SINGAPORE: The “most serious breach of personal data” in Singapore’s history took place last month, with 1.5 million SingHealth patients’ records accessed and copied while 160,000 of those had their outpatient dispensed medicines’ records taken too, according to the Ministry of Health and Ministry of Communications and Information.
Among those affected was Prime Minister Lee Hsien Loong, with the attackers “specifically and repeatedly targeting” his personal particulars and information of his outpatient dispensed medicines, the ministries said in a joint release on Friday (Jul 20).
AdvertisementThe personal data taken from the 1.5 million patients include their names, NRIC numbers, address, gender, race and date of birth, the release said, adding that the hackers did not amend or delete the records. Patients’ medical records, including past diagnosis, doctors’ notes and health scans, were not affected.
“We have not found evidence of a similar breach in the other public healthcare IT systems,” they said.
Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHIS) confirmed that the attack was a “deliberate, targeted and well-planned cyberattack” and was not the work of casual hackers or criminal gangs.
Channel NewsAsia understands that attribution has been made as to who conducted the online attacks, and that there are only a few countries in the world who have the level of sophistication shown during the cyberattack campaign.
AdvertisementAdvertisement"I apologise. We are not able to reveal more because of operational security reasons," said CSA chief executive David Koh when asked which country might have been involved.
None of the stolen data has surfaced in the public domain.
SOPHISTICATED ATTACK
According to MCI and MOH, IHIS database administrators detected unusual activity on one of SingHealth’s IT databases on Jul 4, and acted immediately to stop it. They carried on their investigations, while putting in place additional security measures, the release said.
From Jul 4 to Jul 9, they continued to monitor the network traffic closely before ascertaining it was a cyberattack and alerted superiors. On Jul 10, MOH, SingHealth and CSA were informed and forensic investigations were carried out.
It was found that data was taken out from Jun 27 to Jul 4 this year, and the patient records accessed and copied were from those who visited SingHealth’s specialist outpatient clinics and polyclinics from May 1, 2015, to Jul 4 this year.
CSA ascertained the cyberattackers first accessed the network after breaching a front-end workstation, and managed to get privileged access to the database over time while also showing sophistication in cleaning up their digital footprints when doing so.
SingHealth has since lodged a police report on Jul 12, and police investigations are ongoing. These investigations are separate from those looking into the cyberattack, Channel NewsAsia understands.
Since kicking the cyberattacker out of the system on Jul 4, further attacks were observed but no further data were illegally stolen, the ministries said, adding there was no disruption of healthcare services during the period of the cyberattack and patient care has not been compromised.
STEPPING UP SECURITY
The ministries also said further measures have been introduced to tighten SingHealth’s IT security, including imposing Internet separation policies.
Additional controls on workstations and servers have also been introduced, as well as the resetting of user and systems accounts and installation of more system monitoring controls.
Furthermore, SingHealth will be progressively contacting all patients who visited its clinics and polyclinics during the abovementioned time period to notify them if their data has been stolen.
All patients, whether or not they are affected, will receive an SMS notification over the next five days. They can also proactively access the Health Buddy mobile app or SingHealth website to check if they have been affected, the release said.
MOH has also directed IHIS to conduct a thorough review of the public healthcare system here, with support from third-party experts. Areas of review include cybersecurity policies, threat management processes, IT system controls and organisational and staff capabilities.
Advisories have also been sent to all healthcare institutions, public and private, on the cybersecurity precautions and measures to be taken, the release added.
COI TO BE CONVENED
Separately, the Minister-in-charge of Cybersecurity S Iswaran on Friday will also convene a Committee of Inquiry, to be headed by Mr Richard Magnus, a retired Chief District Judge and member of the Public Service Commission.
More details of its members and terms of reference, as well as when the COI will be held, will be revealed at a later date, MCI said.
Addressing reporters at a news conference, Mr Iswaran said: "Because this incident occurred in the SingHealth IT system and is within the healthcare cluster, that has to be the natural focal point of the COI’s work."
However, to be meaningful it also has to draw lessons or policy recommendations that can be applied to the public sector and potentially the private sector, he added.
Mr Iswaran has also directed CSA to work closely with all 11 keys sectors - energy, water, banking and finance, healthcare, transport, Infocomm, media, security and emergency services and Government - to enhance the security of their critical information infrastructure systems.
The Smart Nation and Digital Government Group has also completed a scan of all government systems and found no evidence of compromise, MCI said.
There will be a pause in the introduction of new ICT systems in the interim, until their respective reviews have been completed and security posture established, it added.
There are no details on which ICT projects will be put on hold, but these could possibly include SingPass Mobile, Channel NewsAsia understands.
"While we will do utmost to secure our IT systems from attack, unfortunately we cannot completely eliminate the risk of another cybersecurity attack," MCI said. This is due to attackers constantly developing new techniques and probing for fresh weaknesses n IT systems.
"However, we must not allow this incident, or any others like it, to derail our plans for a Smart Nation," it added.
Let's block ads! (Why?)
More...