SingHealth hack 'exposed weaknesses': DPM Teo Chee Hean

Barring Internet access on work computers in the public healthcare system could have disrupted the cyber attack on SingHealth, Deputy Prime Minister Teo Chee Hean said yesterday in the wake of Singapore's worst data breach.

He said Internet surfing separation, like what has been done in the public sector, could and should have been implemented on public healthcare systems.

"This would have disrupted the cyber kill-chain for the hacker and reduced the surface area exposed to (the) attack," said Mr Teo, the Coordinating Minister for National Security.

He said the attackers had accessed the SingHealth system through one of the front-end computers connected to the Internet.

"This provided intruders with an attack surface of many thousands of users in the medical and academic community."

Since the attack was made public last Friday, SingHealth has imposed a temporary Internet surfing separation on all of its 28,000 staff members' work computers. The other two public healthcare groups, National Healthcare Group and National University Health System, have followed suit. No end-date has been set.

The "sophisticated and persistent" cyber attack had exposed weaknesses in end-user workstations of the public health sector, Mr Teo said at the Public Service Engineering Conference 2018.

The stolen data, which contained the personal information of some 1.5 million patients, including Prime Minister Lee Hsien Loong, was then exfiltrated to external servers outside Singapore, Mr Teo added.

The hack took place between June 27 and July 4, before unusual access queries to the main database made by the intruders were detected and triggered an alert.

"Of course, we are studying whether this could have been detected and reported more quickly, preventing such a large data loss," Mr Teo said.

Meanwhile, inquests by multiple agencies are underway.

A Committee of Inquiry (COI) was convened yesterday by Minister-in-charge of Cyber Security S. Iswaran to look into the SingHealth attack. (See report on Page 2.)

The Personal Data Protection Commission (PDPC), Singapore's privacy watchdog, is also investigating whether there were security lapses in SingHealth and Integrated Health Information Systems (IHiS), which runs the IT systems of public health institutions.

An MCI spokesman said PDPC will take into account the COI report in determining if any appropriate action needs be taken.

As corporate entities, SingHealth and IHiS are bound by the Personal Data Protection Act and could face a fine of up to $1 million if found not to have properly secured patients' personal data.

The Monetary Authority of Singapore has ordered financial institutions to immediately tighten their customer verification process. (See report on Page 26.)

In his keynote address at the Ministry of Communications and Information's Workplan Seminar yesterday, Mr Iswaran, who is also Minister for Communications and Information, said the SingHealth attack threatens to erode trust in Singapore's institutions.

"Trust is a precious and fragile asset - especially in the era of social media and fake news. It is difficult to build, and it is very easily destroyed," he said.

"(The COI) is an important step, both to get to the bottom of the incident and also ensuring we maintain and enhance Singaporeans' trust in our systems and our institutions."

With a worldwide surge of security incidents targeting government networks and systems and a near ten-fold increase in phishing attacks in Singapore in the past two years, Mr Teo said it was crucial that cyber security be taken seriously.

Mr Teo and Mr Iswaran emphasised that such security incidents should not derail plans to build a Smart Nation, which is on pause.

Mr Teo said: "We need to persist in our efforts to harness the potential of the digital age, while building deeper expertise in our cyber security... to do so confidently."