It has come to light that the data of approximately 1.5 million patients who visited SingHealth’s specialist outpatient clinics and polyclinics between 1 May 2015 and 4 July 2018 have been illegally accessed and copied. The data stolen include the names, NRIC numbers, addresses, genders, race and dates of birth of the patients. Information on outpatient dispensed medicines of about 160,000 of these patients was also compromised. With a cyber hack of such a magnitude, it is no wonder that the Prime Minister himself has publicly addressed the issue.
In an open Facebook post, Prime Minister Lee Hsien Loong (PM Lee) wrote: “Of course, I also knew that the database would be attacked, and there was a risk that one day despite our best efforts it might be compromised. Unfortunately that has now happened.”
If he had known that the database would be attacked, why didn’t he ensure that more stringent measures were taken to prevent this cyber attack? While an attack may have been unavoidable, could it have been more limited? 1.5 million in a population of less than 6 million is a staggering percentage. A follow-up question would be what the “best efforts” amounted to. Also, what recourse would those affected have? Will they be compensated by SingHealth for the breach of their data?
While PM Lee may wish to “go forward” and build a “secure and smart nation”, it may be worthwhile to pause and take stock in light of this massive security breach. Are we rushing things so much that we are compromising security? Are we allowing enough time to trial the systems and test them? Has time efficiency taken precedence over technical supremacy?
Singapore is pushing for it to be mandatory for all healthcare institutions (both in the private and public sectors) to contribute patient data to the National Electronic Health Record (NEHR), in a move aimed at providing better care for patients. While this might be more efficient for the government to manage health records and the like, has it considered that patients may not wish for their personal data to be made available in this manner? At the end of the day, shouldn’t patients have a choice as to who they choose to share their data with? In light of the current cyber breach, will the government reconsider this proposal?
I know that the authorities have said that there are safeguards in place to ensure that only those providing care to patients access their records. Clearly, in light of this recent cyber attack, that is not the case. If we cannot even safeguard our own Prime Minister’s data, this does not bode well for the rest of us. If going “smart” is inevitable, at least spend more time thinking about potentially vulnerable points to prevent and reduce the magnitude of future attacks. Trial the system from all angles. Increase the testing timelines. I would urge the government to take a step back from rushing to be “smart” when they are not yet “secure”.
We also need to think of suitable redress for victims of cyber attacks. If the government is going to force us to share our data, then we ought to be compensated if the data is breached due to their security being compromised.
Perhaps we should try not to set arbitrary timelines for this, as we do for other things like World Cup 2010, which we all know never materialised. Not only did it flop, Mindef is now trying to make sure that it would never ever happen by rejecting Benjamin Davis’ request for deferment to National Service. I leave you with that thought!