Do doctors have the knowledge to ward off data infiltration?

Lack of situational awareness, tardy responses, workstation infections, malware distribution, weak passwords and data infiltration were some of the terms the Committee of Inquiry used to describe the SingHealth data breach incident (Tardy responses, security failings led to SingHealth breach; Sept 22).

My guess is that many people will have difficulties understanding and responding to these terms.

How then are they to avoid such recurrences?

The next potential targets could be private and public physicians, as they are going to get access to patients' health information through the National Electronic Healthcare Record (NEHR) system, a different system from SingHealth's.

Many discussions are focused on the centralised system's security and its protection. However, the weakest link of any security system is always the user.

All physicians are presumed to have been granted access rights, with appropriate guidelines in place, to all patients' healthcare records so that optimal treatment can be provided in a timely manner.

This offers opportunities for those looking to profit through the patients' healthcare records or those seeking fame via the hacking of a major database system.

With close to 14,000 physicians in Singapore last year according to the Singapore Medical Council's 2017 annual report, how can these physicians defend their individual access points against the spectre of cyber attacks?

With both private and public physicians having the same level of access to patient records, the issue is whether all of them possess the necessary knowledge to ward off intrusions or infiltration.

Is there a requirement to implement an Internet surfing separation? Are there separate intranet and Internet systems?

Are doctors aware that the ubiquitous Wi-Fi system in their clinics can serve as an open door to hackers?

Are they also aware of regular system updates and security breach alerts?

Furthermore, when there is a patient record retrieval request, can the system differentiate between a bona fide physician access and a hacker?

Lastly, who shall own the burden of proof and be responsible for healthcare record leaks in the NEHR as a result of security breaches in physicians' personal access terminals?

Tay Kar Woo

A version of this article appeared in the print edition of The Straits Times on September 26, 2018, with the headline 'Do doctors have the knowledge to ward off data infiltration?'. Print Edition | Subscribe