SINGAPORE: Challenges in providing patient care are among the issues that have arisen because of temporary Internet Surfing Separation (ISS) enforced across public healthcare clusters following the cyberattack on SingHealth, chief data advisor for the Ministry of Health (MOH) James Yip told a Committee of Inquiry (COI) on Monday (Nov 12).
The interim security measure has also reduced efficiency in operations while introducing other potential cybersecurity risks, he said.
Presenting a report to the COI with input from SingHealth, the National University Health System (NUHS) and the National Health Group (NHG), Dr Yip added that healthcare professionals have "accepted the additional burden and challenges" of Internet access being delinked, but stressed that ISS "may not be sustainable in the long run".
"In the immediate aftermath of the cyberattack on SingHealth, public healthcare staff have accepted the additional burden and challenges that temporary ISS imposes. Patients have also accepted poorer service delivery standards, delays and inconveniences, in some instances for the moment," said Dr Yip.
"The operational challenges ... will inevitably translate into tangible manpower and financial costs, and reduced employee and patient satisfaction. Ultimately, healthcare costs for the general Singapore public will rise."
He added that the task of finding enough healthcare workers for the future will become "even more challenging", given Singapore’s manpower constraints.
The cyberattack on SingHealth's database in July is Singapore’s most serious breach of public data to date. In all, 1.5 million patients' non-medical personal data were stolen, while 160,000 of those had their dispensed medicines' records taken.
Among those affected was Prime Minister Lee Hsien Loong, with the attackers targeting his personal particulars and information about his medicines.
Database administrators from Integrated Health Information Systems (IHiS) discovered the breach on Jul 4. Since September, a COI has been holding public hearings to investigate what happened during the data breach.
Temporary ISS was implemented at SingHealth on Jul 19, before it was extended to NUHS and NHG three days later.
This was to "strengthen (its) IT systems against evolving cybersecurity threats, and more importantly, to safeguard the confidentiality of our patients’ data," MOH had said in a press release.
"FIDDLING" WITH DEVICES
However, this has led to "difficulties on the ground", said Dr Yip, who is also the group chief medical informatics officer of the NUHS.
"The implementation of temporary ISS has had a significant impact on the public healthcare sector," he said, adding that it affects access to key information sources and impedes communication among clinicians and other healthcare personnel.
Citing the example of the TigerConnect desktop, a secure application which enables healthcare professionals to communicate with peers when they need to seek advice or guidance for treatment, Dr Yip said that some have had to turn to their personal mobile phones instead.
"In some polyclinics, the use of TigerConnect has been built into their workflow," he added. "As a result of temporary ISS, TigerConnect cannot be used on corporate work devices."
Seeing clinicians constantly use their own devices could also irk patients and they would "hate to see" a doctor "fiddling" with phones, added Dr Yip.
"SIGNIFICANT OPERATIONAL INEFFICIENCIES"
Dr Yip also said that the implementation of temporary ISS has resulted in "significant operational inefficiencies".
For one, administrative tasks have been affected by the ISS, said Dr Yip, as frontline staff now have to use a separate Internet-enabled device to check and retrieve patient information.
This initially led to lengthened wait times for patients, as such devices are shared, he said. Staff also have had to work overtime to complete tasks in some public healthcare institutions, as the management of multiple devices and the sharing of such devices between staff also increases the time taken to perform tasks.
While such issues have been "largely resolved", public healthcare institutions have spent a "significant amount of resources" to purchase additional Internet-enabled devices and tools such as Internet dongles to facilitate these administrative processes and reduce the time required to complete these tasks, said Dr Yip.
Some hospitals have also had to suspend their policies of disallowing staff from using their personal mobile phones while on duty, so that staff can use their personal mobile phones to carry out their work, he added.
As such, the use of separate Internet-enabled devices could lead to new cybersecurity risks and vulnerabilities, added Dr Yip.
"As the Internet-enabled devices are not on the corporate network, they need to be manually patched," he explained. "However, manual patching will likely lead to delays in updates and raises the risk of these Internet-enabled devices being compromised by malware and other viruses, which could be transmitted to the corporate devices when information is transferred between them."
COLLECTIVE EFFORT REQUIRED
Earlier in the day, the COI also heard from the former director of America's National Security Agency Keith Alexander, who stressed the importance of a "collective" effort in the battle against cyberattacks.
"I believe that critical infrastructure and government agencies must work together, and the government must be involved in the security, especially against advanced persistent threats," said Mr Alexander, who is now the chief executive officer of IronNet Cybersecurity.
Mr Alexander highlighted the importance of having a system with a "behavioural analytic capacity", which would flag suspicious activities.
Such a system would be able to detect unauthorised activities, such as an individual accessing an unusually large volume of data such as patient records, explained Mr Alexander.
"Behavioural analytics make collective defence a possibility," said Mr Alexander. "An effective and tested behavioural analytic capability produces a wealth of events that can be shared in a collective defence strategy at network speed."
The hearings will continue on Tuesday.