The rise of cyberattacks targeting healthcare data has never been more prominent than during the pandemic, bringing to light the urgent need to fortify security in healthcare institutions.
In a significant move, Singapore’s Integrated Health Information Systems (IHiS) has recently rebranded as Synapxe. The new name is a nod to the agency’s multifaceted and central role in Singapore’s healthtech landscape. According to Synapxe, it aims to connect people and systems so it can enhance public health while adapting to the sector’s evolving challenges.
Frontier Enterprise spoke with Leonard Ong, Synapxe’s newly appointed Director for Policy, Risk Management & Capability Development (Cyber Defence Group) about his new role, the organisational rebrand, and how healthcare institutions can better safeguard their assets.
Can you talk a little about the organisation’s rebrand? Is there a change in the remit, or a broadening of your role within Synapxe?
Typically, a rebrand brings new spirit and motivation, sparking fresh passion to achieve more than before. The name Synapxe itself is quite cool. The colours show our desire to explore new avenues. The ‘X’ in Synapxe signifies our ambition to multiply our current efforts to enable tomorrow’s healthcare. In this context, as we aim to do more, and with healthcare’s journey moving digital, cybersecurity undoubtedly becomes a critical element. I recall from the Minister’s speech during the rebranding exercise, he highlighted five priorities, one of which is cybersecurity. This illustrates our move towards a digital direction, and cybersecurity is one of the key aspects of our focus.
From Synapxe’s perspective, what are the biggest cybersecurity concerns out there?
Healthcare has become one of the most targeted sectors for cyberattacks. In recent years, the focus has shifted from the financial sector to healthcare. With our ageing population, we’re increasingly reliant on healthcare, striving to provide better care for everyone. This is where health transformations and cybersecurity will play a role. As we innovate to secure systems that save lives, the challenge is to ensure the delivery of better care for everyone.
At the same time, one of the challenges is securing these innovations and new initiatives while maintaining efficient clinical workflows. This differs from other industries, as it’s crucial for healthcare professionals to work to their fullest potential in a secure environment. The challenge lies in the increasing amount of data. With the innovation in healthcare technology, more data is being collected, and much of this data is sensitive personal information, such as medical records. Thus, we have to secure it as well.
How does your new role differ from your previous one, which was at a private company?
I wouldn’t say the security concerns at both organisations are totally different, but Synapxe plays a larger role. Think about what Synapxe does: it’s the national healthtech agency, an ecosystem enabler, a partner to public healthcare, and a producer of products and solutions for the healthcare sector.
In a way, there are a lot of roles that we are playing. Therefore, the scope and coverage are wider. Because of that, the things that we are doing here, in a way, are more diverse and complex.
A lot of enterprises complain that there’s too many security solutions out there that need to be stitched together. Is this also the case with Synapxe?
The most important thing is understanding why we do cybersecurity, or what is the primary mission of the organisation. We are very clear that our role is to enable innovations to provide a reliable and secure system for the healthcare sector, especially in Singapore. We then select technologies that are fit for purpose.
Instead of focusing on the numbers, it’s important to consider what we need based on our risk profile and the threat landscape. We address these needs to maintain a proper security posture; that’s how we evolve. Of course, there’s also the matter of establishing the level of maturity that we, along with other industries and players, have. We try to elevate ourselves to a point where we feel, “Yes, that’s where we want to be.”
How do you see AI within Synapxe, especially in terms of security?
AI is a tool, and its outcome depends on how we use it. If used by the good guys, it will multiply our capabilities and capacities. Likewise, this technology isn’t exclusive to the good guys; threat actors can also use it to their benefit. Just as we automate detection, prevention, and response to security events, threat actors are also automating their scanning processes and exploiting vulnerabilities found on the internet. My view on AI isn’t about it being good or bad; it’s about how it’s used within the enterprise context.
We try to leverage AI the best we can, and it’s obviously embedded in many of the security technologies. Many firms may have already used AI without realising it, as it’s integrated into the security tools they are using. But the good thing is, we understand that we can’t wait for AI to become fully mature. A good organisation should invest in it. For example, Synapxe has an area dedicated to AI innovation. While I can’t speak about the details yet, there is an intention to explore how AI can be used for cybersecurity in the healthcare sector.
What do you think are the biggest security threats at the moment for the healthcare sector?
The cybersecurity threats in healthcare are somewhat similar to other industries. It could be ransomware or zero-day vulnerabilities in technologies that we use in multiple industries. I don’t feel that there is a specific threat that is different from other industries. If there is a difference, it will be in the operational technologies (OT) that we are using. While OT is common in factories and other sectors, in healthcare, we focus on medical devices. We’re looking into this area, and therefore, we’ve established a program for medical device and OT technologies within the healthcare sector.
The most important aspect is identifying the risks and determining how to manage them. As part of a larger, national effort, how do we bring the maturity of other medical devices that we use into a more secure level? There’s a specific program in place, the cybersecurity labelling scheme for medical devices. We’ve just started a sandboxing exercise, receiving submissions from a medical device manufacturer. This is to assess how the initial set of medical devices might achieve certification under this labelling scheme.
