SingHealth data breach (2018)
On 20 July 2018, the Ministry of Health (MOH) and Ministry of Communications and Information (MCI) released a joint press statement revealing that there had been a cyberattack on SingHealth’s electronic database. SingHealth is Singapore's largest group of healthcare institutions. This event marked Singapore’s most severe data breach, in which more than 1.5 million patients had their personal particulars stolen. Furthermore, 160,000 patients had their outpatient prescriptions taken as well, including Prime Minister Lee Hsien Loong and a few other ministers. Emeritus Senior Minister Goh Chok Tong was also a victim of the data breach.
Details of incident
The SingHealth network suffered its first intrusion by hackers in August 2017, after a user from the Singapore General Hospital fell prey to a phishing attack. A phishing scam is when hackers go under the pretense of well-known companies, using e-mails to elicit personal information from their target. The situation escalated between 27 June 2018 and 4 July 2018, where hackers stole the personal data of 1.5 million SingHealth patients. The hackers illegally accessed and copied personal information such as national identity card (NRIC) numbers, addresses, names and dates of birth. Those targeted had visited SingHealth’s specialist outpatient clinics and polyclinics between 1 May 2015 and 4 July 2018.
An employee from the Integrated Health Information Systems (IHiS) – the Ministry of Health's IT arm, Chai Sze Chun noticed peculiar database activity on 4 July 2018. After further investigation, he identified that the activity could potentially be malicious in nature. He then notified Katherine Tan, a IHiS database administrator. At a public hearing on 21 September 2018, Katherine Tan to a Committee of Inquiry (COI) stating that she had developed a script to prevent further breaches of the database around midnight on 5 July 2018. The attacks continued, but the heightened security ensured that no further personal information was stolen since 4 July 2018.
On 10 July 2018, with support from the Criminal Investigation Department, the cyberattack was confirmed and reported to the higher authorities at SingHealth, MOH, and the Cyber Security Agency (CSA) of Singapore.
On 12 July 2018, SingHealth filed a police report.
On 20 July 2018, information of the cyberattack was revealed to the public through a joint press statement by MOH and MCI.
From 20 July 2018 onwards, SingHealth notified all patients who have visited its specialist outpatient clinics and polyclinics between 1 May 2015 and 4 July 2018, on whether they are victims of the data breach. The SingHealth polyclinics that were affected by the breach are as follows: Bedok, Bukit Merah, Geylang, Marine Parade, Outram, Pasir Ris, Sengkang, Tampines, and Queenstown. As for SingHealth hospitals, Changi General Hospital, Sengkang General Hospital, KK Women's & Children Hospital, Bright Vision Hospital, National Cancer Centre, National Heart Centre, and Singapore National Eye Centre were affected.
Prime Minister Lee Hsien Loong personally addressed the situation through a Facebook post (original Facebook post) dated 20 July 2018. He stated that he has ordered the Cyber Security Agency of Singapore (CSA) and the Smart Nation and Digital Government Group (SNDGG) to work with MOH to improve cyber security in Singapore. He also states that a COI will be convened to look thoroughly into the attack. PM Lee also affirmed that Singapore will need to be more vigilant and stressed the importance of moving forward, to become a better and more secure Smart Nation.
Emeritus Senior Minister Goh Chok Tong also commented on the incident through a Facebook post (original Facebook post). He stated that cyber theft is a unavoidable risk when going digital, but Singapore should not be deterred by this incident and continue to engage the use of technology to advance.
At press conference on 20 July 2018, Minister-in-charge of Cybersecurity S. Iswaran addressed concerns, stating that he has directed the Cyber Security Agency of Singapore to enhance vital information infrastructure systems. He assured the public that the Smart Nation and Digital Government Group had scanned of all government systems and was no evidence of further compromise. Minister of Health, Gan Kim Yong added that the introduction of the National Electronic Health Record project would be paused in light of the event.
Committee of Inquiry (COI) hearings
It came to light during the COI hearings that there was a delay by an IHis middle manager in reporting the situation to higher authorities. At the COI hearing in September 2018, it was revealed that an the middle manager of cyber security, Ernest Tan had been repeatedly alerted by system engineer Benjamin Lee of dubious network activity since 13 June 2018. Benjamin Lee had reported to Ernest Tan that the hacker had attempted to access 100,000 patient records. In Ernest Tan’s testimony, he stated that he did not read any of the e-mails at the time they were sent as he was on overseas leave. He only read them on 18 June 2018. Ernest Tan also stated that he did not view malware infection as an incident worth reporting, considering that the IHiS receives about 50 malware infection reports on a daily basis. Additionally, he did not view reporting the cyber-security incident as part of his job scope, citing that the standard operating protocol places this responsibility on the security manager of the affected healthcare entity.
Additional evidence also surfaced at another COI hearing on 31 October 2018 of how Benjamin Lee had messaged the IHiS chat group on 6 July 2018, urging his colleagues to report the incident to higher authorities. Ernest Tan had replied to these messages, stating that once the incident has reached the management levels, there will be a lot of pressure and work, which he did not want to deal with. This piece of evidence proved his inaction, and his delay in the reporting of the situation to higher authorities.
In response to Ernest Tan’s statement, Benedict Tan, the SingHealth cluster's group Chief Information Officer at IHiS, argued that there is value in reporting incidents quickly even if the evidence might be inconclusive. He also urged his fellow IHiS staff to take more initiative to venture out of their job scopes and report such security breaches as soon as they notice suspicious activities occurring.
Initial actions taken
On 1 November 2018, Integrated Health Information Systems (IHiS) released a statement regarding the alterations that had been made in light of the SingHealth data breach. Firstly, all administrators would have two-factor authentication set up on their accounts for enhanced security. A new database activity monitoring system was also implemented to detect suspicious bulk queries to patient databases. The 6,000 servers and 60,000 endpoint devices under IHiS would also be installed with advanced malware blocking systems, and temporary Internet surfing separation (ISS) was implemented across all public healthcare systems.
MOH was also experimenting with the idea of using virtual browsers, which would enable users to safely access the Internet through quarantined serves, effectively reducing the number of potential attack points. At the point of the statement, the system was under development and is scheduled to be completed by mid-2019.
Committee of Inquiry (COI) report and recommendations
On 10 January 2019, the Committee of Inquiry (COI) released a 454 page report, detailing key findings about the cyber attack, and recommendations to further improve cybersecurity in Singapore. Based on the key findings of the report, the attacker was a skilled hacker, bearing the characteristics of an Advanced Persistent Threat (APT) group. The aim of an APT group is to repeatedly gather sensitive data over an extended time-frame in order to achieve a malicious purpose.
The 7 priority recommendations made in the report is as follows:
|Enhanced security structure to be adopted by IHiS and Public Health Institutions||Improve staff awareness on cybersecurity and the actions to be taken during security incidents|
|Review and assess the current cybersecurity infrastructures||Privileged administrator accounts need to be subjected to tighter control and stricter monitoring|
|Perform enhanced security checks on systems for key sectors||Improve efficiency of incident response processes|
|Strengthen intelligence sharing and partnerships between industry and government|
The recommendations in the COI report have all been accepted by MOH and SingHealth. SingHealth’s group Chief Executive Officer Ivy Ng asserted that SingHealth would actively implement the recommendations in the coming months.
Integrated Health Information Systems (IHiS) took the following actions to hold its staff accountable for their inaction leading up to the incident.
The team lead of the Infrastructure Systems team, and the senior manager in charge of cyber security at IHiS who displayed incompetent behaviour in relaying the information of the data breach to the relevant authorities were removed from their positions. A cluster information security officer was also re-assigned to a lower ranking position. Five senior management team members, as well as the two supervisors of the sacked personnel have been fined. The CEO of IHiS, Bruce Liang is also included in the 7 employees being fined.
Three employees received praise for their display of resourcefulness in managing the data breach incident. The Personal Data Protection Commission (PDPC) of Singapore also issued fines of SGD$750,000 to IHiS and SGD$250,000 to SingHealth for their failures in securing patient data.
References / Citations
- Tham, Irene. “Personal info of 1.5m SingHealth patients, including PM Lee, stolen in Singapore's worst cyber attack”. The Straits Times. July 21, 2018. Accessed on 8 January 2019. Retrieved from: https://www.straitstimes.com/singapore/personal-info-of-15m-singhealth-patients-including-pm-lee-stolen-in-singapores-most
- “PUBLIC REPORT OF THE COMMITTEE OF INQUIRY INTO THE CYBER ATTACK ON SINGAPORE HEALTH SERVICES PRIVATE LIMITED’S PATIENT DATABASE ON OR AROUND 27 JUNE 2018”. Ministry of Communications and Informations. January 10, 2018. Accessed on 10 January 2019. For more details, refer to: https://www.mci.gov.sg/coireport
- "SINGHEALTH'S IT SYSTEM TARGET OF CYBERATTACK". July 20, 2018. Accessed on 8 January 2019. Ministry of Health. Retrieved from: https://www.moh.gov.sg/news-highlights/details/singhealth's-it-system-target-of-cyberattack
- Chua, Alfred. “SingHealth cyber attack: Not all IHiS employees aware of what to do in a cyber-security incident”. Today. September 22, 2018. Accessed on 8 January 2019. Retrieved from: https://www.todayonline.com/singapore/singhealth-cyber-attack-not-all-ihis-employees-aware-what-do-cyber-security-incident
- Accessed on 8 January 2019. Retrieved from Lee Hsien Loong’s Facebook Profile: https://www.facebook.com/leehsienloong/posts/1957979740931389
- Accessed on 8 January 2019. Retrieved from Goh Chok Tong’s Facebook Profile: https://www.facebook.com/MParader/posts/2271495986226388
- Kwang, Kevin. “Singapore health system hit by ‘most serious breach of personal data’ in cyberattack; PM Lee's data targeted”. The Straits Times. July 20, 2018. Accessed on 8 January 2019. Retrieved from: https://www.channelnewsasia.com/news/singapore/singhealth-health-system-hit-serious-cyberattack-pm-lee-target-10548318
- Tham, Irene. “Top-secret report on SingHealth attack submitted to Minister-in-charge of Cyber Security”. The Straits Times. December 31, 2018. Accessed on 11 January 2019. Retrieved from: https://www.straitstimes.com/singapore/top-secret-report-on-singhealth-attack-submitted-to-minister-in-charge-of-cyber-security
- Tham, Irene. “SingHealth cyber attack COI: Senior manager reluctant to report attack because he did not want to deal with pressure”. The Straits Times. October 31, 2018. Accessed on 11 January 2019. Retrieved from: https://www.straitstimes.com/singapore/coi-on-singhealth-cyber-attack-new-chat-evidence-shows-bottleneck-in-reporting
- Tham, Irene. “New measures to strengthen public healthcare systems following SingHealth data breach”. The Straits Times. November 1, 2018. Accessed on 8 January 2019. Retrieved from: https://www.straitstimes.com/singapore/slew-of-new-measures-to-strengthen-public-healthcare-systems-unveiled-following-singhealth
- “PUBLIC REPORT OF THE COMMITTEE OF INQUIRY INTO THE CYBER ATTACK ON SINGAPORE HEALTH SERVICES PRIVATE LIMITED’S PATIENT DATABASE ON OR AROUND 27 JUNE 2018”. Ministry of Communications and Informations. January 10, 2019. Accessed on 10 January 2019. For the full report, refer to: https://www.mci.gov.sg/coireport
- Tham, Irene. “IHiS sacks 2 employees, slaps financial penalty on CEO over lapses in SingHealth cyber attack”. The Straits Times. January 15, 2019. Accessed on 15 January 2019. Retrieved from: https://www.straitstimes.com/singapore/ihis-sacks-2-employees-slaps-financial-penalty-on-ceo-over-lapses-in-singhealth-cyber
- Tham, Irene. “IHiS, SingHealth fined $1m; new cyber security steps taken”. The Straits Times. January 16, 2019. Accessed on 23 January 2019. Retrieved from: https://www.straitstimes.com/politics/ihis-singhealth-fined-1m-new-cyber-security-steps-taken