SingHealth cyberattack: Singapore government reported incident in 'remarkably' short time

SingHealth was the subject of Singapore’s largest ever cyberattack. Yahoo News Singapore file photo.

Given that a major corporation like Hong Kong flagship carrier Cathay Pacific took months to inform millions of its customers about a data breach, the Singapore government reported the SingHealth cyberattack in a “remarkably short time”, a Committee of Inquiry (COI) was told on Wednesday (14 November).

On the final day of hearings looking into Singapore’s largest ever data breach, SingHealth counsel Dr Stanley Lai noted that SingHealth had informed affected patients of the attack on 20 July, 10 days after it was classified by authorities as a cyberattack.

Lai suggested to Cyber Security Agency (CSA) chief executive David Koh that this represented “a remarkable turnaround period”.

Koh concurred, saying, “The general consensus among the professionals, not just in Singapore, (is) that the Singapore government reported the incident in a remarkably short time.”

The CSA chief was the 37th witness to testify before the COI over 20 days of hearings starting from the first in camera session on 28 August. The COI has also received 26 written submissions from individuals, organisations and industry associations.

From 27 June to 4 July, the personal particulars of 1,495,364 unique patients – including that of Prime Minister Lee Hsien Loong – were stolen from SingHealth’s database. The data comprises the patients’ demographic records and the dispensed medication records of about 159,000 of them.

In October, Cathay Pacific belatedly informed more than 9 million customers that they were affected by a sustained cyberattack that had gone on for months.

Rapidly evolving cyber threat

Koh, who is also Defence Cyber Chief at the Ministry of Defence, told the COI that since the CSA was set up in 2015, cyber threats faced by the Republic have grown in “scale and sophistication”, with new types of malware, vectors of attack and vulnerabilities.

Singapore has been the target of cyberattacks by Advanced Persistent Threat (APT) groups, such as those targeting the National University of Singapore and Nanyang Technological University in 2017.

And given the large scale of operations of the healthcare sector – more than 60,000 endpoints, 6,000 servers and three terabytes of Internet traffic passing through its networks daily – safeguarding the sector presents a “huge challenge”, said Koh.

The CSA chief provided three recommendations in the wake of the SingHealth cyberattack: firstly, cybersecurity should be seen as a risk management issue, not just a technical issue. While it requires a balance between “security, usability of systems and cost”, cybersecurity needs to be managed at the appropriate level of leadership.

“Senior leadership needs to have line of sight of the cybersecurity issues,” said Koh, who also advocated an independent line of reporting to senior management.

Secondly, the Integrated Health Information Systems (IHiS) should adopt a “defence-in-depth” approach when developing and upgrading their systems and networks. IHiS is the central IT agency for the healthcare sector.

Using the analogy of a safe in a bank, Koh said the cyber-equivalent of tripwires, surveillance cameras and alarms should have been in place to protect the “crown jewels” of IHiS: the electronic medical records (EMR) of all SingHealth patients.

“Privileged access to these records should have been behind locked doors, only accessible to a tightly-controlled group of people.” Koh noted that “abnormal large queries” to SingHealth’s EMR database were not flagged until performance issues arose.

In September, an IHiS database administrator with more than 20 years’ experience testified that she did not immediately recognise that the multiple failed attempts to log in to the SingHealth database she had encountered on 4 July amounted to a “serious security incident”.

Gaps between policy and practice

Thirdly, the gaps between policy and practice need to be addressed. Citing different witnesses’ testimony, Koh noted the “lack of clear understanding of SOPs and reporting protocols for security incidents, compounded by an initial failure to recognise that a malicious attack had occurred”.

For example, a suspected security incident in January 2018 involving a workstation at the Medical Records Office thought to have been infected with malware was not escalated as it did not fall under reporting parameters for security incidents.

Koh therefore urged IHiS to conduct a thorough review of its processes, “followed by a thorough and systematic training process” for staff to be familiar with these processes.

Nevertheless, he noted that IHiS has launched several cybersecurity initiatives in recent years. For example, following a spate of ransomware attacks in the healthcare sector in 2016, IHiS implemented security measures to guard against such attacks. It also shared its experience with other Critical Information Infrastructure (CII) sectors to raise awareness of the threat.

Koh concluded, “CSA’s view is that the healthcare sector has made progress in its cybersecurity efforts over the years. It was moving, and is continuing to move, strategically in the right direction.”

The closing submissions from the Attorney-General’s Chambers, SingHealth, Integrated Health Information Systems, MOH Holdings and Ministry of Health will be heard on 30 November.
