Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
internal and external malicious actors. Dr James Yip (“Dr Yip”), MOH’s Chief Data Advisor, also testified that it would be possible to encrypt patient databases, and provide tiered access to the decrypted data. b) Tokenisation 97 also prevents unauthorised access to selected columns of data. Tokenisation can be used as an alternative to encryption on a column-by-column basis. Even if a database is compromised, tokenising PII (personally identifiable information, such as name and NRIC number) would effectively frustrate an attacker’s ability to query for the medical records of specific individuals. Dr Lim testified that even if the data cannot be wholly encrypted, key information can at least be anonymised and hashed. Even bulk downloads of medical records would provide the attacker with no means of ascertaining who the individual records relate to. As the full medical record is not encrypted, there would be less performance-overhead related issues, as compared with encryption. 1057. It is acknowledged that encryption and tokenisation of data may have some impact on the operations of the PHIs, in terms of speed of access to patient records. However, such adverse impact should not be presumed without further study. As before, security should not be sacrificed merely for convenience, given the high-threat environment that exists today. Implementation needs to be carefully handled to minimise disruption to operations. An independent study should be conduct on the feasibility of implementing these measures in the EMR systems of the PHIs. 97 Tokenisation is the process of substituting a sensitive data element with a nonsensitive equivalent, referred to as a token, that has no exploitable meaning or value. The token is a reference that maps back to the sensitive data through a tokenisation system. Ina relational database, a column is a set of data values of a particular type (e.g. NRIC, Name etc.)
