The story making headlines across the globe over the weekend has been what is possibly one of the worst cyber attacks to have ever hit the city-state of Singapore.
A major data breach struck Singapore’s SingHealth database on Friday (20 July 2018), leaving 1.5 million Singaporeans feeling anxious and filled with a previously latent distrust of the security of cyberspace. The public was notified of the attack via a joint press release from the Ministry of Communications and Information (MCI) and the Ministry of Health (MOH).
On 4 July 2018, IHiS’ database administrators detected unusual activity on one of SingHealth’s IT databases. They acted immediately to halt the activity. IHiS investigated the incident to ascertain the nature of the activity while putting in place additional cybersecurity precautions. With heightened monitoring, further malicious activities were observed.
However, this was not before approximately 1.5 million patients who visited SingHealth’s specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018 had their non-medical personal particulars illegally accessed and copied.
Investigations by the CSA ascertained that the hackers accessed the SingHealth IT system through an initial breach on a particular front-end workstation. They subsequently managed to obtain privileged account credentials to gain privileged access to the database. The data taken included patient names, NRIC numbers, addresses, gender particulars, race and dates of birth. Information on the outpatient dispensed medicines of about 160,000 of these patients was also exfiltrated. The records were not tampered with, i.e. no records were amended or deleted. No other patient records, such as diagnosis, test results or doctors’ notes, were breached. All patient records in SingHealth’s IT system remain intact. There has been no disruption of healthcare services during the period of the cyber attack, and patient care has not been compromised.
Upon discovery, the breach was immediately contained, preventing further illegal exfiltration.
On 10 July 2018, investigations confirmed that it was a cyber attack, and the Ministry of Health (MOH), SingHealth and CSA were informed. It was established that data was exfiltrated from 27 June 2018 to 4 July 2018. SingHealth lodged a police report on 12 July 2018. No further illegal exfiltration has been detected since 4 July 2018.
The Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHiS) noted that this was not the work of casual hackers or criminal gangs. They confirmed that it was a deliberate, targeted and well-planned cyberattack. Prime Minister Lee Hsien Loong’s personal particulars and information on his outpatient dispensed medicines were specifically and repeatedly targeted.
With CSA’s support, IHiS has implemented further measures to tighten the security of SingHealth’s IT systems. These include temporarily imposing internet surfing separation, placing additional controls on workstations and servers, resetting user and systems accounts, and installing additional system monitoring controls. Similar measures are being put in place for IT systems across the public healthcare sector against this threat.
The inspection has not identified evidence of a similar breach in the other public healthcare IT systems. However, it is important to note that the police investigation is ongoing.
According to the press release, on Friday (20 July 2018) SingHealth began progressively contacting all patients who visited its specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018, to notify them if their data had been illegally exfiltrated. The patients, whether or not their data were compromised, are to receive an SMS notification between 20 and 25 July 2018.
Patients can also access the Health Buddy mobile app or SingHealth website to check if they have been affected by this incident.
MOH has directed IHiS to conduct a thorough review of our public healthcare system, with support from third-party experts, to improve cyber threat prevention, detection and response. Areas of the review will include cybersecurity policies, threat management processes, IT system controls and organisational and staff capabilities. Advisories have been sent to all healthcare institutions, public and private, on the cybersecurity precautions and measures to be taken.
The Minister-in-Charge of Cyber Security will establish a Committee of Inquiry to conduct an independent external review of this incident.