Lessons from SingHealth: Having a culture of data security and open line of communication is essential

Ongoing investigations into the SingHealth cyber attack have revealed more insights into one of the biggest data breaches to hit Singapore’s shores to date (“IHiS deputy director ‘shocked’ to find data stolen after being told otherwise”; Sept 27).

One of the key testimonies given was that there was apprehension among staff members to report any signs of a potential security threat to management. The officer who testified had the understanding that “an incident must be confirmed before being reported”.

In other words, warning signs of a potential breach were brushed aside. Such warnings, had they been flagged to management earlier, could have kickstarted efforts to bolster security for the medical records managed by the Integrated Health Information Systems.

An important learning point from the data breach is the importance of establishing a culture of data security.

This involves educating all employees within the organisation, ensuring that they are aware that they all have a part to play in safeguarding patient data.

For instance, every employee needs to ensure that confidential information, in physical or digital form, is shredded or destroyed securely when it is no longer required, in compliance with the Personal Data Protection Commission’s requirements.

Moreover, a culture of data security should include having open communication among all relevant parties involved in safeguarding patient data — from senior management to entry-level employees.

This will help ensure that security threats are identified and dealt with quickly and safely, in the best interest of those likely to be affected.

Sometimes, employees may choose not to raise a concern unless it has been confirmed as a security incident, for fear of embarrassing themselves or inconveniencing their superiors. Employees should be encouraged to communicate potential threats and be praised for responding proactively, even if it turns out to be a false alarm.

In addition, carrying out routine checks on physical and digital data maintained or stored by the organisation helps to identify potential risk areas.

Ensuring that employees have the resources and knowledge to protect patient data is crucial to preventing a data breach from occurring. We can now see the fallout of what happens when there are insufficient protocols in place.
