Use 2-factor authentication to access health records

A number of private practitioners have expressed their reservations about participating in the National Electronic Health Record (NEHR) (Electronic health records could curb patients from seeking psychiatric help, by Dr Desmond Wai Chun Tao, May 12; and Consider all stakeholders' views, concerns over electronic health records, by Dr Leong Choon Kit, May 24).

Their main reservation is the privacy of patients' medical data relating to socially sensitive conditions, such as sexually transmitted diseases and mental illnesses.

Although only authorised healthcare professionals are allowed to access the NEHR, with penalties for unauthorised access or use of information, the question remains whether the usual safeguards for computer-accessible information are adequate.

As there are black sheep in every profession, these safeguards may fall short in the real world. After all, there have been news reports about people who abuse their data access privileges.

For the NEHR, there is a case for two-factor authentication (2FA) to safeguard the medical data.

The first factor is the doctor or healthcare worker, while the second factor is the patient himself.

When a patient sees a doctor for the first time, the patient can record his consent for the doctor to access or update his NEHR by using the doctor's computer to sign into the NEHR system himself.

After this, the NEHR should "remember" this consent so that the doctor can subsequently access this patient's NEHR without further need for 2FA.

This 2FA would prevent any other doctor not directly treating the patient from accessing his medical records without his express consent. The patient can also view his own personal data in the NEHR system using his SingPass.

Hospitals and healthcare facilities can designate a responsible administrative officer to be given temporary access in emergency situations where the patient is unable to use his SingPass.

This two-key arrangement for emergencies serves to deter any rogue healthcare personnel from misusing their authorised access.

Steven Lo Chock Fei

A version of this article appeared in the print edition of The Straits Times on May 30, 2018, with the headline 'Use 2-factor authentication to access health records'.