Parliament: Health IT systems being strengthened, says Gan Kim Yong

These measures follows last year's cyber attack on SingHealth that resulted in the theft of 1.5 million patients' personal particulars.
These measures follows last year's cyber attack on SingHealth that resulted in the theft of 1.5 million patients' personal particulars.ST PHOTO: JASMINE CHOONG

SINGAPORE - Integrated Health Information Systems (IHiS), the IT vendor for Singapore's healthcare sector, is working to roll out a feature that lets patients view the access logs of their own National Electronic Health Record (NEHR) data, Health Minister Gan Kim Yong said on Wednesday (March 6) in Parliament.

This will allow patients themselves to report any suspicious access, he said.

The feature is among the enhancements underway to strengthen the security of electronic health records and systems.

Mr Gan said there are three broad levels of safeguards protecting the NEHR: hardening protection against cyber attacks and unauthorised access; putting in place effective measures to detect and respond to security breaches; and deterring breaches from happening.

These measures follows last year's cyber attack on SingHealth that resulted in the theft of 1.5 million patients' personal particulars.

The Minister also said that regular security audits are conducted on the NEHR database, with the most recent penetration test done in October 2018.

"In addition, there are ongoing robustness tests conducted by the Cyber Security Agency, GovTech and an independent third party, PwC. At the user level, the NEHR should only be used for direct patient care. Other uses, including for research, are not allowed.

"There are strict controls to protect against unauthorised access. The system also does not allow users to download records onto workstations."

The new feature planned by IHiS falls under the detection level. In addition, all access to the NEHR is logged and subjected to monthly audits using analytics to detect unusual usage patterns, Mr Gan said.

 
 
 

In terms of deterrence, he said stern action would be taken against anyone responsible for breaches, including staff who failed in their duties.

He added that other enhancements have been made to Singapore's cyber-security safeguards since the cyber attack.