MPs raise concerns on cyber health of public, private systems; MOH taking steps to tighten processes

SINGAPORE — “Some processes” at healthcare institutions have “slowed down” because cyber-security measures have been put in place after the SingHealth cyber attack, Health Minister Gan Kim Yong said, but patient care and safety have not been affected.

Health Minister Gan Kim Yong addressed questions on the quality of patient care, the cyber health of computer systems and more in Parliament on Tuesday (Jan 15).


SINGAPORE — “Some processes” at healthcare institutions have “slowed down” because new cyber-security processes have been put in place after the SingHealth cyber attack, Health Minister Gan Kim Yong said, but patient care and safety have not been affected.

This included the roll-out of the Internet surfing separation procedure, or the cutting of Internet access from work computers. 

Mr Gan was speaking in Parliament on Tuesday (Jan 15) in reply to a question raised by Dr Chia Shi-Lu, chairman of the Government Parliamentary Committee for Health, who asked if the cyber attack and the measures taken after that had affected patient care.

Mr Gan said that some processes of patient care are taking longer because more steps have to be taken to enter computer systems, but “by and large, we have not compromised in quality of care, particularly in patients’ safety”.

After he delivered his ministerial statement on the cyber attack, he also addressed several questions from other Members of Parliament (MPs) on the various measures taken by the Ministry of Health (MOH).

Here are some of the concerns raised during the session:

1. DELAYED ROLL-OUT OF THE NEHR

Dr Chia and Dr Lily Neo, MP for Jalan Besar Group Representation Constituency (GRC), wanted an update on the progress of the National Electronic Health Record (NEHR) system.

At first, the Government wanted to make it compulsory by law for all doctors to submit data to the NEHR system. However, in the wake of the SingHealth cyber attack, mandatory contribution of patient medical data was deferred.

The system is also undergoing a series of cyber-security assessments conducted by the Cyber Security Agency, the Government Technology Agency of Singapore (GovTech), and independent audit and consultancy firm PwC.

Mr Gan said that the roll-out of the system should not be delayed unnecessarily, but extra precaution has to be taken to test it “again and again” before making submissions mandatory.

He thus foresees that a “complete review” of the system will be done within this year.

2. INCREASED RISKS FROM PRIVATE-SECTOR SYSTEMS

Dr Neo asked if MOH will assist private practitioners in ensuring that their computer systems are robust.

With private doctors contributing to and tapping the NEHR, their private systems could be linked to those in the public sector and perpetrators could gain access to the public healthcare system through this connection.

Mr Gan said he is aware that “there are risks” present when many private operators use the NEHR. That is why “we are taking many precautions to ensure that (the system is) robust before everyone is required to submit (data)”, he added.

MOH will be developing an advisory to help private practitioners strengthen and conduct audits on their patient systems, to ensure that they are protected.

“Even without NEHR, many doctors have their own data system and keep their own patient records,” Mr Gan said. “While it is their private patients, nevertheless it is important for private doctors to ensure that the patient data collected are protected from potential cyber attacks.”

He stressed that doctors should have a “sense of responsibility” to safekeep data — regardless of whether it is electronic or not.

3. PAY AND BONUSES OF OTHER SINGHEALTH AND IHiS EMPLOYEES

Mr Patrick Tay, MP for West Coast GRC and assistant secretary-general of the National Trades Union Congress, asked if the salaries and bonuses of rank-and-file employees from the Integrated Health Information Systems (IHiS) and SingHealth will be affected by the disciplinary action taken against top management and key individuals for their roles in the cyber attack.

IHiS, which runs the IT systems of all public healthcare institutions, and SingHealth, as the owner of the patient database system, were collectively fined S$1 million on Tuesday by the Personal Data Protection Commission. It is the highest fine imposed by the commission to date.

Mr Gan said that other than staff members who were disciplined, “the rest… should not be affected and continue to get what they deserve”.

For IHiS employees who were commended, “their contributions will also be recognised”, he added.

4. TIGHTENING CYBER SECURITY IN PUBLIC HEALTHCARE SYSTEMS

Mr Gan laid out the plans that MOH will be taking to beef up cyber security in the public healthcare sector. The ministry will continue to defer mandatory contributions by doctors to NEHR until the review of the system is done.

Separating portfolios

  • The chief information security officer of MOH is also the director of cyber-security governance at IHiS.

  • Moving forward, the two roles will be separate.

  • The chief information security officer will be supported by a dedicated office in MOH and report to the ministry’s Permanent Secretary.

  • The office of MOH’s chief information security officer will be the cyber-security sector lead for the healthcare sector. It will coordinate efforts to protect critical information infrastructure in the healthcare sector and ensure that the sector fulfils its regulatory obligations under the Cybersecurity Act.

  • For its part, IHiS will have its own separate director of cyber-security governance.

  • At the cluster level, the group chief information officer’s office of a cluster will now be made fully accountable to the respective cluster management and boards.

Controlled access to the Internet

  • Virtual browsers, which allow access to the Internet through strictly controlled and monitored client servers, will be deployed for selected job functions at certain departments and clinics.

  • The pilot will begin in the first quarter of this year, at the National University Health System. Some of those taking part in this pilot include frontline pharmacists and emergency department clinicians.

  • Should the virtual browser solution prove effective, a tiered model of Internet access will be in the works for the whole healthcare sector.

  • Under this model, Internet surfing separation will remain for those whose job roles do not need such access, for example, administrative staff members who perform back-end tasks. But a virtual browser could be set up for roles where access to the Internet and the internal healthcare group's network is needed on the same device.

Checks on IT systems

  • Improvements will be made at three levels for employees working with IT systems.

  • The first line of defence comprises units and personnel who develop, deliver and operate the IT systems.

  • The second comprises units and personnel who have the specific responsibility to oversee security strategy, risk management and compliance.

  • The third seeks to improve checks and assurances independent of IHiS and public healthcare clusters. This will be done by MOH Holdings’ group internal audit team and other independent third parties where appropriate.
