Name and Constituency of Member of Parliament
Dr Chia Shi-Lu
MP for Tanjong Pagar GRC
Question No. 2103
To ask the Minister for Health with regard to the SingHealth cyberattack, how will the Ministry assess whether (i) the data have not been tampered with (ii) subversive latent programmes have not infiltrated and been installed in SingHealth's network and (iii) access to other Government networks has been gained through SingHealth's system.
Name and Constituency of Member of Parliament
Ms Joan Pereira
MP for Tanjong Pagar GRC
Question No. 2111
To ask the Minister for Health (a) what steps will be taken to ensure that the data on the National Electronic Health Record (NEHR) system is protected from cyberattacks; (b) what systems are in place to determine whether medical records are tampered with; and (c) when there is a data leak or alteration of personal information or medical records, what will be done to safeguard the interests of patients whose data are in the record.
Name and Constituency of Member of Parliament
Mr Christopher de Souza
MP for Holland-Bukit Timah GRC
Question No. 2113
To ask the Minister for Health with regard to the recent hacking of SingHealth's IT system (a) what has been discovered in the investigations thus far; (b) what lessons are learned; and (c) how will similar situations be avoided in the future.
Name and Constituency of Member of Parliament
Ms Ang Wei Neng
MP for Jurong GRC
Question No. 2115
To ask the Minister for Health (a) when was the last audit, internal or external, conducted on the public SingHealth IT system, particularly in areas related to the patient database; (b) which are the public health care systems that use the similar IT system as that of SingHealth; (c) what are the immediate rectification measures taken by SingHealth and other health care groups under the Eastern, Western and Central regions.
Name and Constituency of Member of Parliament
Assoc Prof Daniel Goh Pei Siong
Non-Constituency MP
Question No. 2136
To ask the Minister for Health whether security measures implemented after the cyberattack on the SingHealth system have affected waiting time and consultation time at public hospitals and polyclinics.
Name and Constituency of Member of Parliament
Ms Sylvia Lim
MP for Aljunied GRC
Question No. 2138
To ask the Minister for Health whether he can elaborate on the reasons for the significant delay in informing the public of the cyberattack affecting Singhealth's database from the time the breach was discovered.
Name and Constituency of Member of Parliament
Mr Dennis Tan Lip Fong
Non-Constituency MP
Question No. 2140
To ask the Minister for Health (a) why were details of the cyberattack on the medical records of 1.5 million people under SingHealth's hospitals, speciality clinics and polyclinics not disclosed to the public earlier; (b) what measures have been taken to improve security since the cyberattack; and (c) what actions will be taken against the perpetrators of the cyberattack.
Combined Answer
STATEMENT BY MINISTER (HEALTH) MR GAN KIM YONG ON CYBERATTACK ON SINGHEALTH’S IT SYSTEM
Mr Speaker,
1. Thank you for allowing me to make this statement on the recent cyberattack on SingHealth’s IT system. Several MPs have asked about the incident, and I will address their questions in my statement.
2. What we encountered was a sophisticated and unprecedented cyberattack. Personal particulars and outpatient dispensed medicines of SingHealth’s patients were accessed and copied.
3. Let me once again apologise to our patients for this incident. Our healthcare family’s priorities are not just to provide good patient care, but also to safeguard the confidentiality of their data.
Details of Attack
4. This is a very serious cyberattack. The attacker accessed SingHealth’s system through an initial breach on a front-end workstation, circumvented the multi-layered security barriers by using advanced and sophisticated tools, and then gained privileged credentials to access the database. This is not the work of casual hackers or criminal gangs, but a sophisticated and resourceful attacker.
5. Let me provide a quick recap of the incident based on what we know thus far. On 4 July 2018, data administrators of our Integrated Health Information Systems, or IHiS, detected unusual activity on one of SingHealth’s IT databases. IHiS is the technology organization that administers the IT systems for the public healthcare sector.
6. The immediate priority of the team was to stop the unusual activity and block the connections to prevent further access. As a result, we prevented further loss of data. No further exfiltration has been detected since 4 July.
7. Concurrently, the IHiS team immediately investigated the suspicious activity, to determine its nature and whether it was malicious. This process takes time as our hospital systems process millions of data queries daily. There will always be a number of unusual processes that need to be investigated and most of these turn out to be legitimate activities. Furthermore, the attacker was careful to remove its traces as it worked, making investigation harder. On 10 July, IHiS confirmed from its investigations that it was a cyberattack, and informed SingHealth, MOH and CSA.
8. Thereafter, several streams of tasks were carried out concurrently. An inter-agency team, comprising MOH, IHiS, SingHealth, MCI and CSA, worked closely together to contain the cyberattack, and undertake measures to prevent further attacks. We implemented additional containment and monitoring measures such as restricting user access, blocking more connections, resetting security tokens, mandating password changes for users and heightened monitoring of the IT systems across the public healthcare sector. At the same time, a separate team in IHiS supported SingHealth’s efforts to assess the extent of the data affected and identify the patients these data belong to, and planning for patient engagement to inform them of the incident.
9. The cyberattack has resulted in the personal particulars of 1.5M SingHealth patients being accessed and copied. This included name, NRIC number, address, gender, race and date of birth. Of this, 160,000 had information on their outpatient dispensed medicines accessed. However, no phone numbers, passwords or credit card information were accessed. All records in SingHealth’s IT system remain intact and are unaltered. IHiS staff combed through detailed access logs to confirm that the databases were not tampered with. Patient care has not been compromised and services were not disrupted during the period of the cyberattack.
10. Despite the additional cybersecurity measures, we detected further malicious activity on our networks, but no further patient data were accessed or copied. We decided to effect internet surfing separation for SingHealth on 19 July to minimise the risk of further intrusion and exfiltration. On 20 July, we assessed that the situation had been stabilised and informed the public of the cyberattack, even while investigations were ongoing.
Informing Affected Patients
11. Between 20 and 23 July, SingHealth sent SMS notifications to about 2 million patients who visited its healthcare institutions between 1 May 2015 and 4 July 2018, to inform them whether their personal information or medication information were affected. This includes patients who visited Singhealth during this period, but whose data were not affected. It also set up an online data check through the SingHealth website and Health Buddy, and expanded its call centres to attend to queries from patients.
12. Many of our colleagues from the healthcare family were mobilised at short notice to help manage the situation and address patient concerns about the cyberattack. I would like to thank them for stepping up in this time of need.
Patient Interests our Key Concern
13. Patient well-being is our top priority. This includes safeguarding the confidentiality of patient data as well as ensuring safe and effective patient care. We face a constant challenge of striking the right balance between having stronger cybersecurity safeguards, while ensuring effective and safe patient care.
14. To achieve this, we adopted a multi-layered approach to cybersecurity:
15. First, prevention. Our systems are designed with defensive measures against illegal access. For example, there are multi-layer security defences in place both at the perimeter guarding against threats on the internet, as well as within the perimeter to protect against unauthorised access. Vulnerability scans and tests are conducted regularly. Independent IT security audits are also carried out, with the last such audit on the affected system performed in the second half of 2017.
16. Second, detection. We have monitoring tools and services to detect breaches. Our systems are also designed to provide extensive detailed activity logs for internal and external round-the-clock monitoring.
17. Beyond setting up a resilient system, we also need a culture of vigilance and cybersecurity awareness. This applies to our healthcare staff, as well as our IT staff. We should always adopt safe cyber practices, watch for suspicious emails and messages, and report them to our IT departments as soon as possible.
18. Third, response. We have established operating and technical procedures and measures to contain the impact and neutralise the threat once a breach is discovered. In the event of a breach, we will also notify and work with CSA to contain and investigate the breach. Exercises are conducted regularly to ensure staff are familiar with the procedures.
Internet Surfing Separation
19. MPs have also asked about internet surfing separation (ISS). In view of continued malicious activity that we observed, I decided to temporarily impose ISS for all our public healthcare clusters. ISS was implemented for SingHealth since 19 July, and NUHS and NHG have done so since 23 July. Imposing ISS will limit avenues for attackers to enter and exit the healthcare clusters’ IT systems. However, ISS has created some inconveniences and operational challenges for healthcare workers and patients. We have taken precautions to ensure patient care and safety are not affected. I would like to thank our healthcare workers and patients for their understanding and support.
20. Could we have initiated ISS earlier? ISS is not a decision to be taken lightly. In fact, even before the incident, IHiS had been working with our clusters to study and assess the feasibility of ISS and the ways to mitigate the impact on patients and healthcare professionals. Internet access is an integral part of many of our healthcare institutions’ daily operations. They rely on the Internet to access other systems for the delivery of some healthcare services. These include receiving and reading reports from laboratories, referrals to our private sector partners, video consultation and tele-rehabilitation, as well as the payments and claims systems. We were also learning from the experiences of other countries’ healthcare IT systems and exploring alternative approaches to achieve similar protection as ISS, while minimizing the impact on operations and patients.
21. Many healthcare systems in other countries have found it difficult to implement ISS for practical and operational considerations . Healthcare systems, such as Hong Kong’s Hospital Authority and Kaiser Permanante have not adopted full ISS. One possible approach we are studying and piloting is the virtual browser solution. This enables users to access the Internet safely via a set of quarantined servers. This will reduce the number of potential attack points. The virtual browser solution will be complemented by the deployment of Advanced Threat Protection (ATP), which will provide additional defence against advanced cyberattacks. The deployment of ATP had been initiated before this incident and is currently underway, expected to be completed by end August 2018.
22. Our ongoing pilot on virtual browser was scheduled to be completed by September this year. Nevertheless, given the urgency of the matter, we went ahead to implement ISS, albeit as a temporary measure. To mitigate the challenges on the ground and allow the healthcare institutions to continue to operate safely, our engineers worked overnight and through the weekend to put in place temporary work-around solutions. The team continues to be on the ground to resolve the problems that have arisen as a result of the ISS. Areas that have been affected include reading of diagnostic reports from laboratories, video consultation and assessment of suspected stroke patients at the emergency department. Waiting times for consultation may also be longer as doctors may need to access references on the internet through a separate computer.
23. There remain some issues not yet fully resolved, such as referrals to private sector partners, and submission and retrieval of results from screening systems. These do not compromise patient care and safety, but affect the efficiency of our healthcare system.
24. As a result of the security measures, some patients may experience a longer wait for consultations and receive their test results, as well as delays in checking their MediSave accounts or making their claims. The productivity and efficiency of our services may also have diminished in some cases. We would like to thank our patients for their understanding as we work through these issues on the ground.
25. Although I said ISS was a temporary measure, now that it has been implemented, we will study the impact of ISS on the ground, and determine whether we can keep it as a permanent measure, at least for some parts of our healthcare system. We will need to develop longer term mitigation solutions to overcome the operational issues if ISS is to stay.
Should Not Reverse Direction in Use of Technology in Healthcare
26. This cyberattack is unprecedented. Despite our security measures, the attackers had been very patient, very persistent, and very resourceful. With advanced hacking tools, they eventually succeeded in gaining access to SingHealth’s patient database. We take this seriouslyas there is no reason to believe that they will not try again, with even more advanced tools. Therefore, we are reviewing the cybersecurity measures of our key IT projects and strengthening them where necessary.
27. MPs have asked about the National Electronic Health Record (NEHR) system. The NEHR is a separate system that was not affected by this cyberattack. Due to the need for the system to interface with multiple external partners, the NEHR is designed differently from the systems that were infiltrated. Nevertheless, we recognise that this is an important national system of significant scale, as it will eventually house key medical records for all patients.
28. We will therefore put the NEHR through a rigorous independent external review before we proceed with mandatory contribution of electronic health records. We have engaged CSA and PwC Singapore as independent third parties to help identify any vulnerabilities and recommend measures to address them. We must assure ourselves, users and patients that the necessary safeguards are in place, before we proceed with wider implementation of the NEHR.
29. However, we should not reverse our direction in the use of technology in healthcare. Digitalisation, technology and use of data in healthcare have brought many benefits to patients. We cannot return to the days of paper and pencil.
30. IT systems have allowed us to greatly improve the safety and effectiveness of patient care. During an emergency where a patient is unconscious, access to his medical history in the NEHR helps doctors prescribe more effective medication and treatment in a timely manner. Data analytics helps us to better understand disease patterns and plan ahead to meet our needs in the future. Automation improves productivity, reduces human errors and enables patients to receive better care. When patients receive care beyond the hospital, integration of IT systems allows easier referrals across settings and enables better team-based care and more effective emergency response. These have to be matched with efforts to continually improve our ability to secure patients’ data, and the increasing robustness of the systems to deal with a constantly evolving cyber security threat.
Next Steps
31. Given the broader national cybersecurity implications, Minister Iswaran has appointed a Committee of Inquiry to look into this incident. We will extend our full support for the work of the Committee. We look forward to its report and recommendations to further strengthen our resilience against cyberattacks.
32. At the same time, we will be conducting a thorough review of the robustness of the cyber safeguards of our key IT systems. We will identify potential areas for improvement in cyber threat prevention, detection and response. To do this, we will bring in third party experts to support us in this work where necessary.
33. Finally, we will ensure that the lessons learnt and improvements needed are shared widely, across both the public and private healthcare sectors.
Closing
34. We must take this cyberattack seriously. While we have implemented additional cybersecurity measures, including ISS, we must not be complacent and assume that we are now safe from cyberattacks. Instead, we must continue on the assumption that the perpetrators will continue to try with increasingly sophisticated tools and techniques, and may succeed in getting through. We must all remain vigilant, learn from this and continually strengthen our systems against evolving cyber security threats.