Firms storing health data can expect more consumer scrutiny

Singapore

HEALTH-TECH startups expect Singaporeans to be more cautious about sharing their personal data in the wake of the massive data breaches at the HIV registry and SingHealth.

For many of these startups, which collect and store users' data as part of their core service, these two breaches could spell a near-term dent in consumer trust.

Dr Siaw Tung Yeng, CEO and founder of telehealth and mobile medicine startup MaNaDr, believes that the breaches will hit consumer confidence in handing over their data to health-tech startups and using these services.

The SingHealth data breach has raised awareness among Singaporeans about how "lucrative" healthcare data is to cyber criminals, he told The Business Times.

Meanwhile, the recent leak of the records of 14,200 people from the HIV registry highlights how easily health data can be used against someone. Beyond HIV, data on sexually transmitted infections and mental illness can also be especially sensitive.

Dr Siaw said: "Even a history of common chronic diseases may affect a promotion and insurance premiums. Singaporeans will certainly become more cautious about giving out their data."

MaNaDr collects data such as patients' contact details, identification number, health records for telehealth queries, telehealth prescriptions and lab reports.

Professor Shaun Wang of the Nanyang Business School at Nanyang Technological University said that with the high-profile breaches, industry players will need to pause and reassure consumers that their data is secure.

"People need to make sure that patient data confidentiality and privacy are secure before giving their data to health-tech start-ups. Once data is leaked, just like spilt water, you cannot put it back into the jar," he said.

Serene Cai, co-founder and head of marketing and communications at Speedoc, an app for on-demand house call doctors, said consumers are "right to be wary of where and who they give their data to" following the two high-profile breaches. "It is an immensely challenging and intensely personal time for everyone involved," she said.

Bryan Koh, CEO and founder of telemedicine app WhiteCoat, agrees that consumer confidence will likely be affected. To assuage fears, health-tech startups need to "provide consumers with the reassurance that their privacy and data will be safeguarded by ensuring continuous commitment to data security and accountability".

WhiteCoat, for instance, ensures that all patient data is securely encrypted and stored using enterprise-grade cloud solutions; patients' payment details are encrypted and tokenised to minimise the chances of credit card fraud, he added.

Some players are more sanguine. While declining to comment on overall sentiment among Singaporeans, Dr Vas Metupalle, co-founder and chief information officer of digital managed-care app MyDoc, said the confidence of his existing base of patients is "intact": "Our user base is growing and we continue to receive positive feedback from patients about the quality of our services."

Singapore's health-tech scene, especially that of telemedicine, is growing. Just last month, two telehealth apps entered the market - HiDoc, backed by the Singapore Medical Group, and Doctor World, which has a partnership with Raffles Medical Group.

Incumbents MaNaDr, WhiteCoat, MyDoc and Speedoc are part of the Ministry of Health's regulatory sandbox; HiDoc and Doctor World are applying to get into it.

Being in the sandbox and working closely with regulators will reassure consumers, said Carolyn Goh, co-founder and chief technology officer of HiDoc. "No provider can say they are 100 per cent safe. We work with MOH (Ministry of Health) pretty closely, and what they advise us, we add to the (data-protection) measures we already have," she said.

Cyber security researcher Professor Lam Kwok Yan of Nanyang Technological University said that while the recent breaches may cause uncertainty in the near term, they will not disrupt the march towards new forms of healthcare like telemedicine.

"We certainly can't resist new technologies... We should aim to achieve cyber resilience and make progress, even when surrounded by unpredictable risks," he said.

Dr Siaw of MaNaDr believes increased awareness of data risks will make consumers more discerning about the health-tech apps they use. "The extra caution and security-savviness is actually a positive outcome from the recent data breaches. The solution is not for everybody to stop giving out data and go back to the Stone Age."

But the key task at hand will be for health-tech startups, particularly those in telehealth, to strengthen their data-protection measures, said Vincent Goh, vice-president for the Asia-Pacific and Japan at cyber security firm CyberArk.

"Given that telehealth start-ups would need access to key credential information such as one's medical records and personal health conditions... startups would need to ensure that their internal IT teams control and secure cloud or on-premise access to their data server accounts, from server admin accounts to database instance accounts."

Tan Shong Ye, digital trust leader at PwC Singapore, pointed out that the other half of the battle is in realising that insider threats are just potent.

"The startup should put in place robust governance and processes to protect sensitive data. For example, strong access controls need to be in place, accompanied by relevant checks and balances to prevent a privileged account holder or administrator from stealing the data," he said.

Affected by the SingHealth data breach herself, Honey Mittal, chief product officer at on-demand home care startup Homage, said she is ever more conscious about the importance of data protection.

"There are many health-tech players who understand the responsibility towards their patients and have built a 'security never stops' mindset from the very start - something the whole ecosystem should adopt."