2018 SingHealth data breach
The 2018 SingHealth data breach was a data breach incident initiated by unidentified state actors, which happened between 27 June and 4 July 2018. During that period, personal particulars of 1.5 million SingHealth patients and records of outpatient dispensed medicines belonging to 160,000 patients were stolen. Names, National Registration Identity Card (NRIC) numbers, addresses, dates of birth, race, and gender of patients who visited specialist outpatient clinics and polyclinics between 1 May 2015 and 4 July 2018 were maliciously accessed and copied. Information relating to patient diagnosis, test results and doctors' notes was unaffected.[1] Information on Prime Minister Lee Hsien Loong was specifically targeted.[2]
Date | 27 June to 4 July 2018 |
---|---|
Duration | 8 days |
Location | Singapore |
Type | Advanced persistent threat |
Cause | Inadequate training of staff, slow fixing of vulnerabilities |
Participants | Unidentified state actors |
Discovery
The database administrators for the Integrated Health Information Systems (IHiS), the public healthcare IT provider, detected unusual activity on one of SingHealth's IT databases on 4 July, and implemented precautions against further intrusions. Network traffic monitoring was enhanced; additional malicious activity was detected after 4 July, but did not result in the theft of any data.[3] Having ascertained that a cyberattack occurred, administrators notified the ministries and brought in the Cyber Security Agency (CSA) on 10 July to carry out forensic investigations. The agency determined that perpetrators gained privileged access to the IT network by compromising a front-end workstation, and obtained login credentials to access the database, while hiding their digital footprints.[3] The attack was made public in a statement released by the Ministry of Communications and Information and Ministry of Health on 20 July.[2][4] The ten-day delay between the discovery of the attack and the public announcement was attributed to time needed to fortify the IT systems, conduct preliminary investigations, identify affected patients and prepare the logistics of the announcement.[5] Text messages were subsequently sent to patients whose data was affected.[3]
Investigation
In Parliament, S. Iswaran, Minister for Communications and Information, attributed the attack to sophisticated state-linked actors who wrote customized malware to circumvent SingHealth's antivirus and security tools. Iswaran did not name any state, in the interest of national security.[6]
A Committee of Inquiry was convened on 24 July 2018 to investigate the causes of the attack and identify measures to help prevent similar attacks. The four-member committee was chaired by former chief district judge Richard Magnus, and comprised leaders of a cyber-security firm, a healthcare technology firm and the National Trades Union Congress respectively.[7] The committee called on the Attorney-General's Chambers to lead evidence, and the Attorney-General's Chambers appointed the Cyber Security Agency to lead the investigations with the support of the Criminal Investigation Department. The committee held closed-door and public hearings from 28 August,[8] with another tranche of hearings from 21 September to 5 October.[9][10][11] In addition, the Personal Data Protection Commission investigated possible breaches of the Personal Data Protection Act in the protection of the data, in order to determine possible action.[12]
Committee of Inquiry hearings
The scheduled hearings concluded on 14 November 2018, with the closing submissions held on 30 November 2018.[13] Subsequently, the report was submitted to S. Iswaran on 31 December 2018 with the public version released on 10 January 2019.[14]
Release of report
On 10 January 2019, the Committee of Inquiry released a report on the SingHealth breach. The report found that staff were inadequately trained in cybersecurity and were therefore unable to stop the attack. Key staff did not take immediate action to stop the attack, fearing pressure. Compounding this, vulnerabilities in the network and systems were not patched quickly, and the attackers were highly skilled. As a result, the attackers found it easy to break in. The report pointed out that the attack could have been averted had staff been adequately trained and vulnerabilities fixed quickly. The report also found that the attack was the work of an Advanced Persistent Threat group.[15]
In the same report, the Committee of Inquiry made 16 recommendations to boost cybersecurity, separated into priority and additional recommendations.[16] They are:
- Priority:
  - Adopting an enhanced security structure and readiness by IHiS and public health institutions
  - Review online security processes to assess ability to defend and respond to cyberattacks
  - Improving staff awareness on cyberattacks
  - Perform enhanced security checks, especially on critical information infrastructure (CII) systems
  - Subject privileged administrator accounts to tighter control and greater monitoring
  - Improve incident response processes
  - Forge partnerships between industries and the Government to achieve higher cybersecurity
- Additional:
  - IT security risk assessments and audits must be treated seriously and carried out regularly
  - Enhanced safeguards must be put in place to protect confidentiality of electronic medical records
  - Improve domain security against attacks
  - Implement a robust patch management process
  - Implement a software upgrade policy with a focus on cybersecurity
  - Implement an Internet access strategy that limits exposure to external threats
  - Clearer guidelines on when and how to respond to cybersecurity incidents
  - Improve competence of computer security incident response personnel
  - Consider a post-breach independent forensic review of the network
On 15 January 2019, S. Iswaran, Minister for Communications and Information, announced in Parliament that the Government accepted the recommendations of the report and will fully adopt them. It has also sped up the implementation of the Cybersecurity Act to increase security of CIIs.[17] Separately, Gan Kim Yong, Minister for Health, announced that changes to enhance governance and operations in Singapore's healthcare institutions and IHiS will be made. The dual role of Ministry of Health's chief information security officer (MOH CISO) and the director of cybersecurity governance at IHiS will be separated: the MOH CISO will have a dedicated office and report to the Permanent Secretary of MOH, while IHiS will have a separate director in charge of cybersecurity governance, with changes at the cluster level. This will help boost operations and governance of the IT systems. In addition, MOH will establish an enhanced "Three Lines of Defence" system for public healthcare, and pilot a "Virtual Browser" for the National University Health System. All public healthcare staff will remain on Internet Surfing Separation, which was implemented immediately after the cyberattack, and the mandatory contribution of patient medical data to the National Electronic Health Record (NEHR) system will continue to be deferred.[18]
Aftermath
Following the cyberattack, Internet access was temporarily removed from all public healthcare IT terminals with access to the healthcare network, and additional system monitoring and controls were implemented.[19]
The attack led to a two-week pause in Singapore's Smart Nation initiatives and a review of the public sector's cyber-security policies during that time. The review resulted in implementation of additional security measures, and urged public sector administrators to remove Internet access where possible and to use secure Information Exchange Gateways otherwise.[20] The attack also renewed concerns among some healthcare practitioners regarding ongoing efforts to centralize electronic patient data in Singapore. Plans to pass laws in late 2018 making it compulsory for healthcare providers to submit data regarding patient visits and diagnoses to the National Electronic Health Record system were postponed.[21] In addition, the Ministry of Health announced on 6 August 2018 that the National Electronic Health Record (NEHR) will be reviewed by an independent group made up of the Cyber Security Agency and PricewaterhouseCoopers before asking doctors to submit all records to the NEHR, even though it was not affected by the cyberattack.[22]
The Integrated Health Information Systems (IHiS) has since strengthened public health systems against data breaches. All suspicious IT incidents will have to be reported within 24 hours. Eighteen other measures were also put in place, including two-factor authentication for all administrators, proactive threat hunting and intelligence, allowing only computers with the latest security updates on hospital networks, and new database activity monitoring. Studies are being done on keeping the Internet Separation Scheme (ISS) permanent in some parts of the healthcare system, with a virtual browser being piloted as an alternative.[23]
After the report was released, on 14 January 2019, Integrated Health Information Systems (IHiS) dismissed two employees and demoted one for being negligent in handling and misunderstanding the attack respectively, with financial penalties imposed on two middle management supervisors, and five members of the senior management including CEO Bruce Liang. Three employees were commended by IHiS for handling the incident diligently even when not part of their job scope. IHiS has since fast-tracked a suite of 18 measures for enhancing cybersecurity.[24] The next day, the Personal Data Protection Commission fined IHiS $750,000 and SingHealth $250,000 for not doing enough to safeguard personal data under the Personal Data Protection Act, making it the largest fine imposed for data breaches.[25]
References
- Tham, Irene (20 July 2018). "Personal info of 1.5m SingHealth patients, including PM Lee, stolen in Singapore's worst cyber attack". The Straits Times. Archived from the original on 22 August 2018. Retrieved 2 October 2018.
- Kwang, Kevin (20 July 2018). "Singapore health system hit by 'most serious breach of personal data' in cyberattack; PM Lee's data targeted". Channel NewsAsia. Archived from the original on 26 July 2018.
- "Hackers stole data of PM Lee and 1.5 million patients in 'major cyberattack' on SingHealth". TODAYonline. 20 July 2018. Archived from the original on 21 July 2018. Retrieved 2 October 2018.
- Tham, Irene (20 July 2018). "Personal info of 1.5m SingHealth patients, including PM Lee, stolen in Singapore's worst cyber attack". The Straits Times. Retrieved 3 September 2019.
- Baharudin, Hariz (7 August 2018). "Ministers' answers". The Straits Times. Archived from the original on 17 August 2018. Retrieved 16 August 2018.
- "Singapore Minister: Major Cyberattack May Be State-Linked". Associated Press. 6 August 2018. Archived from the original on 17 August 2018. Retrieved 16 August 2018.
- Tham, Irene (24 July 2018). "4-member Committee of Inquiry convened to investigate SingHealth cyber attack". The Straits Times. Retrieved 20 January 2020.
- Baharudin, Hariz (8 August 2018). "COI hearings on SingHealth cyber attack from Aug 28". The Straits Times. Archived from the original on 17 August 2018. Retrieved 16 August 2018.
- Tham, Irene (12 September 2018). "Hearings on SingHealth cyber breach from Sept 21". The Straits Times. Retrieved 22 January 2020.
- Wong, Pei Ting (11 September 2018). "SingHealth cyber attack hearings resume Sept 21; inquiry committee seeks recommendations from the public". Today. Retrieved 22 January 2020.
- "Schedule of Public Hearing Convened by COI into the Cyber Attack on SingHealth". Ministry of Communications and Information. 20 September 2018. Retrieved 22 January 2020.
- Tham, Irene (24 July 2018). "Singapore's privacy watchdog to investigate SingHealth data breach". The Straits Times. Retrieved 20 January 2020.
- "Conclusion of Scheduled Hearings for COI into SingHealth Cyber Attack". MCI. 14 November 2018. Retrieved 17 February 2020.
- Tham, Irene (31 December 2018). "Top-secret report on SingHealth attack submitted to Minister-in-charge of Cyber Security". The Straits Times. Retrieved 17 February 2020.
- Tham, Irene; Baharudin, Hariz (10 January 2019). "COI on SingHealth cyber attack: 5 key findings". The Straits Times. Retrieved 3 September 2019.
- Baharudin, Hariz (10 January 2019). "COI on SingHealth cyber attack: 16 recommendations". The Straits Times. Retrieved 3 September 2019.
- "SingHealth cyberattack: Govt to fully adopt COI recommendations, S Iswaran says". Channel NewsAsia. 15 January 2019. Retrieved 3 September 2019.
- Abu Baker, Jalelah (15 January 2019). "SingHealth cyberattack: IHiS, public healthcare system to see enhanced governance, changes to organisational structure". Channel NewsAsia. Retrieved 3 September 2019.
- "SingHealth cyberattack: Internet surfing delinked at all public healthcare clusters". Channel NewsAsia. Archived from the original on 17 August 2018. Retrieved 16 August 2018.
- Tham, Irene (3 August 2018). "SingHealth cyber attack: Pause on Smart Nation projects lifted; 11 critical sectors told to review untrusted external connections". The Straits Times. Archived from the original on 17 August 2018. Retrieved 16 August 2018.
- Wong, Pei Ting (23 July 2018). "Doctors raise concerns again over national e-records system after data breach at SingHealth". TODAYonline. Archived from the original on 17 August 2018. Retrieved 16 August 2018.
- Choo, Cynthia (6 August 2018). "National e-records system to undergo 'rigorous' security review before proceeding with mandatory contribution". Today. Retrieved 3 September 2019.
- Tham, Irene (1 November 2018). "New measures to strengthen public healthcare systems following SingHealth data breach". The Straits Times. Retrieved 17 February 2020.
- Mohan, Matthew; Sim, Fann (14 January 2019). "SingHealth cyberattack: IHiS sacks 2 employees, imposes financial penalty on CEO". Channel NewsAsia. Retrieved 3 September 2019.
- Mohan, Matthew (15 January 2019). "PDPC fines IHiS, SingHealth combined S$1 million for data breach following cyberattack". Channel NewsAsia. Retrieved 3 September 2019.