Hero Panel Image

Technology offers promise – and peril – for healthcare in Singapore

Share:
Francis Yeow

Francis Yeow

CISO

Parkway Hospitals Singapore Pte Ltd

Nov 21, 2022

Singapore's healthcare system relies on technology to serve its aging population. One CISO argues the country is not yet paying commensurate attention to IT security

People often say there’s a “silver tsunami” headed for the island of Singapore.

It’s estimated that, by 2030, one in four Singaporeans will be 65 or older. This, along with the World Health Organisation’s projected shortfall of 10 billion healthcare workers globally, means the country has no choice but to explore technology as a means of expanding its healthcare capacity.

From digitised medical records to an ever-expanding roster of IoT-enabled devices, the country leans heavily on technology to serve an aging population that’s both rapidly retiring from the workforce and increasingly requiring additional care. Singapore’s healthcare system handles millions, if not billions, of data objects each day to in catering to the island’s more than 5 million inhabitants. 

Some hospital groups in Singapore are experimenting with AI-assisted fall prevention, 5G-connected robots for medication delivery, augmented-reality surgical procedures, and other technological innovations that once seemed to belong to a permanently distant future.

There’s also the more mundane business of automating the intake of patient data using apps and routing care through AI-powered chatbots. While those technologies aren’t as flashy as some of the others wheeling around the halls of Singapore’s hospitals, they are nonetheless crucial to their smooth functioning.  

All modern hospitals are vulnerable to cyberattacks to some extent. But the healthcare system in Singapore is especially reliant on technology for some of the reasons just discussed. We can’t afford to ignore the benefits it offers. But we also need to recognise that it comes with significant risks. 

The proliferation of devices, especially internet-enabled ones, has drastically increased the attack surface of Singapore’s hospitals. Only recently in our own region, we’ve witnessed healthcare groups hit with very public and costly ransomware incidents ultimately resulting in the unauthorised release of patient data. But it could have been much worse.

In cases of legacy network architecture – in which a single breach threatens to allow cybercriminals widespread and persistent access to a hospital’s network – the compromise of a single connected device could allow cybercriminals to significantly disrupt a hospital’s operations. In a worst-case scenario, it could result in a DDoS or some other type of attack that seriously threatens a facility’s ability to function and ultimately impacts patient care. 

A system in need of identity and access management advances

Despite the technological advances meant to enhance the capacity of Singapore’s healthcare system, its cybersecurity progress has not always kept pace. Within some hospital systems, even the practice of using multi-factor identification (MFA) is still in its infancy.

There have been some efforts to codify the security status of certain IoT devices, but they are far from sufficient. As one recent H-ISAC white paper noted, identity and access management is an especially tricky practice in the healthcare industry. 

Staff regularly log onto different devices, in different rooms, and even in different buildings on a hospital’s campus. Some devices may be carried with them, and some may be logged into and then left. Behaviour like this, while standard for healthcare users, would appear suspicious in other industries. 

The challenge and the promise of zero trust lie in being able to verify the identity of users, IoT/OT devices, and even cloud-based workflows where they are in use. By embracing zero trust, all access requests are treated as suspicious until proven otherwise. 

As a security leader at a Singaporean hospital group myself, I came to view a zero trust model as the key to addressing what I recognized as security gaps within my own organization. Specifically, the model’s emphasis on identity verification presented itself as a solution for a problem plaguing the healthcare industry. Zero trust best practices overlap with my belief that MFA is a necessary but not sufficient component of controlling access. 

Granting access to resources based on least privilege means credentials alone are not sufficient to gain broad access to a network. This is very important in an environment where workers may be called away from their workstations at the drop of a hat to assist with emergencies. Context and per-session-based permissions allow for me and my team to more closely control who can access which resources.

Even though I suspected there would be significant benefits, setting out on a zero trust transformation was an intimidating prospect. I decided that, after carefully analysing the weaknesses in my environment, I would try to address them piecemeal. I adapted a “divide and conquer” mentality. My advice for those on a similar path, especially in the healthcare sector, would be to start small, tackle the low-hanging fruit, and let your confidence grow.

I began to see a reduction in security incidents when my zero trust transition was only in its initial phases. This gives me the confidence that, if the healthcare system begins its own digital transformation today, the country would continue to benefit from the promise of technology’s contribution to medicine with a fraction of the risk.

What to read next

Could double extortion prompt a public health crisis?

Zero trust element #1: Who’s connecting?

Recommended