Is technology threatening Singapore's healthcare system?
By Jeffrey Kok
With state-of-the-art infrastructure and excellent medical practice, Singapore has a well-deserved reputation for first-class healthcare. Singapore ranks second in the world in providing its citizens with quality healthcare, and is also a major location for medical tourism in Asia.
However, Singapore’s healthcare system cannot rest on its laurels. With 610,000 people aged above 65 in 2020, Health Minister Gan Kim Yong has emphasised the need for 30,000 more healthcare workers by 2020, including doctors who specialise in geriatric medicine. To improve productivity and reduce operational costs, the government has eagerly embraced technology to provide innovative solutions to these challenges.
Telehealth, robotics, and more
The potential applications for technology include everything from “intelligent” blood-sensitive bandages for dialysis patients, to robots that help stroke patients exercise or keep dementia patients occupied. In the operating theatre, robotic laparoscopic surgery has become relatively commonplace.
The Internet of Things and big data are driving positive disruption worldwide in healthcare and other industries; in Singapore, a few institutions are already examining how mobility might save time, money, and trouble for procedures that don’t need an in-person visit.
Catastrophic risks from security breaches
It all sounds like a brave new world – but there are warning signs on this expressway to digital health management that must not be ignored. In last year’s CyberArk Global Advanced Threat Landscape Survey, 61% of the survey respondents from the United States, Europe (France, Germany, and United Kingdom), Israel, and Asia Pacific (Australia, New Zealand, Singapore) said they view attacks impacting healthcare and hospital services as potentially the most catastrophic threat.
The main concern here is the ease with which IoT devices can be hacked. IoT devices are potentially the most vulnerable targets for cyber attackers today, because of their connectedness, the personal information they store, and the general lack of security protocols.
Passwords on a stick
IoT devices, like all digital technologies, come with administrative privileges to provide a certain level of security. However, we often overlook the need to change the factory default password on such devices – and default passwords are elementary and easy to hack. We only need to reference the widespread impact wrought by compromised devices of StarHub customers to see the damage potential for the healthcare industry.
The potential damage from hacked IoT devices includes the loss of personal, private patient data, as well as the opening of a gateway into the larger hospital system. Certainly, online repositories of data enable nurses and other professionals to easily provide advice remotely, but what if cyber attackers should get access to such data?
What’s more, the survey further revealed that 53% of the organisations (across all sectors) surveyed still store privileged and administrative passwords in a Word document or spreadsheet, whilst 39% use a shared server or USB stick.
A further threat is allowing third-party vendors access to internal networks. Organisations often overlook remote access controls, leaving an open door into the network. Singapore is the worst performer in this area, with 26% of Singaporean enterprises neglecting to secure third-party vendor access and 33% not monitoring it at all.
The solution – a shared responsibility
Fortunately, there are well-defined steps that organisations can take to manage these risks. Allowing IoT devices to communicate openly and freely can no longer continue. Whilst it is the responsibility of the vendors to make securing their devices easy (and industry-enforced standards and regulations may be necessary to enforce these practices), administrative privilege must be managed by both the customer and the vendor.
Staff training is another critical area. A study by Ponemon Institute recently reported that 56% of security practitioners surveyed said company insiders are the primary cause of security breaches – not due to malicious actors, but simply due to bad security habits.
The first line of defence against the well-intentioned insider is awareness and training. All employees should be educated to understand the risks, organisational policies, and the reasons for those policies.
Privileged accounts are another area of concern. The lack of accountability and protection of privileged accounts is most often exploited by cyber attackers. The benefits of protective controls and detection capabilities on privileged accounts and credentials should not be overlooked as part of a comprehensive security strategy.
Finally, consumers too must play their part through a determined and consistent effort to adopt best practices. These include changing default passwords on IoT devices, keeping firmware updated, choosing more secure and supported IoT devices, being aware of phishing attacks, and avoiding sharing of private information and passwords.
One hundred percent cybersecurity can never be guaranteed, but a serious effort by vendors, healthcare staff, and consumers to improve their security consciousness will go a long way toward protecting the undoubted benefits that technology brings to patients.