The Health March/April 2023 | Page 10


| Cover Story |

Enhance MySejahtera and MyVAS security levels

The MySejahtera App (MySJ) was initially created to help the government control the Covid-19 pandemic in Malaysia. It allows the app users to perform a self-health assessment, monitor their health status and share that information with the Ministry of Health (MoH) to take appropriate action.

The latest Auditor-General’s 2021 Report (Series 2) has uncovered several weaknesses involving MySejahtera’s user information registration, user account management for administrative matters, data management and security that may bring about the risk of account abuse and questionable data reliability.
The main issue with the app is its security level. The Report states that starting Oct 27, 2021, there were 1.12 million attempts to break into the MySejahtera app.
The personal information of three million vaccine recipients had been downloaded from the MySejahtera app by a “Super Admin” account under the MyVAS system, which vaccination clinics use to record and issue Covid-19 vaccination certificates.
The data breach took place between Oct 28 and Oct 31, 2021, using five different IP addresses, according to the national audit, citing an email from MySejahtera developer KPISoft Malaysia Sdn Bhd, currently known as Entomo Malaysia Sdn Bhd, to the National Security Council (MKN) on Nov 2, 2021.
On Nov 5, 2021, the Ministry of Health (MoH) filed a police report after notifying the National Cyber Security Agency (NACSA) of the incident.
MoH responded to the Auditor-General’s office, stating that police are still investigating the incident. Authorities were able to link the data breach to a MyVAS “Super Admin” account. Still, they have not yet identified the data field to which the millions of vaccine records were exported. The user ID was deactivated on Nov 2, 2021.
Other weaknesses involving the app identified by the Report included:
• User account management for administration, data matters, and data security may bring the risk of account abuse and questionable data reliability.
• There were 1,657 individuals having more than one MySJ ID.
• 1,543 individuals have between two and seven accounts involving 3,108 MySJ IDs with active status and their identity verified and having received vaccines.
• Registration and cancellation for the administrative management of MySejahtera and MyVAS applications are made using back-end scripts.
• PPV user account cancellation can only be made through back-end scripts.
• A total of 56 MyVAS Admins had been created. As many as 29 users had been given to third parties, and 10 as general users.
• Each PPV is only given one user account, which is used simultaneously by all officers on duty to carry out the entire vaccination process, such as checking, registering and validating vaccinated individuals without access limits.
• A total of 11 PPV user accounts were cancelled between three and 63 days after the PPV was closed.
• 28,735 vaccination records showed that individuals received the vaccine after the PPV closed.
• 70 individuals who have died have an active MySejahtera (MySJ ID) application account.
• A total of 12,275 vaccination records were incomplete.
• A total of 3.89 million records were uploaded more than one day after the date the individual was vaccinated.
• The upload period for 1,262 records was unreasonable as the date of the vaccine uploaded into the system was before the start of the vaccine program on Feb 24, 2021.
• A total of 203,846 records had been uploaded into the system before the date of vaccination, while 46 records had no upload date into the system.
• MySejahtera SMS service payment and Google Maps and Places API are approved with a warning.
Based on the findings, the Report recommended that the MoH ensure that account management for MySejahtera and MyVAS applications is carried out per MoH’s enforced ICT Security Policy.
MoH must also implement data housekeeping to ensure that data is always available, complete and reliable.
The Ministry is advised to thoroughly assess the security level of the MySejahtera and MyVAS applications and to improve the security level to ensure the security of the system and user data.
Finally, agencies must refer to the Ministry of Finance for urgent and immediate procurement or payment to avoid violating the regulations in force.

From page 09
during critical periods and thus recommended the MoH, in collaboration with the Public Services Department, consider the need for additional staffing to overcome the problem of lack of health staff compared to the increase in workload.
• Inappropriate medical equipment storage location
Medical equipment such as oxygen concentrators, high-flow nasal cannulas, ventilators, infusion pumps and syringe pumps were essential for the treatment of Covid-19 patients. Therefore, MoH’s facilities implemented additional procurement and received external donations for the asset.
An inspection was conducted to assess compliance with post-Covid-19 medical equipment storage procedures, which revealed inappropriate storage locations.
Unused medical equipment was found stored in the open, away from the medical building and not in a place designated as a storage room. The audit stressed that equipment stored in inappropriate places increases the risk of asset loss and damage.
• PPE surplus
The Report found that the excess stock of PPE was causing storage problems and potentially could not be used due to expiration.
This excess stock was due to the change in PPE application procedures in managing the Covid-19 pandemic in February 2022 and the decrease in the number of Covid-19 patients.
As of July 2022, the percentage of boot cover and protective suit usage compared to the amount left in stock were at 2.2 and 3.1 per cent, respectively, with a balance of 3.08 million boot covers and 840,000 protective suits.
The Report also found that the Pharmacy Division store of the audited hospitals had a storage problem with an excess stock balance of protective jumpsuits/coveralls and boot covers.
The slow use rate of PPE items caused insufficient storage space, and the hospital had to use the seminar hall/room as a storage centre.
The MoH has responded to the audit review with a proposed plan to reduce PPE stock dumping in hospitals. It includes: a. Creating a stockpile of PPE to face the threat of epidemics; b. Continuous use for the daily operation of the hospital; and c. Continuous stock supply of PPE to PTJ/state/hospital/external facility Responsibility Centers.
On another note, the Report also commented on the MoH’s ambulance service key performance index (KPI) of arriving at the location in less than 15 minutes. The audit scope showed that the Ministry did not achieve the KPI, at between 31.5 and 41.8 per cent compared to its set target of 50 per cent.
The scope of duty of the ambulance service is fast and efficient emergency transport. It transfers patients between health facilities, with trained emergency personnel who can provide initial treatment outside the hospital before the patient is taken to the hospital.
One of the reasons for failing to achieve the KPI is the weakness of management in activating the response team at the hospital close to the incident’s location. The Report also found the burden of ambulance use needs to be balanced between hospitals. The distribution imbalance caused the burden of ambulance use to be disproportionate between hospitals.
The lack of ambulances in health clinics (Klinik Kesihatan) also caused the MoH to be unable to respond within the specified time. The MoH is burdened with the shortage of healthcare personnel for ambulance services. – The Health