Parliament: Internet surfing separation may be permanent in some parts of public healthcare, says Gan Kim Yong

Health Minister Gan Kim Yong said: "We will study the impact of ISS on the ground, and determine whether we can keep it as a permanent measure, at least for some parts of our healthcare system."
Health Minister Gan Kim Yong said: "We will study the impact of ISS on the ground, and determine whether we can keep it as a permanent measure, at least for some parts of our healthcare system."PHOTO: SCREENGRAB FROM YOUTUBE/GOVSINGAPORE

SINGAPORE - Studies are underway to keep Internet surfing separation (ISS) a permanent measure in some parts of public healthcare organisations following Singapore’s worst breach involving the personal data of 1.5 million SingHealth patients, Parliament heard on Monday (Aug 6).

Revealing this in Parliament on Monday (Aug 6), Health Minister Gan Kim Yong said: "We will study the impact of ISS on the ground, and determine whether we can keep it as a permanent measure, at least for some parts of our healthcare system."

After the cyber attack was discovered last month, the Health Ministry implemented ISS - where confidential data systems are separated from the Internet - as a temporary measure across all the public healthcare clusters.

"We will need to develop longer term mitigation solutions to overcome the operational issues if ISS is to stay," said Mr Gan.

He noted that many healthcare systems in other countries - such as Hong Kong's Hospital Authority and United States-based managed care group Kaiser Permanente - have found it difficult to implement ISS for practical and operational reasons.

Hence, they have not implemented ISS fully across their operations.

An alternative approach is to use virtual browsers, which enable users to access the Internet safely via a set of quarantined servers, to reduce the number of potential attack points.

The Health Ministry is studying and piloting the system, scheduled to be completed by the end of September.

 
 
 

It will be deployed together with Advanced Threat Protection (ATP) technologies, expected to be ready by the end of August, to better fend off advanced cyber attacks.

Non-Constituency MP Daniel Goh asked if security measures taken after the attack have affected waiting time and consultation time at public hospitals and polyclinics.

In his reply, Mr Gan said: "Areas that have been affected include reading of diagnostic reports from laboratories, video consultation and assessment of suspected stroke patients at the emergency department.

"Waiting times for consultation may also be longer as doctors may need to access references on the Internet through a separate computer."

Other unresolved issues include referrals to private sector partners, and submission and retrieval of results from screening systems.

"These do not compromise patient care and safety, but affect the efficiency of our healthcare delivery," said Mr Gan.

The attack has also called into question the security of the National Electronic Health Record (NEHR) system, although data from there was not leaked during the attack.

Ms Joan Pereira (Tanjong Pagar GRC) asked how the NEHR, which enables the sharing of patients' treatment and medical data among hospitals here, can be made more secure.

Describing the NEHR as a critical part of the healthcare system, she said: "(Such a) cyber attack can take many forms. On top of data leakage, it could be even worse if the system is shut down by the perpetrators - for example, by ransomware - or if patients' records are altered or deleted."

In his response, Mr Gan said that the NEHR is a separate system that was not affected by the SingHealth cyber attack.

"Due to the need for the system to interface with multiple external partners, the NEHR is designed differently from the systems that were infiltrated," he said. "Nevertheless, we recognise that this is an important national system of significant scale, as it will eventually house key medical records for all patients."

As such, mandatory contributions to the NEHR have been put on hold until further notice pending a cyber-security review of the system.

The Health Ministry has engaged the Cyber Security Agency of Singapore and professional services firm PwC Singapore to identify vulnerabilities and recommend ways to plug the gaps.

"We must assure ourselves, users and patients that the necessary safeguards are in place, before we proceed with wider implementation of the NEHR," said Mr Gan on Monday.

"However, we should not reverse our direction in the use of technology in healthcare. Digitalisation, technology and use of data in healthcare have brought many benefits to patients. We cannot return to the days of paper and pencil," he added.