• Home
  • About RSIS
    • Introduction
    • Building the Foundations
    • Welcome Message
    • Board of Governors
    • Staff Profiles
      • Executive Deputy Chairman’s Office
      • Dean’s Office
      • Management
      • Distinguished Fellows
      • Faculty and Research
      • Associate Research Fellows, Senior Analysts and Research Analysts
      • Visiting Fellows
      • Adjunct Fellows
      • Administrative Staff
    • Honours and Awards for RSIS Staff and Students
    • RSIS Endowment Fund
    • Endowed Professorships
    • Career Opportunities
    • Getting to RSIS
  • Research
    • Research Centres
      • Centre for Multilateralism Studies (CMS)
      • Centre for Non-Traditional Security Studies (NTS Centre)
      • Centre of Excellence for National Security (CENS)
      • Institute of Defence and Strategic Studies (IDSS)
      • International Centre for Political Violence and Terrorism Research (ICPVTR)
    • Research Programmes
      • National Security Studies Programme (NSSP)
      • Studies in Inter-Religious Relations in Plural Societies (SRP) Programme
    • Future Issues and Technology Cluster
    • [email protected] Newsletter
    • Other Research
      • Science and Technology Studies Programme (STSP) (2017-2020)
  • Graduate Education
    • Graduate Programmes Office
    • Overview
    • MSc (Asian Studies)
    • MSc (International Political Economy)
    • MSc (International Relations)
    • MSc (Strategic Studies)
    • NTU-Warwick Double Masters Programme
    • PhD Programme
    • Exchange Partners and Programmes
    • How to Apply
    • Financial Assistance
    • Meet the Admissions Team: Information Sessions and other events
    • RSIS Alumni
  • Alumni & Networks
    • Alumni
    • Asia-Pacific Programme for Senior Military Officers (APPSMO)
    • Asia-Pacific Programme for Senior National Security Officers (APPSNO)
    • SRP Executive Programme
    • Terrorism Analyst Training Course (TATC)
  • Publications
    • RSIS Publications
      • Annual Reviews
      • Books
      • Bulletins and Newsletters
      • Commentaries
      • Counter Terrorist Trends and Analyses
      • Commemorative / Event Reports
      • IDSS Paper
      • Interreligious Relations
      • Monographs
      • NTS Insight
      • Policy Reports
      • Working Papers
      • RSIS Publications for the Year
    • Glossary of Abbreviations
    • External Publications
      • Authored Books
      • Journal Articles
      • Edited Books
      • Chapters in Edited Books
      • Policy Reports
      • Working Papers
      • Op-Eds
      • External Publications for the Year
    • Policy-relevant Articles Given RSIS Award
  • Media
    • Great Powers
    • Sustainable Security
    • Other Resource Pages
    • Media Highlights
    • News Releases
    • Speeches
    • Vidcast Channel
    • Audio/Video Forums
  • Events
  • Giving
  • Contact Us
Facebook
Twitter
YouTube
RSISVideoCast RSISVideoCast rsis.sg
Linkedin
instagram instagram rsis.sg
RSS
  • Home
  • About RSIS
      • Introduction
      • Building the Foundations
      • Welcome Message
      • Board of Governors
      • Staff Profiles
        • Executive Deputy Chairman’s Office
        • Dean’s Office
        • Management
        • Distinguished Fellows
        • Faculty and Research
        • Associate Research Fellows, Senior Analysts and Research Analysts
        • Visiting Fellows
        • Adjunct Fellows
        • Administrative Staff
      • Honours and Awards for RSIS Staff and Students
      • RSIS Endowment Fund
      • Endowed Professorships
      • Career Opportunities
      • Getting to RSIS
  • Research
      • Research Centres
        • Centre for Multilateralism Studies (CMS)
        • Centre for Non-Traditional Security Studies (NTS Centre)
        • Centre of Excellence for National Security (CENS)
        • Institute of Defence and Strategic Studies (IDSS)
        • International Centre for Political Violence and Terrorism Research (ICPVTR)
      • Research Programmes
        • National Security Studies Programme (NSSP)
        • Studies in Inter-Religious Relations in Plural Societies (SRP) Programme
      • Future Issues and Technology Cluster
      • [email protected] Newsletter
      • Other Research
        • Science and Technology Studies Programme (STSP) (2017-2020)
  • Graduate Education
      • Graduate Programmes Office
      • Overview
      • MSc (Asian Studies)
      • MSc (International Political Economy)
      • MSc (International Relations)
      • MSc (Strategic Studies)
      • NTU-Warwick Double Masters Programme
      • PhD Programme
      • Exchange Partners and Programmes
      • How to Apply
      • Financial Assistance
      • Meet the Admissions Team: Information Sessions and other events
      • RSIS Alumni
  • Alumni & Networks
      • Alumni
      • Asia-Pacific Programme for Senior Military Officers (APPSMO)
      • Asia-Pacific Programme for Senior National Security Officers (APPSNO)
      • SRP Executive Programme
      • Terrorism Analyst Training Course (TATC)
  • Publications
      • RSIS Publications
        • Annual Reviews
        • Books
        • Bulletins and Newsletters
        • Commentaries
        • Counter Terrorist Trends and Analyses
        • Commemorative / Event Reports
        • IDSS Paper
        • Interreligious Relations
        • Monographs
        • NTS Insight
        • Policy Reports
        • Working Papers
        • RSIS Publications for the Year
      • Glossary of Abbreviations
      • External Publications
        • Authored Books
        • Journal Articles
        • Edited Books
        • Chapters in Edited Books
        • Policy Reports
        • Working Papers
        • Op-Eds
        • External Publications for the Year
      • Policy-relevant Articles Given RSIS Award
  • Media
      • Great Powers
      • Sustainable Security
      • Other Resource Pages
      • Media Highlights
      • News Releases
      • Speeches
      • Vidcast Channel
      • Audio/Video Forums
  • Events
  • Giving
  • Contact Us
  • instagram instagram rsis.sg
Connect

Getting to RSIS

Map

Address

Nanyang Technological University
Block S4, Level B3,
50 Nanyang Avenue,
Singapore 639798

View location on Google maps Click here for directions to RSIS

Get in Touch

    Connect with Us

      rsis.ntu
      rsis_ntu
      rsisntu
    RSISVideoCast RSISVideoCast rsisvideocast
      school/rsis-ntu
    instagram instagram rsis.sg
      RSS
    Subscribe to RSIS Publications
    Subscribe to RSIS Events

    RSIS Intranet

    S. Rajaratnam School of International Studies Think Tank and Graduate School Ponder The Improbable Since 1966
    Nanyang Technological University Nanyang Technological University

    Skip to content

     
    • RSIS
    • Publication
    • RSIS Publications
    • Healthcare: A Critical Information Infrastructure
    • Annual Reviews
    • Books
    • Bulletins and Newsletters
    • Commentaries
    • Counter Terrorist Trends and Analyses
    • Commemorative / Event Reports
    • IDSS Paper
    • Interreligious Relations
    • Monographs
    • NTS Insight
    • Policy Reports
    • Working Papers
    • RSIS Publications for the Year

    CO19204 | Healthcare: A Critical Information Infrastructure
    Pauline C. Reich

    15 October 2019

    download pdf
    RSIS Commentary is a platform to provide timely and, where appropriate, policy-relevant commentary and analysis of topical and contemporary issues. The authors’ views are their own and do not represent the official position of the S. Rajaratnam School of International Studies (RSIS), NTU. These commentaries may be reproduced with prior permission from RSIS and due credit to the author(s) and RSIS. Please email to Editor RSIS Commentary at [email protected].

    SYNOPSIS

    As we rely more and more on networked data and devices with the advent of the 5G networks, there are more Internet-connected devices entering the medical marketplace worldwide. What are the cybersecurity risks to the healthcare sector?

    COMMENTARY

    YEARS AGO, in the film “The Net”, terrorists arranged to kill a diabetic patient by remotely changing the insulin dose in his IV drip. Today such attacks are possible in reality through remote access to network-connected health devices.

    According to the 2019 Health Canada advisory, a cybersecurity vulnerability could allow an attacker to access the settings of some Medtronic insulin pumps and tamper with the amount of insulin delivered to the patient. We have also seen ransomware attacks against hospitals, and major hacks of health insurance and patient electronic health records in some countries, including Singapore.

    Emerging Trend

    According to a Zion Market Research report, the Asia-Pacific cybersecurity in healthcare market is projected to show a high growth rate in the years ahead. This rapid growth is also attributed to the presence of research and development centres of the medical device and pharmaceutical industry and several MNC headquarters. “These organisations are highly vulnerable to cyberattacks from malicious insiders, state and non-state agents, and external hackers,” says the report.

    According to the 2019 IBM Security and Ponemon Cost of a Data Breach Report, the highest industry average cost of a data breach found in their global survey was $6.45 million in the healthcare category.

    A survey by Carbon Black entitled Healthcare Cyber Heists in 2019 conducted with CISOs from the healthcare industry worldwide indicates that two thirds (66%) of the surveyed healthcare organisations had encountered attacks in which the primary motivation was destruction of data; and two thirds (66%) reported that their organisation was targeted by a ransomware attack.

    Clearly the healthcare sector needs strong regulation and guidelines to help secure healthcare data and network-connected medical devices as elements of critical information infrastructure.

    What is “Critical Information Infrastructure”?

    There is no one definition of a Critical Information Infrastructure. Each country decides what its own critical sectors are. In Asia, only Singapore, Bangladesh, China, Japan, Malaysia, The Philippines, and Sri Lanka include public health and safety or medical and health services in their definitions.

    Under Singapore’s Cybersecurity Act of 2018, the Commissioner may “designate a computer or computer system as a critical information infrastructure … issue or approve one or more codes of practice or standards of performance for the regulation of the owners of critical information infrastructure with respect to measures to be taken by them to ensure the cybersecurity of the critical information infrastructure”.

    Singapore’s Guidelines

    Since network-connected medical devices are part of the critical information infrastructure, some of the standards, legislation and best practices applicable to their cybersecurity are as follows:

    The Health Sciences Authority (HSA) reviews connected medical devices (wireless-enabled, Internet-connected and network connected) and specifies that medical device cybersecurity is a shared responsibility between stakeholders (i.e. the health care facilities, patients, providers, and the Product Owner of the medical devices).

    The HAS also specifies that information to support the cybersecurity of these devices shall be provided. This will include, but is not limited to:

    (i) Cybersecurity vulnerabilities and risk management approach for the device, including validation reports where necessary;

    (ii) Cybersecurity controls measures;

    (iii) On-going plans for surveillance, timely detection and management of the cybersecurity related threats during the useful life of the device, especially when a breach has been detected.

    The Cybersecurity guidelines for healthcare institutions are published by the Singapore Standards Council. They provide guidelines for institutions on how to mitigate cybersecurity risks in the procurement of new connected medical devices, and day-to-day operations of existing connected medical devices.

    International Standards

    The ISO/IEC 80001-2-2 standard is a voluntary technical control standard for ‘Application of risk management for IT-networks incorporating medical devices’ and presents a unified and amalgamated approach to the safety of medical devices connected to IT networks.

    USA – NIST

    The National Institute of Standards and Technology, US Department of Commerce is a major source of standards used in the Information Security industry. In July 2018 it issued Special Publication 1-800-1, entitled Securing Electronic Health Records on Mobile Devices.

    European Union

    In May 2020, the EU will have a new Medical Device Regulation in effect.

    More Collaboration Needed

    The standards exist, but they must be applied and enforced. The safety of new and existing network-connected medical devices is of great concern to the medical community worldwide, but doctors cannot do it alone without the help of technologists and enforcement by regulators. Vigilant regulators like HSA and Health Canada are needed to help keep unsafe connected medical devices away from the market.

    Industry is focused on profits; government agencies and medical institutions worldwide suffer from the shortage of trained and certified cybersecurity experts; and there are not enough university programmes in healthcare cybersecurity issues that incorporate law, policy, and medical issues. Greater collaboration across disciplines is needed, to ensure that patients do not die due to hacking of connected medical devices.

    About the Author

    Pauline C. Reich is a Senior Fellow at the Centre of Excellence for National Security (CENS) at the S. Rajaratnam School of International Studies (RSIS), Nanyang Technological University (NTU), Singapore.

    Categories: Commentaries / Country and Region Studies / Cybersecurity, Biosecurity and Nuclear Safety / Non-Traditional Security / East Asia and Asia Pacific / Global / South Asia / Southeast Asia and ASEAN

    Last updated on 14/10/2019

    comments powered by Disqus
    RSIS Commentary is a platform to provide timely and, where appropriate, policy-relevant commentary and analysis of topical and contemporary issues. The authors’ views are their own and do not represent the official position of the S. Rajaratnam School of International Studies (RSIS), NTU. These commentaries may be reproduced with prior permission from RSIS and due credit to the author(s) and RSIS. Please email to Editor RSIS Commentary at [email protected].

    SYNOPSIS

    As we rely more and more on networked data and devices with the advent of the 5G networks, there are more Internet-connected devices entering the medical marketplace worldwide. What are the cybersecurity risks to the healthcare sector?

    COMMENTARY

    YEARS AGO, in the film “The Net”, terrorists arranged to kill a diabetic patient by remotely changing the insulin dose in his IV drip. Today such attacks are possible in reality through remote access to network-connected health devices.

    According to the 2019 Health Canada advisory, a cybersecurity vulnerability could allow an attacker to access the settings of some Medtronic insulin pumps and tamper with the amount of insulin delivered to the patient. We have also seen ransomware attacks against hospitals, and major hacks of health insurance and patient electronic health records in some countries, including Singapore.

    Emerging Trend

    According to a Zion Market Research report, the Asia-Pacific cybersecurity in healthcare market is projected to show a high growth rate in the years ahead. This rapid growth is also attributed to the presence of research and development centres of the medical device and pharmaceutical industry and several MNC headquarters. “These organisations are highly vulnerable to cyberattacks from malicious insiders, state and non-state agents, and external hackers,” says the report.

    According to the 2019 IBM Security and Ponemon Cost of a Data Breach Report, the highest industry average cost of a data breach found in their global survey was $6.45 million in the healthcare category.

    A survey by Carbon Black entitled Healthcare Cyber Heists in 2019 conducted with CISOs from the healthcare industry worldwide indicates that two thirds (66%) of the surveyed healthcare organisations had encountered attacks in which the primary motivation was destruction of data; and two thirds (66%) reported that their organisation was targeted by a ransomware attack.

    Clearly the healthcare sector needs strong regulation and guidelines to help secure healthcare data and network-connected medical devices as elements of critical information infrastructure.

    What is “Critical Information Infrastructure”?

    There is no one definition of a Critical Information Infrastructure. Each country decides what its own critical sectors are. In Asia, only Singapore, Bangladesh, China, Japan, Malaysia, The Philippines, and Sri Lanka include public health and safety or medical and health services in their definitions.

    Under Singapore’s Cybersecurity Act of 2018, the Commissioner may “designate a computer or computer system as a critical information infrastructure … issue or approve one or more codes of practice or standards of performance for the regulation of the owners of critical information infrastructure with respect to measures to be taken by them to ensure the cybersecurity of the critical information infrastructure”.

    Singapore’s Guidelines

    Since network-connected medical devices are part of the critical information infrastructure, some of the standards, legislation and best practices applicable to their cybersecurity are as follows:

    The Health Sciences Authority (HSA) reviews connected medical devices (wireless-enabled, Internet-connected and network connected) and specifies that medical device cybersecurity is a shared responsibility between stakeholders (i.e. the health care facilities, patients, providers, and the Product Owner of the medical devices).

    The HAS also specifies that information to support the cybersecurity of these devices shall be provided. This will include, but is not limited to:

    (i) Cybersecurity vulnerabilities and risk management approach for the device, including validation reports where necessary;

    (ii) Cybersecurity controls measures;

    (iii) On-going plans for surveillance, timely detection and management of the cybersecurity related threats during the useful life of the device, especially when a breach has been detected.

    The Cybersecurity guidelines for healthcare institutions are published by the Singapore Standards Council. They provide guidelines for institutions on how to mitigate cybersecurity risks in the procurement of new connected medical devices, and day-to-day operations of existing connected medical devices.

    International Standards

    The ISO/IEC 80001-2-2 standard is a voluntary technical control standard for ‘Application of risk management for IT-networks incorporating medical devices’ and presents a unified and amalgamated approach to the safety of medical devices connected to IT networks.

    USA – NIST

    The National Institute of Standards and Technology, US Department of Commerce is a major source of standards used in the Information Security industry. In July 2018 it issued Special Publication 1-800-1, entitled Securing Electronic Health Records on Mobile Devices.

    European Union

    In May 2020, the EU will have a new Medical Device Regulation in effect.

    More Collaboration Needed

    The standards exist, but they must be applied and enforced. The safety of new and existing network-connected medical devices is of great concern to the medical community worldwide, but doctors cannot do it alone without the help of technologists and enforcement by regulators. Vigilant regulators like HSA and Health Canada are needed to help keep unsafe connected medical devices away from the market.

    Industry is focused on profits; government agencies and medical institutions worldwide suffer from the shortage of trained and certified cybersecurity experts; and there are not enough university programmes in healthcare cybersecurity issues that incorporate law, policy, and medical issues. Greater collaboration across disciplines is needed, to ensure that patients do not die due to hacking of connected medical devices.

    About the Author

    Pauline C. Reich is a Senior Fellow at the Centre of Excellence for National Security (CENS) at the S. Rajaratnam School of International Studies (RSIS), Nanyang Technological University (NTU), Singapore.

    Categories: Commentaries / Country and Region Studies / Cybersecurity, Biosecurity and Nuclear Safety / Non-Traditional Security

    Last updated on 14/10/2019

    Back to top

    Terms of Use | Privacy Statement
    Copyright © S. Rajaratnam School of International Studies. All rights reserved.
    This site uses cookies to offer you a better browsing experience. By continuing, you are agreeing to the use of cookies on your device as described in our privacy policy. Learn more
    OK
    Latest Book
    Healthcare: A Critical Information Infrastructure

    SYNOPSIS

    As we rely more and more on networked data and devices with the advent of the 5G networks, there are more Internet-connected devices entering the m ...
    more info