Is there a Cybersecurity Strategy in Place?
Recently, the Minister of Health was quoted to have said in his keynote address at the ASEAN Healthcare Transformation Summit 2019 that an electronic system to share patient information in 145 hospitals nationwide will be implemented in the next 3 years. The electronic system will facilitate the transfer and sharing of patient information. The Minister was also quoted to have said that 20% of the hospitals in the country already have the system in place except that it is not fully operational.
We are presuming that the Minister was referring to the Malaysian Health Data Warehouse project (MyHDW) started by the Ministry of Health in 2010. According to the Ministry's website, MyHDW was envisioned to act as a platform for the standardization and integration of health data from a variety of sources to better manage the health system, provide surveillance information and in addition provides a valuable source of data for research.
The Ministry of Health may recalled the 'Wannacry' incident in 2017 where a virus targeting computers running the Microsoft Windows operating system struck the National Health Service hospitals in England and Scotland. Up to 70,000 devices – including computers, MRI scanners, blood-storage refrigerators and theatre equipment were infected with the malware virus. Some NHS services had to turn away non-critical emergencies, and some ambulances were diverted. Thousands of appointments and operations were cancelled and in five areas patients had to travel further to accident and emergency departments. The cyber attack could have caused more disruption if it had not been stopped by a cyber researcher activating a ‘kill-switch’.
Healthcare cybersecurity is a serious undertaking and these threats are real and we are worried and concerned that our public health sector might not have sufficient defense mechanisms in place. Healthcare networks not only include clinics and doctor’s offices, but things like Internet-based consulting with remote healthcare providers which was proposed and planned to be implemented in our country. With the electronic system, all public hospitals will and are expected to rely heavily on information sharing across disparate users and departments.
A breach of the healthcare system can cripple a hospital or health system, preventing sick people from getting the care they need. All of the reported cases to date are very specific - hackers targeted a healthcare provider and hacked into their systems to steal data. As virtually all of the systems for healthcare providers are online and internet accessible, it creates a perfect storm for cyber attackers. Medical records represent the most comprehensive set of records for an individual as it can include sensitive information about a patient’s medical history and treatment, rivalling those records stored within credit bureaus for completeness and criminal utility.
We do hope that the Electronic Medical Record System has a comprehensive strategy both to detect and deter the sophisticated attacker moving through the electronic system network, as well as the multitudes of ransomware tools that they will deploy as attacks can compromise not only networks and data, but also threaten those applications and services supporting critical patient care systems in our public health system.
As stated by the Bukit Aman Commercial Crimes Investigation Department (CCID) director Datuk Mazlan Mansor, who was reportedly quoted to have said on 20 March 2019, that cyber crimes has cost Malaysia RM64 million in the first three months of the year, indicating an upward trend. He further said the police are expecting bigger losses this year. The signs are ominous that cyber breaches are not going to slow down.