocks access to important medical resources that are integral to patient care”.

Asked later by COI chairman Richard Magnus if the MOH takes a similar view, Dr Yip said yes.

“Healthcare professionals should have the data they need, to take care of patients in Singapore,” Dr Yip said.

On Monday, the committee also heard evidence from General (Retired) Keith Alexander, the former director of the United States’ National Security Agency, who presented a list of recommendations to prevent such attacks from recurring.

Among other recommendations, Gen Alexander called for better training, sharing of information within the healthcare cluster, and ensuring that SingHealth and other healthcare clusters have a “solid organisational structure” overseeing cyber security.

In the SingHealth cyber attack, sophisticated hackers stole the personal data of 1.5 million patients as well as the outpatient prescription information of 160,000 of them, including Prime Minister Lee Hsien Loong.

The COI hearings continue on Tuesday.